Open Bug 1583374 Opened 6 years ago Updated 2 years ago

Crashes in zone_realloc on secondary thread, often while running file picker on main thread

Categories

(Core :: mozglue, defect)

Product:
Core
Component:
mozglue
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

People

(Reporter: smichaud, Unassigned)

Details

(Whiteboard: qa-not-actionable)

Crash Data

These crashes are deep in system code, so I suspect this is an Apple bug, even though zone_realloc is in mozglue. They happen on macOS 10.12, 10.13 and 10.14.

https://crash-stats.mozilla.com/signature/?signature=zone_realloc

This bug might benefit from an analysis using a HookCase hook library (https://github.com/steven-michaud/HookCase).

Severity: normal → critical
Crash Signature: [@ zone_realloc]

One peculiarity of many of these crashes is that, above them on the stack, there's a call to DallocSmall() and then a call to start_wqthread:

    34  libsystem_pthread.dylib start_wqthread frame_pointer
    35  libmozglue.dylib arena_t::DallocSmall(arena_chunk_t*, void*, arena_chunk_map_t*) memory/build/mozjemalloc.cpp:3292  scan
    36  libmozglue.dylib arena_dalloc(void*, unsigned long, arena_t*) memory/build/mozjemalloc.cpp:3328  scan

This is so very bizarre that I'm not entirely sure I trust these crash stacks.

Here's the source for zone_realloc:

    static void* zone_realloc(malloc_zone_t* zone, void* ptr, size_t size) {
      if (malloc_usable_size_impl(ptr)) return realloc_impl(ptr, size);
    
      // Sometimes, system libraries call malloc_zone_* functions with the wrong
      // zone (e.g. CoreFoundation does). In that case, we need to find the real
      // one. We can't call libSystem's realloc directly because we're exporting
      // realloc from libmozglue and we'd pick that one, so we manually find the
      // right zone and realloc with it.
      malloc_zone_t* real_zone = malloc_zone_from_ptr(ptr);
      // The system allocator crashes voluntarily by default when a pointer can't
      // be traced back to a zone. Do the same.
      MOZ_RELEASE_ASSERT(real_zone);
      MOZ_RELEASE_ASSERT(real_zone != zone);
      return malloc_zone_realloc(real_zone, ptr, size);
    }

This bug's crashes happen in MOZ_RELEASE_ASSERT(real_zone); So this is almost surely an Apple bug.

The priority flag is not set for this bug.
:glandium, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mh+mozilla)
Whiteboard: qa-not-actionable
Severity: critical → S2

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3

Setting priority is no longer part of current triage processes, clearing needinfo.

Flags: needinfo?(mh+mozilla)
You need to log in before you can comment on or make changes to this bug.