Closed Bug 792698 Opened 7 years ago Closed 7 years ago

IonMonkey: crash in js::Vector<unsigned char, 32, js::SystemAllocPolicy>::growStorageBy

Categories

(Core :: JavaScript Engine, defect, critical)

Version: 18 Branch
Hardware: x86_64
OS: macOS
Type: defect
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
mozilla18
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 + verified

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, regression, topcrash)

Crash Data

It first appeared with IonMonkey and is the #2 top browser crasher on Mac OS X in 18.0a1.

Signature 	arena_bin_malloc_easy
UUID	a4ac8070-f80f-4590-90f3-e608b2120920
Date Processed	2012-09-20 02:32:02
Uptime	19020
Last Crash	1.2 weeks before submission
Install Age	5.3 hours since version was first installed.
Install Time	2012-09-19 21:14:14
Product	Firefox
Version	18.0a1
Build ID	20120919030602
Release Channel	nightly
OS	Mac OS X
OS Version	10.6.8 10K549
Build Architecture	amd64
Build Architecture Info	family 6 model 37 stepping 5
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x53878b18
App Notes 	AdapterVendorID: 0x10de, AdapterDeviceID: 0x a29
	GL Context? GL Context+
	GL Layers? GL Layers+
Processor Notes 	
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libmozglue.dylib 	arena_bin_malloc_easy 	jemalloc.c:3174
1 	libmozglue.dylib 	arena_malloc 	jemalloc.c:3940
2 	libmozglue.dylib 	je_realloc 	jemalloc.c:4819
3 	libmozglue.dylib 	ozone_realloc 	jemalloc.c:6990
4 	libSystem.B.dylib 	malloc_zone_realloc 	
5 	libSystem.B.dylib 	realloc 	
6 	XUL 	js::Vector<unsigned char, 32, js::SystemAllocPolicy>::growStorageBy 	
7 	XUL 	js::ion::SnapshotWriter::addSlot 	
8 	XUL 	js::ion::CodeGeneratorShared::encodeSlots 	CodeGenerator-shared.cpp:118
9 	XUL 	js::ion::CodeGeneratorShared::encodeSlots 	CodeGenerator-shared.cpp:175
10 	XUL 	js::ion::CodeGeneratorShared::encode 	CodeGenerator-shared.cpp:243
11 	libmozglue.dylib 	je_malloc 	jemalloc.c:4217
12 	libmozglue.dylib 	ozone_size 	jemalloc.c:6963
13 	XUL 	js::ion::CodeGeneratorX86Shared::bailout<js::ion::BailoutJump> 	CodeGenerator-x86-shared.cpp:343
14 	XUL 	js::ion::CodeGeneratorX86Shared::bailoutIf 	CodeGenerator-x86-shared.cpp:376
15 	XUL 	js::ion::CodeGeneratorX64::visitUnbox 	CodeGenerator-x64.cpp:117
16 	XUL 	js::ion::LUnbox::accept 	LIR-x64.h:53
17 	XUL 	js::ion::CodeGenerator::generateBody 	CodeGenerator.cpp:1287
18 	XUL 	js::ion::CodeGenerator::generate 	CodeGenerator.cpp:2798
19 	XUL 	js::ion::CodeGeneratorShared::CodeGeneratorShared 	CodeGenerator-shared.cpp:37
20 	XUL 	js::ion::CodeGeneratorX64::CodeGeneratorX64 	CodeGenerator-x64.cpp:21
21 	XUL 	js::ion::TestCompiler 	Ion.cpp:917
22 	XUL 	js::VectorImpl<js::ion::IonCache, 0, js::SystemAllocPolicy, false>::growTo

More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_bin_malloc_easy
Keywords: regression
Summary: crash in js::Vector<unsigned char, 32, js::SystemAllocPolicy>::growStorageBy → IonMonkey: crash in js::Vector<unsigned char, 32, js::SystemAllocPolicy>::growStorageBy
This is probably bug 793257 but I'll keep this open and check crash-stats in a few days.
(In reply to David Anderson [:dvander] from comment #2)
> This is probably bug 793257 but I'll keep this open and check crash-stats in
> a few days.
There are indeed no crashes after 18.0a1/20120925.
Sweet!
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
I see no recent crashes checking the crash stats. Marking this as verified fixed on FF 18.
Status: RESOLVED → VERIFIED