Closed
Bug 1446907
Opened 7 years ago
Closed 7 years ago
Crash in static void js::jit::PatchJump
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla61
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox59 | --- | unaffected |
firefox60 | --- | unaffected |
firefox61 | + | fixed |
People
(Reporter: calixte, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression)
Crash Data
This bug was filed from the Socorro interface and is
report bp-2cb24fcb-00a0-47db-be30-50a770180316.
=============================================================
Top 6 frames of crashing thread:
0 xul.dll static void js::jit::PatchJump js/src/jit/x64/Assembler-x64.h:1126
1 xul.dll js::jit::JitZoneGroup::patchIonBackedges js/src/jit/Ion.cpp:425
2 xul.dll js::jit::InterruptCheck js/src/jit/VMFunctions.cpp:564
3 @0x207dcbf4acf
4 xul.dll js::NativeObject::growSlotsDontReportOOM js/src/vm/NativeObject.cpp:432
5 xul.dll xul.dll@0x415cac7
=============================================================
There are 59 crashes (from 14 installations) in nightly 61 starting with buildid 20180316100132. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1435360.
[1] https://hg.mozilla.org/mozilla-central/rev?node=d8b27e30ef91
Flags: needinfo?(luke)
Reporter | ||
Updated•7 years ago
|
Version: 60 Branch → Trunk
Comment 1•7 years ago
|
||
I think the patch in question must've changed the signature for classification purposes. I see both "js::jit::PatchJump" and "static void js::jit::PatchJump" and the former has been a constant source of crashes for the last few months (and beyond):
https://crash-stats.mozilla.com/signature/?signature=js%3A%3Ajit%3A%3APatchJump&date=%3E%3D2018-02-19T10%3A15%3A43.000Z&date=%3C2018-03-19T11%3A15%3A43.000Z#graphs
Flags: needinfo?(luke)
Assignee | ||
Comment 3•7 years ago
|
||
The current plan is to remove all this code in bug 1448887; it will fix these crashes. I can get to that tomorrow or next week.
Depends on: 1448887
Updated•7 years ago
|
tracking-firefox61:
--- → +
Comment 4•7 years ago
|
||
(In reply to Luke Wagner [:luke] from comment #1)
> I think the patch in question must've changed the signature for
> classification purposes. I see both "js::jit::PatchJump" and "static void
> js::jit::PatchJump" and the former has been a constant source of crashes for
> the last few months (and beyond):
This is certainly a factor, as the MSVC version changed injected all of these "static" things into signatures (I filed bug 1448957 for that). However, "js::jit::PatchJump" has only 51 crashes in the last week, across all branches, but "static void js::jit::PatchJump" has 219 crashes in the last week, just on Nightly, so it seems like the volume has greatly increased.
Comment 5•7 years ago
|
||
More specifically, this is the #2 top crash for the March 28th Windows Nightly builds.
Comment 6•7 years ago
|
||
There aren't a ton of URLs in these crashes, but I see about a half dozen different Twitch streams plus maybe another 10 Google Maps URLs.
Comment 7•7 years ago
|
||
This currently being worked on by :jandem. There is a patch created for 1448887 (dependency) that is currently being reviewed and when landed it is believed it will fix this bug also. (See comment 3 above).
Flags: needinfo?(sdetar)
Assignee | ||
Comment 9•7 years ago
|
||
Fixed by bug 1448887.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Updated•7 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•