Closed Bug 1885728 Opened 2 years ago Closed 2 years ago

Crash in [@ huge_dalloc | MozJemalloc::free | free | rlbox::rlbox_wasm2c_sandbox::impl_create_sandbox]

Categories

(Core :: Security: RLBox, defect)

ARM64
Android
defect

RESOLVED DUPLICATE of bug 1885359

People

(Reporter: michideep, Unassigned)

Details

Steps to reproduce:

  1. Go to https://issmmbeatenyet.com
  2. Mash the "NOT YET" logo
  3. The tab will crash after about 17-40 taps

This also happens on nightly 125.0a1.

Crash report: https://crash-stats.mozilla.org/report/index/bd99e119-d92d-48e2-96b7-11c320240316

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(node) (Double-free?)

Top 10 frames of crashing thread:

0  libmozglue.so  huge_dalloc  memory/build/mozjemalloc.cpp:4295
1  libmozglue.so  MozJemalloc::free  memory/build/malloc_decls.h:54
1  libmozglue.so  free  memory/build/malloc_decls.h:54
2  liblgpllibs.so  rlbox::rlbox_wasm2c_sandbox::impl_create_sandbox  media/libsoundtouch/src/RLBoxSoundTouch.cpp
2  liblgpllibs.so  rlbox::rlbox_sandbox<rlbox::rlbox_wasm2c_sandbox>::create_sandbox<bool>  third_party/rlbox/include/rlbox_sandbox.hpp:402
2  liblgpllibs.so  mozilla::RLBoxSoundTouch::RLBoxSoundTouch  media/libsoundtouch/src/RLBoxSoundTouch.cpp:15
3  libxul.so  mozilla::AudioDecoderInputTrack::EnsureTimeStretcher  dom/media/mediasink/AudioDecoderInputTrack.cpp:623
3  libxul.so  mozilla::AudioDecoderInputTrack::AppendTimeStretchedDataToSegment  dom/media/mediasink/AudioDecoderInputTrack.cpp:424
3  libxul.so  mozilla::AudioDecoderInputTrack::AppendBufferedDataToOutput  dom/media/mediasink/AudioDecoderInputTrack.cpp:390
3  libxul.so  mozilla::AudioDecoderInputTrack::ProcessInput  dom/media/mediasink/AudioDecoderInputTrack.cpp:343

mozregression with GeckoviewExample (arm64) result:

https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6a7f708c3d0458c9b30efa2bdfde6e7812554d1e&tochange=4ea28f9fcd5bc19c617bcdadc6bc361755d1680d

It looks related to bug 1853840

Also, this does not seem to be reproducible on GeckoviewExample (x86_64).

Component: Browser Engine → Security: RLBox
Product: Fenix → Core
Hardware: Unspecified → ARM64

The severity field is not set for this bug.
:shravanrn, could you have a look please?

Flags: needinfo?(shravanrn)

Sorry for the delay here. Will investigate. I think this could be a dup which is now fixed. Will investigate and confirm in the next day or so.

Yup, this is a dup. The prior bug partially addresses the problem. But, we still need to provide a more graceful fallback to OOM, but we can track this as a separate feature.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1885359
Flags: needinfo?(shravanrn)
Resolution: --- → DUPLICATE