1529302 - Crash in [@ js::jit::JSJitProfilingFrameIterator::JSJitProfilingFrameIterator]

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine: JIT, defect, P2)

Description

[Andrew Overholt [:overholt]]

This bug is for crash report bp-1ac7566e-cc35-4d36-b8ff-981050190220.

Top 9 frames of crashing thread:

0 xul.dll js::jit::JSJitProfilingFrameIterator::JSJitProfilingFrameIterator js/src/jit/JSJitFrameIter.cpp:479
1 xul.dll JS::ProfilingFrameIterator::ProfilingFrameIterator js/src/vm/Stack.cpp:1793
2 xul.dll JS::ProfilingFrameIterator::ProfilingFrameIterator js/src/vm/Stack.cpp:1793
3 xul.dll static void MergeStacks tools/profiler/core/platform.cpp:1048
4 xul.dll static void DoSharedSample tools/profiler/core/platform.cpp:1570
5 xul.dll static unsigned int ThreadEntry tools/profiler/core/platform-win32.cpp:178
6 ucrtbase.dll thread_start<unsigned int > 
7 kernel32.dll BaseThreadInitThunk 
8 ntdll.dll RtlUserThreadStart 

Comment 1

[Marcia Knous [:marcia]]

12 crashes/2 installs from the 2-19 build.

Comment 2

[(Away)]

The other installation was Anthony.

Glad to see that crash reporting is at least partially working now!

Comment 3

[Ted Campbell [:tcampbell]]

I wonder if this is related at all to Bug 1506329, Bug 1513897.

Comment 4

[(Away)]

At line 473 we set fp_ to some inaccessible piece of memory: https://hg.mozilla.org/mozilla-central/annotate/dd4aa59c6a1271cbf6ca10813d73f62e7cb072d5/js/src/jit/JSJitFrameIter.cpp#l473

Then the tryInitWithPc at 479 calls frameScript() which eventually derefs fp_.

Are we sure that the MOZ_ASSERT(cx->profilingActivation()->isJit()); would have succeeded if this were a debug build?

Comment 5

[Nicolas B. Pierron [:nbp]]

Moving to P2 as we would look at crashes issues after fuzz-bugs unless they are high volume.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Closing because no crashes reported for 12 weeks.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug is a regression, but please revert this change in case of error.