1867167 - Crash in [@ arena_t::DallocRun | arena_t::DallocLarge | arena_dalloc | BaseAllocator::free | MozJemalloc::free | PageFree]

Status: RESOLVED INVALID

(Core :: Memory Allocator, defect)

Description

[BugBot [:suhaib / :marco/ :calixte]]

Crash report: https://crash-stats.mozilla.org/report/index/63827bfa-843f-40a9-82b0-c5aff0231123

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT((chunk->map[run_ind].bits & ~gPageSizeMask) == prun_size)

Top 10 frames of crashing thread:

0  firefox-bin  arena_t::DallocRun  memory/build/mozjemalloc.cpp:3010
0  firefox-bin  arena_t::DallocLarge  memory/build/mozjemalloc.cpp:3780
0  firefox-bin  arena_dalloc  memory/build/mozjemalloc.cpp:3815
0  firefox-bin  BaseAllocator::free  memory/build/mozjemalloc.cpp:4638
0  firefox-bin  MozJemalloc::free  memory/build/malloc_decls.h:54
0  firefox-bin  PageFree  memory/build/PHC.cpp:1523
0  firefox-bin  MozJemallocPHC::free  memory/build/PHC.cpp:1527
0  firefox-bin  ReplaceMalloc::free  memory/build/malloc_decls.h:54
0  firefox-bin  free  memory/build/malloc_decls.h:54
1  libxul.so  js_free  js/public/Utility.h:418

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

• First crash report: 2023-11-23
• Process type: Multiple distinct types
• Is startup crash: No
• Has user comments: No
• Is null crash: Yes - 3 out of 4 crashes happened on null or near null memory address

Comment 1

[Gabriele Svelto [:gsvelto]]

Practically all the crashes here as flagged as having bit-flips. I suggest closing this as INVALID.

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:glandium, could you have a look please?

For more information, please visit BugBot documentation.

Comment 3

[Mike Hommey [:glandium]]

Closing per comment 1.