Crash in [@ JSExternalString::finalize]
Categories
(Core :: JavaScript: GC, defect, P5)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox129 | --- | affected |
People
(Reporter: release-mgmt-account-bot, Unassigned)
References
(Blocks 3 open bugs)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/31a1fa58-5873-4796-b6a9-ef9c20240614
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll JSExternalString::finalize js/src/vm/StringType-inl.h:797
0 xul.dll js::gc::Arena::finalize js/src/gc/Sweeping.cpp:133
0 xul.dll FinalizeTypedArenas js/src/gc/Sweeping.cpp:200
0 xul.dll FinalizeArenas js/src/gc/Sweeping.cpp:231
1 xul.dll js::gc::GCRuntime::backgroundFinalize js/src/gc/Sweeping.cpp:270
2 xul.dll js::gc::GCRuntime::sweepBackgroundThings js/src/gc/Sweeping.cpp:348
2 xul.dll js::gc::GCRuntime::sweepFromBackgroundThread js/src/gc/Sweeping.cpp:425
2 xul.dll js::gc::BackgroundSweepTask::run js/src/gc/Sweeping.cpp:416
3 xul.dll js::GCParallelTask::runTask js/src/gc/GCParallelTask.cpp:218
4 xul.dll js::GCParallelTask::runHelperThreadTask js/src/gc/GCParallelTask.cpp:200
By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:
- First crash report: 2024-05-01
- Process type: Multiple distinct types
- Is startup crash: No
- Has user comments: No
- Is null crash: No
- Is use after free crash: Yes - 1 out of 5 crashes happened on or near an allocator poison value
Comment 1 • 3 months ago
These are crashes with this signature going back the full 6 month Socorro data window.
In the last week I only see one with a poison-looking address (x4b4b), and that's in ESR115.11:
bp-86dcafda-7913-41e4-b716-77df50240627
Likely multiple causes/bugs lead to conditions that trip up GC in this spot, and the real bugs could be far distant from here.
Comment 2 • 3 months ago
Given that this is a low volume, that we have multiple bit poisoning such as 0x4b and 0xe5.
Thus it is most likely something wrong happening ahead of this issue …
and most likely a hardware issue …
Then if Jon manages to find something with this issue, I would be happy to be proven wrong.
Comment 3 • 2 months ago
There's a 127.0a1 crash with a poison value that does not show obvious evidence of memory hardware issues
bp-1d439beb-7346-43a7-ae85-458c00240509
A quarter of the crashes do seem to exhibit failing memory, but there's still a bunch of legit crashes here. But only very very few with a definitive poison value of some kind. I agree w/McCreight that this is not going to be a useful bug.
Comment 4 • 2 months ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.
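The "on or near an allocator poison value" check from the crash summary, sketched as an added example (not code from Bugzilla, BugBot or Socorro): it tests a crash address against the two poison bytes named in the comments, 0x4b and 0xe5. The repeated-byte fill, the pointer widths, the 0x1000 "near" window and the sample addresses are assumptions constructed for illustration.

```python
# Added illustration: classify crash addresses as on/near a poison fill pattern.
# The poison bytes are the two named in the thread; everything else is assumed.
POISON_BYTES = (0x4B, 0xE5)
WIDTHS = (4, 8)          # assumed pointer sizes in bytes (32- and 64-bit builds)
NEAR_WINDOW = 0x1000     # assumed: "near" = within 4 KiB of the pure pattern


def fill_word(byte, nbytes):
    """Pointer-sized word with every byte set to the poison byte."""
    return int.from_bytes(bytes([byte]) * nbytes, "big")


def classify_address(addr):
    """Return verdict, matching poison byte and signed distance from the pattern."""
    best = None
    for byte in POISON_BYTES:
        for nbytes in WIDTHS:
            delta = addr - fill_word(byte, nbytes)
            if abs(delta) <= NEAR_WINDOW and (best is None or abs(delta) < abs(best[1])):
                best = (byte, delta)
    if best is None:
        return {"verdict": "no-poison", "byte": None, "delta": None}
    byte, delta = best
    verdict = "poison" if delta == 0 else "near-poison"
    return {"verdict": verdict, "byte": byte, "delta": delta}


def summarize(addresses):
    """Count how many addresses are on or near a poison value."""
    hits = sum(classify_address(a)["verdict"] != "no-poison" for a in addresses)
    return hits, len(addresses)


# Constructed sample addresses (not taken from any crash report).
SAMPLE = [
    0xE5E5E5E5E5E5E5F5,  # poisoned pointer plus a 0x10 field offset
    0x00007FF6A1B2C3D8,  # ordinary-looking user-space address
    0x0000000000000018,  # small offset from null
    0x000001F3A0C2E108,  # ordinary-looking heap address
    0xFFFFFFFFFFFFFFFF,  # all-ones address
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:#018x} -> {classify_address(a)}")
    hits, total = summarize(SAMPLE)
    print(f"{hits} out of {total} on or near a poison value")
```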