Open Bug 1939071 Opened 1 month ago Updated 16 days ago

Crash in [@ js::jit::BacktrackingAllocator::installAllocationsInLIR]

Tracking

()

Status:

NEW

Tracking Flags:

Tracking

Status

firefox135

---

affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

BugBot [:suhaib / :marco/ :calixte]

Reporter

Description

•

1 month ago

Crash report: https://crash-stats.mozilla.org/report/index/aae3597a-53d7-4295-b50d-f7b520240916

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  js::jit::BacktrackingAllocator::installAllocationsInLIR  js/src/jit/BacktrackingAllocator.cpp:4077
1  libxul.so  js::jit::BacktrackingAllocator::go  js/src/jit/BacktrackingAllocator.cpp:4669
2  libxul.so  js::jit::GenerateLIR  js/src/jit/Ion.cpp:1578
3  libxul.so  js::jit::CompileBackEnd  js/src/jit/Ion.cpp:1636
4  libxul.so  js::jit::IonCompileTask::runTask  js/src/jit/IonCompileTask.cpp:52
4  libxul.so  js::jit::IonCompileTask::runHelperThreadTask  js/src/jit/IonCompileTask.cpp:30
5  libxul.so  js::GlobalHelperThreadState::runTaskLocked  js/src/vm/HelperThreads.cpp:650
5  libxul.so  js::GlobalHelperThreadState::runOneTask  js/src/vm/HelperThreads.cpp:606
5  libxul.so  JS::RunHelperThreadTask  js/src/vm/HelperThreads.cpp:595
5  libxul.so  HelperThreadTaskHandler::Run  js/xpconnect/src/XPCJSContext.cpp:1133

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

First crash report: 2024-10-16
Process type: Content
Is startup crash: No
Has user comments: No
Is null crash: No

BugBot [:suhaib / :marco/ :calixte]

Reporter

Comment 1

•

1 month ago

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript Engine: JIT' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → JavaScript Engine: JIT

Nicolas B. Pierron [:nbp]

Comment 2

•

23 days ago

There is indeed a spike starting with 133.0.3.
Strangely enough the bit-flip probability is not low for 8 - 10 of the 14 crashes on 133.0.3.

Jan, maybe you would have some insight on why this corner might have becomed more popular (among bit-flipping reasons)?

Blocks: sm-opt-jits

Severity: -- → S4

Flags: needinfo?(jdemooij)

Priority: -- → P3

Jan de Mooij [:jandem]

Comment 3

•

16 days ago

If I look at all crashes from the last 6 months, this signature has been stable with ~5-10 crashes per day:

https://crash-stats.mozilla.org/signature/?product=Firefox&signature=js%3A%3Ajit%3A%3ABacktrackingAllocator%3A%3AinstallAllocationsInLIR&date=%3E%3D2024-07-14T15%3A04%3A00.000Z&date=%3C2025-01-14T15%3A04%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1#graphs

URLs look pretty random. This could be memory corruption.

Flags: needinfo?(jdemooij)

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Crash in [@ js::jit::BacktrackingAllocator::installAllocationsInLIR]

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Tracking

()

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2

Comment 3