Closed Bug 1461480 Opened 6 years ago Closed 5 years ago

[ARM64] Crash in js::jit::MaybeEnterJit (1MB aligned address)

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

ARM64
Android
defect

Tracking


RESOLVED INCOMPLETE
Tracking Status
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- affected

People

(Reporter: tcampbell, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [geckoview:fxr:p2][arm64:m3])

Crash Data

This bug was filed from the Socorro interface and is
report bp-f2f883c7-6c20-4455-992d-762860180505.
=============================================================

Top 10 frames of crashing thread:

0  @0x722c1105ec 
1 libxul.so js::jit::MaybeEnterJit js/src/jit/Jit.cpp:99
2 libxul.so js::LiveSavedFrameCache::~LiveSavedFrameCache mfbt/Variant.h:672
3 libxul.so nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::AppendElement<mozilla::dom::Element*, nsTArrayInfallibleAllocator> xpcom/base/nsCOMPtr.h:486
4 libxul.so nsContentList::PopulateSelf dom/base/nsContentList.cpp:946
5 libxul.so mozilla::dom::IsNonExposedGlobal dom/bindings/BindingUtils.cpp:2873
6 libxul.so nsContentList::Length dom/base/nsContentList.cpp:511
7 libxul.so mozilla::dom::HTMLCollectionBinding::get_length dom/bindings/HTMLCollectionBinding.cpp:34
8 libxul.so mozilla::dom::GenericBindingGetter dom/bindings/BindingUtils.cpp:2905
9 libxul.so mozilla::dom::IsNonExposedGlobal dom/bindings/BindingUtils.cpp:2873

=============================================================

In the various JIT crashes, we have a number of ARM64-specific crashes with addresses that are 1MB aligned. These crashes don't occur on 32-bit ARM or on desktop at any comparable rate.
Sean, any thoughts on why we might have an ARM64-specific crash with this pattern?
Flags: needinfo?(sstangl)
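To check the 1MB-alignment pattern the reporter describes across a batch of reports rather than one at a time, here is a small triage helper added as an example (not part of the bug, Socorro or the Gecko tree). It parses constructed `signature|platform|crash address` lines; only the first address comes from the report above, the rest are made up to illustrate the per-platform comparison.

```python
from collections import defaultdict

# Constructed sample in a Socorro-like "signature|platform|address" form.
# Only the first address is from bp-f2f883c7-6c20-4455-992d-762860180505
# (frame 0 of the crashing thread); the other rows are invented.
SAMPLE_LINES = """\
js::jit::MaybeEnterJit|arm64|0x722c1105ec
js::jit::MaybeEnterJit|arm64|0x7a1c00000
js::jit::MaybeEnterJit|arm64|0x7b2d00000
js::jit::MaybeEnterJit|arm64|0x7b2d00000
js::jit::MaybeEnterJit|arm|0xb3c4a1e0
js::jit::MaybeEnterJit|x86_64|0x7f3a12c0ff40
"""

MB = 1 << 20  # 1MB boundary the reporter is asking about


def alignment(addr: int) -> int:
    """Largest power of two that divides addr (0 for a null address)."""
    return addr & -addr if addr else 0


def parse(lines: str):
    """Turn the pipe-separated lines into (signature, platform, int address) rows."""
    rows = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        sig, plat, addr = line.split("|")
        rows.append((sig, plat, int(addr, 16)))
    return rows


def aligned_counts(rows, align: int = MB):
    """Per platform: (crashes whose address is a multiple of `align`, total crashes)."""
    counts = defaultdict(lambda: [0, 0])
    for _, plat, addr in rows:
        counts[plat][1] += 1
        if addr % align == 0:
            counts[plat][0] += 1
    return {plat: (hit, total) for plat, (hit, total) in counts.items()}


if __name__ == "__main__":
    for plat, (hit, total) in aligned_counts(parse(SAMPLE_LINES)).items():
        print(f"{plat:8s} {hit}/{total} crash addresses on a 1MB boundary")
```

Feeding it a real Socorro export would show whether the boundary hits really cluster on arm64, which is the comparison the comment asks for.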
1MB alignment makes me worry about our mmap replacement on this platform.  It has not been tested heavily (being used only for 48-bit-virtual-address systems such as ARM64 and SPARC) and I have found bugs in it before.  It also needs to be replaced (bug 1441473) because it is not performant and it subverts ASLR.  Adding GC people.
James, do you know why we would be seeing a spike in ARM64 crashes starting with Fennec 58? Where did all these ARM64 Fennec users come from? I thought we didn't actually ship any ARM64 builds.
Flags: needinfo?(snorp)
See Also: → 1441473
Whiteboard: [geckoview:fxr]
(In reply to Chris Peterson [:cpeterson] from comment #3)
> James, do you know why we would be seeing a spike in ARM64 crashes starting
> with Fennec 58? Where did all these ARM64 Fennec users come from? I thought
> we didn't actually ship any ARM64 builds.

We don't ship it anywhere, but we do have the Focus/Klar GV aarch64 builds in the Play Store. That wouldn't be version 58, though, so I guess I don't really have an explanation.
Flags: needinfo?(snorp)
[geckoview:fxr:p2] because Firefox Reality 1.0 will not include ARM64 support.
See Also: → 1451720
Whiteboard: [geckoview:fxr] → [geckoview:fxr:p2]
Priority: -- → P3
See Also: 1441473
Whiteboard: [geckoview:fxr:p2] → [geckoview:fxr:p2][arm64:m3]
See Also: → 1550525

Looking at current numbers for arm64 Fennec 68 I don't see any specific 1MB aligned crashes. Closing this bug in favour of Bug 858032.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(sstangl)
Resolution: --- → INCOMPLETE