Open Bug 1878984 Opened 3 months ago Updated 21 days ago

Crash in [@ arena_t::ArenaRunRegAlloc | arena_t::MallocSmall | arena_t::Malloc | BaseAllocator::malloc | MozJemalloc::malloc]

Categories

(Core :: Memory Allocator, defect)


Tracking Status
firefox124 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/9745486e-136a-40ab-b538-2b1160240131

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(0)

Top 10 frames of crashing thread:

0  firefox-bin  arena_t::ArenaRunRegAlloc  memory/build/mozjemalloc.cpp:2558
0  firefox-bin  arena_t::MallocSmall  memory/build/mozjemalloc.cpp:3286
0  firefox-bin  arena_t::Malloc  memory/build/mozjemalloc.cpp:3332
0  firefox-bin  BaseAllocator::malloc  memory/build/mozjemalloc.cpp:4551
0  firefox-bin  MozJemalloc::malloc  memory/build/malloc_decls.h:51
0  firefox-bin  PageMalloc  memory/build/PHC.cpp:1306
0  firefox-bin  MozJemallocPHC::malloc  memory/build/PHC.cpp:1310
0  firefox-bin  ReplaceMalloc::malloc  memory/build/malloc_decls.h:51
0  firefox-bin  malloc  memory/build/malloc_decls.h:51
1  libglib-2.0.so.0  g_malloc  /usr/src/debug/glib2/glib/glib/gmem.c:130

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2023-12-14
  • Process type: Multiple distinct types
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 3 out of 5 crashes happened on null or near null memory address

The Bugbug bot thinks this bug should belong to the 'Core::Memory Allocator' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: General → Memory Allocator

The severity field is not set for this bug.
:glandium, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mh+mozilla)

We should probably change this

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(0)

to be more explicit that this is reaching code that is not supposed to be reached.

Which suggests either something went really badly wrong, or... more likely, some bit flip happened. I'm not excluding the former. Paul, would you mind taking a deeper dive?

Severity: -- → S2
Flags: needinfo?(mh+mozilla) → needinfo?(pbone)
See Also: → 1878195

There are a few different crash locations captured by the same signatures for both this and Bug 1878195.

Some are definitely bad RAM; I saw one bitflip in an index that was used to look up an array. For others I think we could add some assertions or promote some debug assertions to diagnostic assertions. I'll consider what assertions we might want and keep looking.

Flags: needinfo?(pbone)

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit BugBot documentation.

Severity: S2 → S3