[siglist] Crashes in MaybePoison could be unrelated.
Categories: Socorro :: Signature, task
Tracking: Not tracked
People: Reporter: pbone; unassigned
MaybePoison is a relatively new function in mozjemalloc and it now has a bunch of crashes grouped under it in a single signature that are almost certainly unrelated. For example:
https://crash-stats.mozilla.org/report/index/d666cbf5-bba5-4852-a2fa-c8e040230711
and
https://crash-stats.mozilla.org/report/index/d4ea1b2e-3edc-4764-8f67-4faa40231205
They both crash in MaybePoison when trying to free some memory. They could be double frees and the caller outside mozjemalloc should be part of the signature.
That said, there are some crashes like this one:
https://crash-stats.mozilla.org/report/index/fe80324e-6940-4acf-a3dd-c3fac0230717
that were probably due to a CPU bug and might get lost if memset or MaybePoison is not part of the signature. This one was noticed because it had a high correlation with specific CPUs (Bug 1844401).
So maybe if the signature could be made to be:
MaybePoison | mozilla::net::CacheFileUtils::FreeBuffer(void*)
or
memset | MaybePoison | mozilla::net::CacheFileUtils::FreeBuffer(void*)
So that MaybePoison is still included but the frames between it and free (including free) are skipped.
Comment 1 • 1 year ago
Sounds like we should add (at least) the following to the irrelevant list:
arena_dalloc(void*, unsigned long, arena_t*)
BaseAllocator::free(void*)
Allocator<MozJemallocBase>::free(void*)
free
If someone wants to do a PR, that'd be great. Otherwise I'll get to it when I get to it, but it might be next year.
Comment 2 • 1 year ago (Reporter)
Also AllocInfo::GetInChunk has the same problem, e.g. https://crash-stats.mozilla.org/report/index/2326ddb4-4ae5-42a9-a535-2e5d90230918
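The effect of the list changes discussed in this bug, as an added example that is not Socorro's code and not part of the original thread. It is a simplified model that assumes three rules: frames on the irrelevant list are skipped, frames on the prefix list are kept and the walk continues, and the first frame on neither list ends the signature. The frame order of the stacks, the "before" lists and the `hypothetical::` caller are constructed for illustration.

```python
# Simplified model of stack-walking signature generation (not Socorro's code).
# Assumed rules: irrelevant frames are skipped; prefix frames are kept and the
# walk continues; the first frame on neither list is kept and ends the walk.

def generate_signature(frames, irrelevant, prefix):
    parts = []
    for frame in frames:
        if frame in irrelevant:
            continue
        parts.append(frame)
        if frame not in prefix:
            break
    return " | ".join(parts)

# Allocator frames proposed for the irrelevant list in comment 1.
ALLOCATOR_FRAMES = {
    "arena_dalloc(void*, unsigned long, arena_t*)",
    "BaseAllocator::free(void*)",
    "Allocator<MozJemallocBase>::free(void*)",
    "free",
}

# Constructed stacks, innermost frame first (frame order is an assumption).
FREE_STACK = [
    "MaybePoison",
    "arena_dalloc(void*, unsigned long, arena_t*)",
    "BaseAllocator::free(void*)",
    "Allocator<MozJemallocBase>::free(void*)",
    "free",
    "mozilla::net::CacheFileUtils::FreeBuffer(void*)",
]
CPU_BUG_STACK = ["memset"] + FREE_STACK
# Same allocator path reached from a different, hypothetical caller.
OTHER_STACK = FREE_STACK[:-1] + ["hypothetical::OtherCaller::Release()"]

BEFORE = dict(irrelevant=set(), prefix={"memset"})  # assumed current lists
AFTER = dict(irrelevant=ALLOCATOR_FRAMES, prefix={"memset", "MaybePoison"})

def compare(stack):
    """Return (signature before, signature after) for one stack."""
    return (generate_signature(stack, **BEFORE),
            generate_signature(stack, **AFTER))

if __name__ == "__main__":
    for name, stack in [("free", FREE_STACK), ("cpu", CPU_BUG_STACK),
                        ("other", OTHER_STACK)]:
        before, after = compare(stack)
        print(f"{name}: {before!r} -> {after!r}")
```

In this model the two callers share the signature `MaybePoison` before the change and get separate signatures after it, while `memset` and `MaybePoison` stay visible for the CPU-correlated crash.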