1388382 - Crash in realloc_impl | mozilla::Vector<T>::growStorageBy

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect, P2)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-964c2d2b-d428-4554-a900-8d5f00170808.
=============================================================

Seen while looking at crash stats - there are a bunch of new crashes in this build that start with realloc_impl - here is one: http://bit.ly/2wEeXwg

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=fe6609d22dfdd710b11e3ac7773aff89f7a8d12c&tochange=47248637eafa9a38dade8dc3aa6c4736177c8d8d

Other possible related signatures:

je_realloc | moz_xrealloc | nsTArray_base<T>::EnsureCapacity<T> | nsTArray_Impl<T>::InsertElementAt<T> | `anonymous namespace''::AxisPartition::InsertCoord

realloc_impl | alloc::raw_vec::RawVec<T>::double<T>

Comment 1

[Randell Jesup [:jesup] (needinfo me)]

For some reason, even expanding to 6 months, I only see about a dozen crashes.  8 or so of them appear to be the same installation, and all of those are EXEC wildptr crashes.

From the graph, it appears there have been few if any crashes recently... possibly this is fixed?

Comment 2

[Frederik Braun [:freddy]]

Dan, do you think we can close this? Not a lot of crashes per comment 1 and no more crashes since the great purging of crash data.

Comment 3

[Daniel Veditz [:dveditz]]

There are a lot of crashes for [@ mozilla::Vector<T>::growStorageBy ] but they go back a long ways so I guess that's a different one? In fact for different types <T> they probably are different causes. I don't see a bug filed on those--and some look like potential vulnerabilities--but that doesn't make them this bug.