Closed Bug 1326176 Opened 7 years ago Closed 7 years ago

Crash in jemalloc_crash | arena_dalloc_small | je_free | `anonymous namespace''::wasapi_stream_render_loop

Categories

(Core :: Audio/Video: cubeb, defect, P1)

Product:
Core
Component:
Audio/Video: cubeb
Version:
51 Branch
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox50 --- unaffected
firefox51 --- wontfix
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: philipp, Assigned: achronop)

References

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-dd947224-49c3-4c77-aa59-536e22161229.
=============================================================
rashing Thread (72)
Frame 	Module 	Signature 	Source
0 	mozglue.dll 	jemalloc_crash 	memory/mozjemalloc/jemalloc.c:1631
1 	mozglue.dll 	arena_dalloc_small 	memory/mozjemalloc/jemalloc.c:4618
2 	mozglue.dll 	je_free 	memory/mozjemalloc/jemalloc.c:6485
3 	xul.dll 	`anonymous namespace'::wasapi_stream_render_loop 	media/libcubeb/src/cubeb_wasapi.cpp:822
4 	ucrtbase.dll 	_o__CIpow 	
5 	kernel32.dll 	BaseThreadInitThunk 	
6 	ntdll.dll 	__RtlUserThreadStart 	
7 	ntdll.dll 	_RtlUserThreadStart

this crash signature is mostly occurring on windows 8 and windows 7. on 51.0b10 it's accounting for 0.15% of all crashes.
the signature has first shown up in 51.0b3 and subsequent later builds. this would be the changelog between beta 2 and beta 3: https://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=FIREFOX_51_0b2_RELEASE&tochange=FIREFOX_51_0b3_RELEASE - out of that bug 1310224 looks related to wasapi changes...
Flags: needinfo?(padenot)
Component: Audio/Video → Audio/Video: Playback
Component: Audio/Video: Playback → Audio/Video: cubeb
Flags: needinfo?(padenot)
Rank: 15
Priority: -- → P1
Very late for beta fixes... let's at least make sure we know what's up.  Also: these crashes are almost certainly jemalloc assert()'s in arena_run_reg_dalloc() is MALLOC_DEBUG is on, or more likely RELEASE_ASSERT(diff == regind * size); or RELEASE_ASSERT(regind < bin->nregs);  This makes me concerned about memory trashing.

Unfortunately since arena_run_reg_dalloc() is inline, we can't tell which got hit.
Flags: needinfo?(padenot)
This is from 1302231. Leaving the NI, I'll investigate more tomorrow.
After investigation, I still don't understand. This is a fallout from 1302231, but we don't want to back it out, since it divides by about five the number of crashes (i.e. it fixes what it was suppose to fix entirely, and adds a lower frequency crash).

I'll try harder tomorrow, keeping the NI to not forget.
glandium, could that possibly be a double-free, based on the assert in comment 1, or is it more likely to be plain trashing of the address space ?
Flags: needinfo?(padenot) → needinfo?(mh+mozilla)
As I said jesup, it does look like a double-free.
Flags: needinfo?(mh+mozilla)
Assignee: nobody → padenot
Depends on: 1331869
This is now fixed (by landing bug 1331869).
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Assignee: padenot → achronop
status-firefox51: fix-optionalwontfix
status-firefox53: affectedfixed
Target Milestone: --- → mozilla53
IIUC, the patch that landed on Fx52 for bug 1331869 was only for OSX, so we'd expect 52 to still be affected here? If that's the case, is there a targeted fix we could take to fix this crash as well?
Flags: needinfo?(padenot)
Certainly, I'll prepare a patch today. It's very small as well, so it should be fine. Thanks for reminding us !
Flags: needinfo?(padenot)
You need to log in before you can comment on or make changes to this bug.