If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

IonMonkey: crash in js::Vector<unsigned char, 32, js::SystemAllocPolicy>::growStorageBy

VERIFIED FIXED in Firefox 18

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Unassigned)

Tracking

({crash, regression, topcrash})

18 Branch
mozilla18
x86_64
Mac OS X
crash, regression, topcrash
Points:
---

Firefox Tracking Flags

(firefox16 unaffected, firefox17 unaffected, firefox18+ verified)

Details

(crash signature)

(Reporter)

Description

5 years ago
It first appeared with IonMonkey and is #2 top browser crasher on Mac OS X in 18.0a1.

Signature 	arena_bin_malloc_easy More Reports Search
UUID	a4ac8070-f80f-4590-90f3-e608b2120920
Date Processed	2012-09-20 02:32:02
Uptime	19020
Last Crash	1.2 weeks before submission
Install Age	5.3 hours since version was first installed.
Install Time	2012-09-19 21:14:14
Product	Firefox
Version	18.0a1
Build ID	20120919030602
Release Channel	nightly
OS	Mac OS X
OS Version	10.6.8 10K549
Build Architecture	amd64
Build Architecture Info	family 6 model 37 stepping 5
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x53878b18
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x a29GL Context? GL Context+ GL Layers? GL Layers+ 
Processor Notes 	
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libmozglue.dylib 	arena_bin_malloc_easy 	jemalloc.c:3174
1 	libmozglue.dylib 	arena_malloc 	jemalloc.c:3940
2 	libmozglue.dylib 	je_realloc 	jemalloc.c:4819
3 	libmozglue.dylib 	ozone_realloc 	jemalloc.c:6990
4 	libSystem.B.dylib 	malloc_zone_realloc 	
5 	libSystem.B.dylib 	realloc 	
6 	XUL 	js::Vector<unsigned char, 32, js::SystemAllocPolicy>::growStorageBy 	
7 	XUL 	js::ion::SnapshotWriter::addSlot 	
8 	XUL 	js::ion::CodeGeneratorShared::encodeSlots 	CodeGenerator-shared.cpp:118
9 	XUL 	js::ion::CodeGeneratorShared::encodeSlots 	CodeGenerator-shared.cpp:175
10 	XUL 	js::ion::CodeGeneratorShared::encode 	CodeGenerator-shared.cpp:243
11 	libmozglue.dylib 	je_malloc 	jemalloc.c:4217
12 	libmozglue.dylib 	ozone_size 	jemalloc.c:6963
13 	XUL 	js::ion::CodeGeneratorX86Shared::bailout<js::ion::BailoutJump> 	CodeGenerator-x86-shared.cpp:343
14 	XUL 	js::ion::CodeGeneratorX86Shared::bailoutIf 	CodeGenerator-x86-shared.cpp:376
15 	XUL 	js::ion::CodeGeneratorX64::visitUnbox 	CodeGenerator-x64.cpp:117
16 	XUL 	js::ion::LUnbox::accept 	LIR-x64.h:53
17 	XUL 	js::ion::CodeGenerator::generateBody 	CodeGenerator.cpp:1287
18 	XUL 	js::ion::CodeGenerator::generate 	CodeGenerator.cpp:2798
19 	XUL 	js::ion::CodeGeneratorShared::CodeGeneratorShared 	CodeGenerator-shared.cpp:37
20 	XUL 	js::ion::CodeGeneratorX64::CodeGeneratorX64 	CodeGenerator-x64.cpp:21
21 	XUL 	js::ion::TestCompiler 	Ion.cpp:917
22 	XUL 	js::VectorImpl<js::ion::IonCache, 0, js::SystemAllocPolicy, false>::growTo

More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_bin_malloc_easy
(Reporter)

Updated

5 years ago
Keywords: regression
Some URLs:

1	http://ffg.football.cbssports.com/scoring/preview/2/1
1 	https://www.google.com/search?hl=en&q=rsaeuro+debian
1 	https://encrypted.google.com/search?btnG=Google+Search&q=balzac
1 	http://thedatakey.upstreamedia.com/generate/list/business#.UFfZLDNAyXI
1 	https://www.google.com/search?q=iPhone+vs+Android&ie=utf-8&oe=utf-8&aq=t&rls=org
1 	file:///Users/kayhanatamyildiz/Desktop/home-images/html-design/index.html
1 	http://excellentdigitallab.com/admin/gallery.php
1 	https://www.google.com/search?q=mixpanel+javascript&ie=utf-8&oe=utf-8&aq=t&rls=o
1 	https://www.google.com/search?q=5.1.1+&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en
1 	https://www.google.com/search?hl=en&safe=off&nomo=1&output=search&sclient=psy-ab
1 	http://conveyor:8080/
1 	https://www.google.com/search?q=java+scientific+applications&ie=utf-8&oe=utf-8&a
1 	https://boveda.banamex.com.mx/spanishdir/ayudas/inactividad8min2.htm
1 	https://www.google.com/search?q=sand+symbol&ie=utf-8&oe=utf-8&aq=t&rls=org.mozil
1 	https://www.google.com/search?q=how%20to%20tie%20a%20tie#hl=en&sugexp=les%3B&gs_
1 	https://www.facebook.com/dialog/oauth?client_id=212500508799908&response_type=to
1 	http://codepen.io/juliangarnier/pen/idhuG

Updated

5 years ago
Summary: crash in js::Vector<unsigned char, 32, js::SystemAllocPolicy>::growStorageBy → IonMonkey: crash in js::Vector<unsigned char, 32, js::SystemAllocPolicy>::growStorageBy
This is probably bug 793257 but I'll keep this open and check crash-stats in a few days.

Updated

5 years ago
status-firefox16: --- → unaffected
status-firefox17: --- → unaffected
tracking-firefox18: ? → +

Updated

5 years ago
status-firefox18: --- → affected
(Reporter)

Comment 3

5 years ago
(In reply to David Anderson [:dvander] from comment #2)
> This is probably bug 793257 but I'll keep this open and check crash-stats in
> a few days.
There are indeed no crashes after 18.0a1/20120925.
Sweet!
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Updated

5 years ago
status-firefox18: affected → fixed
Target Milestone: --- → mozilla18
I see no recent crashes checking the crash stats. Marking this as verified fixed on FF 18.
Status: RESOLVED → VERIFIED
status-firefox18: fixed → verified
You need to log in before you can comment on or make changes to this bug.