Crash in [@ CanEnterBaselineJIT]
Categories: Core :: JavaScript Engine: JIT, defect, P3
Tracking:
| | Tracking | Status |
|---|---|---|
| firefox123 | --- | affected |
People: Reporter: emilghitta, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/3f1c2982-9235-4bd6-a14e-71a6b0240314
Reason: EXCEPTION_IN_PAGE_ERROR_READ / STATUS_VOLUME_DISMOUNTED
Top 10 frames of crashing thread:
0 xul.dll CanEnterBaselineJIT js/src/jit/BaselineJIT.cpp:280
0 xul.dll js::jit::CanEnterBaselineMethod js/src/jit/BaselineJIT.cpp:457
0 xul.dll js::jit::MaybeEnterJit js/src/jit/Jit.cpp:214
1 xul.dll js::Interpret js/src/vm/Interpreter.cpp:3099
2 xul.dll MaybeEnterInterpreterTrampoline js/src/vm/Interpreter.cpp:393
2 xul.dll js::RunScript js/src/vm/Interpreter.cpp:451
2 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:605
2 xul.dll InternalCall js/src/vm/Interpreter.cpp:640
2 xul.dll js::Call js/src/vm/Interpreter.cpp:672
3 xul.dll JS::Call js/src/vm/CallAndConstruct.cpp:119
Unfortunately I don't have any clear steps on how to reproduce this issue. It occurred randomly while having multiple Firefox tabs open.
Occurred on Windows 10 using Firefox 123.0.1
Comment 1 • 1 year ago
The crashing instructions are:
```
7ffddf77e672: 48 8b 42 48 mov 0x48(%rdx),%rax
7ffddf77e676: 48 8b 40 08 mov 0x8(%rax),%rax
7ffddf77e67a: 81 78 04 00 00 00 10 cmpl $0x10000000,0x4(%rax)
```
The crash points to this line, which is loading script->length(). The offset of 0x48 in the first instruction matches the offset of sharedData_ in the script. The offset of 0x8 in the second instruction matches the offset of isd_ in SharedImmutableScriptData. The offset of 0x4 in the third instruction matches the offset of codeLength_ in ImmutableScriptData. So it's pretty clear that we tried accessing the script's data, and we failed to do so.
The crash reason is EXCEPTION_IN_PAGE_ERROR_READ / STATUS_VOLUME_DISMOUNTED. After poking around for a bit, I think (based on stuff like this comment and this list of Windows error codes) that the error code is pointing the finger at a failure to page-in some memory allocated via mmap (or rather the Windows equivalent). In particular, I think it implies that we serialized this script into the on-disk cache, mapped the cache file when deserializing (I think we do that here, although I'm not super-familiar with this code), and then later the volume containing that file was dismounted.
My first thought is that this sounds like it's happening outside of Firefox; either you accidentally dismounted some drive containing data that we were still using, or there was some sort of OS/hardware level error that similarly messed us up. I'm not sure there's anything we can do about that inside Firefox.
Interestingly, it looks like most crashes in CanEnterBaselineJIT have similar crash reasons, at least on the basis of seeing lots of EXCEPTION_IN_PAGE_ERROR_READ. I'm not sure what to do with that information, though.
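The matching of instruction displacements to struct field offsets done in comment 1, as an added example that is not part of the bug report or of SpiderMonkey. It decodes the displacement of each AT&T-syntax memory operand and checks it against `offsetof()` for the field expected at that dereference depth. The three struct definitions are constructed stand-ins whose padding is chosen to reproduce the offsets 0x48, 0x8 and 0x4 named in the comment; they are not the real js/src layouts, and the field names `pad0_`, the helper names and `NO_MEM_OPERAND` are assumptions of this example. The instruction strings are the ones quoted in the comment.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the three SpiderMonkey types named in comment 1.
 * Field order and padding are chosen so that offsetof() reproduces the
 * displacements in the crashing instructions (0x48, 0x8, 0x4). They are NOT
 * the real js/src layouts; only the three named fields and their offsets are
 * taken from the comment, everything else is hypothetical filler. */
typedef struct ImmutableScriptData {
    uint32_t pad0_;        /* hypothetical filler at offset 0 */
    uint32_t codeLength_;  /* offset 0x4: the field the cmpl reads */
} ImmutableScriptData;

typedef struct SharedImmutableScriptData {
    uint64_t pad0_;             /* hypothetical filler at offset 0 */
    ImmutableScriptData *isd_;  /* offset 0x8 */
} SharedImmutableScriptData;

typedef struct BaseScript {
    uint8_t pad0_[0x48];                    /* hypothetical filler */
    SharedImmutableScriptData *sharedData_; /* offset 0x48 */
} BaseScript;

/* One entry per dereference level: the type the register points at and the
 * field the displacement is expected to name. */
typedef struct { const char *type; const char *field; size_t off; } FieldOff;

static const FieldOff kChain[] = {
    {"BaseScript", "sharedData_", offsetof(BaseScript, sharedData_)},
    {"SharedImmutableScriptData", "isd_", offsetof(SharedImmutableScriptData, isd_)},
    {"ImmutableScriptData", "codeLength_", offsetof(ImmutableScriptData, codeLength_)},
};
#define CHAIN_LEN (sizeof kChain / sizeof kChain[0])

/* The three crashing instructions quoted in comment 1, verbatim. */
static const char *const kCrashInsns[] = {
    "7ffddf77e672: 48 8b 42 48 mov 0x48(%rdx),%rax",
    "7ffddf77e676: 48 8b 40 08 mov 0x8(%rax),%rax",
    "7ffddf77e67a: 81 78 04 00 00 00 10 cmpl $0x10000000,0x4(%rax)",
};

#define NO_MEM_OPERAND LONG_MIN  /* sentinel: instruction has no disp(%reg) operand */

/* Return the displacement of the first AT&T memory operand "disp(%reg)" in
 * insn (0 for a bare "(%reg)", negative displacements allowed), or
 * NO_MEM_OPERAND if there is no memory operand at all. */
long disp_of(const char *insn) {
    const char *paren = strstr(insn, "(%");
    if (!paren) return NO_MEM_OPERAND;
    /* Walk back over the hex literal (digits, 'x', optional '-') before "(". */
    const char *start = paren;
    while (start > insn &&
           (isxdigit((unsigned char)start[-1]) || start[-1] == 'x' || start[-1] == '-'))
        start--;
    if (start == paren) return 0;
    char buf[32];
    size_t n = (size_t)(paren - start);
    if (n >= sizeof buf) return NO_MEM_OPERAND;
    memcpy(buf, start, n);
    buf[n] = '\0';
    return strtol(buf, NULL, 0);  /* base 0 accepts 0x-prefixed literals */
}

/* Match each instruction's displacement against the field expected at that
 * dereference depth. Writes the resolved path ("a/b/c") into out and returns
 * how many levels matched; CHAIN_LEN means the whole load chain is explained. */
size_t resolve_chain(const char *const *insns, size_t n, char *out, size_t outsz) {
    size_t matched = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n && i < CHAIN_LEN; i++) {
        long d = disp_of(insns[i]);
        if (d < 0 || (size_t)d != kChain[i].off) break;
        if (matched) strncat(out, "/", outsz - strlen(out) - 1);
        strncat(out, kChain[i].field, outsz - strlen(out) - 1);
        matched++;
    }
    return matched;
}

/* Convenience wrappers over the quoted crash instructions. */
size_t crash_chain_depth(void) {
    char path[128];
    return resolve_chain(kCrashInsns, CHAIN_LEN, path, sizeof path);
}

const char *crash_chain_path(void) {
    static char path[128];
    resolve_chain(kCrashInsns, CHAIN_LEN, path, sizeof path);
    return path;
}

int main(void) {
    char path[128];
    size_t depth = resolve_chain(kCrashInsns, CHAIN_LEN, path, sizeof path);
    for (size_t i = 0; i < CHAIN_LEN; i++)
        printf("%-26s %-12s offset 0x%zx\n", kChain[i].type, kChain[i].field, kChain[i].off);
    printf("resolved %zu/%zu levels: script->%s\n", depth, CHAIN_LEN, path);
    return depth == CHAIN_LEN ? 0 : 1;
}
```

In a real investigation the offsets in `kChain` would come from the crashing build's own type information (for example `ptype /o` in gdb, pahole on the debug info, or `dt` in WinDbg against the matching symbols) rather than from stand-in structs; the point of the chain walk is that a displacement which matches at every level, as here, makes the faulting address a field read and not a wild pointer.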