Open Bug 1865444 Opened 7 months ago Updated 6 months ago

Crash in [@ JSScript::getScope]

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
Other
All
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox122 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/aa5b72d0-921b-435b-ae9c-799620231027

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(idx < storage_.size())

Top 10 frames of crashing thread:

0  xul.dll  AnnotateMozCrashReason  mfbt/Assertions.h:46
0  xul.dll  mozilla::Span<const JS::GCCellPtr, 18446744073709551615>::operator[] const  mfbt/Span.h:735
0  xul.dll  JSScript::getScope const  js/src/vm/JSScript.h:2070
0  xul.dll  JSScript::getScope const  js/src/vm/JSScript.h:2080
0  xul.dll  js::Interpret  js/src/vm/Interpreter.cpp:1963
1  xul.dll  MaybeEnterInterpreterTrampoline  js/src/vm/Interpreter.cpp:386
1  xul.dll  js::RunScript  js/src/vm/Interpreter.cpp:444
1  xul.dll  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:598
1  xul.dll  InternalCall  js/src/vm/Interpreter.cpp:633
1  xul.dll  js::Call  js/src/vm/Interpreter.cpp:665

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-09-14
  • Process type: Multiple distinct types
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 1 out of 8 crashes happened on null or near null memory address
Component: General → JavaScript Engine

I'm inclined to call this a release assert catching bitflips; however, the thing that gives me pause is the sudden appearance of this signature in August. I'm not sure if there's something in that timeframe that helps explain this.

Did you want to take a peek at this Arai, just to see if anything stands out?

Blocks: sm-defects-crashes
Severity: -- → S3
Flags: needinfo?(arai.unmht)
Priority: -- → P3

Checked the reports from August.

The oldest report is at 2023-08-10 17:27:52, for 115.1.0esr (20230724124053).
The oldest version is at 2023-11-06 23:45:07, for 91.12.0esr (20220718130424).
Most frequent major version is 115, where the oldest version is 115.0.1 (20230706202047)

There's a gap between the build ID and the spike. so I doubt the spike is caused only by certain patch.

Possibility I can think of is the change in the crash signature generation, which is to skip the mozilla::Span frame.
and indeed the mozilla::Span<T>::operator[] crash stopped at that point, and the amount of the report matches (~50 crashes per day, for 115.1.0esr)

https://crash-stats.mozilla.org/signature/?signature=mozilla%3A%3ASpan%3CT%3E%3A%3Aoperator%5B%5D&date=%3E%3D2023-07-01T18%3A17%3A00.000Z&date=%3C2023-11-21T18%3A17%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1#graphs

so, the spike isn't something we should worry about.

Flags: needinfo?(arai.unmht)

I've checked some of the mozilla::Span<T>::operator[] reports, and they're indeed for JSScript::getScope.

You need to log in before you can comment on or make changes to this bug.