Closed
Bug 865106
Opened 12 years ago
Closed 12 years ago
crash in sqlite3_prepare16 on LGE Nexus 4
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox22 unaffected, firefox23 fixed)
RESOLVED
FIXED
Firefox 23
Tracking | Status | |
---|---|---|
firefox22 | --- | unaffected |
firefox23 | --- | fixed |
People
(Reporter: scoobidiver, Assigned: glandium)
References
Details
(Keywords: crash, regression, Whiteboard: [native-crash])
Attachments
(1 file)
(deleted), patch | kats: review+
It first showed up in 23.0a1/20130417. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=1d9c510b3742&tochange=50ab959f4bd1
It might be a regression from bug 850332.
Signature arena_dalloc | sqlite3_prepare16
UUID d85430e1-03e6-4759-a60e-afc112130424
Date Processed 2013-04-24 02:06:41
Uptime 1071
Last Crash 1.1 days before submission
Install Age 17.9 minutes since version was first installed.
Install Time 2013-04-24 01:48:45
Product FennecAndroid
Version 23.0a1
Build ID 20130423030935
Release Channel nightly
OS Android
OS Version 0.0.0 Linux 3.4.0-perf-g7ce11cd #1 SMP PREEMPT Tue Jan 29 11:41:33 PST 2013 armv7l google/occam/mako:4.2.2/JDQ39/573038:user/release-keys
Build Architecture arm
Build Architecture Info
Crash Reason SIGSEGV
Crash Address 0x43c00000
App Notes
AdapterDescription: 'Qualcomm -- Adreno (TM) 320 -- OpenGL ES 2.0 V@6.0 AU@ (CL@2961380) -- Model: Nexus 4, Product: occam, Manufacturer: LGE, Hardware: mako'
GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ Stagefright? Stagefright+
LGE Nexus 4
google/occam/mako:4.2.2/JDQ39/573038:user/release-keys
Processor Notes sp-processor08.phx1.mozilla.com_32023:2012; exploitability tool failed: 127
EMCheckCompatibility True
Adapter Vendor ID Qualcomm
Adapter Device ID Adreno (TM) 320
Device LGE Nexus 4
Android API Version 17 (REL)
Android CPU ABI armeabi-v7a
Frame Module Signature Source
0 libmozglue.so arena_dalloc jemalloc.c:4668
1 libnss3.so sqlite3_prepare16 sqlite3.c:94700
2 libmozglue.so sqliteInternalCall SQLiteBridge.cpp:397
3 libnss3.so sqlite3_free sqlite3.c:19076
4 libnss3.so openDatabase sqlite3.c:115796
5 libnss3.so libnss3.so@0x10355f
6 libc.so libc.so@0x11811
7 libmozglue.so Java_org_mozilla_gecko_sqlite_SQLiteBridge_sqliteCall SQLiteBridge.cpp:155
8 dalvik-LinearAlloc (deleted) dalvik-LinearAlloc @0x3b3436
9 libdvm.so libdvm.so@0x1e292
...
More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+sqlite3_prepare16
https://crash-stats.mozilla.com/report/list?signature=jemalloc_crash+|+arena_dalloc+|+sqlite3_prepare16
Comment 1 (Assignee) • 12 years ago
The use of --wrap=free when linking makes free() calls go to __wrap_free(), which is jemalloc's free(), and __real_free() calls to libc's free(). asprintf is allocating memory with libc's malloc() (it's a libc function), so its buffer needs to be freed with libc's free().
Attachment #741187 - Flags: review?(bugmail.mozilla)
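The mismatch described in comment 1, as an added example that is not part of the bug or of the attached patch. `wrapped_malloc`, `wrapped_free`, `wrapped_owns`, `libc_free` and `format_and_release` are hypothetical stand-ins for the `__wrap_*`/`__real_*` symbols, and the fixed arena is a constructed substitute for jemalloc's heap so the block runs without `--wrap` linker flags.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* GNU/BSD extension; declared here so no feature-test macro is needed. */
int asprintf(char **out, const char *fmt, ...);

/* Constructed stand-in for the wrapped (jemalloc) heap: a fixed arena. */
static _Alignas(16) unsigned char arena[4096];
static size_t arena_used;

/* Plays the role of __wrap_malloc(): hands out 16-byte aligned chunks. */
void *wrapped_malloc(size_t n) {
    if (n > sizeof arena - arena_used) return NULL;
    void *p = arena + arena_used;
    arena_used += (n + 15u) & ~(size_t)15u;
    return p;
}

/* Does this pointer belong to the wrapped allocator's arena? */
int wrapped_owns(const void *p) {
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)arena;
    return a >= lo && a < lo + sizeof arena;
}

/* Plays the role of __wrap_free(): 0 on success, -1 for a foreign pointer.
 * A real allocator has no such guard; it reads its own metadata for the
 * pointer, which is the kind of access that faulted in arena_dalloc. */
int wrapped_free(void *p) {
    if (p == NULL) return 0;
    return wrapped_owns(p) ? 0 : -1; /* bump arena: nothing to reclaim */
}

/* Plays the role of __real_free(): always libc's free(). */
void libc_free(void *p) { free(p); }

/* Builds an error message with asprintf, checks it against the wrapped
 * free, then releases it with the allocator that owns it.
 * Returns 1 if the mismatch was detected, 0 if not, -1 on failure. */
int format_and_release(const char *what, int code) {
    char *msg = NULL;
    if (asprintf(&msg, "%s failed: %d", what, code) < 0) return -1;
    int mismatch = (wrapped_free(msg) == -1);
    libc_free(msg); /* asprintf used libc's malloc, so libc's free */
    return mismatch;
}
```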
Updated (Assignee) • 12 years ago
Assignee: nobody → mh+mozilla
Comment 2 (Assignee) • 12 years ago
Note this means these crashing people are getting sqlite errors.
Comment 3 • 12 years ago
Comment on attachment 741187 [details] [diff] [review]
Remove allocator mismatch when freeing asprintf allocated buffers
Review of attachment 741187 [details] [diff] [review]:
-----------------------------------------------------------------
There are two other calls to free(errorMsg) in SQLiteBridge.cpp that look like they should also be converted. One in Java_org_mozilla_gecko_sqlite_SQLiteBridge_sqliteCall and one in Java_org_mozilla_gecko_sqlite_SQLiteBridge_openDatabase. r=me with those fixed as well.
Attachment #741187 - Flags: review?(bugmail.mozilla) → review+
Comment 4 (Assignee) • 12 years ago
Comment 5 • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 23
Updated (Reporter) • 12 years ago
Crash Signature: [@ arena_dalloc | sqlite3_prepare16] [@ jemalloc_crash | arena_dalloc | sqlite3_prepare16 ] → [@ arena_dalloc | sqlite3_prepare16 ] [@ jemalloc_crash | arena_dalloc | sqlite3_prepare16]
Updated • 4 years ago
Product: Firefox for Android → Firefox for Android Graveyard