Closed Bug 859247 Opened 11 years ago Closed 9 years ago

crash in nsACString_internal::SetCapacity with abort message: "OOM: file e:\builds\...\xpcom\string\src\nsTSubstring.cpp, line 533"

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: sebo, Unassigned)

References

(
URL
)

Details

(Keywords: crash, reproducible)

Crash Data

This crash happend while trying to reproduce http://code.google.com/p/fbug/issues/detail?id=4613 on a local server in combination with Firebug.

Steps to reproduce:
1. Open Firebug on https://getfirebug.com/tests/manual/issues/4613/issue4613.html
2. Enable and switch to the Net panel
3. Choose a big file (~100 MB) to upload
4. Click the "Upload This File" button

Related crash report:
https://crash-stats.mozilla.com/report/index/bp-536b268c-7d6a-494b-b0cf-249962130408

Sebastian
Severity: normal → critical
Crash Signature: [@ mozalloc_abort(char const* const) | moz_xmalloc | XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) ]
Keywords: crash
That's an out-of-memory crash: we attempted to allocate a 200MB+ buffer and failed to do that.  Not entirely unlikely, on a 32-bit system with fragmented virtual memory...

Based on the description, presumably something is trying to pass a 100e6 char string through xpconnect here?  Possibly multiple times, even.

The best we can do is to make the relevant allocation fallible and bail out if it fails, but I can't tell based on the stack what the actual allocation site is.  That part optimized away or something.  :(

Can someone reproduce this with a sane 32-bit debug build?

Sebastian, is this reliably reproducible?  I assume it's not....  Does it become that way if you use a larger file?
Flags: needinfo?
Flags: needinfo? → needinfo?(sebastianzartner)
> Sebastian, is this reliably reproducible?
With the same file as yesterday, no. Thought so yesterday after the second time successfully reproducing the steps.

> Does it become that way if you use a larger file?
Yes, reliably. See the following crash reports:


Though here are some other random crashes related to this:
https://crash-stats.mozilla.com/report/index/3b434138-55f7-4c3a-93e8-190402130409
https://crash-stats.mozilla.com/report/index/34d03fd7-a26f-40f1-93be-6037d2130409
https://crash-stats.mozilla.com/report/index/bp-b5cda953-83e2-482e-a485-db5082130409
https://crash-stats.mozilla.com/report/index/55954ae6-f974-4651-90f8-2b2162130409

> Does it become that way if you use a larger file?
Trying with a huge file (> 1 GB), yes. Though the crash signature is different:
https://crash-stats.mozilla.com/report/index/e7f94642-bc8e-4af2-983e-2d8332130409
https://crash-stats.mozilla.com/report/index/ca47e93d-c198-4ddb-9c1f-9e9ea2130409
https://crash-stats.mozilla.com/report/index/f4cd6df4-46b2-454d-a8b5-dc15e2130409

FWIW, trying with a file with a file size in between (~400 MB) the browser sometimes freezes instead of crashing. When it crashes, the signature is the same as of this report:

https://crash-stats.mozilla.com/report/index/ea0116ce-0a94-489f-955f-bc1af2130409
https://crash-stats.mozilla.com/report/index/882f0b6e-1865-47cb-8474-096082130409

Sebastian
Flags: needinfo?(sebastianzartner)
Hmm.  Those help some: we want to make that SetCapacity fallible.

I still can't tell where it's happening, though, what with all the inlining.  :(
Flags: needinfo?(alice0775)
??? What should I do?
Flags: needinfo?(alice0775)
If you have 32-bit Windows debug builds, reproduce the bug and see what the stack looks like?

If you don't, then don't worry about it.
I just realized that step 2 is incorrect. It should be:
Enable and switch to the Console panel

> Does it happen in Nightly (http://nightly.mozilla.org/)?
Yes, with a different signature:
https://crash-stats.mozilla.com/report/index/bp-d0a77768-9925-40be-9909-0573a2130409
https://crash-stats.mozilla.com/report/index/bp-b7b2c1a5-9b5f-40b2-b90d-22be62130409

Sebastian
Flags: needinfo?(sebastianzartner)
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozalloc_abort(char const* const) | moz_xmalloc | XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) ] → [@ mozalloc_abort(char const* const) | moz_xmalloc | XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) ] [@ mozalloc_abort(char const* const) | NS_DebugBreak ]
Depends on: 858926
Ever confirmed: true
Keywords: reproducible
Summary: Crash [@ mozalloc_abort(char const* const) | moz_xmalloc | XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) ] → crash in nsACString_internal::SetCapacity with abort message: "OOM: file e:\builds\...\xpcom\string\src\nsTSubstring.cpp, line 533"
Version: 20 Branch → Trunk
Blocks: 802152
Crash Signature: [@ mozalloc_abort(char const* const) | moz_xmalloc | XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) ] [@ mozalloc_abort(char const* const) | NS_DebugBreak ] → [@ mozalloc_abort(char const* const) | moz_xmalloc | XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) ] [@ mozalloc_abort(char const* const) | NS_DebugBreak ] [@ mozalloc_abort(char const*) | NS_DebugBreak | nsACString_internal::SetCapacity(unsig…
With Nightly 37.0a1 (2014-12-15; with disabled e10s to get Firebug working) + Firebug 2.0.7 I can't reproduce that problem anymore.
This doesn't guarantee that the bug is really gone as the tested version of Firebug is not the same as the previous one.

So should I close this issue, anyway?

Sebastian
Flags: needinfo?(scoobidiver)
Flags: needinfo?(bzbarsky)
Flags: needinfo?(alice0775)
Flags: needinfo?(alice0775)
If it's not really reproducible anymore, I'd resolve worksforme....
Flags: needinfo?(bzbarsky)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Flags: needinfo?(scoobidiver)
You need to log in before you can comment on or make changes to this bug.