Open Bug 1864305 Opened 7 months ago Updated 7 months ago

Crash in [@ js::jit::X86Encoding::BaseAssembler::assertValidJmpSrc]

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Other
Windows
defect

Tracking Status
firefox121 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 3 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/f1201fc3-c133-43ac-9664-3c4af0231014

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(size_t(src.offset()) <= size())

Top 10 frames of crashing thread:

0  xul.dll  AnnotateMozCrashReason  mfbt/Assertions.h:46
0  xul.dll  js::jit::X86Encoding::BaseAssembler::assertValidJmpSrc  js/src/jit/x86-shared/BaseAssembler-x86-shared.h:4576
0  xul.dll  js::jit::X86Encoding::BaseAssembler::setNextJump  js/src/jit/x86-shared/BaseAssembler-x86-shared.h:4607
0  xul.dll  js::jit::AssemblerX86Shared::retarget  js/src/jit/x86-shared/Assembler-x86-shared.h:1078
0  xul.dll  js::jit::BailoutLabel::operator const  js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:574
0  xul.dll  js::jit::CodeGeneratorX86Shared::bailout  js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:589
0  xul.dll  js::jit::CodeGeneratorX86Shared::bailoutFrom  js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:607
1  xul.dll  js::jit::CodeGenerator::visitGuardNullOrUndefined  js/src/jit/CodeGenerator.cpp:4958
1  xul.dll  js::jit::CodeGenerator::generateBody  js/src/jit/CodeGenerator.cpp:7380
2  xul.dll  js::jit::CodeGenerator::generate  js/src/jit/CodeGenerator.cpp:14231

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-09-30
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: No

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine: JIT' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine: JIT

I took a look at the last week of crashes (28 total). At first I was interested to note that 8 of the crashes were inside generateRegExpSearcherStub, which might point to a real issue, but it turns out that 7 of those crashes were from a single broken installation of Thunderbird.

Beyond that, I don't see any particularly interesting pattern here.

Severity: -- → S4
Priority: -- → P3
Blocks: sm-jits