Crash in [@ BaselineStackBuilder::setNextCallee]
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
People
(Reporter: release-mgmt-account-bot, Assigned: jandem)
References
(Blocks 3 open bugs)
Details
(Keywords: crash, csectype-jit, sec-high, Whiteboard: [adv-main123+r][adv-esr115.8+r])
Crash Data
Attachments
(3 files)
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
tjr
:
sec-approval+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr115+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/1d0af9e5-9b6e-4484-b67e-e50010240124
MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(icScript_->numICEntries() == calleeScript->numICEntries())
Top 9 frames of crashing thread:
0 xul.dll BaselineStackBuilder::setNextCallee js/src/jit/BaselineBailouts.cpp:522
0 xul.dll BaselineStackBuilder::buildStubFrame js/src/jit/BaselineBailouts.cpp:1089
0 xul.dll BaselineStackBuilder::prepareForNextFrame js/src/jit/BaselineBailouts.cpp:926
0 xul.dll BaselineStackBuilder::buildOneFrame js/src/jit/BaselineBailouts.cpp:1524
0 xul.dll js::jit::BailoutIonToBaseline js/src/jit/BaselineBailouts.cpp:1662
1 xul.dll js::jit::InvalidationBailout js/src/jit/Bailouts.cpp:220
2 ? @0x000003dedd971236
3 xul.dll mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3147
4 ? @0x00000156b8920a37
By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:
- First crash report: 2023-12-17
- Process type: Content
- Is startup crash: No
- Has user comments: No
- Is null crash: Yes - 1 out of 9 crashes happened on null or near null memory address
|
Reporter | |
Comment 1•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine: JIT' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 2•1 year ago
|
||
Matthew, this does not seems to be related to fuses, given that this crashes start in 122, but fuses might use this path more than the rest in the near future.
If you have any idea what else might be responsible for these invalidations feel free to forward this bug.
Looking at the crash reports some URL are notable as a source of issues. Maybe you will find a way to reproduce the crash this way.
|
|
||
Updated•1 year ago
|
|
||
Comment 3•1 year ago
|
||
Going to redirect this to Jan, as this assert was added in Bug 1867193
|
Assignee | |
Comment 4•1 year ago
•
|
||
I was able to reproduce this with one of the URLs in the crash reports, and I have a shell test case for this.
|
|
Assignee | |
Comment 5•1 year ago
|
||
(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #3)
Going to redirect this to Jan, as this assert was added in Bug 1867193
The bug predates that bug, because I can reproduce it with a debug build of ESR 115 where it's a crash in JIT code. It even repros with a JS shell opt build of FF 113 (from the FTP server).
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 6•1 year ago
|
||
|
|
Assignee | |
Comment 7•1 year ago
|
||
|
|
Assignee | |
Comment 8•1 year ago
•
|
||
The most reliable STR I found for the browser:
- Load https://www.netzclub.net/sim-karte-bestellen/sponsored-surf-basic
- Wait 30 seconds. The tab will crash at some point.
After the first time you need to restart the browser or use a private window, to not let it skip the initial screen.
|
|
Assignee | |
Comment 9•1 year ago
|
||
Comment on attachment 9377977 [details]
Bug 1876425 part 1 - Stop using trial inlined ICScripts during bailout if needed. r?iain!
Security Approval Request
- How easily could an exploit be constructed based on the patch?: It's fairly difficult to write a test for this.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Patch should apply or be easy to backport.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely. Normal Nightly testing and fuzzing should be sufficient.
- Is Android affected?: Yes
|
||
Comment 10•1 year ago
|
||
Comment on attachment 9377977 [details]
Bug 1876425 part 1 - Stop using trial inlined ICScripts during bailout if needed. r?iain!
Approved to request uplift and land
|
|
||
Updated•1 year ago
|
|
||
Comment 11•1 year ago
|
||
|
||
Comment 12•1 year ago
|
||
|
|
Reporter | |
Comment 13•1 year ago
|
||
The patch landed in nightly and beta is affected.
:jandem, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox123towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 14•1 year ago
|
||
Comment on attachment 9377977 [details]
Bug 1876425 part 1 - Stop using trial inlined ICScripts during bailout if needed. r?iain!
Beta/Release Uplift Approval Request
- User impact if declined: Security bugs, crashes.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Pretty small patch that has been tested on Nightly.
- String changes made/needed:
- Is Android affected?: Yes
|
||
Comment 15•1 year ago
|
||
Comment on attachment 9377977 [details]
Bug 1876425 part 1 - Stop using trial inlined ICScripts during bailout if needed. r?iain!
Approved for 123 beta 9, thanks.
|
|
||
Comment 16•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
||
Comment 17•1 year ago
|
||
Comment on attachment 9377977 [details]
Bug 1876425 part 1 - Stop using trial inlined ICScripts during bailout if needed. r?iain!
This needs a rebased patch for esr115.
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 18•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 19•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
Reporter | |
Comment 20•1 year ago
|
||
a month ago, tjr placed a reminder on the bug using the whiteboard tag [reminder-test 2024-04-02] .
jandem, please refer to the original comment to better understand the reason for the reminder.
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Comment 21•1 year ago
|
||
|
|
||
Comment 22•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Updated•3 months ago
|
Description
•