Crash in [@ js::jit::JSJitProfilingFrameIterator::JSJitProfilingFrameIterator]
Categories
(Core :: JavaScript Engine: JIT, defect, P2)
Tracking
Version | Tracking | Status
---|---|---
firefox66 | --- | unaffected
firefox67 | --- | affected
firefox68 | --- | fix-optional
People
(Reporter: overholt, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, regression)
Crash Data
This bug is for crash report bp-1ac7566e-cc35-4d36-b8ff-981050190220.
Top 9 frames of crashing thread:
0 xul.dll js::jit::JSJitProfilingFrameIterator::JSJitProfilingFrameIterator js/src/jit/JSJitFrameIter.cpp:479
1 xul.dll JS::ProfilingFrameIterator::ProfilingFrameIterator js/src/vm/Stack.cpp:1793
2 xul.dll JS::ProfilingFrameIterator::ProfilingFrameIterator js/src/vm/Stack.cpp:1793
3 xul.dll static void MergeStacks tools/profiler/core/platform.cpp:1048
4 xul.dll static void DoSharedSample tools/profiler/core/platform.cpp:1570
5 xul.dll static unsigned int ThreadEntry tools/profiler/core/platform-win32.cpp:178
6 ucrtbase.dll thread_start<unsigned int >
7 kernel32.dll BaseThreadInitThunk
8 ntdll.dll RtlUserThreadStart
Comment 1•6 years ago
12 crashes/2 installs from the 2-19 build.
The other installation was Anthony.
Glad to see that crash reporting is at least partially working now!
Comment 3•6 years ago
I wonder if this is related at all to Bug 1506329, Bug 1513897.
Updated•6 years ago
At line 473 we set fp_ to some inaccessible piece of memory: https://hg.mozilla.org/mozilla-central/annotate/dd4aa59c6a1271cbf6ca10813d73f62e7cb072d5/js/src/jit/JSJitFrameIter.cpp#l473
Then the tryInitWithPc at 479 calls frameScript(), which eventually derefs fp_.
Are we sure that the MOZ_ASSERT(cx->profilingActivation()->isJit()); would have succeeded if this were a debug build?
Updated•6 years ago
Comment 5•6 years ago
Moving to P2 as we would look at crash issues after fuzz-bugs unless they are high volume.
Comment 6•5 years ago
Closing because no crashes reported for 12 weeks.
Comment 7•5 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.