Open Bug 1879229 Opened 7 months ago Updated 7 months ago

Crash in [@ js::AvlTree<T>::remove]

Categories

(Core :: JavaScript Engine: JIT, defect, P5)

Other
All
defect

Tracking

Tracking Status: firefox124 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/e618137e-6461-466c-a1f7-16e6e0240124

MOZ_CRASH Reason: MOZ_CRASH()

Top 10 frames of crashing thread:

0  libxul.so  js::AvlTree<js::jit::JitCodeRange*, js::jit::JitCodeRange>::remove  js/src/ds/AvlTree.h:1001
0  libxul.so  js::jit::JitcodeGlobalTable::traceWeak const  js/src/jit/JitcodeMap.cpp:360
0  libxul.so  mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>,  const  mfbt/Vector.h:1395
0  libxul.so  __gnu_cxx::__ops::_Iter_pred<mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>,   /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/predefined_ops.h:283
0  libxul.so  std::__remove_if<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>*, __gnu_cxx::__ops::_Iter_pred<mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>,   /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/stl_algo.h:869
0  libxul.so  std::remove_if<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>*, mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>,   /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/stl_algo.h:939
0  libxul.so  mozilla::Vector<mozilla::UniquePtr<js::jit::JitcodeGlobalEntry, js::jit::JitcodeGlobalEntry::DestroyPolicy>,   mfbt/Vector.h:1394
0  libxul.so  js::jit::JitcodeGlobalTable::traceWeak  js/src/jit/JitcodeMap.cpp:343
0  libxul.so  js::jit::JitRuntime::TraceWeakJitcodeGlobalTable  js/src/jit/Ion.cpp:450
1  libxul.so  js::gc::GCRuntime::sweepJitDataOnMainThread  js/src/gc/Sweeping.cpp:1350

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-12-24
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 1 out of 5 crashes happened on null or near null memory address

I looked at about 6 crashes. They all look like JIT GC sweeping crashes.

Component: General → JavaScript Engine: JIT

Sounds like some inconsistencies between the AVL structure and the Vector supporting the JitCodeGlobalTable.
Based on the volume of crashes I would bet more on a hardware issue, but given how localised it is, maybe this could be a real issue.

Jan, what do you think?

Severity: -- → S4
Flags: needinfo?(jdemooij)
Priority: -- → P5

(In reply to Nicolas B. Pierron [:nbp] from comment #2)

> Sounds like some inconsistencies between the AVL structure and the Vector supporting the JitCodeGlobalTable.
> Based on the volume of crashes I would bet more on a hardware issue, but given how localised it is, maybe this could be a real issue.
>
> Jan, what do you think?

Entries are always added to (and removed from) both the Vector and the tree. If inserting into the tree OOMs, we remove the last entry from the vector so they should always be consistent.

Some of these crashes are for other AvlTree uses such as the register allocator: https://crash-stats.mozilla.org/report/index/901f96bc-c8e3-467a-b8b3-590c60240124

Especially the register allocator code has a lot of test and fuzzing coverage and the crash volume isn't that big, so it's most likely a hardware or memory corruption issue.

Flags: needinfo?(jdemooij)
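The invariant described in the reply above (every entry lives in both the Vector and the tree, and a failed tree insert rolls the Vector back) can be exercised in isolation. The following C++ is an added example, not SpiderMonkey code: std::map stands in for js::AvlTree, the entry type and table are simplified stand-ins, and the OOM on index insert is injected through a hypothetical flag rather than a real allocation failure. The consistency check in the sweep is the kind of assertion that would fire if the two structures ever diverged, the state a crash inside remove() during sweeping would imply.

```cpp
// Added example, not SpiderMonkey code. A table that owns entries in a vector
// and indexes them by start address in an ordered container, kept in lock-step
// the way the comment describes. std::map stands in for js::AvlTree; the OOM on
// index insert is simulated through a hypothetical test flag.
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

struct CodeRange {
    uintptr_t start;
    uintptr_t end;     // exclusive
    bool marked;       // set while the code is still reachable
};

class CodeRangeTable {
public:
    bool injectIndexOOM = false;  // hypothetical hook, simulates AvlTree insert failure

    // Append to the vector first, then index; if indexing fails, pop the vector
    // again so both structures stay consistent (the rollback the comment describes).
    bool add(uintptr_t start, uintptr_t end) {
        auto entry = std::make_unique<CodeRange>(CodeRange{start, end, false});
        CodeRange* raw = entry.get();
        entries_.push_back(std::move(entry));
        bool inserted = !injectIndexOOM && index_.emplace(start, raw).second;
        if (!inserted) {
            entries_.pop_back();
            return false;
        }
        return true;
    }

    // Find the entry covering pc, or nullptr. The map stores raw pointers, so a
    // const lookup can still hand back a mutable entry for marking.
    CodeRange* lookup(uintptr_t pc) const {
        auto it = index_.upper_bound(pc);
        if (it == index_.begin()) return nullptr;
        --it;
        return pc < it->second->end ? it->second : nullptr;
    }

    // Mark the entry containing pc as live; false if nothing covers pc.
    bool mark(uintptr_t pc) {
        CodeRange* r = lookup(pc);
        if (!r) return false;
        r->marked = true;
        return true;
    }

    // Sweep: drop every unmarked entry from both the vector and the index.
    // A failing erase here means the index and vector have diverged.
    size_t sweepUnmarked() {
        size_t removed = 0;
        auto newEnd = std::remove_if(entries_.begin(), entries_.end(),
            [&](const std::unique_ptr<CodeRange>& e) {
                if (e->marked) { e->marked = false; return false; }  // survives, clear mark bit
                size_t erased = index_.erase(e->start);
                assert(erased == 1 && "index out of sync with vector");
                (void)erased;
                ++removed;
                return true;
            });
        entries_.erase(newEnd, entries_.end());
        return removed;
    }

    // Independent audit of the invariant: same size, and every vector entry is
    // indexed under its start address with the same pointer.
    bool consistent() const {
        if (entries_.size() != index_.size()) return false;
        for (const auto& e : entries_) {
            auto it = index_.find(e->start);
            if (it == index_.end() || it->second != e.get()) return false;
        }
        return true;
    }

    size_t size() const { return entries_.size(); }

private:
    std::vector<std::unique_ptr<CodeRange>> entries_;
    std::map<uintptr_t, CodeRange*> index_;
};

// Scenario with constructed addresses: three ranges added, a fourth fails on the
// injected OOM and is rolled back, one range is marked live, sweep removes the
// other two. Returns the number of swept entries, or SIZE_MAX on any failed check.
size_t runScenario() {
    CodeRangeTable t;
    if (!t.add(0x1000, 0x1100) || !t.add(0x2000, 0x2400) || !t.add(0x3000, 0x3080)) return SIZE_MAX;
    t.injectIndexOOM = true;
    if (t.add(0x4000, 0x4010) || t.size() != 3 || !t.consistent()) return SIZE_MAX;
    t.injectIndexOOM = false;
    if (!t.mark(0x2200)) return SIZE_MAX;
    size_t swept = t.sweepUnmarked();
    if (!t.consistent() || t.size() != 1 || t.lookup(0x1050) || !t.lookup(0x23ff)) return SIZE_MAX;
    return swept;
}

int main() {
    std::printf("swept %zu entries\n", runScenario());
    return 0;
}
```

The rollback in add() is the load-bearing piece: because the vector is appended before the index insert is attempted, the only failure the index can report leaves exactly one unmatched vector entry, and popping it restores the invariant without any further bookkeeping. The consistent() audit is deliberately independent of the sweep path so it can be run from a debugger or a test without trusting the structures it is checking.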