Closed Bug 1876978 Opened 4 months ago Closed 3 months ago

Crash in [@ PrimitiveToAtom<T>]

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Unspecified
Android
defect

RESOLVED FIXED
124 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- unaffected
firefox123 --- unaffected
firefox124 --- fixed

People

(Reporter: gsvelto, Assigned: nbp)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, topcrash)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/ab17720c-71fd-4360-ba60-19e000240128

MOZ_CRASH Reason: MOZ_CRASH(Unexpected type)

Top 10 frames of crashing thread:

0  libxul.so  PrimitiveToAtom<  js/src/vm/JSAtomUtils.cpp:1035
0  libxul.so  js::PrimitiveValueToIdSlow<  js/src/vm/JSAtomUtils.cpp:1097
1  libxul.so  js::PrimitiveValueToId<  js/src/vm/JSAtomUtils-inl.h:76
1  libxul.so  js::ToPropertyKey  js/src/vm/JSObject-inl.h:323
1  libxul.so  js::GetObjectElementOperation  js/src/vm/Interpreter-inl.h:419
1  libxul.so  js::GetElementOperationWithStackIndex  js/src/vm/Interpreter-inl.h:519
1  libxul.so  js::GetElementOperation  js/src/vm/Interpreter-inl.h:527
1  libxul.so  js::jit::DoGetElemFallback  js/src/jit/BaselineIC.cpp:716
2  ?  @0x0000006e33562c74  
3  ?  @0x0000006e3357f9e4  

This crash is showing up with some volume in nightly starting with buildid 20240126095257.

I just had this with a slightly different signature.

Crash Signature: [@ PrimitiveToAtom<T>] → [@ PrimitiveToAtom<T>] [@ PrimitiveToAtom ]

In both of those dumps, a register contains the value 0xfffa800000000009, which is MagicValue(JS_OPTIMIZED_OUT). The same appears to be true in all but one of the crashes with PrimitiveToAtom in the signature. (That crash occurred in 121, and might be unrelated.)

nbp: Your patches for bug 1874456 landed in that build, and made changes to when we optimize out resume point operands. Can you look into this?

Flags: needinfo?(nicolas.b.pierron)

(In reply to Iain Ireland [:iain] from comment #2)

> nbp: Your patches for bug 1874456 landed in that build, and made changes to when we optimize out resume point operands. Can you look into this?

I am currently investigating another bug, which potentially has a test case for this issue.
If not, a few URLs are listed on some of the crash reports, coming from a single website.

Severity: -- → S3
Priority: -- → P2
Duplicate of this bug: 1877044

Copying crash signatures from duplicate bugs.

Crash Signature: [@ PrimitiveToAtom<T>] [@ PrimitiveToAtom ] → [@ PrimitiveToAtom<T>] [@ PrimitiveToAtom ] [@ js::PrimitiveToObject]

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on nightly

:willyelm, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(wmedina)
Keywords: topcrash
Crash Signature: [@ PrimitiveToAtom<T>] [@ PrimitiveToAtom ] [@ js::PrimitiveToObject] → [@ PrimitiveToAtom<T>] [@ PrimitiveToAtom ] [@ js::PrimitiveToObject]
Severity: S3 → S2
Flags: needinfo?(wmedina)
Assignee: nobody → nicolas.b.pierron
Status: NEW → ASSIGNED
See Also: → 1878353
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch
Flags: needinfo?(nicolas.b.pierron)
Keywords: regression
Regressed by: 1874456
See Also: 1874456
Duplicate of this bug: 1882158