1626328 - Crash in [@ js::wasm::WasmFrameIter::popFrame]

Status: RESOLVED DUPLICATE of bug 1624886

(Core :: JavaScript: WebAssembly, defect, P1)

Description

[Ryan VanderMeulen [:RyanVM]]

This bug is for crash report bp-bc466b1f-8548-4a37-8650-a8e810200331.

Seems to have been hanging around for awhile now, though there appears to have also been a more recent spike within the last month or so.

Top 10 frames of crashing thread:

0 xul.dll js::wasm::WasmFrameIter::popFrame js/src/wasm/WasmFrameIter.cpp:113
1 xul.dll js::JitFrameIter::operator++ js/src/vm/FrameIter.cpp:232
2 xul.dll InvalidateActivation js/src/jit/Ion.cpp:2402
3 xul.dll js::jit::Invalidate js/src/jit/Ion.cpp:2627
4 xul.dll js::jit::Invalidate js/src/jit/Ion.cpp:2718
5 xul.dll js::jit::CodeGenerator::link js/src/jit/CodeGenerator.cpp:10699
6 xul.dll js::jit::LinkIonScript js/src/jit/Ion.cpp:390
7 xul.dll js::jit::LazyLinkTopActivation js/src/jit/Ion.cpp:409
8  @0x27440b19 
9  @0x27d96b 

Comment 1

[Steven DeTar [:sdetar]]

This is possible better looked at by the Wasm team. Please move it back to JS if it is not.

Comment 2

[Lars T Hansen [:lth]]

Not much to go on, sadly, but we should look. Given the location of the crash it could indicate an improperly created frame (at the time when the traversal happen) or a buggy frame iterator.

Comment 3

[[:philipp]]

the signature is regressing volume during firefox 76. it also seems to have increased at the same time as another wasm signature in bug 1624886, so they may be related.

Comment 4

[[:philipp]]

the [@ js::JitFrameIter::operator++] signature started spiking up in the same time-frame and with the same reported urls (a handful of gaming sites), so i presume it's the same underlying issue.

Comment 5

[Ryan Hunt [:rhunt] (on leave until early May)]

I would also guess that this has the same underlying issue. I was getting this crash signature while debugging bug 1624886.