Open Bug 1886062 Opened 10 months ago Updated 9 months ago

Crash in [@ mozilla::Maybe<T>::operator* | js::unicode::CountUTF16CodeUnits]

Categories

(Core :: JavaScript Engine, defect, P2)

x86
All
defect

Tracking

Tracking Status
firefox126 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 3 open bugs)

Details

(Keywords: crash)

Crash Data

Attachments

(1 obsolete file)

Crash report: https://crash-stats.mozilla.org/report/index/58a23cbd-dd74-4a3d-81a8-27c260240223

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(isSome())

Top 10 frames of crashing thread:

0  xul.dll  AnnotateMozCrashReason  mfbt/Assertions.h:46
1  xul.dll  mozilla::Maybe<char32_t>::operator*  mfbt/Maybe.h:819
2  xul.dll  js::unicode::CountUTF16CodeUnits  js/src/util/Text.cpp:433
3  xul.dll  js::frontend::TokenStreamAnyChars::computeColumnOffsetForUTF8 const  js/src/frontend/TokenStream.cpp:811
4  xul.dll  js::frontend::TokenStreamAnyChars::computeColumnOffset const  js/src/frontend/TokenStream.cpp:608
5  xul.dll  js::frontend::GeneralTokenStreamChars<mozilla::Utf8Unit, js::frontend::ParserAnyCharsAccess<js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit> > >::computeColumn const  js/src/frontend/TokenStream.cpp:843
6  xul.dll  js::frontend::TokenStreamSpecific<mozilla::Utf8Unit, js::frontend::ParserAnyCharsAccess<js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit> > >::columnAt const  js/src/frontend/TokenStream.h:2549
7  xul.dll  js::frontend::BytecodeEmitter::updateSourceCoordNotes  js/src/frontend/BytecodeEmitter.cpp:610
8  xul.dll  js::frontend::BytecodeEmitter::updateSourceCoordNotesIfNonLiteral  js/src/frontend/BytecodeEmitter.cpp:654
9  xul.dll  js::frontend::BytecodeEmitter::emitArguments  js/src/frontend/BytecodeEmitter.cpp:8249

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-02-10
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 1 out of 5 crashes happened on a null or near-null memory address
Assignee: nobody → mcheang
Status: NEW → ASSIGNED
Component: General → Search
Product: Core → Firefox

This isn't search related, this was taken accidentally with a wrong bug number on the commit.

Assignee: mcheang → nobody
Status: ASSIGNED → NEW
Component: Search → JavaScript Engine
Product: Firefox → Core

Any idea what might be going wrong, why would this only be noticed in the BytecodeEmitter and not in the token stream of the parser?
Could this be a race with a closing process?

Severity: -- → S3
Flags: needinfo?(arai.unmht)
Priority: -- → P2

In most cases this happens in the off-thread compilation. I wonder if the script source buffer gets destroyed on the other (main) thread somehow?

The other possibility about "why only in BytecodeEmitter" could be that the end position is wrong and the range ends in the middle of a UTF-8 sequence, which would explain why this doesn't happen in the parser.

We could add extra release asserts about the range, sourceUnits's state, and the reason for Nothing to get more info.

I've looked into other crash reports happening in updateSourceCoordNotes,
and crashes in js::frontend::RetractPointerToCodePointBoundary look somewhat related.
https://crash-stats.mozilla.org/signature/?proto_signature=~updateSourceCoordNotes&signature=js%3A%3Afrontend%3A%3ARetractPointerToCodePointBoundary&date=%3E%3D2024-03-11T15%3A22%3A00.000Z&date=%3C2024-04-11T15%3A22%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1#reports

It's also happening in off-thread compilation, inside BytecodeEmitter, and in most cases it's EXCEPTION_ACCESS_VIOLATION_READ on the pointer for the source text, possibly with a bit flip, and the number of crash reports is similar.

Flags: needinfo?(arai.unmht)
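As an added illustration of the "range ends in the middle of a UTF-8 sequence" hypothesis above (example code, not SpiderMonkey's CountUTF16CodeUnits): a simplified UTF-8 to UTF-16 code-unit counter that returns an empty optional when the [begin, end) range is cut inside a multi-byte sequence, beside a caller that checks for the empty case instead of dereferencing unconditionally. The function and sample names are the example's own.

```cpp
// Example code, not engine code: counts UTF-16 code units over a UTF-8 byte
// range. A range that ends inside a multi-byte sequence (the suspected bad
// end position) yields std::nullopt, which models Maybe<char32_t> being
// Nothing when the caller then dereferences it.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string_view>

// Returns the number of UTF-16 code units needed for the code points in
// [begin, end), or nullopt if the range is truncated inside a sequence or
// contains an invalid lead/continuation byte.
std::optional<size_t> countUTF16CodeUnits(const uint8_t* begin, const uint8_t* end) {
  size_t units = 0;
  for (const uint8_t* p = begin; p < end;) {
    uint8_t lead = *p;
    size_t len;
    if (lead < 0x80)                len = 1;
    else if ((lead & 0xE0) == 0xC0) len = 2;
    else if ((lead & 0xF0) == 0xE0) len = 3;
    else if ((lead & 0xF8) == 0xF0) len = 4;
    else return std::nullopt;  // stray continuation byte or invalid lead byte
    if (static_cast<size_t>(end - p) < len) return std::nullopt;  // cut mid-sequence
    for (size_t i = 1; i < len; i++) {
      if ((p[i] & 0xC0) != 0x80) return std::nullopt;  // malformed continuation
    }
    units += (len == 4) ? 2 : 1;  // supplementary-plane code points need a surrogate pair
    p += len;
  }
  return units;
}

std::optional<size_t> countUTF16CodeUnits(std::string_view s) {
  const uint8_t* b = reinterpret_cast<const uint8_t*>(s.data());
  return countUTF16CodeUnits(b, b + s.size());
}

// Defensive caller: reports -1 instead of dereferencing an empty optional,
// which in the engine's Maybe<T> would trip MOZ_RELEASE_ASSERT(isSome()).
long columnOrMinusOne(std::string_view s) {
  auto n = countUTF16CodeUnits(s);
  return n ? static_cast<long>(*n) : -1;
}

// Constructed sample: "a", U+20AC (3 bytes), "b", U+1F600 (4 bytes).
constexpr std::string_view kSample = "a\xE2\x82\xAC" "b\xF0\x9F\x98\x80";
```

Cutting kSample after 2 bytes or after 7 bytes lands inside the 3-byte and 4-byte sequences respectively, which is exactly the case a whole-token parser never produces but a wrong end offset can.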