1670567 - Mesa/Nouveau: Crash in [@ arena_t::DallocSmall | Allocator<T>::free | replace_free | _tc_sync]

Status: RESOLVED WORKSFORME

(Core :: Widget: Gtk, defect)

Description

[Gabriele Svelto [:gsvelto]]

Crash report: https://crash-stats.mozilla.org/report/index/1c96f6d0-c7fd-4295-a720-4a7540201010

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)

Top 10 frames of crashing thread:

0 firefox-bin arena_t::DallocSmall memory/build/mozjemalloc.cpp:3291
1 firefox-bin Allocator<MozJemallocBase>::free memory/build/malloc_decls.h:54
2 firefox-bin replace_free memory/replace/phc/PHC.cpp:1317
3 libgallium_dri.so _tc_sync ../src/gallium/auxiliary/util/u_threaded_context.c:209
4 libgallium_dri.so tc_transfer_map ../src/gallium/auxiliary/util/u_threaded_context.c:1490
5 libgallium_dri.so dri2_map_image ../src/gallium/state_trackers/dri/dri2.c:1546
6 libgbm.so.1 gbm_dri_bo_map ./build/../src/gbm/backends/dri/gbm_dri.c:1229
7 libxul.so DMABufSurface::MapInternal widget/gtk/DMABufSurface.cpp:546
8 libxul.so DMABufSurfaceYUV::UpdateYUVData widget/gtk/DMABufSurface.cpp:785
9 libxul.so mozilla::FFmpegVideoDecoder<58>::CreateImageDMABuf dom/media/platforms/ffmpeg/FFmpegVideoDecoder.cpp:800

This appears to be a double-free deep into the buffer management code, though I wonder if we're triggering it from within Firefox. It seems to always involve modifying a mapping used by FFMpeg for accelerated video decoding if I'm reading it correctly. There might be more crash signatures given that they're not very good (yet, we'll get better ones soonish).

Comment 1

[Gabriele Svelto [:gsvelto]]

Added one more crash signature

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Closing because no crashes reported for 12 weeks.