Large OOM in nsHtml5TreeBuilder::characters

RESOLVED WORKSFORME

Status


Core
HTML: Parser
--
critical
RESOLVED WORKSFORME
4 years ago
2 years ago

People

(Reporter: Robert Kaiser, Unassigned)

Tracking

({crash})

32 Branch
x86
Windows NT
crash
Points:
---

Firefox Tracking Flags

(firefox34 affected)

Details

(crash signature)

(Reporter)

Description

4 years ago
This bug was filed from the Socorro interface and is report bp-df783497-62c6-420e-a36f-f07332140616.
=============================================================

Top frames:
0 	mozalloc.dll 	mozalloc_abort(char const * const) 	memory/mozalloc/mozalloc_abort.cpp
1 	mozalloc.dll 	mozalloc_handle_oom(unsigned int) 	memory/mozalloc/mozalloc_oom.cpp
2 	mozalloc.dll 	moz_xmalloc 	memory/mozalloc/mozalloc.cpp
3 	xul.dll 	nsHtml5TreeBuilder::characters(wchar_t const *,int,int) 	parser/html/nsHtml5TreeBuilder.cpp
4 	xul.dll 	nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int,wchar_t,int,wchar_t *,bool,int,int) 	parser/html/nsHtml5Tokenizer.cpp
5 	xul.dll 	nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer *) 	parser/html/nsHtml5Tokenizer.cpp

The stacks diverge after that. Many of those OOM are with 2M allocations, but some like the one linked at the top of the comment or bp-8231cb77-f40a-4415-823c-1f34c2140616 are way over 10M.

See https://crash-stats.mozilla.com/report/list?signature=OOM%20%7C%20large%20%7C%20mozalloc_abort%28char%20const%2A%20const%29%20%7C%20mozalloc_handle_oom%28unsigned%20int%29%20%7C%20moz_xmalloc%20%7C%20nsHtml5TreeBuilder%3A%3Acharacters%28wchar_t%20const%2A%2C%20int%2C%20int%29 for more reports.

We should use fallible instead of infallible allocations here.
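
The fallible-allocation approach suggested at the end of the description, sketched as an added example (not Mozilla code and not taken from this bug): an accumulator whose append reports a failed allocation to the caller instead of aborting the process. `CappedAllocator`, `CharAccumulator` and `chunksAccepted` are hypothetical names, and the byte cap is a constructed stand-in for memory exhaustion.

```cpp
#include <cstdlib>
#include <cstring>
#include <limits>
#include <vector>

// Constructed stand-in for memory exhaustion: requests above `limit` bytes fail,
// the way a large contiguous request can in a crowded 32-bit address space.
struct CappedAllocator {
    size_t limit;
    void* grow(void* p, size_t bytes) const { return bytes > limit ? nullptr : std::realloc(p, bytes); }
};

// Hypothetical UTF-16 text accumulator (not nsHtml5TreeBuilder).
class CharAccumulator {
public:
    explicit CharAccumulator(CappedAllocator a) : alloc_(a) {}
    ~CharAccumulator() { std::free(buf_); }
    CharAccumulator(const CharAccumulator&) = delete;
    CharAccumulator& operator=(const CharAccumulator&) = delete;
    // Fallible append: returns false and keeps the existing contents on overflow or OOM.
    bool append(const char16_t* src, size_t n) {
        const size_t maxUnits = std::numeric_limits<size_t>::max() / sizeof(char16_t);
        if (n == 0) return true;
        if (n > maxUnits - len_) return false;  // len_ + n would overflow the byte count
        const size_t need = len_ + n;
        if (need > cap_) {
            size_t newCap = cap_ ? cap_ : 64;
            while (newCap < need) newCap = (newCap > maxUnits / 2) ? need : newCap * 2;
            auto* p = static_cast<char16_t*>(alloc_.grow(buf_, newCap * sizeof(char16_t)));
            if (!p) return false;               // old buffer is still valid; no abort
            buf_ = p;
            cap_ = newCap;
        }
        std::memcpy(buf_ + len_, src, n * sizeof(char16_t));
        len_ = need;
        return true;
    }
private:
    char16_t* buf_ = nullptr;
    size_t len_ = 0, cap_ = 0;
    CappedAllocator alloc_;
};

// Feeds up to `chunks` chunks of `chunkUnits` code units; returns how many were accepted.
size_t chunksAccepted(size_t limitBytes, size_t chunkUnits, size_t chunks) {
    CharAccumulator acc(CappedAllocator{limitBytes});
    const std::vector<char16_t> chunk(chunkUnits, u'a');
    size_t ok = 0;
    while (ok < chunks && acc.append(chunk.data(), chunk.size())) ++ok;
    return ok;
}
```

With a 2 MiB cap and 4096-unit chunks, the 257th append is refused because doubling the buffer would need 4 MiB; the caller sees `false` and can stop feeding input rather than crash.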

Comment 1

4 years ago
My SO's Firefox beta 32.0 crashed like this:

bp-549c0cc3-1a63-42a0-8b6c-a8b5d2140801	01/08/2014	12:40 p.m.

Let me know if there's anything worth collecting from the crashing profile.
Version: 26 Branch → 32 Branch
There's little chance of fixing this before implementing the change proposed in bug 489820.

Since this is an OOM, gathering anything from the profile is not worthwhile. Until my other duties permit focusing on bug 489820, the best workaround is to run a 64-bit build. :-(
Depends on: 489820
(Reporter)

Comment 3

4 years ago
(In reply to Henri Sivonen (:hsivonen) (Not reading bugmail or doing reviews until 2014-08-18) from comment #2)
> the best workaround is to run a 64-bit build. :-(

Which is not officially supported or tested (or even built for anything but Nightly). So you put users between a rock and a hard place here, which is very unfortunate.

Comment 4

4 years ago
Report ID 	Date Submitted
bp-cd11f170-7012-42c9-88c8-2818e2141201	01/12/2014	12:33 p.m.
status-firefox34: --- → affected

Updated

3 years ago
Crash Signature: [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHtml5TreeBuilder::characters(wchar_t const*, int, int)] → [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHtml5TreeBuilder::characters(wchar_t const*, int, int)] [@ OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | nsHtml5TreeBuild…

Comment 5

2 years ago
no crashes with this signature since version 35 bp-553a1793-4f49-445e-8aa2-82f902160527
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME