Closed Bug 1878985 Opened 2 years ago Closed 2 years ago

Crash in [@ js::jit::MUse::producer]

Categories

(Core :: JavaScript Engine: JIT, defect)

x86
All
defect

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox124 --- wontfix

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/ef4e0351-af47-4346-bd09-fb8610240206

Reason: EXC_BAD_ACCESS / EXC_I386_GPFLT

Top 10 frames of crashing thread:

0  XUL  js::jit::MUse::producer const  js/src/jit/MIR.h:249
0  XUL  js::jit::MPhi::getOperand const  js/src/jit/MIR.h:6111
0  XUL  FlagPhiInputsAsImplicitlyUsed  js/src/jit/IonAnalysis.cpp:213
0  XUL  FlagOperandsAsImplicitlyUsedAfter  js/src/jit/IonAnalysis.cpp:306
1  XUL  FlagAllOperandsAsImplicitlyUsed  js/src/jit/IonAnalysis.cpp:340
1  XUL  js::jit::PruneUnusedBranches  js/src/jit/IonAnalysis.cpp:423
2  XUL  js::jit::OptimizeMIR  js/src/jit/Ion.cpp:999
3  XUL  js::jit::CompileBackEnd  js/src/jit/Ion.cpp:1605
4  XUL  js::jit::IonCompileTask::runTask  js/src/jit/IonCompileTask.cpp:52
4  XUL  js::jit::IonCompileTask::runHelperThreadTask  js/src/jit/IonCompileTask.cpp:30

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-02-02
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: No
  • Is use after free crash: Yes - 1 out of 2 crashes happened on or near an allocator poison value

Group: core-security → javascript-core-security
Component: General → JavaScript Engine: JIT

Here's the crash near a poison value: bp-e6245203-3fe2-4f81-a5d3-dae0e0240202

It looks like that's the only crash on this signature in the last 3 months on a poison value.

It says that install hadn't experienced a crash in 31 weeks, but also they are on 115 Nightly (from June 2023) on Windows 7 and crashed in February 2024. So I think we can ignore this.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
Group: javascript-core-security