Closed Bug 648514 Opened 14 years ago Closed 11 years ago

Crash in JS Interpreter: pointer being reallocated was not allocated

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: spamcop, Unassigned)

Details

[I don't know which version to select, since I have no idea on what version Firefox 4 is based-upon; please fix this for me] I get the following crash rather frequently (several times a day, usually when filling out forms): Identifier: org.mozilla.firefox Version: 4.0 (4.0) Code Type: X86-64 (Native) Parent Process: ??? [1] Date/Time: 2011-04-08 13:14:02.061 +0200 OS Version: Mac OS X 10.6.7 (10J869) Report Version: 6 Interval Since Last Report: 182549 sec Crashes Since Last Report: 1 Per-App Interval Since Last Report: 516618 sec Per-App Crashes Since Last Report: 1 Anonymous UUID: 71B2DE78-6E4C-4E05-A258-B96958927F1D Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Application Specific Information: *** error for object 0x118968690: pointer being reallocated was not allocated Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 libSystem.B.dylib 0x00007fff808c05d6 __kill + 10 1 libSystem.B.dylib 0x00007fff80960cd6 abort + 83 2 libSystem.B.dylib 0x00007fff8094f90d szone_error + 519 3 libSystem.B.dylib 0x00007fff8087a13e szone_realloc + 102 4 libSystem.B.dylib 0x00007fff8087a09b malloc_zone_realloc + 92 5 libSystem.B.dylib 0x00007fff80886132 realloc + 169 6 XUL 0x0000000101003d67 js_CheckUndeclaredVarAssignment(JSContext*, JSString*) + 2567 7 XUL 0x00000001010142d5 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19061 8 XUL 0x0000000100f5bd58 JS_HasUCProperty + 1320 9 XUL 0x0000000100fb1e7e js_GetSrcNoteOffset + 98878 10 XUL 0x00000001010142ff JSObject::clone(JSContext*, JSObject*, JSObject*) + 19103 11 XUL 0x00000001010b6d8f JSWrapper::trace(JSTracer*, JSObject*) + 591 12 XUL 0x000000010105e293 js::FixProxy(JSContext*, JSObject*, int*) + 4595 13 XUL 0x0000000100f73214 js_CloneDensePrimitiveArray(JSContext*, JSObject*, JSObject**) + 10804 14 XUL 0x00000001010145b6 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19798 15 XUL 0x0000000100fbda2c js::IsBuiltinFunctionConstructor(JSFunction*) + 37948 16 XUL 0x00000001010142ff JSObject::clone(JSContext*, JSObject*, JSObject*) + 19103 17 XUL 0x00000001010b6d8f JSWrapper::trace(JSTracer*, JSObject*) + 591 18 XUL 0x000000010105e293 js::FixProxy(JSContext*, JSObject*, int*) + 4595 19 XUL 0x0000000100f73214 js_CloneDensePrimitiveArray(JSContext*, JSObject*, JSObject**) + 10804 20 XUL 0x00000001010145b6 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19798 21 XUL 0x00000001010b66d8 JSWrapper::typeOf(JSContext*, JSObject*) + 344 22 XUL 0x00000001010b6ffd JSWrapper::trace(JSTracer*, JSObject*) + 1213 23 XUL 0x000000010105e293 js::FixProxy(JSContext*, JSObject*, int*) + 4595 24 XUL 0x0000000101005529 js_obj_defineGetter(JSContext*, unsigned int, js::Value*) + 4137 25 XUL 0x0000000101014b7b JSObject::clone(JSContext*, JSObject*, JSObject*) + 21275 26 XUL 0x00000001010145b6 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19798 27 XUL 0x00000001010145b6 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19798 28 XUL 0x0000000100fbda2c js::IsBuiltinFunctionConstructor(JSFunction*) + 37948 29 XUL 0x00000001010142ff JSObject::clone(JSContext*, JSObject*, JSObject*) + 19103 30 XUL 0x00000001010b6d8f JSWrapper::trace(JSTracer*, JSObject*) + 591 31 XUL 0x000000010105e293 js::FixProxy(JSContext*, JSObject*, int*) + 4595 32 XUL 0x00000001010145b6 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19798 33 XUL 0x00000001010b66d8 JSWrapper::typeOf(JSContext*, JSObject*) + 344 34 XUL 0x00000001010b6ffd JSWrapper::trace(JSTracer*, JSObject*) + 1213 35 XUL 0x000000010105e293 js::FixProxy(JSContext*, JSObject*, int*) + 4595 36 XUL 0x0000000101005529 js_obj_defineGetter(JSContext*, unsigned int, js::Value*) + 4137 37 XUL 0x0000000101014b7b JSObject::clone(JSContext*, JSObject*, JSObject*) + 21275 38 XUL 0x00000001010b6d8f JSWrapper::trace(JSTracer*, JSObject*) + 591 39 XUL 0x000000010105e293 js::FixProxy(JSContext*, JSObject*, int*) + 4595 40 XUL 0x00000001010145b6 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19798 41 XUL 0x00000001010b66d8 JSWrapper::typeOf(JSContext*, JSObject*) + 344 42 XUL 0x00000001010b6ffd JSWrapper::trace(JSTracer*, JSObject*) + 1213 43 XUL 0x000000010105e293 js::FixProxy(JSContext*, JSObject*, int*) + 4595 44 XUL 0x0000000101005529 js_obj_defineGetter(JSContext*, unsigned int, js::Value*) + 4137 45 XUL 0x0000000101014b7b JSObject::clone(JSContext*, JSObject*, JSObject*) + 21275 46 XUL 0x00000001010145b6 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19798 47 XUL 0x0000000101005529 js_obj_defineGetter(JSContext*, unsigned int, js::Value*) + 4137 48 XUL 0x0000000101014b93 JSObject::clone(JSContext*, JSObject*, JSObject*) + 21299 49 XUL 0x00000001010145b6 JSObject::clone(JSContext*, JSObject*, JSObject*) + 19798 50 XUL 0x0000000100fcd771 js::MarkContext(JSTracer*, JSContext*) + 8497 51 XUL 0x0000000100fce540 js::MarkContext(JSTracer*, JSContext*) + 12032 52 XUL 0x000000010096fba5 DumpJSValue + 741 53 XUL 0x000000010096badd vpx_reset_mmx_state + 1878453 54 XUL 0x0000000100e24d1a XRE_AddStaticComponent + 38682 55 XUL 0x0000000100e24db8 XRE_AddStaticComponent + 38840 56 XUL 0x0000000100e211b3 XRE_AddStaticComponent + 23475 57 XUL 0x0000000100ddd21e nsPrintSession::Release() + 1129646 58 XUL 0x0000000100cbc30d JSD_DebuggerOnForUser + 1178781 59 XUL 0x0000000100c87be7 JSD_DebuggerOnForUser + 963959 60 com.apple.CoreFoundation 0x00007fff81f26401 __CFRunLoopDoSources0 + 1361 61 com.apple.CoreFoundation 0x00007fff81f245f9 __CFRunLoopRun + 873 62 com.apple.CoreFoundation 0x00007fff81f23dbf CFRunLoopRunSpecific + 575 63 com.apple.HIToolbox 0x00007fff8325a7ee RunCurrentEventLoopInMode + 333 64 com.apple.HIToolbox 0x00007fff8325a5f3 ReceiveNextEventCommon + 310 65 com.apple.HIToolbox 0x00007fff8325a4ac BlockUntilNextEventMatchingListInMode + 59 66 com.apple.AppKit 0x00007fff8610ae64 _DPSNextEvent + 718 67 com.apple.AppKit 0x00007fff8610a7a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155 68 com.apple.AppKit 0x00007fff860d048b -[NSApplication run] + 395 69 XUL 0x0000000100c874ad JSD_DebuggerOnForUser + 962109 70 XUL 0x0000000100af01b4 js::JSProxyHandler::isOuterWindow() + 609220 71 XUL 0x0000000100016aae XRE_main + 8574 72 org.mozilla.firefox 0x0000000100001af7 start + 471 73 org.mozilla.firefox 0x0000000100001954 start + 52 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x00000001057a4000 rcx: 0x00007fff5fbfc608 rdx: 0x0000000000000000 rdi: 0x0000000000000ac5 rsi: 0x0000000000000006 rbp: 0x00007fff5fbfc620 rsp: 0x00007fff5fbfc608 r8: 0x0000000000000e03 r9: 0x0000000000000000 r10: 0x00007fff808bc616 r11: 0x0000000000000202 r12: 0x0000000000000000 r13: 0x0000000118968690 r14: 0x0000000101d34000 r15: 0x00000001057a40c0 rip: 0x00007fff808c05d6 rfl: 0x0000000000000202 cr2: 0x00007fff8094b442 The crash might be caused by an extension; however, no matter what the extension does, the crash happens while JS code of this extension is being executed and even if the extension has a bug, the JS interpreter must not crash. I think I have probably submitted a couple of those crashes via the build-in crash reporter, but now, that I finally got a real system crash report, I thought I should maybe track this issue by filing a bug for it.
For what it's worth, the crash reports you submitted probably have more information than the system crash report. As soon as you submit a crash report, you can look in about:crashes and submit a bug report with the report url or id for that particular report... Could you post one (or more) of those here? Just to check something, did you perhaps enable chrome methodjit?
Thank you for the hint to "about:crashes", I never noticed that you can see your crash reports that way. And I'm sorry to say that I just found out that my other regular crashes don't happen because of a re-malloc issues, but because of a bad-access in the GC code. So I don't have Mozilla crash report for the issue above, I'm sorry. Regarding the config, methodjit settings are all default. I installed Fx 4.0 with a fresh profile; I always create a fresh profile on major updates. Methodjit for chrome is disabled, it is enabled for content and methodjit_always is also disabled. Maybe this bug can be closed then, since I cannot really provide any more information than I already did above. Should I maybe open a bug for all my other crashes or are crash reports automatically treated as "bugs"? All my crashes happen exactly at the same line of code in the GC.
Crash reports that happen to enough users are filed as bugs. You should probably file a separate bug on your GC issue. It's probably better to leave this bug open in case someone can make sense of the stack from comment
I meant "from comment 0".
TGOS do you still see this problem?
Flags: needinfo?(spamcop)
Whiteboard: [closeme 2013-09-01]
Nope, haven't see any malloc() crashes for a very long time. Actually I haven't seen any crashes at all for a very long time. Feel free to close this bug, I guess it has been fixed by one of the many changes to JS code in the last 2 years (quite possible that the code causing the crash has been removed years ago).
Flags: needinfo?(spamcop)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Whiteboard: [closeme 2013-09-01]
You need to log in before you can comment on or make changes to this bug.