Crash in [@ PrimitiveToAtom<T>]
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox122 | --- | unaffected |
firefox123 | --- | unaffected |
firefox124 | --- | fixed |
People
(Reporter: gsvelto, Assigned: nbp)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, topcrash)
Crash Data
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/ab17720c-71fd-4360-ba60-19e000240128
MOZ_CRASH Reason: MOZ_CRASH(Unexpected type)
Top 10 frames of crashing thread:
0 libxul.so PrimitiveToAtom< js/src/vm/JSAtomUtils.cpp:1035
0 libxul.so js::PrimitiveValueToIdSlow< js/src/vm/JSAtomUtils.cpp:1097
1 libxul.so js::PrimitiveValueToId< js/src/vm/JSAtomUtils-inl.h:76
1 libxul.so js::ToPropertyKey js/src/vm/JSObject-inl.h:323
1 libxul.so js::GetObjectElementOperation js/src/vm/Interpreter-inl.h:419
1 libxul.so js::GetElementOperationWithStackIndex js/src/vm/Interpreter-inl.h:519
1 libxul.so js::GetElementOperation js/src/vm/Interpreter-inl.h:527
1 libxul.so js::jit::DoGetElemFallback js/src/jit/BaselineIC.cpp:716
2 ? @0x0000006e33562c74
3 ? @0x0000006e3357f9e4
This crash is showing up with some volume in nightly starting with buildid 20240126095257.
Comment 1•3 months ago
|
||
I just had this with a slightly different signature.
Comment 2•3 months ago
|
||
In both of those dumps, a register contains the value 0xfffa800000000009
, which is MagicValue(JS_OPTIMIZED_OUT)
. The same appears to be true in all but one of the crashes with PrimitiveToAtom in the signature. (That crash occurred in 121, and might be unrelated.)
nbp: Your patches for bug 1874456 landed in that build, and made changes to when we optimize out resume point operands. Can you look into this?
Assignee | ||
Comment 3•3 months ago
|
||
(In reply to Iain Ireland [:iain] from comment #2)
nbp: Your patches for bug 1874456 landed in that build, and made changes to when we optimize out resume point operands. Can you look into this?
I am currently investigating another bug, which potentially has a test case for this issue.
If not, a few URL are listed on some of the crash reports, coming from a single website.
Updated•3 months ago
|
Comment 5•3 months ago
|
||
Copying crash signatures from duplicate bugs.
Comment 6•3 months ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on nightly
:willyelm, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
Comment 7•3 months ago
|
||
Hit this trying to access a specific Zoom whiteboard.
Crash log: https://crash-stats.mozilla.org/report/index/99fb8be8-b088-46ec-88c0-982490240131
URL: https://zoom.us/wb/doc/1NDQIkmBSwS8lz9EK5tRSQ/p/54141638148096
Updated•3 months ago
|
Updated•3 months ago
|
Updated•3 months ago
|
Assignee | ||
Comment 8•3 months ago
|
||
Updated•3 months ago
|
Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/42aa41fca836 Revert Bug 1874456 part 2 r=iain
Comment 10•3 months ago
|
||
bugherder |
Updated•3 months ago
|
Description
•