Closed Bug 1677087 Opened 4 years ago Closed 2 years ago

Startup Crash in [@ js::frontend::CompilationInfo::instantiateStencilsAfterPreparation]

Categories

(Core :: JavaScript Engine, defect, P5)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: aryx, Assigned: arai)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

2 crashes on 2 devices, both with Firefox 840a1, older one with 20201105045247

Crash report: https://crash-stats.mozilla.org/report/index/cae4bc14-3c15-4dcb-9c8c-d08e50201106

MOZ_CRASH Reason: MOZ_CRASH(ParserAtom should already be instantiatedd)

Top 9 frames of crashing thread:

0 xul.dll js::frontend::CompilationInfo::instantiateStencilsAfterPreparation js/src/frontend/Stencil.cpp:694
1 xul.dll js::frontend::InstantiateStencils js/src/frontend/BytecodeCompiler.cpp:330
2 xul.dll ScriptParseTask<mozilla::Utf8Unit>::parse js/src/vm/HelperThreads.cpp:698
3 xul.dll js::ParseTask::runHelperThreadTask js/src/vm/HelperThreads.cpp:613
4 xul.dll static js::HelperThread::ThreadMain js/src/vm/HelperThreads.cpp:2362
5 xul.dll static js::detail::ThreadTrampoline<void  js/src/threading/Thread.h:206
6 ucrtbase.dll thread_start<unsigned int , 1> 
7 kernel32.dll BaseThreadInitThunk 
8 ntdll.dll RtlUserThreadStart
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED

(In reply to Tooru Fujisawa [:arai] from comment #1)

https://crash-stats.mozilla.org/report/index/f92c8190-6d5b-45a0-aaae-6cfe90201113#tab-details seems to be different issue.
function's baseScript is nullptr here
https://hg.mozilla.org/mozilla-central/file/7bc6104186054d5b1b5383d480446bd7fa4cdfc8/js/src/frontend/Stencil.cpp#l568

this was wrong.
inner was nullptr there

(In reply to Tooru Fujisawa [:arai] from comment #2)

inner was nullptr there

given that it passes is<JSObject>(), and also inner.as<JSObject>() results in nullptr, the inner value is completely 0.

This means

given it's lazy script, there can only be atom/null/function.

  • NullScriptThing should become GCCellPtr with Null tag that is 6.
  • at that point ParserAtomEntry::toExistingJSAtom no more have MOZ_CRASH for not-instantiated case, and it can return nullptr if the atom isn't instantiated, but in that case it has String tag that is 2.

so, it should be a function entry, that can have Object tag that is 0,
gcOutput.functions is initialized for all functions as long as ScriptStencil::isFunction() return true.
but it can be false for function because of bug 1677354.

Depends on: 1677354

(In reply to Tooru Fujisawa [:arai] from comment #3)

but it can be false for function because of bug 1677354.

bug 1677354 affects script flag, and isFunction checks functionFlags. so this isn't the reason.

No longer depends on: 1677354
Severity: -- → S4
Priority: -- → P5
Blocks: stencil
Blocks: stencil-backlog
No longer blocks: stencil
Crash Signature: [@ js::frontend::CompilationInfo::instantiateStencilsAfterPreparation] → [@ js::frontend::CompilationInfo::instantiateStencilsAfterPreparation] [@ js::frontend::CompilationStencil::instantiateStencilsAfterPreparation]

Closing because no crashes reported for 12 weeks.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.