Closed Bug 1940692 Opened 2 months ago Closed 2 months ago

Linux arm64 startup Crash in [@ js::gc::CheckDecommit]

Categories

(Core :: JavaScript: GC, defect, P1)

Product:
Core
Component:
JavaScript: GC
Platform:
ARM64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
136 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- unaffected
firefox136 + fixed

People

(Reporter: aryx, Assigned: jonco)

References

(Regression)

Details

(4 keywords)

Crash Data

Attachments

(2 files)

Bug 1940692 - Part 1: Don't decommit any buffer memory if decommit is disabled r?sfink
48 bytes, text/x-phabricator-request
Details | Review
Bug 1940692 - Part 2: Add a test that collects buffers with decommit disabled r?sfink
48 bytes, text/x-phabricator-request
Details | Review

33 crashes from 7+ installs of Firefox 136.0a1 with lowest build ID 20250108093633. CPU architecture is arm64, OS is Linux, often Fedora Linux Asahi. The crash is registered on startup.

Regression from bug 1934856?

Crash report: https://crash-stats.mozilla.org/report/index/119c4041-c9df-4fe8-9612-66d380250109

MOZ_CRASH Reason:

MOZ_RELEASE_ASSERT(OffsetFromAligned(region, pageSize) == 0)

Top 10 frames:

0  libxul.so  js::gc::CheckDecommit(void*, unsigned long)  js/src/gc/Memory.cpp:831
0  libxul.so  js::gc::MarkPagesUnusedSoft(void*, unsigned long)  js/src/gc/Memory.cpp:837
1  libxul.so  js::gc::BufferAllocator::addSweptRegion(js::gc::BufferChunk*, unsigned long, ...  js/src/gc/BufferAllocator.cpp:1833
2  libxul.so  js::gc::BufferAllocator::sweepChunk(js::gc::BufferChunk*, js::gc::BufferAlloc...  js/src/gc/BufferAllocator.cpp:1803
3  libxul.so  js::gc::BufferAllocator::sweepForMajorCollection(bool)  js/src/gc/BufferAllocator.cpp:1109
4  libxul.so  js::gc::GCRuntime::sweepBackgroundThings(js::gc::ZoneList&)  js/src/gc/Sweeping.cpp:400
4  libxul.so  js::gc::GCRuntime::sweepFromBackgroundThread(js::AutoLockHelperThreadState&)  js/src/gc/Sweeping.cpp:453
4  libxul.so  js::gc::BackgroundSweepTask::run(js::AutoLockHelperThreadState&)  js/src/gc/Sweeping.cpp:444
5  libxul.so  js::GCParallelTask::runTask(JS::GCContext*, js::AutoLockHelperThreadState&)  js/src/gc/GCParallelTask.cpp:218
6  libxul.so  js::GCParallelTask::runFromMainThread(js::AutoLockHelperThreadState&)  js/src/gc/GCParallelTask.cpp:174
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard

Bug 1934856 broke arm64 Linux on Apple hardware and other systems where the system page size doesn't match the compiled in value.

Flags: needinfo?(jcoppeard)
Keywords: regression
Regressed by: 1934856

This required adding a way of disabling decommit in the shell.

Duplicate of this bug: 1940408
Duplicate of this bug: 1941143

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly (startup)

For more information, please visit BugBot documentation.

Keywords: topcrash, topcrash-startup
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e3f2eed01249 Part 1: Don't decommit any buffer memory if decommit is disabled r=sfink https://hg.mozilla.org/integration/autoland/rev/c4f26c26393a Part 2: Add a test that collects buffers with decommit disabled r=sfink

https://hg.mozilla.org/mozilla-central/rev/e3f2eed01249
https://hg.mozilla.org/mozilla-central/rev/c4f26c26393a

Status: NEW → RESOLVED
Closed: 2 months ago
status-firefox136: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch
Severity: -- → S3
Priority: -- → P1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: