Closed
Bug 505742
Opened 16 years ago
Closed 15 years ago
crash [@arena_avail_tree_remove ]
Categories
(Core :: XPCOM, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: Usul, Unassigned)
References
()
Details
(Keywords: crash)
Crash Data
Not sure NSPR is the right place, sorry if it ain't.
0 mozcrt19.dll arena_avail_tree_remove jemalloc.c:3079
1 mozcrt19.dll arena_run_dalloc jemalloc.c:3690
2 mozcrt19.dll arena_dalloc jemalloc.c:4568
3 mozcrt19.dll free jemalloc.c:6404
4 plds4.dll PL_FinishArenaPool nsprpub/lib/ds/plarena.c:324
5 xpcom_core.dll NS_PurgeAtomTable xpcom/ds/nsAtomTable.cpp:419
6 xpcom_core.dll NS_ShutdownXPCOM_P xpcom/build/nsXPComInit.cpp:882
7 thunderbird.exe ScopedXPCOMStartup::~ScopedXPCOMStartup toolkit/xre/nsAppRunner.cpp:951
8 thunderbird.exe XRE_main toolkit/xre/nsAppRunner.cpp:3342
9 thunderbird.exe NS_internal_main mail/app/nsMailApp.cpp:103
10 thunderbird.exe wmain toolkit/xre/nsWindowsWMain.cpp:110
11 thunderbird.exe __tmainCRTStartup crtexe.c:591
12 kernel32.dll kernel32.dll@0x17066
Comment 1•16 years ago
|
||
The stack given in comment 0 is very strange because it's very incomplete.
There are numerous missing frames. Here's a more complete version for
levels 0-5 as identified in comment 0
0 mozcrt19.dll arena_avail_tree_remove jemalloc.c:3079
1 mozcrt19.dll arena_run_dalloc jemalloc.c:3690
mozcrt19.dll arena_dalloc_large jemalloc.c:4543
2 mozcrt19.dll arena_dalloc jemalloc.c:4568
mozcrt19.dll idalloc jemalloc.c:4581
3 mozcrt19.dll free jemalloc.c:6404
nspr4.dll PR_Free prmem.c:490
plds4.dll FreeArenaList nsprpub/lib/ds/plarena.c:286
4 plds4.dll PL_FinishArenaPool nsprpub/lib/ds/plarena.c:324
5 xpcom_core.dll NS_PurgeAtomTable xpcom/ds/nsAtomTable.cpp:419
arena_avail_tree_remove is hard to find (mxr doesn't find it) because it's
actually defined in an invocation of the rb_wrap macro at
http://mxr.mozilla.org/mozilla1.9.1/source/memory/jemalloc/jemalloc.c#3077
That macro, seen at
http://mxr.mozilla.org/mozilla1.9.1/source/memory/jemalloc/rb.h#744
in turn invokes the rb_remove macro
http://mxr.mozilla.org/mozilla1.9.1/source/memory/jemalloc/rb.h#480
the crash is somewhere inside that huge macro. No telling where.
Assignee: wtc → nobody
Component: NSPR → jemalloc
Product: NSPR → Core
QA Contact: nspr → jemalloc
Version: other → 1.9.1 Branch
so, jemalloc is equivalent to the system heap. most likely this is equivalent to someone corrupting it.
xpcom's atom table is barely above that, most likely someone else took and atom and tried to do something evil to it. If I weren't busy filing hundreds of Coverity bugs (and patches for them, and ... and ...), I might consider reviewing each and every place where someone uses an atom.
Component: jemalloc → XPCOM
QA Contact: jemalloc → xpcom
Comment 3•15 years ago
|
||
Yeah, really can't do anything with this other than "use valgrind more" and "audit uses of atoms".
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Assignee | ||
Updated•14 years ago
|
Crash Signature: [@arena_avail_tree_remove ]
You need to log in
before you can comment on or make changes to this bug.
Description
•