Closed Bug 505742 Opened 16 years ago Closed 15 years ago

crash [@arena_avail_tree_remove ]

Categories

(Core :: XPCOM, defect)

1.9.1 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: Usul, Unassigned)

References

()

Details

(Keywords: crash)

Crash Data

Not sure NSPR is the right place, sorry if it ain't. 0 mozcrt19.dll arena_avail_tree_remove jemalloc.c:3079 1 mozcrt19.dll arena_run_dalloc jemalloc.c:3690 2 mozcrt19.dll arena_dalloc jemalloc.c:4568 3 mozcrt19.dll free jemalloc.c:6404 4 plds4.dll PL_FinishArenaPool nsprpub/lib/ds/plarena.c:324 5 xpcom_core.dll NS_PurgeAtomTable xpcom/ds/nsAtomTable.cpp:419 6 xpcom_core.dll NS_ShutdownXPCOM_P xpcom/build/nsXPComInit.cpp:882 7 thunderbird.exe ScopedXPCOMStartup::~ScopedXPCOMStartup toolkit/xre/nsAppRunner.cpp:951 8 thunderbird.exe XRE_main toolkit/xre/nsAppRunner.cpp:3342 9 thunderbird.exe NS_internal_main mail/app/nsMailApp.cpp:103 10 thunderbird.exe wmain toolkit/xre/nsWindowsWMain.cpp:110 11 thunderbird.exe __tmainCRTStartup crtexe.c:591 12 kernel32.dll kernel32.dll@0x17066
The stack given in comment 0 is very strange because it's very incomplete. There are numerous missing frames. Here's a more complete version for levels 0-5 as identified in comment 0 0 mozcrt19.dll arena_avail_tree_remove jemalloc.c:3079 1 mozcrt19.dll arena_run_dalloc jemalloc.c:3690 mozcrt19.dll arena_dalloc_large jemalloc.c:4543 2 mozcrt19.dll arena_dalloc jemalloc.c:4568 mozcrt19.dll idalloc jemalloc.c:4581 3 mozcrt19.dll free jemalloc.c:6404 nspr4.dll PR_Free prmem.c:490 plds4.dll FreeArenaList nsprpub/lib/ds/plarena.c:286 4 plds4.dll PL_FinishArenaPool nsprpub/lib/ds/plarena.c:324 5 xpcom_core.dll NS_PurgeAtomTable xpcom/ds/nsAtomTable.cpp:419 arena_avail_tree_remove is hard to find (mxr doesn't find it) because it's actually defined in an invocation of the rb_wrap macro at http://mxr.mozilla.org/mozilla1.9.1/source/memory/jemalloc/jemalloc.c#3077 That macro, seen at http://mxr.mozilla.org/mozilla1.9.1/source/memory/jemalloc/rb.h#744 in turn invokes the rb_remove macro http://mxr.mozilla.org/mozilla1.9.1/source/memory/jemalloc/rb.h#480 the crash is somewhere inside that huge macro. No telling where.
Assignee: wtc → nobody
Component: NSPR → jemalloc
Product: NSPR → Core
QA Contact: nspr → jemalloc
Version: other → 1.9.1 Branch
so, jemalloc is equivalent to the system heap. most likely this is equivalent to someone corrupting it. xpcom's atom table is barely above that, most likely someone else took and atom and tried to do something evil to it. If I weren't busy filing hundreds of Coverity bugs (and patches for them, and ... and ...), I might consider reviewing each and every place where someone uses an atom.
Component: jemalloc → XPCOM
QA Contact: jemalloc → xpcom
Yeah, really can't do anything with this other than "use valgrind more" and "audit uses of atoms".
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Crash Signature: [@arena_avail_tree_remove ]
You need to log in before you can comment on or make changes to this bug.