Closed Bug 1505857 Opened 6 years ago Closed 1 year ago

Firefox Crash: SIGSEGV in js::DecompressStringChunk

Categories

(Core :: JavaScript Engine, defect, P3)

63 Branch
x86
Linux
defect

Tracking


RESOLVED FIXED
114 Branch
Tracking Status
firefox114 --- fixed

People

(Reporter: andreadari91, Assigned: tcampbell)

Attachments

(1 file)

This bug was filed from the Socorro interface and is
report bp-9de0315f-2ee9-4557-8deb-e53390181108.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so js::DecompressStringChunk /build/firefox-v14lEw/firefox-63.0+build2/js/src/vm/Compression.cpp:267
1 libxul.so js::ScriptSource::chunkChars /build/firefox-v14lEw/firefox-63.0+build2/js/src/vm/JSScript.cpp:1598
2 libxul.so js::ScriptSource::chars /build/firefox-v14lEw/firefox-63.0+build2/js/src/vm/JSScript.cpp:1688
3 libxul.so js::ScriptSource::PinnedChars::PinnedChars /build/firefox-v14lEw/firefox-63.0+build2/js/src/vm/JSScript.cpp:1671
4 libxul.so JSFunction::createScriptForLazilyInterpretedFunction /build/firefox-v14lEw/firefox-63.0+build2/js/src/vm/JSFunction.cpp:1636
5 libxul.so JSFunction::createScriptForLazilyInterpretedFunction /build/firefox-v14lEw/firefox-63.0+build2/js/src/vm/JSFunction.h:536
6 libxul.so js::InternalCallOrConstruct /build/firefox-v14lEw/firefox-63.0+build2/js/src/vm/JSFunction.h:536
7 libxul.so js::CallFromStack /build/firefox-v14lEw/firefox-63.0+build2/js/src/vm/Interpreter.cpp:588
8 libxul.so DoCallFallback /build/firefox-v14lEw/firefox-63.0+build2/js/src/jit/BaselineIC.cpp:3608
9  @0x35bee55c 

=============================================================

Jan, 36% of these crashes have these assertions [1] being reported. As you investigated these assertions in the past (Bug 1305570), is there any way to get more information out of these crashes?

[1] https://searchfox.org/mozilla-central/rev/c035ee7d3a5cd6913e7143e1bce549ffb4a566ff/js/src/vm/Compression.cpp#250,256

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Severity: critical → S2
Severity: S2 → S3
Assignee: nobody → tcampbell
Status: NEW → ASSIGNED

This is a low volume release assert so user impact is not S2. I've put up a diagnostic patch to use volatile int ret so that the specific return code from zlib is preserved in crash reports.

It is also possible that these are just examples of memory corruption, since the zlib decoding would fail if the bytestream had issues. The actual return codes will help us better understand this, so it seems worth landing the diagnostic patch.
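The diagnostic pattern described in the comment above, as an added example that is not code from the bug, the patch, or SpiderMonkey: keep the decoder's return code in a `volatile int ret` local and copy it into a crash annotation before the release assert fires, so the specific code survives in the crash report and a corrupt-bytestream failure can be told apart from an output-buffer failure. zlib is replaced here by a constructed run-length chunk format (`decompress_chunk`), and the status codes, the `g_last_decompress_rc` annotation sink and the `abort_on_failure` switch are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status codes, numbered like zlib's for familiarity (constructed for this example). */
enum {
    CHUNK_OK = 0,
    CHUNK_DATA_ERROR = -3, /* stream is malformed: the "memory corruption" signal */
    CHUNK_BUF_ERROR = -5   /* output buffer too small: a caller-side sizing bug */
};

/* Hypothetical crash-annotation sink. In a real engine this would be written
 * to the crash reporter; here it is a global so tests can read it back. */
volatile int g_last_decompress_rc = CHUNK_OK;

/* Toy chunk format (constructed): a sequence of (count, byte) pairs.
 * A count of zero is never produced by the matching compressor, so a zero
 * run or an odd-length input means the bytes were damaged in storage. */
static int decompress_chunk(const uint8_t *in, size_t in_len,
                            uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t o = 0;
    if (in_len % 2 != 0)
        return CHUNK_DATA_ERROR; /* truncated pair */
    for (size_t i = 0; i < in_len; i += 2) {
        uint8_t count = in[i];
        if (count == 0)
            return CHUNK_DATA_ERROR; /* impossible run length */
        if (o + count > out_cap)
            return CHUNK_BUF_ERROR; /* caller under-sized the buffer */
        memset(out + o, in[i + 1], count);
        o += count;
    }
    *out_len = o;
    return CHUNK_OK;
}

/* The pattern from the bug: 'ret' is volatile so the optimizer must keep it
 * in memory (where a minidump captures it) instead of folding it into the
 * branch, and the value is also copied into the crash annotation before the
 * release assert. The code is returned so callers and tests can inspect it;
 * abort_on_failure selects whether the release assert actually aborts. */
int decompress_string_chunk(const uint8_t *in, size_t in_len,
                            uint8_t *out, size_t out_cap, size_t *out_len,
                            int abort_on_failure)
{
    volatile int ret = decompress_chunk(in, in_len, out, out_cap, out_len);
    g_last_decompress_rc = ret;
    if (ret != CHUNK_OK) {
        fprintf(stderr, "DecompressStringChunk failed: rc=%d\n", ret);
        if (abort_on_failure)
            abort(); /* release assert: crash with the code preserved */
    }
    return ret;
}

int main(void)
{
    /* Constructed inputs: a well-formed chunk and one with a damaged run length. */
    const uint8_t good[] = {3, 'a', 2, 'b'};
    const uint8_t corrupt[] = {3, 'a', 0, 'b'};
    uint8_t out[16];
    size_t n = 0;

    int rc = decompress_string_chunk(good, sizeof good, out, sizeof out, &n, 0);
    printf("good: rc=%d bytes=%zu text=%.*s\n", rc, n, (int)n, out);

    rc = decompress_string_chunk(corrupt, sizeof corrupt, out, sizeof out, &n, 0);
    printf("corrupt: rc=%d annotation=%d\n", rc, g_last_decompress_rc);
    return 0;
}
```

With a real minidump the annotated code is what lets a triager separate Z_DATA_ERROR-style failures (damaged bytes, possibly memory corruption) from Z_BUF_ERROR-style failures (a sizing bug in the caller), which the bare crash address in the original reports could not show.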

Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/738cafb0f0f3
Preserve return value when DecompressStringChunk crashes. r=nbp
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 114 Branch