1823563 - Possible double-free in mozilla::gl::GLContextEGL::SwapBuffers()

Status: RESOLVED DUPLICATE of bug 1817336

(Core :: Graphics, defect)

Description

[Randell Jesup [:jesup] (needinfo me)]

Note: signature will pick up a lot of other crashes. This is for SwapBuffers(), curently 13 crashes in 107a1 to 112a1:

https://crash-stats.mozilla.org/signature/?product=Firefox&proto_signature=~GLContextEGL%3A%3ASwapBuffers&signature=arena_run_reg_dalloc%20%7C%20arena_t%3A%3ADallocSmall%20%7C%20arena_dalloc%20%7C%20BaseAllocator%3A%3Afree%20%7C%20Allocator%3CT%3E%3A%3Afree%20%7C%20PageFree&date=%3E%3D2022-09-21T01%3A06%3A00.000Z&date=%3C2023-03-21T01%3A06%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1

Crash report: https://crash-stats.mozilla.org/report/index/708baea2-3f19-4d4b-8213-4d82d0230128

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)

Top 10 frames of crashing thread:

0  firefox-bin  arena_run_reg_dalloc  memory/build/mozjemalloc.cpp:2472
0  firefox-bin  arena_t::DallocSmall  memory/build/mozjemalloc.cpp:3572
0  firefox-bin  arena_dalloc  memory/build/mozjemalloc.cpp:3656
0  firefox-bin  BaseAllocator::free  memory/build/mozjemalloc.cpp:4431
0  firefox-bin  Allocator<MozJemallocBase>::free  memory/build/malloc_decls.h:54
0  firefox-bin  PageFree  memory/replace/phc/PHC.cpp:1298
0  firefox-bin  replace_free  memory/replace/phc/PHC.cpp:1334
0  firefox-bin  Allocator<ReplaceMallocBase>::free  memory/build/malloc_decls.h:54
0  firefox-bin  free  memory/build/malloc_decls.h:54
1  libgallium_dri.so  nouveau_fence_trigger_work  src/gallium/drivers/nouveau/nouveau_fence.c:52

Comment 1

[Andrew McCreight [:mccr8]]

Looks like a dupe of bug 1817336. The builds look old.