Open Bug 1868775 Opened 1 year ago Updated 5 months ago

MOZ_CRASH(invalid node kind) in [@ js::frontend::RewritingParseNodeVisitor<T>::visit]

Categories

(Core :: JavaScript Engine, defect, P5)

Tracking

Tracking Status
firefox-esr115 --- affected
firefox120 --- wontfix
firefox121 --- affected
firefox122 --- affected

People

(Reporter: aryx, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, topcrash)

See bug 1547561 for the previous bug about this signature.

Not a new signature, 40% of crashes in first minute, 30% in minutes 2 to 5.

Crash report: https://crash-stats.mozilla.org/report/index/c30345b2-053c-46d3-9fee-09f0d0231207

MOZ_CRASH Reason: MOZ_CRASH(invalid node kind)

Top 10 frames of crashing thread:

0  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit  js/src/frontend/ParseNodeVisitor.h:118
1  xul.dll  js::frontend::ListNode::accept  js/src/frontend/ParseNode.h:1233
1  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visitArguments  js/src/frontend/ParseNodeVisitor.h:129
1  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit  js/src/frontend/ParseNodeVisitor.h:115
2  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit  js/src/frontend/ParseNodeVisitor.h:115
3  xul.dll  js::frontend::ListNode::accept  js/src/frontend/ParseNode.h:1233
3  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visitCommaExpr  js/src/frontend/ParseNodeVisitor.h:129
3  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit  js/src/frontend/ParseNodeVisitor.h:115
4  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit  js/src/frontend/ParseNodeVisitor.h:115
5  xul.dll  js::frontend::ListNode::accept  js/src/frontend/ParseNode.h:1233

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 content process crashes on release

For more information, please visit BugBot documentation.

Keywords: topcrash

Pretty good guess these are bad hardware...

Severity: -- → S3
Priority: -- → P3

The MOZ_CRASH from the previous bug fix turned it into a "safe" problem, but it's still a problem.

Group: javascript-core-security
Summary: Crash in [@ js::frontend::RewritingParseNodeVisitor<T>::visit] → MOZ_CRASH(invalid node kind) in [@ js::frontend::RewritingParseNodeVisitor<T>::visit]

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 20 desktop browser crashes on release (startup)

For more information, please visit BugBot documentation.

Looking at the crash addresses, there is a long tail of bit-flipped pointers.
This is consistent with hardware issues given the low number of nightly crashes, and with the conclusion from comment 2.

Severity: S3 → S4
Priority: P3 → P5
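
One way to run the kind of check the comment above describes, added here as an example and not taken from the bug or from Mozilla's tooling: each crash address is compared with the most common one, and addresses that differ from it by a single bit are reported together with the flipped bit position. The addresses are constructed sample values, and the function name and the choice of the modal address as reference are assumptions.

```python
from collections import Counter

# Constructed sample data, not taken from the bug: one dominant crash address,
# three single-bit neighbours of it, and two unrelated addresses.
BASE = 0x7FF61A2B3C40
SAMPLE_ADDRESSES = [BASE] * 5 + [
    BASE ^ (1 << 3),
    BASE ^ (1 << 17),
    BASE ^ (1 << 33),
    0x10,
    0xFFFFFFFFFFFFFFFF,
]


def bit_flip_report(addresses, max_flips=1):
    """Bucket crash addresses by Hamming distance from the most common address.

    Assumption: the modal address is the "expected" value, so an address that
    differs from it in at most max_flips bits is a memory-corruption candidate
    rather than a distinct software failure.
    """
    counts = Counter(addresses)
    modal, modal_hits = counts.most_common(1)[0]
    flipped, unrelated = {}, []
    for addr in sorted(set(addresses) - {modal}):
        diff = addr ^ modal                      # set bits mark differing positions
        if bin(diff).count("1") <= max_flips:
            flipped[addr] = [i for i in range(diff.bit_length()) if (diff >> i) & 1]
        else:
            unrelated.append(addr)
    flipped_hits = sum(counts[a] for a in flipped)
    return {
        "modal": modal,
        "flipped": flipped,                      # address -> flipped bit positions
        "unrelated": unrelated,
        "flipped_share": flipped_hits / len(addresses),
        "modal_share": modal_hits / len(addresses),
    }


if __name__ == "__main__":
    report = bit_flip_report(SAMPLE_ADDRESSES)
    print(f"modal address: {report['modal']:#x} ({report['modal_share']:.0%} of reports)")
    for addr, bits in report["flipped"].items():
        print(f"  {addr:#x} differs at bit(s) {bits}")
    print(f"single-bit neighbours: {report['flipped_share']:.0%} of reports")
    print("unrelated:", [hex(a) for a in report["unrelated"]])
```

A spread of flipped bit positions with no single software-explainable value is what points toward faulty memory; one repeated non-modal address points toward a real code path instead.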

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.