In bug 1837205, we noticed a large number of crashes in JS::Rooted<T>::~Rooted, the destructor for an RAII type we use to root garbage-collected objects on the stack. Digging into the crashes, I noticed that ~30% of the crashes had the same two functions in their proto signature (js::Lambda and CloneFunctionReuseScript). Looking at a dozen or so minidumps, though, there was no consistent pattern in the instructions at the crash site. This is weird, because ~Rooted is (in release builds) a simple one-line function:
Looking at the crash reports, it looks like many of them (and in particular most/all of the Lambda/CloneFunctionReuseScript reports) have stacks that look like this:
It seems plausible that we are getting crash addresses, scanning backwards through the address space until we find a known function, and then attributing them to that function. This might explain why ~Rooted shows up so frequently: it is usually inlined as the very last thing in a function, so any crash address after that point looks like it is part of the destructor.
This may be a problem in the stackwalker?
Can we detect these cases / filter them out somehow? If we knew how big each function was, we could detect when stack scanning started outside the bounds of the function we're reporting.
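As an added example (not code from the stackwalker, Socorro or Mozilla), the following Python models the two lookups discussed in this thread: the backwards scan that blames the nearest preceding symbol, and the size-bounded variant proposed in the comment above, which rejects a hit when the address lies past the end of the symbol found. The symbol table, sizes and frame addresses are constructed for illustration; the "<unknown>" placeholder and the " | " signature separator are this example's own choices.

```python
"""Naive vs. size-bounded symbol lookup for crash-address attribution.

Added example, not code from the stackwalker or from Mozilla. The symbol
table, addresses and sizes below are constructed to reproduce the failure
mode described in the issue: a crash address past the end of a function is
blamed on the last named range that precedes it, which is often an inlined
destructor such as JS::Rooted<T>::~Rooted.
"""
import bisect
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Symbol:
    """One named address range: a function, or an inlined callee whose range
    sits inside its caller's."""
    name: str
    start: int
    size: int  # 0 = size unknown (common for JIT code or stripped symbols)

    def covers(self, addr: int) -> bool:
        # An unknown size cannot bound the range, so the hit is accepted as-is.
        return self.start <= addr and (self.size == 0 or addr < self.start + self.size)


class SymbolTable:
    def __init__(self, symbols: List[Symbol]) -> None:
        self.symbols = sorted(symbols, key=lambda s: s.start)
        self._starts = [s.start for s in self.symbols]

    def nearest_preceding(self, addr: int) -> Optional[Symbol]:
        """The 'scan backwards until a known symbol' lookup: the last symbol
        whose start is <= addr, however far away that start is."""
        i = bisect.bisect_right(self._starts, addr) - 1
        return self.symbols[i] if i >= 0 else None

    def bounded(self, addr: int) -> Optional[Symbol]:
        """Same lookup plus the size check proposed in the thread: reject the
        hit when addr lies beyond the end of the symbol that was found."""
        sym = self.nearest_preceding(addr)
        return sym if sym is not None and sym.covers(addr) else None


@dataclass(frozen=True)
class Attribution:
    addr: int
    naive: str      # what the unbounded scan reports
    reported: str   # what the bounded lookup reports ("<unknown>" if rejected)

    @property
    def misattributed(self) -> bool:
        return self.naive != self.reported


def attribute_frame(table: SymbolTable, addr: int) -> Attribution:
    naive = table.nearest_preceding(addr)
    bounded = table.bounded(addr)
    return Attribution(
        addr,
        naive.name if naive else "<unknown>",
        bounded.name if bounded else "<unknown>",
    )


def proto_signature(table: SymbolTable, frames: List[int], bounded: bool) -> str:
    """Join frame names the way a crash signature does, so the effect of the
    bounds check on the resulting signature is visible."""
    attrs = [attribute_frame(table, a) for a in frames]
    return " | ".join(a.reported if bounded else a.naive for a in attrs)


# Constructed symbol table (invented addresses). js::Lambda's own code occupies
# [0x1000, 0x11E0) and the function's final 0x20 bytes [0x11E0, 0x1200) are the
# inlined ~Rooted, so the destructor is the last named range of the function.
# [0x1200, 0x3000) has no symbols at all, standing in for JIT-generated code
# that the symbol files do not cover.
CONSTRUCTED_SYMBOLS = [
    Symbol("js::Lambda", 0x1000, 0x1E0),
    Symbol("JS::Rooted<T>::~Rooted", 0x11E0, 0x20),  # inlined tail of js::Lambda
    Symbol("CloneFunctionReuseScript", 0x3000, 0x400),
]
TABLE = SymbolTable(CONSTRUCTED_SYMBOLS)

if __name__ == "__main__":
    # Constructed stack: top frame in the unsymbolized region, then two real frames.
    frames = [0x2348, 0x1100, 0x3010]
    for a in (attribute_frame(TABLE, f) for f in frames):
        flag = "  <-- past end of nearest symbol" if a.misattributed else ""
        print(f"{a.addr:#08x} naive={a.naive:<28} bounded={a.reported}{flag}")
    print("naive signature:  ", proto_signature(TABLE, frames, bounded=False))
    print("bounded signature:", proto_signature(TABLE, frames, bounded=True))
```

With the naive lookup the top frame at 0x2348 is reported as JS::Rooted<T>::~Rooted even though it sits 0x1148 bytes past the end of that range; the bounded lookup reports it as unknown, so the destructor drops out of the signature. Symbols with an unknown size (size 0) are deliberately accepted unbounded, since there is nothing to check them against, which is exactly the gap the JIT question below points at.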
Is that top frame JIT code? We've struggled with walking out of JIT frames since SpiderMonkey grew a JIT. I'm not sure if anything has improved on that front.