Open Bug 1561921 Opened 5 years ago Updated 1 year ago

Crash in [@ js::InternalBarrierMethods<T>::preBarrier]

Categories

(Core :: JavaScript Engine, defect, P3)

68 Branch
Unspecified
Android
defect

Tracking

Tracking Status
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- fix-optional

People

(Reporter: marcia, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, Whiteboard: [#jsapi:crashes-retriage])

Crash Data

This bug is for crash report bp-01be5d2c-41b6-4813-b110-f30990190627.

Seen while looking at 68 beta crash stats. This crash is showing as a rising startup crash in the most current beta (b13) and the crash count seems almost as high as the crashes on Fennec release: https://bit.ly/2X96Ogx

The crashes on 68 have MOZ_CRASH(no missing return)

(50.00% in signature vs 02.66% overall) adapter_device_id = Mali-G71 [100.0% vs 08.85% if adapter_vendor_id = ARM]

Top 8 frames of crashing thread:

0 libxul.so js::InternalBarrierMethods<JS::Value>::preBarrier js/src/gc/Barrier.cpp:91
1 libxul.so SetExistingProperty js/src/vm/NativeObject.cpp:2863
2 libxul.so bool js::NativeSetProperty< js/src/vm/NativeObject.cpp:2908
3 libxul.so Interpret js/src/vm/Interpreter.cpp:2847
4 libxul.so js::RunScript js/src/vm/Interpreter.cpp:423
5 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:563
6 libxul.so js::fun_apply js/src/vm/JSFunction.cpp:1184
7  @0x75f7146bd0 

This is some kind of heap corruption and not specifically GC related. It may be related to the Mali-G71 adapter (I don't know how prevalent these are).

Component: JavaScript: GC → JavaScript Engine

One thing to note: among the crash addresses, we can notice:

  • 23 (1.62%) crashes with the FREED_ARENA pattern.
  • 2 (0.14%) crashes with the FRESH_TENURED pattern.

Not sure if this can help identify this issue better.

Priority: -- → P3
Whiteboard: [#jsapi:crashes-retriage]
Severity: critical → S2

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3