Closed Bug 1832825 Opened 2 years ago Closed 2 years ago

Intermittent crash in EntryTrampolineMap::updateScriptsAfterMovingGC

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox115 --- fixed

People

(Reporter: jrmuizel, Assigned: denispal)

Details

Attachments

(1 file)

Bug 1832825: Use BaseScript as the key for the entry trampoline map and always remove the entry during finalization. r=jonco!
48 bytes, text/x-phabricator-request
Details | Review

We see this intermittently while running with interpreter entry trampolines on Windows.

 7  xul.dll!js::jit::EntryTrampolineMap::updateScriptsAfterMovingGC() [InterpreterEntryTrampoline.cpp : 37 + 0x3a]
     rax = 0x4b4b4b4b4b4b4000    rdx = 0x0000000000001000
     rcx = 0x4b4b4b4b4b4b4b48    rbx = 0x000000e2bebfe0b0
     rsi = 0x000000e2bebfe060    rdi = 0x000000e2bebfe028
     rbp = 0x000000e2bebfe188    rsp = 0x000000e2bebfe000
      r8 = 0x0000000054f52ed8     r9 = 0x0000000054f52ed8
     r10 = 0x0000027208fbb4f0    r11 = 0x0000027208fb353c
     r12 = 0x000000e2bebfe2e0    r13 = 0x0000027205538500
     r14 = 0x00000272055163e0    r15 = 0x00000000bebfe201
     rip = 0x00007ff8706b2836
    Found by: given as instruction pointer in context
 8  xul.dll!js::gc::GCRuntime::updateRuntimePointersToRelocatedCells(js::gc::AutoGCSession&) [Compacting.cpp : 824 + 0x4]
     rbp = 0x000000e2bebfe188    rsp = 0x000000e2bebfe090
     rip = 0x00007ff86f72af52
    Found by: stack scanning
 9  xul.dll!js::gc::GCRuntime::compactPhase(JS::GCReason, js::SliceBudget&, js::gc::AutoGCSession&) [Compacting.cpp : 103 + 0xc]
Assignee: nobody → dpalmeiro

I think what's happening here is that an entry in the trampoline map ends up getting relazified and then finalized later, but during finalization we are only looking at scripts that have bytecode so we never remove it from the map and end up referencing a garbage pointer during updateScriptsAfterMovingGC().

Pushed by dpalmeiro@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b29d2d67b5c7 Use BaseScript as the key for the entry trampoline map and always remove the entry during finalization. r=jonco

https://hg.mozilla.org/mozilla-central/rev/b29d2d67b5c7

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox115: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: