Open Bug 1859381 Opened 8 months ago Updated 7 months ago

Crash in [@ js::wasm::Instance::callExport]

Categories

(Core :: JavaScript: WebAssembly, defect, P2)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr115 --- affected
firefox118 --- wontfix
firefox119 --- wontfix
firefox120 --- affected

People

(Reporter: RyanVM, Assigned: rhunt)

References

Details

(Keywords: crash)

Crash Data

Seems to be happening primarily on Fenix, but there are some Desktop occurrences as well.

Crash report: https://crash-stats.mozilla.org/report/index/3eaebb34-e4da-4473-9cbf-6e6b70231016

Reason: SIGSEGV / SEGV_MAPERR

Top 2 frames of crashing thread:

0  ?  @0x50e44064  
1  libxul.so  js::wasm::Instance::callExport  js/src/wasm/WasmInstance.cpp:2644

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash

This appears to be mostly arm32, with a bit of arm64, x32 and x64.

See Also: → 1855425

Looking at the trends, it's hard to tell if this was a 118 specific issue or if the release of 119 will cause this to spike up in that version. Crash reports are hard to tell what's going on and I need to re-up my protected data access to dig in deeper. Doing that now.

From sampling random reports, the crash seems to be happening in a JIT frame immediately below the Instance::callExport. This would be our 'interpreter entry stub'. It'd be really useful to know what instruction is failing. Most of the address violations are relatively near 0.

Assignee: nobody → rhunt
Severity: -- → S2
Priority: -- → P1

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash
Severity: S2 → S3
Priority: P1 → P2
You need to log in before you can comment on or make changes to this bug.