Crash in [@ js::AvlTree<T>::remove]
Categories: Core :: JavaScript Engine: JIT, defect, P5
Tracking
 | Tracking | Status
---|---|---
firefox124 | --- | affected
People: Reporter: release-mgmt-account-bot, Unassigned
References: Blocks 2 open bugs
Details: Keywords: crash
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/e618137e-6461-466c-a1f7-16e6e0240124
MOZ_CRASH Reason: MOZ_CRASH()
Top 10 frames of crashing thread:
0 libxul.so js::AvlTree<js::jit::JitCodeRange*, js::jit::JitCodeRange>::remove js/src/ds/AvlTree.h:1001
0 libxul.so js::jit::JitcodeGlobalTable::traceWeak const js/src/jit/JitcodeMap.cpp:360
0 libxul.so mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>, const mfbt/Vector.h:1395
0 libxul.so __gnu_cxx::__ops::_Iter_pred<mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>, /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/predefined_ops.h:283
0 libxul.so std::__remove_if<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>*, __gnu_cxx::__ops::_Iter_pred<mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>, /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/stl_algo.h:869
0 libxul.so std::remove_if<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>*, mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>, /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/stl_algo.h:939
0 libxul.so mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>, mfbt/Vector.h:1394
0 libxul.so js::jit::JitcodeGlobalTable::traceWeak js/src/jit/JitcodeMap.cpp:343
0 libxul.so js::jit::JitRuntime::TraceWeakJitcodeGlobalTable js/src/jit/Ion.cpp:450
1 libxul.so js::gc::GCRuntime::sweepJitDataOnMainThread js/src/gc/Sweeping.cpp:1350
By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:
- First crash report: 2023-12-24
- Process type: Content
- Is startup crash: No
- Has user comments: No
- Is null crash: Yes - 1 out of 5 crashes happened on null or near null memory address
Comment 1 • 7 months ago
I looked at about 6 crashes. They all look like JIT GC sweeping crashes.
Comment 2 • 7 months ago
Sounds like some inconsistencies between the AVL structure and the Vector supporting the JitCodeGlobalTable.
Based on the volume of crashes I would bet more on a hardware issue, but given how localised it is, maybe this could be a real issue.
Jan, what do you think?
Comment 3 • 7 months ago
(In reply to Nicolas B. Pierron [:nbp] from comment #2)
> Sounds like some inconsistencies between the AVL structure and the Vector supporting the JitCodeGlobalTable.
> Based on the volume of crashes I would bet more on a hardware issue, but given how localised it is, maybe this could be a real issue.
> Jan, what do you think?
Entries are always added to (and removed from) both the Vector and the tree. If inserting into the tree OOMs, we remove the last entry from the vector so they should always be consistent.
Some of these crashes are for other AvlTree uses such as the register allocator: https://crash-stats.mozilla.org/report/index/901f96bc-c8e3-467a-b8b3-590c60240124
Especially the register allocator code has a lot of test and fuzzing coverage and the crash volume isn't that big, so it's most likely a hardware or memory corruption issue.
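The invariant described in comment 3 (every entry lives in both the Vector and the tree, and a failed tree insert rolls back the vector append) and the inconsistency suspected in comment 2 can be modelled in a few dozen lines. The block below is an added illustration written for this page, not SpiderMonkey's JitcodeGlobalTable or AvlTree code: std::set stands in for the AVL tree, the names RangeTable, CodeRange, sweepDead, desyncForDemo and indexed are invented, the `alive` flag replaces the real weak-mark check, and the OOM and desync hooks are test-only assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>
#include <stdexcept>
#include <vector>

// One JIT code range; `alive` stands in for the weak-mark check the real
// traceWeak performs during GC sweeping (an assumption of this example).
struct CodeRange { uintptr_t start; uintptr_t end; bool alive; };

// Orders ranges by start address, as a pc lookup tree must.
struct RangeLess {
  bool operator()(const CodeRange* a, const CodeRange* b) const { return a->start < b->start; }
};

// RangeTable (invented name): the vector owns the entries; the ordered index
// (std::set standing in for AvlTree) points at the same objects.
class RangeTable {
 public:
  // Append to the vector first, then index. `simulateTreeOOM` is a test hook
  // for a failed tree-node allocation; on failure the append is rolled back.
  bool add(uintptr_t start, uintptr_t end, bool simulateTreeOOM = false) {
    auto entry = std::make_unique<CodeRange>(CodeRange{start, end, true});
    CodeRange* raw = entry.get();
    entries_.push_back(std::move(entry));
    if (simulateTreeOOM || !tree_.insert(raw).second) {
      entries_.pop_back();  // undo the append; the index was not modified
      return false;
    }
    return true;
  }
  bool markDead(uintptr_t start) {
    for (auto& e : entries_) if (e->start == start) { e->alive = false; return true; }
    return false;
  }
  // Sweep in the shape of traceWeak: remove_if over the vector, taking each
  // dead entry out of the index before the vector drops it. An entry the
  // vector owns but the index lacks means the two are out of sync.
  size_t sweepDead() {
    auto newEnd = std::remove_if(entries_.begin(), entries_.end(),
        [this](const std::unique_ptr<CodeRange>& e) {
          if (e->alive) return false;
          if (tree_.erase(e.get()) != 1) throw std::logic_error("vector/index out of sync");
          return true;
        });
    size_t removed = static_cast<size_t>(entries_.end() - newEnd);
    entries_.erase(newEnd, entries_.end());
    return removed;
  }
  // The invariant comment 3 states: both structures hold the same entry set.
  bool consistent() const {
    if (entries_.size() != tree_.size()) return false;
    for (const auto& e : entries_) if (tree_.count(e.get()) != 1) return false;
    return true;
  }
  // Fault-injection hook (example only): drop an entry from the index but not
  // the vector, i.e. the inconsistency comment 2 speculates about.
  void desyncForDemo(uintptr_t start) {
    CodeRange probe{start, start, true};
    tree_.erase(&probe);  // comparator matches on start only
  }
  bool indexed(uintptr_t start) const {
    CodeRange probe{start, start, true};
    return tree_.count(&probe) == 1;
  }
  size_t size() const { return entries_.size(); }
 private:
  std::vector<std::unique_ptr<CodeRange>> entries_;
  std::set<CodeRange*, RangeLess> tree_;
};

// Normal life cycle: two adds, one rolled-back add, one sweep. True if the
// invariant held throughout and the index tracked the vector.
bool normalSweepScenario() {
  RangeTable t;
  if (!t.add(0x1000, 0x2000) || !t.add(0x3000, 0x3800)) return false;
  if (t.add(0x5000, 0x6000, /*simulateTreeOOM=*/true)) return false;
  if (t.size() != 2 || t.indexed(0x5000) || !t.consistent()) return false;
  if (!t.markDead(0x1000) || t.sweepDead() != 1) return false;
  return t.size() == 1 && !t.indexed(0x1000) && t.indexed(0x3000) && t.consistent();
}

// Desynced table: true if the sweep detects it instead of carrying on.
bool desyncIsDetected() {
  RangeTable t;
  t.add(0x7000, 0x7100);
  t.desyncForDemo(0x7000);
  if (t.consistent()) return false;
  t.markDead(0x7000);
  try { t.sweepDead(); } catch (const std::logic_error&) { return true; }
  return false;
}

int main() {
  std::printf("normal sweep ok: %d, desync detected: %d\n", normalSweepScenario(), desyncIsDetected());
  return 0;
}
```

The sweep removes from the index before the vector drops the entry, so a removal that finds nothing is the first observable sign of the two structures disagreeing; in the real code that is where AvlTree::remove sits in the crashing stack. The model throws at that point, which is the analogue of the MOZ_CRASH in the report rather than a fix for it.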