Closed Bug 1388382 Opened 6 years ago Closed 5 years ago

Crash in realloc_impl | mozilla::Vector<T>::growStorageBy


(Core :: JavaScript Engine, defect, P2)

Windows 10



Tracking Status
firefox57 --- fix-optional


(Reporter: marcia, Unassigned)


(4 keywords)

Crash Data

This bug was filed from the Socorro interface and is report bp-964c2d2b-d428-4554-a900-8d5f00170808.

Seen while looking at crash stats - there are a bunch of new crashes in this build that start with realloc_impl - here is one:

Possible regression range based on Build ID:

Other possible related signatures:

je_realloc | moz_xrealloc | nsTArray_base<T>::EnsureCapacity<T> | nsTArray_Impl<T>::InsertElementAt<T> | `anonymous namespace''::AxisPartition::InsertCoord

realloc_impl | alloc::raw_vec::RawVec<T>::double<T>
Priority: -- → P2
For some reason, even expanding to 6 months, I only see about a dozen crashes.  8 or so of them appear to be the same installation, and all of those are EXEC wildptr crashes.

From the graph, it appears there have been few if any crashes recently... possibly this is fixed?
Group: core-security
Group: core-security → javascript-core-security
Dan, do you think we can close this? Not a lot of crashes per comment 1 and no more crashes since the great purging of crash data.
Flags: needinfo?(dveditz)
There are a lot of crashes for [@ mozilla::Vector<T>::growStorageBy ] but they go back a long ways so I guess that's a different one? In fact for different types <T> they probably are different causes. I don't see a bug filed on those--and some look like potential vulnerabilities--but that doesn't make them this bug.
Closed: 5 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WORKSFORME
Group: javascript-core-security