Open Bug 1405062 Opened 7 years ago Updated 6 months ago

Crash in RedBlackTree<T>::Remove

Categories

(Core :: Memory Allocator, defect, P3)


Tracking


Tracking Status
firefox-esr60 --- affected
firefox57 --- unaffected
firefox58 --- wontfix
firefox59 --- wontfix
firefox66 --- affected
firefox67 --- affected

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-a62f5fb8-b90b-485c-ba26-c6c600171002.
=============================================================

Seen while looking at nightly crash stats: http://bit.ly/2fEAnTD. Crashes started using 20170929100122

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=76a26ef7c493311c170ae83eb0c1d6592a21396d&tochange=57f68296c350469d73d788eb3695a898947b4acb

Possibly Bug 1403444? ni on :glandium
Flags: needinfo?(mh+mozilla)
Crashing address is 0x20, so looks like a null pointer when calling `RedBlackTree::Remove` [1]. I wonder if we should make this a diagnostic assert instead?

[1] http://searchfox.org/mozilla-central/source/memory/build/mozjemalloc.cpp#4280-4284
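As an added illustration of the point in this comment (not code from mozjemalloc or rb.h): a crash at a small address like 0x20 is the usual signature of a field read through a null base pointer, so the first triage question is which field of the node type sits at that offset, and the mitigation proposed here is to check the arguments up front so the failure is reported where it happens instead of as a SIGSEGV decoded from a minidump. The block uses a constructed TreeNode layout and a plain binary search tree (not the red-black rebalancing in rb.h); FieldAtOffset, Tree, RemoveStatus and the 64-bit field offsets are assumptions for the example.

```cpp
// Added illustration (not code from mozjemalloc/rb.h): a small intrusive BST
// whose Remove() validates its inputs and reports a named status instead of
// reading through a null node, plus a helper mapping a small fault address to
// the field at that offset. TreeNode layout is constructed; offsets assume
// 8-byte pointers.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

struct TreeNode {
  TreeNode* left;    // 0x00
  TreeNode* right;   // 0x08
  TreeNode* parent;  // 0x10
  uintptr_t color;   // 0x18
  uintptr_t key;     // 0x20: reading nullptr->key faults at address 0x20
};
struct Tree { TreeNode* root; };
enum class RemoveStatus { Ok, NullNode, NullRoot, NotLinked };

// Which TreeNode field sits at this offset? nullptr if the address is outside
// the struct, i.e. "null base + field offset" does not explain the fault.
const char* FieldAtOffset(uintptr_t faultAddr) {
  struct Field { const char* name; size_t off, size; };
  static const Field kFields[] = {
      {"left", offsetof(TreeNode, left), sizeof(TreeNode::left)},
      {"right", offsetof(TreeNode, right), sizeof(TreeNode::right)},
      {"parent", offsetof(TreeNode, parent), sizeof(TreeNode::parent)},
      {"color", offsetof(TreeNode, color), sizeof(TreeNode::color)},
      {"key", offsetof(TreeNode, key), sizeof(TreeNode::key)}};
  for (const Field& f : kFields)
    if (faultAddr >= f.off && faultAddr < f.off + f.size) return f.name;
  return nullptr;
}

// Plain BST insert by key, keeping parent links for Remove().
void Insert(Tree& t, TreeNode* n) {
  n->left = n->right = nullptr;
  TreeNode* parent = nullptr;
  TreeNode** link = &t.root;
  while (*link) {
    parent = *link;
    link = (n->key < (*link)->key) ? &(*link)->left : &(*link)->right;
  }
  n->parent = parent;
  *link = n;
}

// A node belongs to this tree only if its parent chain ends at the root.
static bool IsLinked(const Tree& t, const TreeNode* n) {
  const TreeNode* cur = n;
  while (cur->parent) cur = cur->parent;
  return cur == t.root;
}

// Replace subtree u by subtree v (v may be null) in u's parent.
static void Transplant(Tree& t, TreeNode* u, TreeNode* v) {
  if (!u->parent) t.root = v;
  else if (u == u->parent->left) u->parent->left = v;
  else u->parent->right = v;
  if (v) v->parent = u->parent;
}

// The three checks at the top are the point: a bad argument yields a status
// (where Firefox code would fire a MOZ_DIAGNOSTIC_ASSERT) instead of a fault.
RemoveStatus Remove(Tree& t, TreeNode* n) {
  if (!n) return RemoveStatus::NullNode;
  if (!t.root) return RemoveStatus::NullRoot;
  if (!IsLinked(t, n)) return RemoveStatus::NotLinked;
  if (!n->left) {
    Transplant(t, n, n->right);
  } else if (!n->right) {
    Transplant(t, n, n->left);
  } else {
    TreeNode* s = n->right;  // in-order successor
    while (s->left) s = s->left;
    if (s->parent != n) {
      Transplant(t, s, s->right);
      s->right = n->right;
      s->right->parent = s;
    }
    Transplant(t, n, s);
    s->left = n->left;
    s->left->parent = s;
  }
  n->left = n->right = n->parent = nullptr;  // no stale links on the removed node
  return RemoveStatus::Ok;
}

int main() {
  Tree t{nullptr};
  TreeNode a{}, b{}, c{};  // constructed sample nodes keyed by fake addresses
  a.key = 50; b.key = 30; c.key = 70;
  Insert(t, &a); Insert(t, &b); Insert(t, &c);
  const char* f = FieldAtOffset(0x20);
  std::printf("fault at 0x20 -> null TreeNode read via field '%s'\n", f ? f : "?");
  RemoveStatus r0 = Remove(t, nullptr), r1 = Remove(t, &a);
  std::printf("Remove(nullptr)=%d Remove(&a)=%d\n", (int)r0, (int)r1);
  return t.root == &c ? 0 : 1;
}
```

Build with `g++ -std=c++11` and run: main() prints which field a fault at 0x20 lands on and the statuses returned for a null node and for a valid removal. Returning a status instead of asserting is only so the checks can be exercised from a test; in the allocator itself the diagnostic assert is the right tool, since continuing with a corrupted tree is worse than crashing early.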
Changing platform to all. Still a small volume crash with about 15 crashes in the last week.
OS: Windows 10 → All
Hardware: Unspecified → All
Mike, can you give this a priority?
Flags: needinfo?(mh+mozilla)
(In reply to Mike Taylor [:miketaylr] (58 Regression Engineering Owner) from comment #4)
> Mike, can you give this a priority?

As mentioned in comment 2, this is not a regression. It's a signature change.
Flags: needinfo?(mh+mozilla)
Keywords: regression
Crashes here on Debian ppc64:

(gdb) bt
#0  0x0000000100010718 in RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::Remove(RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::TreeNode*) (this=0x7ffff7800080, aNode=0x7ffff4f00038)
    at /build/firefox-083moG/firefox-59.0~b4/memory/build/rb.h:388
#1  0x0000000100011890 in RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::Remove(arena_chunk_map_t*) (aNode=0x7ffff4f00038, this=<optimized out>) at /build/firefox-083moG/firefox-59.0~b4/memory/build/rb.h:152
#2  0x0000000100011890 in arena_t::SplitRun(arena_run_t*, unsigned long, bool, bool) (this=this@entry=0x7ffff7800000, aRun=aRun@entry=0x7ffff4f10000, aSize=aSize@entry=1048576, aLarge=<optimized out>, 
    aLarge@entry=false, aZero=<optimized out>) at /build/firefox-083moG/firefox-59.0~b4/memory/build/mozjemalloc.cpp:2363
#3  0x0000000100011f60 in arena_t::AllocRun(unsigned long, bool, bool) (this=0x7ffff7800000, aSize=1048576, aLarge=aLarge@entry=false, aZero=aZero@entry=false)
    at /build/firefox-083moG/firefox-59.0~b4/memory/build/mozjemalloc.cpp:2541
#4  0x0000000100014090 in arena_t::GetNonFullBinRun(arena_bin_t*) (this=<optimized out>, aBin=0x7ffff78008d8) at /build/firefox-083moG/firefox-59.0~b4/memory/build/mozjemalloc.cpp:2791
#5  0x0000000100015e7c in arena_t::MallocSmall(unsigned long, bool) (aZero=true, aSize=<optimized out>, this=0x7ffff7800000) at /build/firefox-083moG/firefox-59.0~b4/memory/build/mozjemalloc.cpp:2937
#6  0x0000000100015e7c in arena_t::Malloc(unsigned long, bool) (aZero=true, aSize=<optimized out>, this=0x7ffff7800000) at /build/firefox-083moG/firefox-59.0~b4/memory/build/mozjemalloc.cpp:2994
#7  0x0000000100015e7c in BaseAllocator::calloc(unsigned long, unsigned long) (aSize=<optimized out>, aNum=<optimized out>, this=<synthetic pointer>)
    at /build/firefox-083moG/firefox-59.0~b4/memory/build/mozjemalloc.cpp:4173
#8  0x0000000100015e7c in Allocator<MozJemallocBase>::calloc(unsigned long, unsigned long) (arg2=<optimized out>, arg1=<optimized out>) at /build/firefox-083moG/firefox-59.0~b4/memory/build/malloc_decls.h:38
#9  0x0000000100015e7c in calloc(size_t, size_t) (arg1=<optimized out>, arg2=<optimized out>) at /build/firefox-083moG/firefox-59.0~b4/memory/build/malloc_decls.h:38
#10 0x00007ffff5b34afc in .xcb_connect_to_fd () at /usr/lib/powerpc64-linux-gnu/libxcb.so.1
#11 0x00007ffff5b3a0ac in .xcb_connect_to_display_with_auth_info () at /usr/lib/powerpc64-linux-gnu/libxcb.so.1
#12 0x00007ffff5b3a208 in .xcb_connect () at /usr/lib/powerpc64-linux-gnu/libxcb.so.1
#13 0x00007ffff698bb4c in ._XConnectXCB () at /usr/lib/powerpc64-linux-gnu/libX11.so.6
#14 0x00007ffff6976e3c in .XOpenDisplay () at /usr/lib/powerpc64-linux-gnu/libX11.so.6
#15 0x00007ffff6d01764 in  () at /usr/lib/powerpc64-linux-gnu/libgdk-3.so.0
#16 0x00007ffff6cbd57c in .gdk_display_manager_open_display () at /usr/lib/powerpc64-linux-gnu/libgdk-3.so.0
#17 0x00007ffff6cba8a4 in .gdk_display_open () at /usr/lib/powerpc64-linux-gnu/libgdk-3.so.0
#18 0x00007ffff308432c in XREMain::XRE_mainStartup(bool*) (this=this@entry=0x7fffffffdb58, aExitFlag=aExitFlag@entry=0x7fffffffda98) at /build/firefox-083moG/firefox-59.0~b4/toolkit/xre/nsAppRunner.cpp:3951
#19 0x00007ffff30890ac in XREMain::XRE_mainStartup(bool*) (aExitFlag=0x7fffffffda98, this=0x7fffffffdb58) at /build/firefox-083moG/firefox-59.0~b4/build-browser/dist/include/nsCOMPtr.h:313
#20 0x00007ffff30890ac in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=this@entry=0x7fffffffdb58, argc=argc@entry=1, argv=argv@entry=0x7ffffffff358, aConfig=...)
    at /build/firefox-083moG/firefox-59.0~b4/toolkit/xre/nsAppRunner.cpp:4826
#21 0x00007ffff3089528 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (argc=<optimized out>, argv=0x7ffffffff358, aConfig=...) at /build/firefox-083moG/firefox-59.0~b4/toolkit/xre/nsAppRunner.cpp:4933
#22 0x00007ffff308b2bc in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) (this=<optimized out>, argc=<optimized out>, argv=<optimized out>, aConfig=...)
    at /build/firefox-083moG/firefox-59.0~b4/toolkit/xre/Bootstrap.cpp:49
#23 0x000000010000a1d8 in do_main(int, char**, char**) (argc=<optimized out>, argv=0x7ffffffff358, envp=<optimized out>) at /build/firefox-083moG/firefox-59.0~b4/browser/app/nsBrowserApp.cpp:231
#24 0x0000000100009850 in main(int, char**, char**) (argc=<optimized out>, argv=0x7ffffffff358, envp=0x7ffffffff368) at /build/firefox-083moG/firefox-59.0~b4/browser/app/nsBrowserApp.cpp:304
(gdb)
We've got the same on SUSE Linux ppc64le, right at startup. An interesting thing: the only architecture where we see this has pagesize of 64k (may be just a coincidence though).
See Also: → 1466567
Priority: -- → P3

Happens sometimes right after startup, with Firefox 73.0b12 on Ubuntu 18.04.

385	    TreeNode rbp_r_p, rbp_r_c, rbp_r_xp, rbp_r_t, rbp_r_u;
(gdb) bt
#0  0x00005555555f2d91 in RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::Remove(RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::TreeNode) (this=0x7ffff6b000e0, aNode=...)
    at /home/mirko/src/firefox/gecko/memory/build/rb.h:385
#1  0x00005555555db572 in RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::Remove(arena_chunk_map_t*) (this=0x7ffff6b000e0, aNode=0x7fffc9801088) at /home/mirko/src/firefox/gecko/memory/build/rb.h:137
#2  0x00005555555d4b87 in arena_t::GetNonFullBinRun(arena_bin_t*) (this=0x7ffff6b00000, aBin=0x7ffff6b000d8) at /home/mirko/src/firefox/gecko/memory/build/mozjemalloc.cpp:2681
#3  0x00005555555e38aa in arena_t::MallocSmall(unsigned long, bool) (this=0x7ffff6b00000, aSize=16, aZero=false) at /home/mirko/src/firefox/gecko/memory/build/mozjemalloc.cpp:2858
#4  0x00005555555db722 in arena_t::Malloc(unsigned long, bool) (this=0x7ffff6b00000, aSize=16, aZero=false) at /home/mirko/src/firefox/gecko/memory/build/mozjemalloc.cpp:2911
#5  0x00005555555e85f9 in BaseAllocator::malloc(unsigned long) (this=0x7fffcae785c0, aSize=16) at /home/mirko/src/firefox/gecko/memory/build/mozjemalloc.cpp:4050
#6  0x00005555555e70b5 in Allocator<MozJemallocBase>::malloc(unsigned long) (arg1=16) at /home/mirko/src/firefox/gecko/memory/build/malloc_decls.h:51
#7  0x000055555561e296 in PageMalloc(mozilla::Maybe<unsigned long> const&, unsigned long) (aArenaId=..., aReqSize=16) at /home/mirko/src/firefox/gecko/memory/replace/phc/PHC.cpp:937
#8  0x000055555561f336 in replace_malloc(unsigned long) (aReqSize=16) at /home/mirko/src/firefox/gecko/memory/replace/phc/PHC.cpp:941
#9  0x00005555555dd286 in Allocator<ReplaceMallocBase>::malloc(unsigned long) (arg1=16) at /home/mirko/src/firefox/gecko/memory/build/malloc_decls.h:51
#10 0x00005555555d7d25 in malloc(size_t) (arg1=16) at /home/mirko/src/firefox/gecko/memory/build/malloc_decls.h:51
#11 0x00007fffe84c5f8e in <gkrust_shared::moz_memory::GeckoAlloc as core::alloc::GlobalAlloc>::alloc (self=0x7fffda253f80, layout=...) at toolkit/library/rust/shared/lib.rs:252
#12 0x00007fffe84c4efd in __rg_alloc (arg0=16, arg1=8) at toolkit/library/rust/shared/lib.rs:291
#13 0x00007fffec46ea68 in alloc::alloc::alloc (layout=...) at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/liballoc/alloc.rs:84
#14 0x00007fffec46e871 in <alloc::alloc::Global as core::alloc::Alloc>::alloc (self=0x7fffcae78880, layout=...) at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/liballoc/alloc.rs:172
#15 0x00007fffec4743d0 in alloc::raw_vec::RawVec<T,A>::allocate_in (capacity=1, zeroed=false, a=...) at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/liballoc/raw_vec.rs:98
#16 0x00007fffec473ee8 in alloc::raw_vec::RawVec<T>::with_capacity (capacity=1) at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/liballoc/raw_vec.rs:167
#17 0x00007fffec46d8d4 in alloc::vec::Vec<T>::with_capacity (capacity=1) at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/liballoc/vec.rs:357
#18 0x00007fffea575fab in alloc::slice::hack::to_vec (s=...) at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/liballoc/slice.rs:158
#19 0x00007fffea3fa545 in alloc::slice::<impl [T]>::to_vec (self=...) at /rustc/4560ea788cb760f0a34127156c78e2552949f734/src/liballoc/slice.rs:379
#20 0x00007fffea3709c1 in webrender::shade::LazilyCompiledShader::new (kind=..., name=..., features=..., device=0x7fffcae91370, precache_flags=...) at gfx/wr/webrender/src/shade.rs:95
#21 0x00007fffea371c92 in webrender::shade::BrushShader::new (name=..., device=0x7fffcae91370, features=..., precache_flags=..., advanced_blend=false, dual_source=true, use_pixel_local_storage=false)
    at gfx/wr/webrender/src/shade.rs:293
#22 0x00007fffea3761ca in webrender::shade::Shaders::new (device=0x7fffcae91370, gl_type=gleam::gl::GlType::Gl, options=0x7fffcaeaffd0) at gfx/wr/webrender/src/shade.rs:794
#23 0x00007fffea32fb67 in webrender::renderer::Renderer::new (gl=..., notifier=..., options=..., shaders=..., start_size=...) at gfx/wr/webrender/src/renderer.rs:2031
#24 0x00007fffea0db514 in wr_window_new (window_id=..., window_width=1, window_height=1, support_low_priority_transactions=true, support_low_priority_threadpool=true, allow_texture_swizzling=true, enable_picture_caching=true, start_debug_server=false, gl_context=0x7fffc73d2000, surface_origin_is_top_left=false, program_cache=..., shaders=..., thread_pool=0x7fffd2e97568, thread_pool_low_priority=0x7fffd2e97570, size_of_op=0x7fffe017c3f0 <mozilla::wr::WebRenderMallocSizeOf(void const*)>, enclosing_size_of_op=0x7fffe017c420 <mozilla::wr::WebRenderMallocEnclosingSizeOf(void const*)>, document_id=0, compositor=0x0, max_update_rects=0, max_partial_present_rects=0, out_handle=0x7fffcaa726c0, out_renderer=0x7fffcaeb66f8, out_max_texture_size=0x7fffcaa726bc, enable_gpu_markers=true, panic_on_gl_error=false)
    at gfx/webrender_bindings/src/bindings.rs:1507
#25 0x00007fffe01a9681 in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) (this=0x7fffc7330c40, aRenderThread=..., aWindowId=...)
    at /home/mirko/src/firefox/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:90
#26 0x00007fffe016e95a in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) (this=0x7fffd3c48880, aWindowId=..., aEvent=[(mozilla::wr::NewRenderer *) 0x7fffc7330c40]) at /home/mirko/src/firefox/gecko/gfx/webrender_bindings/RenderThread.cpp:413
#27 0x00007fffe01a2820 in mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) (o=0x7fffd3c48880, m=
    (void (mozilla::wr::RenderThread::*)(mozilla::wr::RenderThread * const, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)) 0x7fffe016e880 <mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)>, args=...)
    at /home/mirko/src/firefox/gecko/obj-x86_64-pc-linux-gnu-debug/dist/include/nsThreadUtils.h:1163
#28 0x00007fffe01a272d in _ZN7mozilla6detail23RunnableMethodArgumentsIJNS_2wr10WrWindowIdEONS_9UniquePtrINS2_13RendererEventENS_13DefaultDeleteIS5_EEEEEE5applyINS2_12RenderThreadEMSC_FvS3_S8_EEEDTcl9applyImplfp_fp0_dtdefpT10mArgumentstlSt16integer_sequenceImJLm0ELm1EEEEEEPT_T0_ (this=0x7fffc7353910, o=0x7fffd3c48880, m=
    (void (mozilla::wr::RenderThread::*)(mozilla::wr::RenderThread * const, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)) 0x7fffe016e880 <mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)>)
    at /home/mirko/src/firefox/gecko/obj-x86_64-pc-linux-gnu-debug/dist/include/nsThreadUtils.h:1169
#29 0x00007fffe01a24a0 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() (this=0x7fffc73538d0) at /home/mirko/src/firefox/gecko/obj-x86_64-pc-linux-gnu-debug/dist/include/nsThreadUtils.h:1215

The past five times I ran ./mach run --debug --disable-e10s, Firefox crashed with the above-mentioned stack trace. So perhaps this is debug- or e10s-specific.

The problem seems to be around https://searchfox.org/mozilla-central/rev/3a0a8e2762821c6afc1d235b3eb3dde63ad3b01a/memory/build/mozjemalloc.cpp#2589.

A user is reporting a bug with this crash on reddit.

https://old.reddit.com/r/firefox/comments/lksmhp/random_firefox_tabapp_crashes/

They have included several crash reports.

From that thread:
"Is this machine overclocked by any chance?"
"It actually is, yes. i5-6600k pumped up to 4.2 ghz"

Here is another user report from reddit:
https://www.reddit.com/r/firefox/comments/ogd104/firefox_is_now_extremely_unstable_how_do_i/

Maybe they can provide more information; according to them, they are not overclocking anything.

See Also: → 1728842
Severity: critical → S2

Lowering to S4 until we have evidence this is a real bug.

Severity: S2 → S4