Closed Bug 1870182 Opened 5 months ago Closed 5 months ago

Crash in [@ mozilla::detail::EntrySlot<T>::isFree]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
Other
All
Type:
defect

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox122 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/245ddb85-a035-468a-aa51-e3bf00231117

Reason: SIGSEGV / SI_KERNEL

Top 10 frames of crashing thread:

0  libxul.so  mozilla::detail::EntrySlot<js::SharedShape* const>::isFree const  mfbt/HashTable.h:1160
0  libxul.so  mozilla::detail::HashTable<js::SharedShape* const, mozilla::HashSet<js::SharedShape*, js::ShapeForAddHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::lookup< const  mfbt/HashTable.h:1775
0  libxul.so  mozilla::detail::HashTable<js::SharedShape* const, mozilla::HashSet<js::SharedShape*, js::ShapeForAddHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::readonlyThreadsafeLookup const  mfbt/HashTable.h:2099
0  libxul.so  mozilla::detail::HashTable<js::SharedShape* const, mozilla::HashSet<js::SharedShape*, js::ShapeForAddHasher, js::SystemAllocPolicy>::SetHashPolicy, js::SystemAllocPolicy>::lookup const  mfbt/HashTable.h:2104
0  libxul.so  mozilla::HashSet<js::SharedShape*, js::ShapeForAddHasher, js::SystemAllocPolicy>::lookup const  mfbt/HashTable.h:533
0  libxul.so  LookupShapeForAdd  js/src/vm/Shape.cpp:277
0  libxul.so  js::NativeObject::addProperty  js/src/vm/Shape.cpp:328
1  libxul.so  AddOrChangeProperty<  js/src/vm/NativeObject.cpp:1304
1  libxul.so  js::NativeDefineProperty  js/src/vm/NativeObject.cpp:1617
1  libxul.so  js::DefineDataProperty  js/src/vm/JSObject.cpp:2081

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-10-28
  • Process type: Multiple distinct types
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: No

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine

I'm inclined to say these are bad hardware; but I'd be interested in a second opinion from Jan.

Flags: needinfo?(jdemooij)

This looks like hardware noise to me too. EntrySlot::isFree is just dereferencing a pointer that is part of the implementation of mozilla::HashTable. We're not doing anything unusual with this hash table. If there were a real bug in mozilla::HashTable, it would show up at a much higher frequency.

This code is very hot, so the crash rate here doesn't seem unusually high. Looking at the first page of crashes with this signature, there are illegal instruction crashes (most likely a hardware problem), and multiple cases where a single install crashed repeatedly, including a sequence of 13 startup crashes (which generally means the binary was corrupted somehow).

Digging a little more into the reports, it looks like this crash signature is combining crashes from hash tables in a variety of unrelated code: the StoreBuffer, a shape's property map, the used name tracker in the frontend, a different hash table in the property map, and so on. So it's not specific to the way we use the hash table, and it's very unlikely to be a problem in the hash table itself, which means it's almost certainly bogus.

I'm going to close this.

Status: NEW → RESOLVED
Closed: 5 months ago
Flags: needinfo?(jdemooij)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.