Closed
Bug 1032425
Opened 10 years ago
Closed 2 years ago
crash in arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)
Categories
(Core :: JavaScript: GC, defect)
Tracking
RESOLVED
WORKSFORME
| | Tracking | Status |
|---|---|---|
| firefox31 | --- | affected |
People
(Reporter: lizzard, Unassigned)
References
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is report bp-00132fd6-dcdc-48a5-887d-591f42140624.

=============================================================

This crash signature began appearing 2014-06-24 and the earliest build it appeared on was 20140527004002. Crashes increased dramatically for the 2014062317 build. There have been 373 crashes in the last 7 days and it's currently the #51 crasher for Firefox 31. I'm filing this bug because the crash signature showed up significantly in the explosiveness report for Firefox 31.

Crashing thread:
0 mozglue.dll arena_dalloc memory/mozjemalloc/jemalloc.c
1 mozglue.dll je_free memory/mozjemalloc/jemalloc.c
2 mozjs.dll js::gc::Arena::finalize<JSObject>(js::FreeOp *,js::gc::AllocKind,unsigned int) js/src/jsgc.cpp
3 mozjs.dll FinalizeTypedArenas<JSObject> js/src/jsgc.cpp
4 mozjs.dll FinalizeArenas js/src/jsgc.cpp
5 nss3.dll _PR_MD_WAIT_CV nsprpub/pr/src/md/windows/w95cv.c

Updated•10 years ago
status-firefox31: --- → affected
Updated•9 years ago
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)] → [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)]
[@ arena_dalloc | je_free | js::gc::Arena::finalize<T>]
Comment 1•6 years ago
Moving this to a security bug because recent crashes have a MOZ_CRASH reason of potential double frees.
Group: core-security
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)]
[@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] → [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)]
[@ arena_dalloc | je_free | js::gc::Arena::finalize<T>]
[@ arena_dalloc | js::gc::Arena::finalize<T> ]
[@ huge_dalloc | je_free | js::gc::Arena…
Hardware: x86 → All
Version: 31 Branch → Trunk
Comment 2•6 years ago
The new signatures start in 60 beta (I don't see any nightly ones -- odd). Maybe it's the same signature but I don't think it's useful to treat as the same as the old bug. Something changed recently that might be easier to track down.
Updated•6 years ago
Group: core-security → javascript-core-security
Comment 3•6 years ago
Filed bug 1449615 on the newer MOZ_RELEASE_ASSERT signatures and symptoms. The original signature in this bug doesn't appear anymore.
Group: javascript-core-security
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)]
[@ arena_dalloc | je_free | js::gc::Arena::finalize<T>]
[@ arena_dalloc | js::gc::Arena::finalize<T> ]
[@ huge_dalloc | je_free | js::gc::Arena… → [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)]
[@ arena_dalloc | je_free | js::gc::Arena::finalize<T>]
Updated•4 years ago
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)]
[@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] → [@ arena_dalloc | je_free | js::gc::Arena::finalize<JSObject>(js::FreeOp*, js::gc::AllocKind, unsigned int)]
[@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] [@ Allocator<T>::free | replace_free | js::gc::Arena::finalize<T> ]
Comment 4•2 years ago
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME