Closed Bug 1536159 Opened 8 months ago Closed 6 months ago

Crash in [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::TypeZone::addPendingRecompile]

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86
Windows 10
defect

RESOLVED FIXED
Tracking Status
firefox-esr60 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: marcia, Assigned: tcampbell)

Details

(Keywords: crash, regression)

Attachments

(1 file)

This bug is for crash report bp-e45b6bc4-b466-4fa0-8c96-ab3660190318.

Seen while looking at release and beta crash stats - this crash has been around and is sometimes in the top 25 crashes: https://bit.ly/2YeK6Fs. We shall see where it ends up after we release 66.

High correlation to Win 7 - (80.95% in signature vs 46.36% overall) platform_pretty_version = Windows 7

Some of the comments mention repeatedly crashing.

Top 10 frames of crashing thread:

0 xul.dll js::AutoEnterOOMUnsafeRegion::crash js/src/vm/JSContext.cpp:1487
1 xul.dll js::TypeZone::addPendingRecompile js/src/vm/TypeInference.cpp
2 xul.dll void `anonymous namespace'::TypeConstraintFreezeStack::newType js/src/vm/TypeInference.cpp:1466
3 xul.dll js::ConstraintTypeSet::addType js/src/vm/TypeInference.cpp:766
4 xul.dll js::TypeScript::SetThis js/src/vm/TypeInference-inl.h:776
5 xul.dll static bool js::jit::DoTypeMonitorFallback js/src/jit/BaselineIC.cpp:1425
6 xul.dll trunc 
7  @0x159b5e26 
8  @0x5bef7ce7 
9  @0x159006aa 

Steven, this is a moderately high volume crash, can you find someone to investigate?

Flags: needinfo?(sdetar)

Ted, could you help me find someone to look at this. Would this be appropriate for Iain to look at (possibly OOM related?)?

Flags: needinfo?(sdetar) → needinfo?(tcampbell)

Record the size of allocation in crashreporter to determine if these are
genuine small OOM or if something problematic has happened.

These look like just small-OOM, but I'll land a diagnostic patch to confirm.

Assignee: nobody → tcampbell
Flags: needinfo?(tcampbell)
Priority: -- → P1
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ccc1a9b4ea13
Crash diagnostic for js::TypeZone::addPendingRecompile. r=jwalden
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Reopening since the patch is just adding diagnostics.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla68 → ---

Ted, were you able to find out more about these crashes since the last landing?

Flags: needinfo?(tcampbell)

Comment on attachment 9054064 [details]
Bug 1536159 - Crash diagnostic for js::TypeZone::addPendingRecompile. r?jwalden

Beta/Release Uplift Approval Request

  • Feature/Bug causing the regression: None
  • User impact if declined: This is a diagnostic patch to determine if crashes we are seeing in release are real issues or just users running out of memory. Crash rate on nightly is very low so we can either let this ride the trains for another month or uplift now and possibly be able to take action this cycle. Note that the most likely result is that this will be a normal small-OOM that we do nothing about.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk. Has been on nightly for a week and the patch simply captures an integer in the existing forced-crash operation.
  • String changes made/needed:
Flags: needinfo?(tcampbell)
Attachment #9054064 - Flags: approval-mozilla-beta?

Comment on attachment 9054064 [details]
Bug 1536159 - Crash diagnostic for js::TypeZone::addPendingRecompile. r?jwalden

Diagnostic patch on beta to investigate a crash, approved for 67 beta 10, thanks.

Attachment #9054064 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

The result of the diagnostic is that the OOM|unknown are now classified as OOM|small and fall into the general OOM|small bucket. I'm not sure it makes sense to have any targeted fix here as this is risky code.

Closing as fixed due to the reclassifying as OOM|small.

Status: REOPENED → RESOLVED
Closed: 7 months ago → 6 months ago
Resolution: --- → FIXED