Filing this as a good bug for a talented newcomer. This is very self-contained, has a big upside, but may be challenging. You'll need to have good C debugging skills for this bug, and of course a Mac.
Bug 414946 is fixing jemalloc on mac. The patch worked when it was written, but a bug has crept in on 32-bit platforms, which cause Firefox to crash on start. This component is jemalloc, the memory allocator used by firefox for all its low-level memory allocation, so it's difficult to know whether the bug is in jemalloc itself or if it's in some code that does memory allocation, but I suspect the former.
When running firefox in gdb:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x00000000
0x00005001 in _mh_dylib_header ()
#0 0x00005001 in _mh_dylib_header ()
#1 0x97e41646 in malloc_good_size ()
#2 0x95f98522 in __CFStringChangeSizeMultiple ()
#3 0x95f98e1f in CFStringAppendCharacters ()
#4 0x95fb4d34 in resolveAbsoluteURLString ()
#5 0x95f96591 in CFURLCopyAbsoluteURL ()
#6 0x95fde741 in _CFBundleAddPreferredLprojNamesInDirectory ()
#7 0x95fde230 in _CFBundleGetLanguageSearchList ()
#8 0x95fde07a in CFBundleCopyResourceURL ()
#9 0x95fe8654 in CFBundleGetLocalInfoDictionary ()
#10 0x95fe85b2 in CFBundleGetValueForInfoDictionaryKey ()
#11 0x96e192f7 in CGSServerPort ()
#12 0x96e19127 in CGSScoreboard ()
#13 0x96e18f07 in initCGDisplayState ()
#14 0x96e18d2b in initCGDisplayMappings ()
#15 0x96e1855c in cg_setup ()
#16 0x97e558a0 in pthread_once ()
#17 0x96e18519 in CGSInitialize ()
#18 0x96e34fad in CGSInputModifierKeyState ()
#19 0x9076adbe in GetCurrentKeyModifiers ()
#20 0x9076ad8e in GetCurrentEventKeyModifiers ()
#21 0x00039886 in XRE_main (argc=1, argv=0xbfffe8ac, aAppData=0x4731080) at ../../../toolkit/xre/nsAppRunner.cpp:3128
Typically malloc_good_size would call zone->good_size, but something must be set wrong. In the past, I had a similar problem with this where the size of the zone structs were different on 10.5 than 10.6, so there may be a similar problem here.
szone2ozone and create_zone in jemalloc.c are probably pretty local to the problem, so start there, and be sure to read the comment labelled MALLOC_ZONE_T_SNOW_LEOPARD_NOTE.
I got a different stack trace some time back, so it may be that the frame pointers are getting overwritten and gdb is being confused. But since CFStringChangeSizeMultiple can actually call malloc_good_size, it is probably right.
Finally, a good tactic to figure the problem out would be to use hg to bisect between the revisions where it worked (when I posted the patch) and when it didn't (for example today).
Created attachment 534269 [details] [diff] [review]
Fixes up a bad pointer set in szone2ozone for introspection.
The patch is basically the patch from Paul for bug 414946. A few changes for getting the build to succeed, but the actual bug fix is a 1 byte change in szone2ozone:
zone->introspect = (malloc_introspection_t*)(ozone_introspect);
Paul, can you review this?
Wow, I am ashamed :( Great job Dale!
I've sent this to tryserver: http://tbpl.mozilla.org/?tree=Try&rev=5dd3a5f7fbb0
The differences between this patch and the last one reviewed in bug 651952 are not huge. It's kinda borderline whether we need a new review, so I'm going to be conservative and ask pavlov for one.
My biggest concern is the build fix changes I made. There are some gcc function aliasing and visibility stuff that I ended up removing, but I have no idea how that will affect other platforms.
(In reply to comment #5)
> My biggest concern is the build fix changes I made. There are some gcc
> function aliasing and visibility stuff that I ended up removing, but I have
> no idea how that will affect other platforms.
OK, I see them. I reviewed the patch which brought them in, so I can fix them.
Although we don't quite have jemalloc-on-mac in the tree yet, this particular bug is fixed, so marking it as such. Further jemalloc-on-mac goodness in bug 414946.