1561921 - Crash in [@ js::InternalBarrierMethods<T>::preBarrier]

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect, P3)

Description

[Marcia Knous [:marcia]]

This bug is for crash report bp-01be5d2c-41b6-4813-b110-f30990190627.

Seen while looking at 68 beta crash stats. This crash is showing as a rising startup crash in the most current beta (b13) and the crash count seems almost as high as the crashes on Fennec release: https://bit.ly/2X96Ogx

The crashes on 68 have MOZ_CRASH(no missing return)

(50.00% in signature vs 02.66% overall) adapter_device_id = Mali-G71 [100.0% vs 08.85% if adapter_vendor_id = ARM]

Top 8 frames of crashing thread:

0 libxul.so js::InternalBarrierMethods<JS::Value>::preBarrier js/src/gc/Barrier.cpp:91
1 libxul.so SetExistingProperty js/src/vm/NativeObject.cpp:2863
2 libxul.so bool js::NativeSetProperty< js/src/vm/NativeObject.cpp:2908
3 libxul.so Interpret js/src/vm/Interpreter.cpp:2847
4 libxul.so js::RunScript js/src/vm/Interpreter.cpp:423
5 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:563
6 libxul.so js::fun_apply js/src/vm/JSFunction.cpp:1184
7  @0x75f7146bd0 

Comment 1

[Jon Coppeard (:jonco)]

This is some kind of heap corruption and not specifically GC related. It may be related to the Mali-G71 adapter (I don't know how prevalent these are).

Comment 2

[Nicolas B. Pierron [:nbp]]

One thing to note, among the crash address, we can notice:

• 23 (1.62%) crashes with the FREED_ARENA pattern.
• 2 (0.14%) crashes with the FRESH_TENURED pattern.

Not sure if this can help identify this issue better.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Closing because no crashes reported for 12 weeks.