Open Bug 1801916 Opened 2 years ago Updated 9 months ago

Crash in [@ js::frontend::ParseNode::getKind]

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- affected
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox115 --- wontfix
firefox116 --- fix-optional
firefox117 --- fix-optional

People

(Reporter: aryx, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, topcrash)

Crash Data

Not a new signature, e.g. ~100 crashes for Firefox 106.0.x builds.

Crash report: https://crash-stats.mozilla.org/report/index/703b9a12-7f69-45cf-a26e-7f3dc0221119

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  js::frontend::ParseNode::getKind const  js/src/frontend/ParseNode.h:746
0  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit  js/src/frontend/ParseNodeVisitor.h:116
1  xul.dll  js::frontend::ListNode::accept  js/src/frontend/ParseNode.h:1234
1  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visitObjectExpr  js/src/frontend/ParseNodeVisitor.h:134
1  xul.dll  FoldVisitor::visitObjectExpr  js/src/frontend/FoldConstants.cpp:1553
1  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit  js/src/frontend/ParseNodeVisitor.h:120
2  xul.dll  js::frontend::ListNode::accept  js/src/frontend/ParseNode.h:1234
2  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visitArguments  js/src/frontend/ParseNodeVisitor.h:134
2  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit  js/src/frontend/ParseNodeVisitor.h:120
3  xul.dll  js::frontend::ListNode::accept  js/src/frontend/ParseNode.h:1230

15% of the reports matching ParseNode::getKind are reporting a failure in the following assertions:

    JS_PARSE_NODE_ASSERT(ParseNodeKind::Start <= pn_type);
    JS_PARSE_NODE_ASSERT(pn_type < ParseNodeKind::Limit);

Arai, would this suggest anything actionable?
If not, I guess we can mark this bug as stalled.

Blocks: sm-defects-crashes, sm-frontend
Severity: -- → S4
Flags: needinfo?(arai.unmht)
Priority: -- → P3

So far I don't find anything specifically.

there's no trend for the context within multiple reports:

  • expected parse node kind
  • surrounding structure
  • compilation phase (constant folding, name resolve, bytecode emitter)

except that, almost all reports are for helper thread.

Flags: needinfo?(arai.unmht)

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 content process crashes on beta

:sdetar, could you consider increasing the severity of this top-crash bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sdetar)
Keywords: topcrash
Flags: needinfo?(sdetar)

The bug is linked to a topcrash signature, which matches the following criteria:

  • Top 20 desktop browser crashes on release (startup)
  • Top 10 content process crashes on beta
  • Top 10 content process crashes on release

:sdetar, could you consider increasing the severity of this top-crash bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sdetar)
Keywords: topcrash-startup
Flags: needinfo?(sdetar)

We have some PHC failures for this signature: https://crash-stats.mozilla.org/report/index/b5bfc963-9e06-405b-b7b4-297690230421 for example

Flags: needinfo?(gsvelto)

I couldn't find one even looking back 6 months :(

Flags: needinfo?(gsvelto)

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash-startup

most of recent crashes happens in FoldConstants.cpp.
I'll look into it

Flags: needinfo?(arai.unmht)

Sorry for removing the keyword earlier but there is a recent change in the ranking, so the bug is again linked to a topcrash signature, which matches the following criteria:

  • Top 20 desktop browser crashes on release (startup)
  • Top 10 content process crashes on release

For more information, please visit BugBot documentation.

Keywords: topcrash-startup
Flags: needinfo?(arai.unmht)
Flags: needinfo?(arai.unmht)
Flags: needinfo?(arai.unmht)

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash-startup
You need to log in before you can comment on or make changes to this bug.