Open Bug 1867696 Opened 6 months ago Updated 6 months ago

Crash in [@ js::InlineList<T>::remove]

Categories

(Core :: JavaScript Engine: JIT, defect, P5)

Other
All
defect

Tracking

Tracking Status
firefox122 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/72d3b658-c9d8-40a3-abc0-27fed0231124

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0  xul.dll  js::InlineList<js::jit::MUse>::remove  js/src/jit/InlineList.h:320
0  xul.dll  js::jit::MDefinition::removeUse  js/src/jit/MIR.h:757
0  xul.dll  js::jit::MUse::releaseProducer  js/src/jit/MIR.h:11620
0  xul.dll  js::jit::MResumePoint::releaseUses  js/src/jit/MIR.h:8824
0  xul.dll  js::jit::MBasicBlock::discardResumePoint  js/src/jit/MIRGraph.cpp:781
0  xul.dll  js::jit::MBasicBlock::prepareForDiscard  js/src/jit/MIRGraph.cpp:807
0  xul.dll  js::jit::MBasicBlock::discard  js/src/jit/MIRGraph.cpp:829
1  xul.dll  js::jit::RangeAnalysis::adjustTruncatedInputs  js/src/jit/RangeAnalysis.cpp:3116
1  xul.dll  js::jit::RangeAnalysis::truncate  js/src/jit/RangeAnalysis.cpp:3269
1  xul.dll  js::jit::OptimizeMIR  js/src/jit/Ion.cpp:1269

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-10-21
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 5 out of 6 crashes happened on null or near null memory address

Component: General → JavaScript Engine: JIT

All crashes with this signature sound a lot like pointer corruption in a linked list.
Also, given the low volume, I will just consider these to be mostly bad hardware issues until we get someone to reproduce this issue.

Severity: -- → S4
Priority: -- → P5

I can confirm your suspicion: almost 40% of the crashes on file have been flagged as having been potentially caused by a bit-flip.