Delazification Crashes, loading immutableFlags_ off null (0x38 crashes)
Component: Core :: JavaScript Engine, defect, P3
People: Reporter: aryx, Assigned: tcampbell
References: Blocks 1 open bug
Keywords: crash
Attachments: 1 file
Pre-existing crash, but frequency increased for Firefox 88 (already 62 crashes vs. 53 for the whole Firefox 87 cycle).
Crash report: https://crash-stats.mozilla.org/report/index/1675336d-9266-4288-bfec-507080210427
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementListItem js/src/frontend/Parser.cpp:8888
1 xul.dll js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::functionFormalParametersAndBody js/src/frontend/Parser.cpp:3461
2 xul.dll js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::standaloneLazyFunction js/src/frontend/Parser.cpp:3326
3 xul.dll js::frontend::DelazifyCanonicalScriptedFunction js/src/frontend/BytecodeCompiler.cpp:1145
4 xul.dll static JSFunction::delazifyLazilyInterpretedFunction js/src/vm/JSFunction.cpp:1548
5 xul.dll static JSFunction::getOrCreateScript js/src/vm/JSFunction.h:406
6 xul.dll static JSFunction::delazifyLazilyInterpretedFunction js/src/vm/JSFunction.cpp:1536
7 xul.dll Interpret js/src/vm/Interpreter.cpp:3260
8 xul.dll js::ExecuteKernel js/src/vm/Interpreter.cpp:776
9 xul.dll js::Execute js/src/vm/Interpreter.cpp:808
Comment 1•3 years ago
A good chunk of these are at offset 0x38 (56). A repeated theme of the parser crashes is the crashing lines calling pos().begin.
Comment 4•3 years ago
See analysis in Bug 1706429, Comment 9.
Comment 9•3 years ago
So in Bug 1706429, Comment 9, my analysis led me to a JSFunction in the skipped-inner-function list that seems to report having a BaseScript according to Function flags, but has nullptr in the union.
Arai: This seems relevant to your delazification work; not sure if the above gives you any hypotheses.
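Comments 1 and 9 together describe the mechanism: a JSFunction whose flags claim a BaseScript while the union holds nullptr, followed by a load of immutableFlags_ through that null pointer, so the faulting read lands at the field's offset (0x38). The following is an added example written for this page, not SpiderMonkey code. ModelBaseScript, ModelFunction, the HAS_BASE_SCRIPT bit, the 0x38 bytes of padding and the sample values are all assumptions chosen to reproduce the arithmetic; they are not the engine's real layout or flag set. It shows why a null-object load reports the member offset as the crash address, and how a checked accessor turns the inconsistent "ghost" function into a reportable status instead of an access violation.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical model of a script object. The leading 0x38 bytes are padding
// chosen so that immutableFlags_ sits at offset 0x38, the offset seen in this
// bug's crash reports; the real BaseScript layout is not reproduced here.
struct ModelBaseScript {
    unsigned char preceding_[0x38];
    uint32_t immutableFlags_;
};
static_assert(offsetof(ModelBaseScript, immutableFlags_) == 0x38,
              "model layout must place immutableFlags_ at 0x38");

// Hypothetical function flag; only the bit relevant here is modelled.
enum ModelFunctionFlags : uint16_t {
    HAS_BASE_SCRIPT = 1u << 0,
};

// Hypothetical model of a function: a flags word plus a union, the shape
// comment 9 describes (flags say "has BaseScript", union holds nullptr).
struct ModelFunction {
    uint16_t flags_;
    union {
        ModelBaseScript* script_;   // meaningful only when HAS_BASE_SCRIPT is set
        void* native_;
    } u_;
    bool hasBaseScript() const { return (flags_ & HAS_BASE_SCRIPT) != 0; }
};

// Address that "load immutableFlags_ from script_" would touch, computed
// arithmetically so a null pointer is safe to feed in. With script_ == nullptr
// this is exactly offsetof(...) == 0x38, which is why the reports cluster there.
uintptr_t faultingAddressOfImmutableFlagsLoad(const ModelFunction& fn) {
    return reinterpret_cast<uintptr_t>(fn.u_.script_) +
           offsetof(ModelBaseScript, immutableFlags_);
}

enum class DelazifyStatus { Ok, NoScript, GhostFunction };

// Unchecked shape: trust the flag, then dereference. Never call this on the
// ghost sample below; it would read address 0x38 and crash.
uint32_t immutableFlagsUnchecked(const ModelFunction& fn) {
    assert(fn.hasBaseScript());
    return fn.u_.script_->immutableFlags_;
}

// Checked shape: verify the invariant the flags promise before the load.
// A function whose flags claim a script but whose union is nullptr is
// reported as a ghost instead of faulting.
DelazifyStatus immutableFlagsChecked(const ModelFunction& fn, uint32_t* out) {
    if (!fn.hasBaseScript()) return DelazifyStatus::NoScript;
    if (fn.u_.script_ == nullptr) return DelazifyStatus::GhostFunction;
    *out = fn.u_.script_->immutableFlags_;
    return DelazifyStatus::Ok;
}

// Triage helper: map a faulting read address from a crash report to the field
// it lands on in the model type. Returns nullptr when no field matches.
const char* fieldAtFaultOffset(uintptr_t addr) {
    if (addr == offsetof(ModelBaseScript, immutableFlags_)) {
        return "ModelBaseScript::immutableFlags_";
    }
    return nullptr;
}

// Constructed samples (not data from the bug): one consistent function and one
// ghost whose flags and union disagree.
static ModelBaseScript g_realScript{{}, 0xABCD1234u};
ModelFunction makeGoodFunction() {
    return ModelFunction{uint16_t(HAS_BASE_SCRIPT), {&g_realScript}};
}
ModelFunction makeGhostFunction() {
    return ModelFunction{uint16_t(HAS_BASE_SCRIPT), {nullptr}};
}

int main() {
    ModelFunction ghost = makeGhostFunction();
    uintptr_t addr = faultingAddressOfImmutableFlagsLoad(ghost);
    std::printf("null-script load would fault at 0x%llx (%s)\n",
                (unsigned long long)addr, fieldAtFaultOffset(addr));
    uint32_t flags = 0;
    DelazifyStatus st = immutableFlagsChecked(ghost, &flags);
    std::printf("checked accessor on ghost: %s\n",
                st == DelazifyStatus::GhostFunction ? "GhostFunction" : "other");
    st = immutableFlagsChecked(makeGoodFunction(), &flags);
    std::printf("checked accessor on good function: Ok=%d flags=0x%x\n",
                st == DelazifyStatus::Ok, flags);
    return 0;
}
```

The triage step generalises beyond this model: when a read access violation reports a small address, compare it against the member offsets of the types in the crashing frame (from the build's debug info) rather than treating it as a random pointer; a match identifies both the object that was null and the field the code was after.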
Comment 11•3 years ago
Hello,
For what it's worth, my crashes of yesterday (→ bug1705761) are solved by the update from 89.0b13 to 89.0b14 (Firefox DevEdition, Linux).
Cheers,
Florent
Comment 12•3 years ago (Assignee)
(In reply to Florent Fayolle from comment #11)
> Hello,
> For what it's worth, my crashes of yesterday (→ bug1705761) are solved by the update from 89.0b13 to 89.0b14 (Firefox DevEdition, Linux).
> Cheers,
> Florent
Thanks for the update. Nothing relevant changed between those versions, which suggests what changed was the cache file being cleared on update, and there is a risk the issue will reappear :(
Comment 13•3 years ago
Had another crash just now: https://crash-stats.mozilla.org/report/index/0c096d1e-31c5-4c91-b757-ecc230210520
This time it had nothing to do with dev-tools, but it still happened when executing JavaScript. It was solved again by SHIFT-reloading the page (and all scripts).
Comment 14•3 years ago (Assignee)
These placeholder functions should not be exposed to the debugger. This adds a
few more early-returns to parts of the debugger that might leak. Also add a
diagnostic assert to delazification to get more meaningful stack traces. This is
an investigation and I do not have a concrete testcase that produces crashes.
Comment 15•3 years ago
Pushed by tcampbell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/725361ac47bc
Prevent debugger exposing "ghost" functions. r=arai
Comment 16•3 years ago
bugherder
Comment 18•3 years ago
Given that the patch on this bug seems to have ameliorated the problem, should we consider uplift? Just duped Bug 1717480, which was on release, here.
Comment 19•2 years ago
The leave-open keyword is there and there is no activity for 6 months.
:tcampbell, maybe it's time to close this bug?
For more information, please visit auto_nag documentation.
Comment 20•2 years ago
The severity field for this bug is relatively low, S3. However, the bug has 6 duplicates.
:tcampbell, could you consider increasing the bug severity?
For more information, please visit auto_nag documentation.
Comment 21•2 years ago
The leave-open keyword is there and there is no activity for 6 months.
:tcampbell, maybe it's time to close this bug?
For more information, please visit auto_nag documentation.