Closed Bug 865106 Opened 7 years ago Closed 7 years ago

crash in sqlite3_prepare16 on LGE Nexus 4

Categories

(Firefox for Android :: General, defect, critical)

23 Branch
ARM
Android
defect
Not set
critical

Tracking

RESOLVED FIXED
Firefox 23
Tracking Status
firefox22 --- unaffected
firefox23 --- fixed

People

(Reporter: scoobidiver, Assigned: glandium)

Details

(Keywords: crash, regression, Whiteboard: [native-crash])

Attachments

(1 file)

It first showed up in 23.0a1/20130417. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1d9c510b3742&tochange=50ab959f4bd1
It might be a regression from bug 850332.

Signature 	arena_dalloc | sqlite3_prepare16
UUID	d85430e1-03e6-4759-a60e-afc112130424
Date Processed	2013-04-24 02:06:41
Uptime	1071
Last Crash	1.1 days before submission
Install Age	17.9 minutes since version was first installed.
Install Time	2013-04-24 01:48:45
Product	FennecAndroid
Version	23.0a1
Build ID	20130423030935
Release Channel	nightly
OS	Android
OS Version	0.0.0 Linux 3.4.0-perf-g7ce11cd #1 SMP PREEMPT Tue Jan 29 11:41:33 PST 2013 armv7l google/occam/mako:4.2.2/JDQ39/573038:user/release-keys
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x43c00000
App Notes 	
AdapterDescription: 'Qualcomm -- Adreno (TM) 320 -- OpenGL ES 2.0 V@6.0 AU@ (CL@2961380) -- Model: Nexus 4, Product: occam, Manufacturer: LGE, Hardware: mako'
GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ Stagefright? Stagefright+ 
LGE Nexus 4
google/occam/mako:4.2.2/JDQ39/573038:user/release-keys
Processor Notes 	sp-processor08.phx1.mozilla.com_32023:2012; exploitability tool failed: 127
EMCheckCompatibility	True
Adapter Vendor ID	Qualcomm
Adapter Device ID	Adreno (TM) 320
Device	LGE Nexus 4
Android API Version	17 (REL)
Android CPU ABI	armeabi-v7a

Frame 	Module 	Signature 	Source
0 	libmozglue.so 	arena_dalloc 	jemalloc.c:4668
1 	libnss3.so 	sqlite3_prepare16 	sqlite3.c:94700
2 	libmozglue.so 	sqliteInternalCall 	SQLiteBridge.cpp:397
3 	libnss3.so 	sqlite3_free 	sqlite3.c:19076
4 	libnss3.so 	openDatabase 	sqlite3.c:115796
5 	libnss3.so 	libnss3.so@0x10355f 	
6 	libc.so 	libc.so@0x11811 	
7 	libmozglue.so 	Java_org_mozilla_gecko_sqlite_SQLiteBridge_sqliteCall 	SQLiteBridge.cpp:155
8 	dalvik-LinearAlloc (deleted) 	dalvik-LinearAlloc @0x3b3436 	
9 	libdvm.so 	libdvm.so@0x1e292 	
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+sqlite3_prepare16
https://crash-stats.mozilla.com/report/list?signature=jemalloc_crash+|+arena_dalloc+|+sqlite3_prepare16

The use of --wrap=free when linking makes free() calls go to __wrap_free(), which is jemalloc's free(), and __real_free() calls to libc's free(). asprintf is allocating memory with libc's malloc() (it's a libc function), so its buffer needs to be freed with libc's free().
Attachment #741187 - Flags: review?(bugmail.mozilla)
Assignee: nobody → mh+mozilla
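
The allocator mismatch described in the comment above, as an added example that is not code from the bug or from Mozilla's tree. It assumes a small bump arena as a stand-in for jemalloc, and the hypothetical names arena_free and libc_free play the roles of __wrap_free and __real_free, so it builds without -Wl,--wrap=free:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* asprintf is a GNU/BSD extension; declared here so the build does not
 * depend on feature-test macros. */
int asprintf(char **strp, const char *fmt, ...);

/* Constructed stand-in for jemalloc: a bump arena that knows only its own memory. */
static unsigned char arena[4096];
static size_t arena_used;

static void *arena_malloc(size_t n) {
    n = (n + 15u) & ~(size_t)15u;            /* round the request up to 16 bytes */
    if (n > sizeof arena - arena_used) return NULL;
    void *p = arena + arena_used;
    arena_used += n;
    return p;
}

static int arena_owns(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)arena;
    return a >= base && a < base + sizeof arena;
}

/* Plays the role of __wrap_free. Returns -1 for a pointer the arena never
 * handed out, the case that ended in SIGSEGV in arena_dalloc in the report. */
static int arena_free(void *p) {
    if (p != NULL && !arena_owns(p)) return -1;
    return 0;                                /* bump arena: nothing to release */
}

/* Plays the role of __real_free: always libc's free(). */
static void libc_free(void *p) { free(p); }

/* Error path shaped like the one in the bug: asprintf builds the message
 * with libc's malloc, then the buffer is released. */
static int report_error(int code, int use_real_free) {
    char *msg = NULL;
    if (asprintf(&msg, "sqlite error %d", code) < 0) return -2;
    int rc = use_real_free ? 0 : arena_free(msg);  /* before vs. after the fix */
    libc_free(msg);                          /* the demo always releases correctly */
    return rc;
}

int main(void) {
    printf("arena block via wrapped free:     %d\n", arena_free(arena_malloc(32)));
    printf("asprintf buffer via wrapped free: %d\n", report_error(1, 0));
    printf("asprintf buffer via real free:    %d\n", report_error(1, 1));
    return 0;
}
```
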
Note this means these crashing people are getting sqlite errors.
Comment on attachment 741187 [details] [diff] [review]
Remove allocator mismatch when freeing asprintf allocated buffers

Review of attachment 741187 [details] [diff] [review]:
-----------------------------------------------------------------

There are two other calls to free(errorMsg) in SQLiteBridge.cpp that look like they should also be converted. One in Java_org_mozilla_gecko_sqlite_SQLiteBridge_sqliteCall and one in Java_org_mozilla_gecko_sqlite_SQLiteBridge_openDatabase. r=me with those fixed as well.
Attachment #741187 - Flags: review?(bugmail.mozilla) → review+
Blocks: 850332
https://hg.mozilla.org/mozilla-central/rev/e38bf6995ed5
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 23
Crash Signature: [@ arena_dalloc | sqlite3_prepare16] [@ jemalloc_crash | arena_dalloc | sqlite3_prepare16 ] → [@ arena_dalloc | sqlite3_prepare16 ] [@ jemalloc_crash | arena_dalloc | sqlite3_prepare16]