Closed Bug 865106 Opened 7 years ago Closed 7 years ago

crash in sqlite3_prepare16 on LGE Nexus 4


(Firefox for Android :: General, defect, critical)
Version: 23 Branch
Priority: Not set
Target Milestone: Firefox 23
Tracking Status
firefox22 --- unaffected
firefox23 --- fixed
(Reporter: scoobidiver, Assigned: glandium)
(Keywords: crash, regression, Whiteboard: [native-crash])
Crash Data
(1 file)

It first showed up in 23.0a1/20130417. The regression range is:
It might be a regression from bug 850332.

Signature 	arena_dalloc | sqlite3_prepare16
UUID	d85430e1-03e6-4759-a60e-afc112130424
Date Processed	2013-04-24 02:06:41
Uptime	1071
Last Crash	1.1 days before submission
Install Age	17.9 minutes since version was first installed.
Install Time	2013-04-24 01:48:45
Product	FennecAndroid
Version	23.0a1
Build ID	20130423030935
Release Channel	nightly
OS	Android
OS Version	0.0.0 Linux 3.4.0-perf-g7ce11cd #1 SMP PREEMPT Tue Jan 29 11:41:33 PST 2013 armv7l google/occam/mako:4.2.2/JDQ39/573038:user/release-keys
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x43c00000
App Notes 	
AdapterDescription: 'Qualcomm -- Adreno (TM) 320 -- OpenGL ES 2.0 V@6.0 AU@ (CL@2961380) -- Model: Nexus 4, Product: occam, Manufacturer: LGE, Hardware: mako'
GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ Stagefright? Stagefright+ 
LGE Nexus 4
Processor Notes 	sp-processor08.phx1.mozilla.com_32023:2012; exploitability tool failed: 127
EMCheckCompatibility	True
Adapter Vendor ID	Qualcomm
Adapter Device ID	Adreno (TM) 320
Device	LGE Nexus 4
Android API Version	17 (REL)
Android CPU ABI	armeabi-v7a

Frame 	Module 	Signature 	Source
0 	arena_dalloc 	jemalloc.c:4668
1 	sqlite3_prepare16 	sqlite3.c:94700
2 	sqliteInternalCall 	SQLiteBridge.cpp:397
3 	sqlite3_free 	sqlite3.c:19076
4 	openDatabase 	sqlite3.c:115796
7 	Java_org_mozilla_gecko_sqlite_SQLiteBridge_sqliteCall 	SQLiteBridge.cpp:155
8 	dalvik-LinearAlloc (deleted) 	dalvik-LinearAlloc @0x3b3436 	

More reports at:|+sqlite3_prepare16|+arena_dalloc+|+sqlite3_prepare16
The use of --wrap=free when linking makes free() calls go to __wrap_free(), which is jemalloc's free(), and __real_free() calls to libc's free(). asprintf is allocating memory with libc's malloc() (it's a libc function), so its buffer needs to be freed with libc's free().
Attachment #741187 - Flags: review?(bugmail.mozilla)
Assignee: nobody → mh+mozilla
Note this means these crashing people are getting sqlite errors.
Comment on attachment 741187: Remove allocator mismatch when freeing asprintf allocated buffers

Review of attachment 741187:

There are two other calls to free(errorMsg) in SQLiteBridge.cpp that look like they should also be converted. One in Java_org_mozilla_gecko_sqlite_SQLiteBridge_sqliteCall and one in Java_org_mozilla_gecko_sqlite_SQLiteBridge_openDatabase. r=me with those fixed as well.
Attachment #741187 - Flags: review?(bugmail.mozilla) → review+
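The allocator mismatch described in the comments above, as an added example that is not Mozilla's code and not the SQLiteBridge.cpp patch itself. Since a stand-alone program cannot rely on the linker's --wrap=free, the replacement allocator is simulated: wrap_malloc/wrap_free stand in for jemalloc's malloc/__wrap_free, real_free for __real_free (libc), and libc_asprintf for asprintf, which likewise returns a buffer owned by libc malloc. The registry check inside wrap_free is the simulation's own device so the mismatch is observable as a return value; the real jemalloc performs no such check, derives an arena from the foreign address and faults in arena_dalloc, which is the crash stack in the report. The two report_error_* functions model a free(errorMsg) before and after the fix, and the function names are assumptions, not the bridge's.

```c
/*
 * Allocator-mismatch demo modeled on the SQLiteBridge.cpp bug (added example,
 * not Mozilla code). In the real build, --wrap=free turns every free() call
 * into __wrap_free() (jemalloc), while __real_free() is libc's free(). A
 * buffer that libc malloc'd, such as asprintf's output, must go to the latter.
 * Here the "wrapped" allocator is simulated with a registry of its own blocks.
 */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64

/* Blocks handed out by the simulated replacement allocator (stands in for
 * jemalloc knowing its own arenas). */
static void *live[MAX_LIVE];

static void *wrap_malloc(size_t n) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) {
            live[i] = malloc(n);
            return live[i];
        }
    }
    return NULL;
}

/* Simulated __wrap_free: 0 if p is one of ours, -1 on an allocator mismatch.
 * Real jemalloc does not check; it indexes arena metadata from the address
 * and dereferences it, hence the SIGSEGV inside arena_dalloc. */
static int wrap_free(void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return 0;
        }
    }
    return -1;
}

/* Simulated __real_free: libc's free(). */
static void real_free(void *p) { free(p); }

/* Stand-in for asprintf(): the buffer comes from libc malloc(), which is
 * exactly the ownership situation the patch is about. */
static int libc_asprintf(char **out, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0) return -1;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL) return -1;
    va_start(ap, fmt);
    vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    *out = buf;
    return n;
}

/* Before the patch: errorMsg is asprintf-allocated and `free(errorMsg)` is
 * rewritten by --wrap=free into __wrap_free(). Returns wrap_free's verdict. */
static int report_error_buggy(const char *sql) {
    char *errorMsg = NULL;
    if (libc_asprintf(&errorMsg, "Can't prepare statement: %s", sql) < 0) return -1;
    int rc = wrap_free(errorMsg);      /* -1: foreign block, would crash for real */
    if (rc != 0) real_free(errorMsg);  /* cleanup so the demo does not leak */
    return rc;
}

/* After the patch: the libc-owned buffer is returned to libc via __real_free. */
static int report_error_fixed(const char *sql) {
    char *errorMsg = NULL;
    if (libc_asprintf(&errorMsg, "Can't prepare statement: %s", sql) < 0) return -1;
    real_free(errorMsg);
    return 0;
}

/* Control case: a block from the replacement allocator freed by it. */
static int matched_pair(void) {
    char *p = wrap_malloc(16);
    if (p == NULL) return -1;
    strcpy(p, "ok");
    return wrap_free(p);
}

int main(void) {
    printf("free() -> __wrap_free on libc buffer: %d\n", report_error_buggy("SELECT 1"));
    printf("__real_free on libc buffer:           %d\n", report_error_fixed("SELECT 1"));
    printf("matched allocator pair:               %d\n", matched_pair());
    return 0;
}
```

The practical check when auditing a --wrap=free build is the one the reviewer applied: every buffer produced by a libc routine that allocates internally (asprintf, strdup, getline, and anything returned by a system library) must be released with __real_free, and every remaining `free(errorMsg)` in the file needs the same treatment, not just the first one found.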
Blocks: 850332
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 23
Crash Signature: [@ arena_dalloc | sqlite3_prepare16] [@ jemalloc_crash | arena_dalloc | sqlite3_prepare16 ] → [@ arena_dalloc | sqlite3_prepare16 ] [@ jemalloc_crash | arena_dalloc | sqlite3_prepare16]