Closed Bug 1559455 Opened 6 years ago Closed 6 years ago

Crash in [@ js::jit::DoGetNameFallback]

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox68 --- unaffected
firefox69 --- affected

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

This bug is for crash report bp-98b82752-09d0-4b23-904d-27bfc0190614.

Seen while looking at nightly crash stats. Crashes started in 20190613095633: https://bit.ly/2F6TAKH. 20 crashes/13 installations

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e7e81a32c2ab11f089f9c53eab71da94902f8e6d&tochange=e93ecdda786c4e168323b099ec38c5f098bc1911

Bug 1467191/ ni on Adam

Top 10 frames of crashing thread:

0  @0x1c28fe8b4f0 
1 xul.dll js::jit::DoGetNameFallback js/src/jit/BaselineIC.cpp:2649
2  @0x25c84fc7935 
3 xul.dll round 
4 xul.dll js::EmptyShape::getInitialShape js/src/vm/Shape.cpp:2190
5  @0x673b7fa897 
6 xul.dll js::jit::MaybeEnterJit js/src/jit/Jit.cpp:195
7 xul.dll js::RunScript js/src/vm/Interpreter.cpp:410
8 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:568
9 xul.dll static bool InternalConstruct js/src/vm/Interpreter.cpp:641
Flags: needinfo?(asorholm)

I'm taking a look at this right now. Here are failures from the try build which are probably related:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=766ed15660316d84a96de5491163e79ebf61748e&selectedJob=251566555

https://treeherder.mozilla.org/#/jobs?repo=try&revision=766ed15660316d84a96de5491163e79ebf61748e&selectedJob=251572273

@Matt ideas?

Flags: needinfo?(asorholm) → needinfo?(mgaudet)
Regressed by: 1467191

I reran the jobs from the failures in the build I posted above. The Windows 10 x64 debug job passed, https://treeherder.mozilla.org/#/jobs?repo=try&revision=766ed15660316d84a96de5491163e79ebf61748e&selectedJob=251923469. The Windows 7 debug job failed due to max run time exceeded, but of 20 similar jobs, 5 failed that job for the same reason. It looks like the failures are intermittent and unrelated to my patch.

Flags: needinfo?(mgaudet)

Adam and I have looked into the crash stats a little. I am confident that this was not caused by Bug 1467191.

Observations:

  1. The signature is only detected via scan. The crash appears to be in jitcode, but DoGetNameFallback does not call into the JIT directly, so it doesn't make sense as a signature.

  2. 100% of the crashes occur on AMD Ryzen (family 23 model 1 stepping 1), vs 1.72% overall.

  3. So far, there don't appear to be any crashes with this signature in any more recent build id. It seems like there was a temporary spike in one build, and then it went away.

None of this is consistent with Adam's patch, which just refactored existing code. It's worth leaving this bug open for a few days to see if we get more data, but as it stands I don't think there's anything actionable here.

Priority: -- → P3
No longer regressed by: 1467191

Thanks Iain - It appears this was a one day spike. Interestingly enough there are other JS signatures in that same build, in this query https://bit.ly/2ZrqKwA that also had a one day spike. https://bit.ly/31Cs6Xl is one other example that I saw during nightly triage.

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Resolving this one as WFM. The spike in 69 is gone, and even though there are other crashes on other branches they aren't related to the one day spike that I saw.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.