Open Bug 1928445 Opened 1 month ago Updated 12 days ago

Crash in [@ js::frontend::RewritingParseNodeVisitor<T>::visit]

Categories

(Core :: JavaScript Engine, defect, P5)

Unspecified
All
defect

Tracking

()

Tracking Status
firefox-esr115 --- affected
firefox-esr128 --- affected
firefox132 --- affected
firefox133 --- affected
firefox134 --- affected

People

(Reporter: aryx, Unassigned, NeedInfo)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, topcrash, topcrash-startup)

Crash Data

Not a new signature. >1k crashes for desktop and Android for the v131 release cycle.

Crash report: https://crash-stats.mozilla.org/report/index/61f586ba-1964-4f40-bec1-ddd750241031

MOZ_CRASH Reason:

MOZ_CRASH(invalid node kind)

Top 10 frames:

0  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit(js::frontend::Par...  js/src/frontend/ParseNodeVisitor.h:118
1  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit(js::frontend::Par...  js/src/frontend/ParseNodeVisitor.h:115
2  xul.dll  js::frontend::ListNode::accept(FoldVisitor&)  js/src/frontend/ParseNode.h:1235
2  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visitArguments(js::fron...  js/src/frontend/ParseNodeVisitor.h:129
2  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit(js::frontend::Par...  js/src/frontend/ParseNodeVisitor.h:115
3  xul.dll  js::frontend::ListNode::accept(FoldVisitor&)  js/src/frontend/ParseNode.h:1235
3  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visitOrExpr(js::fronten...  js/src/frontend/ParseNodeVisitor.h:129
3  xul.dll  FoldVisitor::visitOrExpr(js::frontend::ParseNode*&)  js/src/frontend/FoldConstants.cpp:1426
3  xul.dll  js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit(js::frontend::Par...  js/src/frontend/ParseNodeVisitor.h:115
4  xul.dll  js::frontend::ListNode::accept(FoldVisitor&)  js/src/frontend/ParseNode.h:1235

This is most likely a memory corruption of the enumerated value which makes us take a branch which is crashing.

However, after some discussion about the graph visible at [Crash Data > signature > (drop down) beta] in this bug, we cannot completely exclude the possibility of a beta-werewolf bit flipping bug, especially given the correlation with the full moon, as of November 2024, with the past 6 months of history.

Severity: -- → S4
Priority: -- → P5

Damn, the werewolf bug hypothesis did not hold that long …

We have a MOZ_RELEASE_ASSERT conditioned on EARLY_BETA_OR_EARLIER, which likely makes the failure happen sooner in one of these assertions rather than in the switch case as a bad input (this bug).

See Also: → 1547561
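
The failure mode discussed in the comments above, as an added example that is not part of the bug report or of Mozilla's code: a miniature visitor showing where a corrupted node kind is caught with and without an early range assertion, and how many single-bit flips of a valid kind pass as another valid kind. The `NodeKind` enum, its values, and the names `visit`, `isValidKind` and `flipEachBit` are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical miniature of a parse-node kind enum (constructed values,
// not SpiderMonkey's real list).
enum class NodeKind : uint16_t {
  Number = 1000, String, OrExpr, Arguments,
  Limit  // one past the last valid kind
};
constexpr uint16_t kStart = 1000;
constexpr uint16_t kLimit = static_cast<uint16_t>(NodeKind::Limit);

enum class Outcome { Dispatched, EarlyAssert, SwitchDefault };

bool isValidKind(uint16_t raw) { return raw >= kStart && raw < kLimit; }

// earlyCheck models a range assertion compiled in only on some channels;
// without it the bad value travels on to the dispatch switch.
Outcome visit(uint16_t raw, bool earlyCheck) {
  if (earlyCheck && !isValidKind(raw)) return Outcome::EarlyAssert;
  switch (static_cast<NodeKind>(raw)) {
    case NodeKind::Number:
    case NodeKind::String:
    case NodeKind::OrExpr:
    case NodeKind::Arguments:
      return Outcome::Dispatched;
    default:
      return Outcome::SwitchDefault;  // the "invalid node kind" crash site
  }
}

struct FlipStats { int detected; int silent; };

// Flip each of the 16 bits of a valid kind once and classify the result.
FlipStats flipEachBit(NodeKind kind) {
  FlipStats s{0, 0};
  for (int bit = 0; bit < 16; ++bit) {
    uint16_t raw = static_cast<uint16_t>(static_cast<uint16_t>(kind) ^ (1u << bit));
    if (visit(raw, false) == Outcome::Dispatched) ++s.silent;  // wrong but valid kind
    else ++s.detected;                                         // out of range
  }
  return s;
}

int main() {
  FlipStats s = flipEachBit(NodeKind::OrExpr);
  std::printf("detected=%d silent=%d\n", s.detected, s.silent);
  return 0;
}
```

A flip that lands on another valid kind is dispatched to the wrong visitor and reaches neither the assertion nor the switch default, so crash counts under this signature only reflect the out-of-range cases.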

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 20 desktop browser crashes on release (startup)

:willyelm, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(wmedina)