Need help reproducing a JIT crash

The top crash signature for Firefox 3.5 Beta 99 and last Friday's Firefox 3.5 Release Candidate is "js_MonitorLoopEdge". This signature indicates a crash within code generated by the TraceMonkey JIT compiler. Bug 499169 tracks this topcrash.

The scariest part is that we don't know whether the large number of crashes is due to a single bug or multiple bugs. (All crashes in JIT code appear with the same signature because the crash reporter does not understand the structure of the generated code.) We might not even know until we fix one bug and ship a new release candidate to a large number of users.

We have a list of 3000 URLs associated with js_MonitorLoopEdge crash reports. Bob Clary is going to try loading all 3000 pages. Damon Sicore has already identified one page that crashes reliably. While Andreas Gal debugs it, I'm going to try to make a reduced testcase.

These efforts should fix any crashes triggered by simply loading popular web pages, but might not catch other bugs that involve extensions or when interacting with web pages in a specific way.

If you've been hitting crashes in js_MonitorLoopEdge, please try to figure out how to reproduce them and share what information you can. Click the links in about:crashes to find out if your crashes are in this function. The sooner we figure this out, the sooner we can ship a stable Firefox 3.5.

5 Responses to “Need help reproducing a JIT crash”

  1. Robert O'Callahan Says:

    Sounds like we need to get JS stacks and/or JIT code signatures into Breakpad ASAP.

  2. Blake Kaplan Says:

    I think we would have needed a full heap dump to track this down if we hadn’t reproduced it in a debugger. It would be really nice if we could teach breakpad and gdb about JIT code, though.

  3. jmdesp Says:

    What about enhancing breakpad to be able to return a bug status after sending it ? I think it could be added value for the average user, showing him more directly how his crash report contributes to the evolution of the software, that it’s really not just a black box.

    So he could sometimes see that his crash is currently being worked on by some developer, or even should be solved in the latest version that he hasn’t downloaded yet, or it’s just some anonymous unfrequent crash, but even in that case that the development would like to hear from him if he’s able to reproduce it systematically. And then you would have a place to put the red flag of “hey guy, you’ve just had the frequent crash that we can’t repro and if you have a few minutes we’d love to hear more info from you about how you got it”.

  4. Jesse Ruderman Says: – Give Breakpad users immediate feedback based on signature or stack trace

  5. Jesse Ruderman Says:

    Good news: this one js_MonitorLoopEdge crash was most of them. The remaining crashes, tracked by , are only topcrash #20.