Closed
Bug 1700614
Opened 4 years ago
Closed 4 years ago
Crash in [@ js::jit::LIRGenerator::visitUnbox]
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
89 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox86 | --- | unaffected |
| firefox87 | --- | unaffected |
| firefox88 | --- | unaffected |
| firefox89 | blocking | fixed |
People
(Reporter: furkan, Unassigned)
References
(Regression)
Details
(Keywords: regression)
Crash Data
Maybe Fission related. (DOMFissionEnabled=1)
Crash report: https://crash-stats.mozilla.org/report/index/f6d669ef-9484-47b2-9a05-0898f0210324
MOZ_CRASH Reason: MOZ_CRASH(unexpected type)
Top 10 frames of crashing thread:
0 libxul.so js::jit::LIRGenerator::visitUnbox js/src/jit/x64/Lowering-x64.cpp:101
1 libxul.so js::jit::LIRGenerator::visitInstructionDispatch js/src/jit/Lowering.cpp:5631
2 libxul.so js::jit::LIRGenerator::generate js/src/jit/Lowering.cpp:5795
3 libxul.so js::jit::GenerateLIR js/src/jit/Ion.cpp:1497
4 libxul.so js::jit::CompileBackEnd js/src/jit/Ion.cpp:1591
5 libxul.so js::jit::IonCompileTask::runHelperThreadTask js/src/jit/IonCompileTask.cpp:30
6 libxul.so js::HelperThread::ThreadMain js/src/vm/HelperThreads.cpp:2369
7 libxul.so js::detail::ThreadTrampoline<void js/src/threading/Thread.h:205
8 libpthread.so.0 start_thread /usr/src/debug/glibc-2.33/nptl/pthread_create.c:473
9 libc.so.6 __GI___clone
|
||
Comment 1•4 years ago
|
||
If it's useful, I hit this one this morning when opening up a document in Google Drive. I have Fission enabled.
|
||
Comment 2•4 years ago
|
||
I got this on Windows 10 64bit.
Report: https://crash-stats.mozilla.org/report/index/e267dc6a-2110-4f66-8efa-3ae2f0210324
|
||
Updated•4 years ago
|
status-firefox86:
--- → unaffected
status-firefox87:
--- → unaffected
status-firefox88:
--- → unaffected
status-firefox89:
--- → affected
status-firefox-esr78:
--- → unaffected
tracking-firefox89:
--- → blocking
|
||
Comment 3•4 years ago
|
||
Likely regressor bug 1697696 got backed out. New Nightlies are being built (updates have been halted).
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Keywords: regression
Regressed by: 1697696
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Updated•4 years ago
|
Crash Signature: [@ js::jit::LIRGenerator::visitUnbox] → [@ js::jit::LIRGenerator::visitUnbox]
[@ js::jit::LIRGeneratorShared::define<(unsigned long)0>(js::jit::details::LInstructionFixedDefsTempsHelper<(unsigned long)1, (unsigned long)0>*, js::jit::MDefinition*, js::jit::LDefinition::Policy)]
You need to log in
before you can comment on or make changes to this bug.
Description
•