Closed Bug 1446907 Opened 7 years ago Closed 7 years ago

Crash in static void js::jit::PatchJump

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
Unspecified
Windows 7
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 + fixed

People

(Reporter: calixte, Assigned: jandem)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-2cb24fcb-00a0-47db-be30-50a770180316. ============================================================= Top 6 frames of crashing thread: 0 xul.dll static void js::jit::PatchJump js/src/jit/x64/Assembler-x64.h:1126 1 xul.dll js::jit::JitZoneGroup::patchIonBackedges js/src/jit/Ion.cpp:425 2 xul.dll js::jit::InterruptCheck js/src/jit/VMFunctions.cpp:564 3 @0x207dcbf4acf 4 xul.dll js::NativeObject::growSlotsDontReportOOM js/src/vm/NativeObject.cpp:432 5 xul.dll xul.dll@0x415cac7 ============================================================= There are 59 crashes (from 14 installations) in nightly 61 starting with buildid 20180316100132. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1435360. [1] https://hg.mozilla.org/mozilla-central/rev?node=d8b27e30ef91
Flags: needinfo?(luke)
Version: 60 Branch → Trunk
I think the patch in question must've changed the signature for classification purposes. I see both "js::jit::PatchJump" and "static void js::jit::PatchJump" and the former has been a constant source of crashes for the last few months (and beyond): https://crash-stats.mozilla.com/signature/?signature=js%3A%3Ajit%3A%3APatchJump&date=%3E%3D2018-02-19T10%3A15%3A43.000Z&date=%3C2018-03-19T11%3A15%3A43.000Z#graphs
Flags: needinfo?(luke)
Steve: Can you get this triaged?
Flags: needinfo?(sdetar)
The current plan is to remove all this code in bug 1448887; it will fix these crashes. I can get to that tomorrow or next week.
Depends on: 1448887
(In reply to Luke Wagner [:luke] from comment #1) > I think the patch in question must've changed the signature for > classification purposes. I see both "js::jit::PatchJump" and "static void > js::jit::PatchJump" and the former has been a constant source of crashes for > the last few months (and beyond): This is certainly a factor, as the MSVC version changed injected all of these "static" things into signatures (I filed bug 1448957 for that). However, "js::jit::PatchJump" has only 51 crashes in the last week, across all branches, but "static void js::jit::PatchJump" has 219 crashes in the last week, just on Nightly, so it seems like the volume has greatly increased.
More specifically, this is the #2 top crash for the March 28th Windows Nightly builds.
There aren't a ton of URLs in these crashes, but I see about a half dozen different Twitch streams plus maybe another 10 Google Maps URLs.
This currently being worked on by :jandem. There is a patch created for 1448887 (dependency) that is currently being reviewed and when landed it is believed it will fix this bug also. (See comment 3 above).
Flags: needinfo?(sdetar)
Jan, can you take this?
Flags: needinfo?(jdemooij)
Priority: -- → P2
Fixed by bug 1448887.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Assignee: nobody → jdemooij
status-firefox61: affectedfixed
Target Milestone: --- → mozilla61
You need to log in before you can comment on or make changes to this bug.