Closed
Bug 1326176
Opened 7 years ago
Closed 7 years ago
Crash in jemalloc_crash | arena_dalloc_small | je_free | `anonymous namespace''::wasapi_stream_render_loop
Categories
(Core :: Audio/Video: cubeb, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox50 | --- | unaffected |
firefox51 | --- | wontfix |
firefox52 | --- | fixed |
firefox53 | --- | fixed |
People
(Reporter: philipp, Assigned: achronop)
References
Details
(Keywords: crash, regression)
Crash Data
This bug was filed from the Socorro interface and is report bp-dd947224-49c3-4c77-aa59-536e22161229. ============================================================= rashing Thread (72) Frame Module Signature Source 0 mozglue.dll jemalloc_crash memory/mozjemalloc/jemalloc.c:1631 1 mozglue.dll arena_dalloc_small memory/mozjemalloc/jemalloc.c:4618 2 mozglue.dll je_free memory/mozjemalloc/jemalloc.c:6485 3 xul.dll `anonymous namespace'::wasapi_stream_render_loop media/libcubeb/src/cubeb_wasapi.cpp:822 4 ucrtbase.dll _o__CIpow 5 kernel32.dll BaseThreadInitThunk 6 ntdll.dll __RtlUserThreadStart 7 ntdll.dll _RtlUserThreadStart this crash signature is mostly occurring on windows 8 and windows 7. on 51.0b10 it's accounting for 0.15% of all crashes. the signature has first shown up in 51.0b3 and subsequent later builds. this would be the changelog between beta 2 and beta 3: https://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=FIREFOX_51_0b2_RELEASE&tochange=FIREFOX_51_0b3_RELEASE - out of that bug 1310224 looks related to wasapi changes...
Flags: needinfo?(padenot)
Updated•7 years ago
|
Component: Audio/Video → Audio/Video: Playback
Updated•7 years ago
|
Component: Audio/Video: Playback → Audio/Video: cubeb
Flags: needinfo?(padenot)
Updated•7 years ago
|
Rank: 15
Priority: -- → P1
Comment 1•7 years ago
|
||
Very late for beta fixes... let's at least make sure we know what's up. Also: these crashes are almost certainly jemalloc assert()'s in arena_run_reg_dalloc() is MALLOC_DEBUG is on, or more likely RELEASE_ASSERT(diff == regind * size); or RELEASE_ASSERT(regind < bin->nregs); This makes me concerned about memory trashing. Unfortunately since arena_run_reg_dalloc() is inline, we can't tell which got hit.
Flags: needinfo?(padenot)
Comment 2•7 years ago
|
||
This is from 1302231. Leaving the NI, I'll investigate more tomorrow.
Comment 3•7 years ago
|
||
After investigation, I still don't understand. This is a fallout from 1302231, but we don't want to back it out, since it divides by about five the number of crashes (i.e. it fixes what it was suppose to fix entirely, and adds a lower frequency crash). I'll try harder tomorrow, keeping the NI to not forget.
Comment 4•7 years ago
|
||
glandium, could that possibly be a double-free, based on the assert in comment 1, or is it more likely to be plain trashing of the address space ?
Flags: needinfo?(padenot) → needinfo?(mh+mozilla)
Updated•7 years ago
|
Comment 5•7 years ago
|
||
As I said jesup, it does look like a double-free.
Flags: needinfo?(mh+mozilla)
Comment 6•7 years ago
|
||
This is now fixed (by landing bug 1331869).
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•7 years ago
|
Assignee: padenot → achronop
Target Milestone: --- → mozilla53
Comment 7•7 years ago
|
||
IIUC, the patch that landed on Fx52 for bug 1331869 was only for OSX, so we'd expect 52 to still be affected here? If that's the case, is there a targeted fix we could take to fix this crash as well?
Flags: needinfo?(padenot)
Comment 8•7 years ago
|
||
Certainly, I'll prepare a patch today. It's very small as well, so it should be fine. Thanks for reminding us !
Flags: needinfo?(padenot)
Comment 9•7 years ago
|
||
This should be fixed now on Beta by https://hg.mozilla.org/releases/mozilla-beta/rev/a5045a32c413753551a2f532c76d035cfc09623c.
You need to log in
before you can comment on or make changes to this bug.
Description
•