Open Bug 1862282 Opened 7 months ago Updated 7 months ago

Crash in [@ mozilla::Vector<T>::length | js::jit::AssemblerBuffer::size ]

Categories

(Core :: JavaScript Engine: JIT, defect, P5)

Other
All
defect

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/4427696d-6117-4549-8a5a-bedd70231029

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  mozilla::Vector<unsigned char,  const  mfbt/Vector.h:557
0  libxul.so  js::jit::AssemblerBuffer::size const  js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h:172
0  libxul.so  js::jit::X86Encoding::BaseAssembler::X86InstructionFormatter::size const  js/src/jit/x86-shared/BaseAssembler-x86-shared.h:6230
0  libxul.so  js::jit::X86Encoding::BaseAssembler::label  js/src/jit/x86-shared/BaseAssembler-x86-shared.h:4510
0  libxul.so  js::jit::AssemblerX86Shared::bind  js/src/jit/x86-shared/Assembler-x86-shared.h:1042
0  libxul.so  js::jit::OutOfLineCode::bind  js/src/jit/shared/CodeGenerator-shared.h:412
0  libxul.so  js::jit::CodeGeneratorShared::generateOutOfLineCode  js/src/jit/shared/CodeGenerator-shared.cpp:204
0  libxul.so  js::jit::CodeGeneratorX86Shared::generateOutOfLineCode  js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:530
1  libxul.so  js::jit::CodeGenerator::generate  js/src/jit/CodeGenerator.cpp:14085
1  libxul.so  js::jit::GenerateCode  js/src/jit/Ion.cpp:1556

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-10-01
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 3 out of 4 crashes happened on a null or near-null memory address
Component: General → JavaScript Engine
Component: JavaScript Engine → JavaScript Engine: JIT

This is a pretty generic signature. Some crashes are for the AssemblerBuffer vector, but this is one that's related to stencils:

https://crash-stats.mozilla.org/report/index/50cdd760-fdec-45ee-b4f2-e4f940231030

And one in the bytecode emitter:

https://crash-stats.mozilla.org/report/index/d87bbea6-aae2-4a95-8cf9-c44800231030

I'll file a bug about adding mozilla::Vector to the prefix list to split this signature up.

See Also: → 1862460
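The mechanism referred to above is crash-stats' signature generation: template arguments are collapsed to <T>, frames on an "irrelevant" list are dropped from the top of the stack, and frames on a "prefix" list are kept with the next frame appended, so adding mozilla::Vector<T>::length to the prefix list turns the single-frame bucket into "[@ mozilla::Vector<T>::length | js::jit::AssemblerBuffer::size ]". The following is an added, simplified model of that behaviour written for this page; it is not Socorro's own code and not code from this bug. The rule lists, the template arguments of the Vector frame (truncated in the report) and the second "stencil" stack are constructed for illustration, and the real implementation also handles sentinel frames, frame limits and further normalizations that are left out here.

```python
import re

# Constructed, abridged rule lists in the style of Socorro's signature
# configuration (the real lists are much longer). Each entry is a regular
# expression matched against the whole normalized frame name.
# "Irrelevant" frames are dropped from the top of the stack; "prefix" frames
# are kept, and the first non-prefix frame after them closes the signature.
IRRELEVANT_FRAMES = (
    r"__memcpy_avx_unaligned.*",
    r"mozalloc_abort.*",
    r"abort",
)

PREFIX_FRAMES_BEFORE = (
    r"js::jit::OutOfLineCode::bind",
)

# The same list with mozilla::Vector<T>::length added, i.e. the change
# proposed in the comment above.
PREFIX_FRAMES_AFTER = PREFIX_FRAMES_BEFORE + (
    r"mozilla::Vector<T>::length",
)


def collapse_templates(frame: str) -> str:
    """Replace every template argument list with <T>, as crash-stats does.

    Nesting is tracked by depth, so Foo<Bar<int>>::f becomes Foo<T>::f.
    Simplification: operator< / operator> are not special-cased.
    """
    out, depth = [], 0
    for ch in frame:
        if ch == "<":
            if depth == 0:
                out.append("<T>")
            depth += 1
        elif ch == ">":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def _matches(frame: str, rules) -> bool:
    return any(re.fullmatch(rule, frame) for rule in rules)


def generate_signature(frames, prefix_frames, irrelevant_frames=IRRELEVANT_FRAMES):
    """Build a "[@ a | b ]" signature from the crashing thread's frame names."""
    names = [collapse_templates(f) for f in frames]
    # Skip uninformative helper frames at the top of the stack.
    start = 0
    while start < len(names) and _matches(names[start], irrelevant_frames):
        start += 1
    if start == len(names):
        # Every frame is on the skip list (or the stack is empty): keep what
        # is there rather than producing an empty signature.
        start = 0
    parts = []
    for name in names[start:]:
        parts.append(name)
        if not _matches(name, prefix_frames):
            break  # the first non-prefix frame ends the signature
    if not parts:
        return "[@ ]"
    return "[@ " + " | ".join(parts) + " ]"


# Constructed stack modelled on the crashing thread in the report above; the
# Vector template arguments are an assumption (crash-stats truncates them).
CRASHING_THREAD = [
    "mozilla::Vector<unsigned char, 256ul, js::SystemAllocPolicy>::length",
    "js::jit::AssemblerBuffer::size",
    "js::jit::X86Encoding::BaseAssembler::X86InstructionFormatter::size",
    "js::jit::X86Encoding::BaseAssembler::label",
    "js::jit::AssemblerX86Shared::bind",
]

# Second constructed stack with hypothetical frame names that shares only the
# top frame: with the generic signature both stacks land in one bucket, after
# the prefix-list change they split.
STENCIL_THREAD = [
    "mozilla::Vector<js::frontend::StencilExample, 0ul, js::SystemAllocPolicy>::length",
    "js::frontend::StencilExample::lookup",
    "js::frontend::StencilExample::compile",
]

if __name__ == "__main__":
    for label, rules in (("before", PREFIX_FRAMES_BEFORE), ("after", PREFIX_FRAMES_AFTER)):
        print(label, generate_signature(CRASHING_THREAD, rules))
        print(label, generate_signature(STENCIL_THREAD, rules))
```

Before the prefix-list change both constructed stacks produce "[@ mozilla::Vector<T>::length ]"; afterwards the JIT stack yields the two-frame signature this bug was renamed to and the stencil stack gets its own. The practical check when triaging a generic signature is exactly this: feed the top frames of a few reports through the rules and see whether they still collapse into one bucket.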

The signature for the crash in the first comment is now [@ mozilla::Vector<T>::length | js::jit::AssemblerBuffer::size ]

Crash Signature: [@ mozilla::Vector<T>::length] → [@ mozilla::Vector<T>::length] [@ mozilla::Vector<T>::length | js::jit::AssemblerBuffer::size ]
Crash Signature: [@ mozilla::Vector<T>::length] [@ mozilla::Vector<T>::length | js::jit::AssemblerBuffer::size ] → [@ mozilla::Vector<T>::length]
Summary: Crash in [@ mozilla::Vector<T>::length] → Crash in [@ mozilla::Vector<T>::length | js::jit::AssemblerBuffer::size ]
Severity: -- → S3
Priority: -- → P4

Given the low volume of crashes (less than 10 per day), and the fact that this signature is so generic, I have a hard time believing that there is really anything to be fixed by us.

Severity: S3 → S4
Priority: P4 → P5

It looks like I somehow deleted the non-generic signature.

Crash Signature: [@ mozilla::Vector<T>::length] → [@ mozilla::Vector<T>::length] [@ mozilla::Vector<T>::length | js::jit::AssemblerBuffer::size ]