Open Bug 1848152 Opened 2 years ago Updated 1 year ago

Crash in [@ mozilla::Span<T>::operator[]] with Stencil

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- affected
firefox116 + wontfix
firefox117 + wontfix
firefox118 - wontfix
firefox119 --- affected

People

(Reporter: aryx, Assigned: arai)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

~120 crash reports for Firefox 116.0.x so far (where we accept 10% of the crash reports) vs ~520 for 115.1.0esr (where 100% of submissions get accepted). >40% in the first minute after startup, 75% with 64-bit.

Crash report: https://crash-stats.mozilla.org/report/index/cf028109-caa8-4b8b-adcc-db0a10230810

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(idx < storage_.size())

Top 10 frames of crashing thread:

0  xul.dll  AnnotateMozCrashReason  mfbt/Assertions.h:43
0  xul.dll  mozilla::Span<JS::GCCellPtr, 18446744073709551615>::operator[] const  mfbt/Span.h:734
0  xul.dll  js::frontend::EmitScriptThingsVector  js/src/frontend/BytecodeSection.cpp:72
0  xul.dll  js::PrivateScriptData::InitFromStencil  js/src/vm/JSScript.cpp:2293
0  xul.dll  JSScript::fullyInitFromStencil  js/src/vm/JSScript.cpp:2417
0  xul.dll  JSScript::fromStencil  js/src/vm/JSScript.cpp:2511
1  xul.dll  InstantiateScriptStencils  js/src/frontend/Stencil.cpp:2085
1  xul.dll  js::frontend::CompilationStencil::instantiateStencilAfterPreparation  js/src/frontend/Stencil.cpp:2481
1  xul.dll  js::frontend::CompilationStencil::instantiateStencils  js/src/frontend/Stencil.cpp:2414
2  xul.dll  js::frontend::InstantiateStencils  js/src/frontend/BytecodeCompiler.cpp:440

This signature is not good. It should get added to the prefix list.

These crashes look like script/stencil things and not the GC.

Component: JavaScript: GC → JavaScript Engine
Summary: Crash in [@ mozilla::Span<T>::operator[]] → Crash in [@ mozilla::Span<T>::operator[]] with Stencil

The bug is marked as tracked for firefox116 (release), tracked for firefox117 (beta) and tracked for firefox118 (nightly). We have limited time to fix this, the soft freeze is in 13 days. However, the bug still isn't assigned.

:sdetar, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(sdetar)

:arai, could you take a look at this bug?

Flags: needinfo?(sdetar) → needinfo?(arai.unmht)
Depends on: 1848369

bug 1848369 will add yet another check for data corruption

Flags: needinfo?(arai.unmht)

We are adding a checksum in bug 1848369 which may take care of this. I will give this S3/P3 for now.

Severity: -- → S3
Priority: -- → P3

bug 1848369 patch is applied to central, beta, and esr115.
so far nightly and beta see no crash in recent builds.

Keep in mind that the signature has changed. For instance, the original crash would apparently now be [@ js::frontend::EmitScriptThingsVector ].

Crash Signature: [@ mozilla::Span<T>::operator[]] → [@ mozilla::Span<T>::operator[]] [@ js::frontend::EmitScriptThingsVector ]

just to make sure, can you tell me how EmitScriptThingsVector is considered the changed signature?

to my understanding, EmitScriptThingsVector is another pre-existing issue.

Flags: needinfo?(continuation)

I looked at the crash in comment 0 and it says "Signature generation has changed since this was processed. New signature would be: [@ js::frontend::EmitScriptThingsVector ]". Feel free to remove the signature if you think it isn't applicable for this bug.

Flags: needinfo?(continuation)

Also, the signature changed because in bug 1848162 aryx added mozilla::Span<T> to the skip list for signature generation.

See Also: → 1848162

oh, indeed. I misunderstood the meaning of "change". (I thought it's about a change somehow caused by the bug 1848369 patch)
thank you for pointing that out.

I'll track the EmitScriptThingsVector crashes.

Sorry, I could have been more explicit about the cause of the signature change in my initial comment.

Looks like we've got some EmitScriptThingsVector crash reports coming in from 117.0 and 115.2esr. Maybe we want to track those in a new bug, though.

Flags: needinfo?(arai.unmht)

As noted in the previous comment, bug 1848369 significantly reduced the crash volume here, but didn't fully eliminate it. I don't think we need to actively track this anymore given the new volume, however.

status-firefox117: fixedwontfix
status-firefox118: fixedfix-optional
status-firefox119: --- → affected
tracking-firefox118: +-
tracking-firefox-esr115: 117+?

let's keep using this bug to track the crash itself, but given the crash volume is reduced to the amount before the increase, which is long standing crash around the disk cache corruption, we don't need to track this for the next release.

Flags: needinfo?(arai.unmht)
You need to log in before you can comment on or make changes to this bug.