Closed Bug 1032425 Opened 10 years ago Closed 2 years ago

crash in arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)

Categories

(Core :: JavaScript: GC, defect)

All
Windows NT
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox31 --- affected

People

(Reporter: lizzard, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-00132fd6-dcdc-48a5-887d-591f42140624.
=============================================================

This crash signature began appearing 2014-06-24 and the earliest build it appeared on was 20140527004002. Crashes increased dramatically for the 2014062317 build. There have been 373 crashes in the last 7 days and it's currently the #51 crasher for Firefox 31. I'm filing this bug because the crash signature showed up significantly in the explosiveness report for Firefox 31. 

Crashing thread:

0 	mozglue.dll 	arena_dalloc 	memory/mozjemalloc/jemalloc.c
1 	mozglue.dll 	je_free 	memory/mozjemalloc/jemalloc.c
2 	mozjs.dll 	js::gc::Arena::finalize<JSObject>(js::FreeOp *,js::gc::AllocKind,unsigned int) 	js/src/jsgc.cpp
3 	mozjs.dll 	FinalizeTypedArenas<JSObject> 	js/src/jsgc.cpp
4 	mozjs.dll 	FinalizeArenas 	js/src/jsgc.cpp
5 	nss3.dll 	_PR_MD_WAIT_CV 	nsprpub/pr/src/md/windows/w95cv.c
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] → [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>]
Moving this to a security bug because recent crashes have a MOZ_CRASH reason of potential double frees.
Group: core-security
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] → [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] [@ arena_dalloc | js::gc::Arena::finalize<T> ] [@ huge_dalloc | je_free | js::gc::Arena…
Hardware: x86 → All
Version: 31 Branch → Trunk
The new signatures start in 60 beta (I don't see any nightly ones -- odd). Maybe it's the same signature but I don't think it's useful to treat as the same as the old bug. Something changed recently that might be easier to track down.
Group: core-security → javascript-core-security
Blocks: 1449615
Filed bug 1449615 on the newer MOZ_RELEASE_ASSERT signatures and symptoms. The original signature in this bug doesn't appear anymore.
Group: javascript-core-security
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] [@ arena_dalloc | js::gc::Arena::finalize<T> ] [@ huge_dalloc | je_free | js::gc::Arena… → [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>]
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] → [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] [@ Allocator<T>::free | replace_free | js::gc::Arena::finalize<T> ]

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME