Crash in [@ js::frontend::RewritingParseNodeVisitor<T>::visit]
Categories
(Core :: JavaScript Engine, defect, P5)
People
(Reporter: aryx, Unassigned, NeedInfo)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, topcrash, topcrash-startup)
Crash Data
Not a new signature. >1k crashes for desktop and Android for the v131 release cycle.
Crash report: https://crash-stats.mozilla.org/report/index/61f586ba-1964-4f40-bec1-ddd750241031
MOZ_CRASH Reason:
MOZ_CRASH(invalid node kind)
Top 10 frames:
0 xul.dll js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit(js::frontend::Par... js/src/frontend/ParseNodeVisitor.h:118
1 xul.dll js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit(js::frontend::Par... js/src/frontend/ParseNodeVisitor.h:115
2 xul.dll js::frontend::ListNode::accept(FoldVisitor&) js/src/frontend/ParseNode.h:1235
2 xul.dll js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visitArguments(js::fron... js/src/frontend/ParseNodeVisitor.h:129
2 xul.dll js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit(js::frontend::Par... js/src/frontend/ParseNodeVisitor.h:115
3 xul.dll js::frontend::ListNode::accept(FoldVisitor&) js/src/frontend/ParseNode.h:1235
3 xul.dll js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visitOrExpr(js::fronten... js/src/frontend/ParseNodeVisitor.h:129
3 xul.dll FoldVisitor::visitOrExpr(js::frontend::ParseNode*&) js/src/frontend/FoldConstants.cpp:1426
3 xul.dll js::frontend::RewritingParseNodeVisitor<FoldVisitor>::visit(js::frontend::Par... js/src/frontend/ParseNodeVisitor.h:115
4 xul.dll js::frontend::ListNode::accept(FoldVisitor&) js/src/frontend/ParseNode.h:1235
Comment 1•22 days ago
This is most likely a memory corruption of the enumerated value which makes us take a branch which is crashing.
However, after some discussion about the graph visible at [Crash Data > signature > (drop down) beta] in this bug, we cannot completely exclude the possibility of a beta-werewolf bit flipping bug, especially given the correlation with the Full moon, as of November 2024, with the past 6 months of history.
Comment 2•22 days ago
Damn, the werewolf bug hypothesis did not hold that long …
We have a MOZ_RELEASE_ASSERT conditioned on EARLY_BETA_OR_EARLIER, which likely makes the failure happen sooner in one of these assertions rather than in the switch case as a bad input (this bug).
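An added example, not part of the bug thread or Mozilla's code: a simplified C++ model of the two places Comment 2 describes a corrupted node kind surfacing. All names (NodeKind, visit, visitAfterBitFlip) are hypothetical, and treating the early assertion as a range check on the kind is an assumption.

```cpp
#include <cstdint>
#include <cstring>

// Hypothetical, simplified model; these are not SpiderMonkey's definitions.
enum class NodeKind : uint16_t { Start = 1000, Number = Start, OrExpr, Arguments, Limit };

struct Node {
    NodeKind kind;
    Node* kids[2];
};

enum class Outcome { Ok, CaughtByEarlyAssert, CaughtBySwitchDefault };

static bool kindInRange(NodeKind k) {
    return k >= NodeKind::Start && k < NodeKind::Limit;
}

// earlyAssert models a build where the range assertion is compiled in
// (assumed here to be a bounds check on the kind).
Outcome visit(const Node* n, bool earlyAssert) {
    if (!n) return Outcome::Ok;
    if (earlyAssert && !kindInRange(n->kind)) return Outcome::CaughtByEarlyAssert;
    switch (n->kind) {
        case NodeKind::Number:
            return Outcome::Ok;
        case NodeKind::OrExpr:
        case NodeKind::Arguments:
            for (const Node* kid : n->kids) {
                Outcome o = visit(kid, earlyAssert);
                if (o != Outcome::Ok) return o;
            }
            return Outcome::Ok;
        default:  // stands in for MOZ_CRASH(invalid node kind)
            return Outcome::CaughtBySwitchDefault;
    }
}

// Build OrExpr -> Arguments -> Number (constructed sample tree), flip one bit
// of the leaf's stored kind, then run the visitor over the tree.
Outcome visitAfterBitFlip(unsigned bit, bool earlyAssert) {
    Node num{NodeKind::Number, {nullptr, nullptr}};
    Node args{NodeKind::Arguments, {&num, nullptr}};
    Node orExpr{NodeKind::OrExpr, {&args, nullptr}};
    uint16_t raw;
    std::memcpy(&raw, &num.kind, sizeof raw);
    raw ^= static_cast<uint16_t>(1u << bit);
    std::memcpy(&num.kind, &raw, sizeof raw);
    return visit(&orExpr, earlyAssert);
}
```

In this model a flip of bit 0 turns Number into OrExpr, which is still a valid kind, so neither check fires; a range check only catches corruption that leaves the enum's range.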
Comment 3•12 days ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 20 desktop browser crashes on release (startup)
:willyelm, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.