Closed Bug 420678 Opened 16 years ago Closed 16 years ago

Repeated crashes [@arena_dalloc_small]

Categories

(Core :: General, defect, P2)

x86
Windows XP
defect

RESOLVED WONTFIX

People

(Reporter: sciguyryan, Assigned: jasone)

Details

(Keywords: crash)

Attachments

(1 file, 1 obsolete file)

I have gotten lots of crashes at arena_dalloc_small in the last few days and it's now number 25 on the prebeta 4 top crash list (http://crash-stats.mozilla.com/report/list?range_unit=weeks&version=Firefox%3A3.0b4pre&range_value=2&signature=arena_dalloc_small)

783deea8-e8ff-11dc-8b9d-001a4bd46e84, e7395670-e85e-11dc-a53c-001a4bd46e84 and ccfc652e-e6e9-11dc-b70f-001a4bd43ef6 are the three I can find off the top of my head.

I cannot seem to repeat this unfortunately so I have no test for it.
Summary: Repeated crashes [@arena_dalloc_small] and [] → Repeated crashes [@arena_dalloc_small]
I see the same problem. Ever since I updated from Firefox 2 to the Pre-Beta-5 Nightlies, I get a large number of crashes, making Firefox almost unusable. Many of these crashes point to arena_dalloc_small and it is now number 6 in the list of reported crashes for 3.0b5pre.

Let me know if there is anything I can do to further investigate this problem.

Okay. This has gone up to #5 on the top crashers now. I'm requesting a blocking to see if there is anything that can be done here. Unfortunately the seemingly random nature of this crash is going to cause issues in investigating I think.
Severity: major → critical
Flags: blocking1.9?
re comment 1, do you have *any* extensions installed? or any plugins? i don't see any plugins in the modules list for this crash:
Signature	arena_dalloc_small
UUID	783deea8-e8ff-11dc-8b9d-001a4bd46e84
Time	2008-03-02 19:02:34-08:00
Uptime	0
Product	Firefox
Version	3.0b4pre
Build ID	2008030206
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	AuthenticAMD family 6 model 8 stepping 1
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x6f706d77
Comments	
Crashing Thread
Frame 	Signature 	Source
0 	arena_dalloc_small 	jemalloc.c:3992
1 	arena_dalloc 	jemalloc.c:4180
2 	free 	jemalloc.c:5915
3 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2539
4 	XPC_WN_CallMethod(JSContext*, JSObject*, unsigned int, long*, long*) 	mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1470
5 	js_Invoke 	
6 	js_InternalInvoke 	
7 	js_TryMethod 	
8 	js_DefaultValue

but maybe I'm missing something.
Yeah. I have got plugins and extensions installed but after disabling them the browser still periodically crashes. It should be noted that it normally happens after closing say Gmail -  a few seconds later the browser crashes.
I also have a few plugins and extensions installed - nothing spectacular though. I have disabled some of them for a while without any change.

Also, I frequently see Firefox crashing without Breakpad even catching it. That might be unrelated though.

it's possible, but unlikely that running under windbg
http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg 
may give hints...

at the very least if you catch this crash under a debugger someone on irc should be able to talk you through getting a js stack trace.
Jason the info here is sketchy - but the crash is in jemalloc - any way we can diagnose better?
Assignee: nobody → jasone
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
If we're lucky, enabling the MALLOC_SEATBELTS code that's in bug 418510 will tell us that this is a common memory allocation error, like a double free.
If anyone has discovered a repeatable test case for this crash I'll be happy to take a look.
these aren't double frees, they are binary extensions allocating using the wrong allocator to allocate objects and they're just getting freed in this spot.  
I too have experienced Firefox suddenly closing for no reason. Unfortunately, I've not noticed anything specific that I'm doing at the time. It appears to be random. It happens daily, though not so much as to make Firefox unusable--but it's very annoying!  Most recently it crashed when I entered an item into the snopes search box that's on my toolbar...
most of the comments coming in on this one show some interaction with the URL bar/tabs or windows opening...

> Typing an address into the navigation bar

>  Typed m a i l into the address bar with two other tabs open

> it just crashed when i was typing in something...

> I was trying to write a url in the address bar

and a slight variation 

> i just try to select a bookmark a little fast in bookmark toolbar

Then there are a few other arena_dalloc_small crashes with some different stacks but those are likely for other bugs...

in http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&range_unit=weeks&version=Firefox%3A3.0b5&signature=arena_dalloc_small&range_value=1

sort on address and look at the 0x6f706d77 to see URL typing and stack frame like

Frame   Signature       Source
0       arena_dalloc_small      jemalloc.c:3992
1       arena_dalloc    jemalloc.c:4180
2       free    jemalloc.c:5915
3       XPCWrappedNative::CallMethod(XPCCallContext&,

set of problems.
Stuart what's the final plan for binary extensions with this issue?
Stuart asked me to make malloc_usable_size() detect pointers that do not reside within memory regions managed by jemalloc.  The patch does this.  My understanding is that Stuart will add a call to malloc_usable_size() before calling free() for any objects that are allocated by extensions, in order to be able to catch mixed allocator use.

The patch should perform adequately for the intended purpose, but if we were to do such validation for *all* calls to free(), I would want to make more extensive changes to avoid the overhead of extra locking and red-black tree searches.
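
An added illustration of the check described in the comment above (not jemalloc code and not the attached patch): a toy allocator whose size query returns 0 for any pointer it does not manage, so a wrapper can refuse to free a block that came from a different allocator. The names `toy_malloc`, `toy_usable_size` and `guarded_free` are hypothetical, and a linear side table stands in for the tree lookup the comment mentions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy allocator (hypothetical, not jemalloc): one static chunk, bump
   allocation, block metadata kept in a side table. */
#define CHUNK_SIZE 4096
#define MAX_BLOCKS 64
static _Alignas(16) unsigned char chunk[CHUNK_SIZE];
static size_t chunk_used;
static struct { void *ptr; size_t size; int live; } blocks[MAX_BLOCKS];
static size_t nblocks;

void *toy_malloc(size_t n) {
    if (n == 0 || n > CHUNK_SIZE - chunk_used || nblocks == MAX_BLOCKS) return NULL;
    void *p = chunk + chunk_used;
    blocks[nblocks].ptr = p;
    blocks[nblocks].size = n;
    blocks[nblocks].live = 1;
    nblocks++;
    chunk_used += (n + 15) & ~(size_t)15;   /* keep later blocks 16-byte aligned */
    return p;
}

/* Index of the live block that starts exactly at ptr, or -1 for anything else. */
static int find_block(const void *ptr) {
    for (size_t i = 0; i < nblocks; i++)
        if (blocks[i].ptr == ptr) return blocks[i].live ? (int)i : -1;
    return -1;
}

/* 0 means "not a live block of this allocator", which is the signal the caller checks. */
size_t toy_usable_size(const void *ptr) {
    int i = find_block(ptr);
    return i < 0 ? 0 : blocks[i].size;
}

int guarded_free(void *ptr) {
    if (ptr == NULL) return 0;
    int i = find_block(ptr);
    if (i < 0) return -1;   /* foreign, interior or already-freed pointer: refuse */
    blocks[i].live = 0;
    return 0;
}

int main(void) {
    void *mine = toy_malloc(24);
    void *foreign = malloc(24);   /* stands in for a block from another allocator */
    int r1 = guarded_free(foreign), r2 = guarded_free(mine), r3 = guarded_free(mine);
    printf("foreign -> %d, own -> %d, own again -> %d\n", r1, r2, r3);
    free(foreign);
    return 0;
}
```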
jason's patch except using alloca() for arenas_snapshot.  This seems to work fine and the rest of the patch looks OK to me.
Attachment #314637 - Attachment is obsolete: true
Attachment #315240 - Flags: superreview+
Attachment #315240 - Flags: review?(jasone)
Attachment #315240 - Flags: review?(jasone) → review+
Attachment #315240 - Flags: approval1.9?
Comment on attachment 315240 [details] [diff] [review]
use alloca instead of variable sized array

a1.9=beltzner
Attachment #315240 - Flags: approval1.9? → approval1.9+
ok, I've checked in this patch.

Because this particular bug is crashing with binary extensions, and extension authors need to update for Firefox 3 anyways, I'm going to mark this particular bug WONTFIX.  We should continue to blacklist crashy extensions.

I am going to put in a workaround for plugins that uses this code to keep them from crashing in bug 422024.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
I still see a lot of these crashes (4 over the last 3 days - not heavily using Firefox during these days) even though I have disabled all incompatible extensions.

My current extension list:
Adblock Plus
German Dictionary
Firebug
Gmail Notifier
US English Dictionary

I have a few more extensions installed, but they are all disabled because they are not compatible with Firefox 3.
if we have checked in patches that might address parts of the problem seems like this should be "fixed" not "wontfix" and then open up additional bugs for the remaining parts of the problem, but I'm not sure that the resolution of this bug number matters much at this point.

pav suggests blocklisting versions of anything that's still crashing so let's figure some of that out in bug 434752

> from comment 19

which versions of those extensions are you using?   Please add that data to bug 434752 if you can.  Firebug in particular was known to not be compatible until just recently so that might be one to check on for sure.

check on https://bugzilla.mozilla.org/show_bug.cgi?id=411814 for more details about firebug

gmail notifier might also have binary components in the collection of google tools that have known compatibility problems so getting version info on what you were using there would be good as well

I have a friend who's still seeing crashes like this with no extensions enabled. I've filed bug 436375 on it.
Crash Signature: [@arena_dalloc_small]