930307 - crash in mozilla::HashBytes(void const*, unsigned int)

Status: ASSIGNED

(Core :: JavaScript Engine, defect)

Description

[Kevin Brosnan [Ex-Mozilla]]

This bug was filed from the Socorro interface and is 
report bp-c5fb66eb-a40c-4c08-abf5-b6f532131022.
=============================================================

Not sure how I hit this. Crashed while on cnn.com while running on a Galaxy SII GT-I9100.


0 	libmozglue.so 	mozilla::HashBytes(void const*, unsigned int) 	mfbt/HashFunctions.cpp
1 	libxul.so 	SaveSharedScriptData 	js/src/jsscript.h
2 	libxul.so 	JSScript::fullyInitFromEmitter(js::ExclusiveContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) 	js/src/jsscript.cpp
3 	libxul.so 	js::frontend::EmitFunctionScript(js::ExclusiveContext*, js::frontend::BytecodeEmitter*, js::frontend::ParseNode*) 	js/src/frontend/BytecodeEmitter.cpp
4 	libxul.so 	js::frontend::CompileLazyFunction(JSContext*, js::LazyScript*, char16_t const*, unsigned int) 	js/src/frontend/BytecodeCompiler.cpp
5 	libxul.so 	JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) 	js/src/jsfun.cpp
6 	libxul.so 	JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>) 	js/src/jsfun.h
7 	libxul.so 	Interpret 	js/src/jsfun.h
8 	libxul.so 	js::RunScript 	js/src/vm/Interpreter.cpp
9 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
10 	libxul.so 	js_fun_apply(JSContext*, unsigned int, JS::Value*) 	js/src/jsfun.cpp
11 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
12 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
13 	libxul.so 	js::RunScript 	js/src/vm/Interpreter.cpp
14 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
15 	libxul.so 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
16 	libxul.so 	JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) 	js/src/jsapi.cpp
17 	libxul.so 	mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JSObject*>, nsDOMEvent&, mozilla::ErrorResult&) 	obj-firefox/dom/bindings/EventListenerBinding.cpp
18 	libxul.so 	void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, nsDOMEvent&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling) 	obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h
19 	libxul.so 	nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) 	content/events/src/nsEventListenerManager.cpp
20 	libxul.so 	nsEventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) 	content/events/src/nsEventListenerManager.cpp
21 	libxul.so 	nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, ELMCreationDetector&, nsCxPusher*) 	content/events/src/nsEventListenerManager.h
22 	libxul.so 	nsEventTargetChainItem::HandleEventTargetChain(nsTArray<nsEventTargetChainItem>&, nsEventChainPostVisitor&, nsDispatchingCallback*, ELMCreationDetector&, nsCxPusher*) 	content/events/src/nsEventDispatcher.cpp
23 	libxul.so 	nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) 	content/events/src/nsEventDispatcher.cpp
24 	libxul.so 	nsEventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) 	content/events/src/nsEventDispatcher.cpp
25 	libxul.so 	nsINode::DispatchEvent(nsIDOMEvent*, bool*) 	content/base/src/nsINode.cpp
26 	libxul.so 	nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) 	content/base/src/nsContentUtils.cpp
27 	libxul.so 	nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) 	content/base/src/nsContentUtils.cpp
28 	libxul.so 	nsDocument::DispatchContentLoadedEvents() 	content/base/src/nsDocument.cpp
29 	libxul.so 	nsRunnableMethodImpl<tag_nsresult (mozilla::dom::NotificationPermissionRequest::*)(), void, true>::Run() 	obj-firefox/dist/include/nsThreadUtils.h
30 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
31 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
32 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
33 	libxul.so 	MessageLoop::RunInternal() 	ipc/chromium/src/base/message_loop.cc
34 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
35 	libxul.so 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
36 	libxul.so 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
37 	libxul.so 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
38 	libxul.so 	XREMain::XRE_main(int, char**, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
39 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp
40 	libxul.so 	GeckoStart 	toolkit/xre/nsAndroidStartup.cpp
41 	libmozglue.so 	Java_org_mozilla_gecko_mozglue_GeckoLoader_nativeRun 	mozglue/android/APKOpen.cpp
42 	libdvm.so 	dvmPlatformInvoke 	
43 	libdvm.so 	dvmCallJNIMethod_general 	
44 	libdvm.so 	dvmResolveNativeMethod 	
45 	libdvm.so 	dvmAsmSisterStart 	
46 	libdvm.so 	dvmMterpStd 	
47 	libdvm.so 	dvmInterpret 	
48 	libdvm.so 	dvmCallMethodV 	
49 	libdvm.so 	dvmCallMethod 	
50 	libdvm.so 	dvmDetachCurrentThread 	
51 	libc.so 	__thread_entry 	
52 	libc.so 	pthread_create

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Crash volume for signature 'mozilla::HashBytes':
 - nightly (version 51): 0 crashes from 2016-08-01.
 - aurora  (version 50): 3 crashes from 2016-08-01.
 - beta    (version 49): 2 crashes from 2016-08-02.
 - release (version 48): 19 crashes from 2016-07-25.
 - esr     (version 45): 14 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       0       0       0
 - aurora        0       3       0
 - beta          0       2       0
 - release       6       2       1
 - esr           1       5       0

Affected platforms: Windows, Linux

Crash rank on the last 7 days:
           Browser     Content   Plugin
 - nightly
 - aurora
 - beta
 - release #1750
 - esr

Comment 2

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Are the recent failures a regression from bug 1688886? Firefox 87 has a few hundred crash reports, 88.0 a single crash report and 89.0b2 has 7.

Comment 3

[Tooru Fujisawa [:arai]]

Given that several case hits the crash in ScriptPreloader's DecodeMultiOffThreadScripts, it's likely bug 1688886 caused the issue,

The change is orthogonal to other Stencil or XDR changes, so we could try backout/uplift and see if it helps.

anyway I'll investigate more.

Comment 4

[Pascal Chevrel:pascalc (PTO until Sept 2)]

This crash has grown in volume on desktop release channel from ~20 a day to >100 a day since June 1st which corresponds to 89 shipping date.

Comment 5

[Matthew Gaudet (he/him) [:mgaudet]]

Bug 1710984 seems to have potentially alleviated this, so we could potentially uplift that change

Comment 6

[Julien Cristau [:jcristau]]

It'd have been clearer from a tracking pov if comment 2 had been a new bug. Anyway, I guess we can see what happens after 91 moves to beta next week.

Comment 7

[Marco Castelluccio [:marco]]

The volume seems to be low, should we decrease the severity?

Comment 8

[Will Medina [:willyelm]]

Crashes are significantly decreasing since last month https://crash-stats.mozilla.org/signature/?signature=mozilla%3A%3AHashBytes&date=%3E%3D2023-02-21T16%3A43%3A00.000Z&date=%3C2023-03-21T16%3A43%3A00.000Z#summary, lowering the bug severity.