Open Bug 1905557 Opened 1 year ago Updated 1 year ago

Crash in [@ JSScript::getString]

Categories

(Core :: JavaScript Engine: JIT, defect, P5)

Other
Linux
defect

Tracking

Tracking Status
firefox129 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/b3f84552-44da-45ec-8c5e-7d4f80240625

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(idx < storage_.size())

Top 10 frames of crashing thread:

0  libxul.so  mozilla::Span<JS::GCCellPtr const,  const  mfbt/Span.h:755
0  libxul.so  JSScript::getString const  js/src/vm/JSScript.h:2034
0  libxul.so  JSScript::getString const  js/src/vm/JSScript.h:2040
0  libxul.so  js::jit::BaselineCodeGen<js::jit::BaselineCompilerHandler>::emit_String  js/src/jit/BaselineCodeGen.cpp:2491
0  libxul.so  js::jit::BaselineCompiler::emitBody  js/src/jit/BaselineCodeGen.cpp:6612
1  libxul.so  js::jit::BaselineCompiler::compile  js/src/jit/BaselineCodeGen.cpp:245
2  libxul.so  js::jit::BaselineCompile  js/src/jit/BaselineJIT.cpp:231
3  libxul.so  CanEnterBaselineJIT  js/src/jit/BaselineJIT.cpp:332
3  libxul.so  js::jit::BaselineCompileFromBaselineInterpreter  js/src/jit/BaselineJIT.cpp:478
4  ?  @0x0000042e0cab852f  

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-05-19
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - all crashes happened on a null or near-null memory address

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine: JIT' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine: JIT

Looking at crashes, based on the volume there is nothing to look at, and based on the alignment of some of the crash addresses (except for a majority of nullptr / assertion), this looks like we are walking over unmapped memory and falling into unmapped memory.

So a corrupted pointer for the string, or a corrupted length.
Nothing that we can investigate from this issue.

One remark, there is a peak at 86 crashes, but crash-stats only reports 68 crashes in total over the past 6 months :/

Severity: -- → S4
Priority: -- → P5