Closed Bug 1905457 Opened 3 months ago Closed 2 months ago

Crash in [@ JSExternalString::finalize]

Categories

(Core :: JavaScript: GC, defect, P5)

Other
All
defect

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox129 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 3 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/31a1fa58-5873-4796-b6a9-ef9c20240614

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  JSExternalString::finalize  js/src/vm/StringType-inl.h:797
0  xul.dll  js::gc::Arena::finalize  js/src/gc/Sweeping.cpp:133
0  xul.dll  FinalizeTypedArenas  js/src/gc/Sweeping.cpp:200
0  xul.dll  FinalizeArenas  js/src/gc/Sweeping.cpp:231
1  xul.dll  js::gc::GCRuntime::backgroundFinalize  js/src/gc/Sweeping.cpp:270
2  xul.dll  js::gc::GCRuntime::sweepBackgroundThings  js/src/gc/Sweeping.cpp:348
2  xul.dll  js::gc::GCRuntime::sweepFromBackgroundThread  js/src/gc/Sweeping.cpp:425
2  xul.dll  js::gc::BackgroundSweepTask::run  js/src/gc/Sweeping.cpp:416
3  xul.dll  js::GCParallelTask::runTask  js/src/gc/GCParallelTask.cpp:218
4  xul.dll  js::GCParallelTask::runHelperThreadTask  js/src/gc/GCParallelTask.cpp:200

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-05-01
  • Process type: Multiple distinct types
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: No
  • Is use after free crash: Yes - 1 out of 5 crashes happened on or near an allocator poison value

These are crashes with this signature going back the full 6 month Socorro data window.

In the last week I only see one with a poison-looking address (x4b4b), and that's in ESR115.11:
bp-86dcafda-7913-41e4-b716-77df50240627

Likely multiple causes/bugs lead to conditions that trip up GC in this spot, and the real bugs could be far distant from here.

Group: core-security → javascript-core-security
Component: General → JavaScript: GC
Blocks: GCCrashes

Given that this is a low volume, that we have multiple bit poisoning such as 0x4b and 0xe5.
Thus it is most likely something wrong happening ahead of this issue …
and most likely a hardware issue …

Then if Jon manages to find something with this issue, I would be happy to be proven wrong.

Severity: -- → S4
Priority: -- → P5
Keywords: stalled

There's a 127.0a1 crash with a poison value that does not show obvious evidence of memory hardware issues
bp-1d439beb-7346-43a7-ae85-458c00240509

A quarter of the crashes do seem to exhibit failing memory, but there's still a bunch of legit crashes here. But only very very few with a definitive poison value of some kind. I agree w/McCreight that this is not going to be a useful bug.

Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled