Closed Bug 1895694 Opened 1 year ago Closed 1 year ago

Crash in [@ js::BaseScript::hasBytecode]

Categories: Core :: JavaScript Engine, defect (Other, Windows)

Status: RESOLVED INVALID

Tracking Status: firefox127 --- affected

People: Reporter release-mgmt-account-bot; Unassigned

References: Blocks 1 open bug

Details: Keywords: crash

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/88b02d2b-b78e-4b4b-9f50-8bba70240508

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 8 frames of crashing thread:

0  xul.dll  RefPtr<js::SharedImmutableScriptData>::operator bool const  mfbt/RefPtr.h:338
0  xul.dll  js::BaseScript::hasBytecode const  js/src/vm/JSScript.h:1629
0  xul.dll  JSFunction::getOrCreateScript  js/src/vm/JSFunction.h:493
0  xul.dll  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:585
0  xul.dll  InternalCall  js/src/vm/Interpreter.cpp:641
0  xul.dll  js::Call  js/src/vm/Interpreter.cpp:673
1  xul.dll  js::fun_apply  js/src/vm/JSFunction.cpp:1105
2  ?  @0x0000014bc12a7e01  

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-03-04
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 1 out of 13 crashes happened on null or near null memory address

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine

The crash linked in comment 1 has a 92% confidence bit flip. Peeking at the minidumps for the five most recent crashes (excluding that one), it looks like in all cases we have a pointer to a JSFunction and check the flag bit indicating that it has a base script. That bit is set, so we dereference the script slot and load a field from the base script, but the base script is a bogus pointer and we segfault.

This crash isn't listed as a bitflip, but the dereferenced address is 0x0080195e38ce6b98, which looks like a real address with an upper bit set. (Maybe the bitflip detector didn't flag it because the corresponding address isn't mapped?)
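A worked illustration of the "real address with an upper bit set" observation in the comment above, added here as an example and not taken from the bug or from Mozilla's crash tooling; the canonical-address rule is the x86-64 one, and the near-null threshold is an assumption:

```python
# Added triage heuristic (not Mozilla's crash-stats bit-flip detector, whose
# algorithm is not described on this page): on x86-64 with 4-level paging,
# user-space pointers are "canonical" with bits 63..47 clear. A faulting
# address such as 0x0080195e38ce6b98 has a single stray bit above bit 47, and
# clearing it yields a plausible user-space address, which is the pattern a
# "possible bit flip" flag is meant to catch.
USER_CANONICAL_BITS = 47          # user addresses are < 2**47 on x86-64
NEAR_NULL_LIMIT = 0x10000         # assumed threshold for "near null" faults


def is_canonical_user(addr: int) -> bool:
    """True if addr lies in the canonical user-space half of x86-64."""
    return 0 <= addr < (1 << USER_CANONICAL_BITS)


def single_bit_flip_candidates(addr: int) -> list[tuple[int, int]]:
    """List (bit, repaired_addr) for each high bit whose clearing alone turns a
    non-canonical faulting address into a canonical user-space one. Canonical
    addresses, and addresses needing several bits cleared, yield []."""
    if is_canonical_user(addr):
        return []
    candidates = []
    for bit in range(USER_CANONICAL_BITS, 64):
        if addr & (1 << bit):
            repaired = addr & ~(1 << bit)
            if is_canonical_user(repaired):
                candidates.append((bit, repaired))
    return candidates


def classify(addr: int) -> str:
    """Coarse bucket for a faulting address, in the order a triager checks."""
    if 0 <= addr < NEAR_NULL_LIMIT:
        return "null-or-near-null"
    if is_canonical_user(addr):
        return "canonical-user"
    if single_bit_flip_candidates(addr):
        return "possible-bit-flip"
    return "not-user-space"          # kernel half or multi-bit corruption


if __name__ == "__main__":
    # Constructed sample set: the address from the comment above, the frame
    # address from the stack, a near-null read, and a kernel-half address.
    for addr in (0x0080195E38CE6B98, 0x0000014BC12A7E01, 0x8, 0xFFFF800000001234):
        fixes = [f"bit {b} -> {hex(r)}" for b, r in single_bit_flip_candidates(addr)]
        print(f"{addr:#018x}  {classify(addr):<18} {fixes}")
```

For the address in the comment the only candidate is bit 55, and clearing it leaves 0x195e38ce6b98, which sits in the same region as the JIT frame address in the stack.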

This code is very hot; for example, it runs every time C++ code calls a JS script. If we were getting our bookkeeping systematically wrong here, we would probably see it in fuzzing. The crashes do not appear to be associated with any URL in particular. Over the last six months, 931/2204 crashes with this signature are flagged for possible bitflips. I don't see anything actionable here.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID