Open Bug 1686432 Opened 4 years ago Updated 3 years ago

Crash in [@ js::jit::ICEntry::trace]

Categories

(Core :: JavaScript Engine: JIT, defect, P5)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

People

(Reporter: sg, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, stalled)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/e652eb69-d3b6-42ee-96d4-1ab7d0210112

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(traceMagic_ == EXPECTED_TRACE_MAGIC)

Top 10 frames of crashing thread:

0 xul.dll js::jit::ICEntry::trace js/src/jit/BaselineIC.cpp:199
1 xul.dll js::jit::ICScript::trace js/src/jit/JitScript.cpp:203
2 xul.dll js::jit::InliningRoot::trace js/src/jit/TrialInlining.cpp:715
3 xul.dll js::GCMarker::processMarkStackTop js/src/gc/Marking.cpp:1936
4 xul.dll js::GCMarker::markUntilBudgetExhausted js/src/gc/Marking.cpp:1784
5 xul.dll js::gc::GCRuntime::incrementalSlice js/src/gc/GC.cpp:6851
6 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7320
7 xul.dll js::gc::GCRuntime::collect js/src/gc/GC.cpp:7523
8 xul.dll JS::IncrementalGCSlice js/src/gc/GC.cpp:8496
9 xul.dll static nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:1094

This was first reported for build id 20201122093438.

traceMagic_ is initialized when we create the array of ICEntries in the ICScript, which is owned by a UniquePtr in the InliningRoot, so if we don't see the expected value, some memory somewhere has been clobbered.

Given the fairly low frequency, this is very likely to be hardware failure / random bitflips.

I don't think this is actionable.

Severity: -- → S4
Keywords: stalled
Priority: -- → P5
You need to log in before you can comment on or make changes to this bug.