Crash in [@ mozilla::detail::EntrySlot<T>::isFree]
Categories
(Core :: JavaScript Engine, defect)
Tracking
Tracking | Status | |
---|---|---|
firefox122 | --- | affected |
People
(Reporter: release-mgmt-account-bot, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/245ddb85-a035-468a-aa51-e3bf00231117
Reason: SIGSEGV / SI_KERNEL
Top 10 frames of crashing thread:
0 libxul.so mozilla::detail::EntrySlot<js::SharedShape* const>::isFree const mfbt/HashTable.h:1160
0 libxul.so mozilla::detail::HashTable<js::SharedShape* const, mozilla::HashSet<js::SharedShape*, js::ShapeForAddHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::lookup< const mfbt/HashTable.h:1775
0 libxul.so mozilla::detail::HashTable<js::SharedShape* const, mozilla::HashSet<js::SharedShape*, js::ShapeForAddHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::readonlyThreadsafeLookup const mfbt/HashTable.h:2099
0 libxul.so mozilla::detail::HashTable<js::SharedShape* const, mozilla::HashSet<js::SharedShape*, js::ShapeForAddHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::lookup const mfbt/HashTable.h:2104
0 libxul.so mozilla::HashSet<js::SharedShape*, js::ShapeForAddHasher, js::SystemAllocPolicy>::lookup const mfbt/HashTable.h:533
0 libxul.so LookupShapeForAdd js/src/vm/Shape.cpp:277
0 libxul.so js::NativeObject::addProperty js/src/vm/Shape.cpp:328
1 libxul.so AddOrChangeProperty< js/src/vm/NativeObject.cpp:1304
1 libxul.so js::NativeDefineProperty js/src/vm/NativeObject.cpp:1617
1 libxul.so js::DefineDataProperty js/src/vm/JSObject.cpp:2081
By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:
- First crash report: 2023-10-28
- Process type: Multiple distinct types
- Is startup crash: No
- Has user comments: No
- Is null crash: No
Comment 1•5 months ago (Reporter)
The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•5 months ago
I'm inclined to say these are bad hardware; but I'd be interested in a second opinion from Jan.
Comment 3•5 months ago
This looks like hardware noise to me too. EntrySlot::isFree is just dereferencing a pointer that is part of the implementation of mozilla::HashTable. We're not doing anything unusual with this hash table. If there were a real bug in mozilla::HashTable, it would show up at a much higher frequency.
This code is very hot, so the crash rate here doesn't seem unusually high. Looking at the first page of crashes with this signature, there are illegal instruction crashes (most likely a hardware problem), and multiple cases where a single install crashed repeatedly, including a sequence of 13 startup crashes (which generally means the binary was corrupted somehow).
Digging a little more into the reports, it looks like this crash signature is combining crashes from hash tables in a variety of unrelated code: the StoreBuffer, a shape's property map, the used name tracker in the frontend, a different hash table in the property map, and so on. So it's not specific to the way we use the hash table, and it's very unlikely to be a problem in the hash table itself, which means it's almost certainly bogus.
I'm going to close this.
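The three signals Comment 3 relies on (illegal-instruction reasons, a single install crashing repeatedly, and unrelated callers sharing the same top frames) can be computed over a batch of reports. This is an added example, not code from the bug or from Mozilla; the record fields, the sample data, the bracketed caller names and the repeat threshold are constructed assumptions.

```python
from collections import Counter

# Frames that belong to the hash table implementation itself (names from the trace above).
HASHTABLE_PREFIXES = ("mozilla::detail::EntrySlot", "mozilla::detail::HashTable",
                      "mozilla::HashSet")

def rec(install, reason, caller):
    """Build one constructed report; the field names are assumptions for this example."""
    return {"install": install, "reason": reason,
            "frames": ["mozilla::detail::EntrySlot<T>::isFree",
                       "mozilla::detail::HashTable<T>::lookup",
                       "mozilla::HashSet<T>::lookup", caller]}

# Constructed sample, not real crash-stats data. Bracketed callers are placeholders.
SAMPLE = (
    [rec("install-A", "SIGSEGV / SI_KERNEL", "LookupShapeForAdd")] * 3
    + [rec("install-B", "SIGILL / ILL_ILLOPN", "<StoreBuffer caller>"),
       rec("install-C", "SIGSEGV / SEGV_MAPERR", "<used name tracker caller>")]
)

def first_caller(frames):
    """Return the first frame outside the hash table code, i.e. the real call site."""
    for frame in frames:
        if not frame.startswith(HASHTABLE_PREFIXES):
            return frame
    return None

def triage(reports, repeat_threshold=3):
    """Summarise the signals that point at hardware or binary corruption."""
    per_install = Counter(r["install"] for r in reports)
    callers = {first_caller(r["frames"]) for r in reports} - {None}
    return {
        # Illegal-instruction crashes in ordinary compiled code suggest bad hardware.
        "illegal_instruction": sum(r["reason"].startswith("SIGILL") for r in reports),
        # One install crashing over and over suggests a corrupted binary or machine.
        "repeat_installs": sorted(i for i, n in per_install.items()
                                  if n >= repeat_threshold),
        # Many unrelated call sites mean the signature is not one code path's bug.
        "distinct_callers": sorted(callers),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```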