Closed Bug 1842035 Opened 2 years ago Closed 2 years ago

Crash in [@ js::jit::CacheRegisterAllocator::addressOf]

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
Unspecified
Android
Type:
defect

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox115 --- wontfix

People

(Reporter: cpeterson, Unassigned)

Details

(Keywords: crash)

Crash Data

This JIT crashes first appeared in 115. All of the crashes are on Android (except for a shutdown hang in CacheRegisterAllocator::addressOf on desktop that's probably unrelated: bp-319bb278-3c43-408b-8f13-e610d0230615).

Crash report: https://crash-stats.mozilla.org/report/index/0a931803-e166-4282-b872-f2dfb0230702

Reason: SIGSEGV / SEGV_MAPERR

Top 2 frames of crashing thread:

0  libxul.so  js::jit::CacheRegisterAllocator::addressOf const  js/src/jit/BaselineCacheIRCompiler.cpp:50
0  libxul.so  js::jit::BaselineCacheIRCompiler::updateArgc  js/src/jit/BaselineCacheIRCompiler.cpp:2586

All 256 of the crash reports we've received so far are from one user, so they might just have some bad hardware.

There is nothing in CacheRegisterAllocator::addressOf that could reasonably crash. It's not dereferencing any pointers; it's just doing some math. I can't get breakpad to give me arm disassembly, but since every crash was from the same user, it seems very likely that their binary was corrupted somehow.

Nothing we can do here.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.