Closed Bug 1156255 Opened 6 years ago Closed 5 years ago

crash in OOM | large | NS_ABORT_OOM(unsigned int) | nsSimpleURI::SetPath(nsACString_internal const&)

Categories

(Firefox for Android Graveyard :: General, defect)

Product:
Firefox for Android Graveyard
Component:
General
Version:
40 Branch
Platform:
All
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(firefox37 affected, firefox38 affected, firefox39 affected, firefox40 affected, firefox51 fixed)

Status:
RESOLVED FIXED
Milestone:
Firefox 51
Tracking Flags:
Tracking Status
firefox37 --- affected
firefox38 --- affected
firefox39 --- affected
firefox40 --- affected
firefox51 --- fixed

People

(Reporter: csuciu, Assigned: n.nethercote)

References

(
URL
)

Details

(Keywords: crash, reproducible)

Crash Data

Attachments

(1 file)

Make fallible a potentially large allocation in nsSimpleURI::SetPath
1.03 KB, patch
dholbert
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-9bc0feef-27c4-4028-95af-74b122150420.
=============================================================

This crash occurs every time the desktop version of this page is loading: 
http://www.bbc.com/earth/story/20150320-weird-and-wonderful-photo-quiz-2

Tested on Note 3 (4.4.2), Xperia Z2 10" (4.4.4), Nexus 7 (5.1) ant it is reproducible on all three devices. All branches are affected.

Crashing Thread
Frame 	Module 	Signature 	Source
0 	libxul.so 	NS_ABORT_OOM(unsigned int) 	xpcom/base/nsDebugImpl.cpp
1 	libxul.so 	nsSimpleURI::SetPath(nsACString_internal const&) 	xpcom/string/nsTString.h
2 	libxul.so 	nsSimpleURI::SetSpec(nsACString_internal const&) 	netwerk/base/nsSimpleURI.cpp
3 	libxul.so 	nsDataHandler::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) 	netwerk/protocol/data/nsDataHandler.cpp
4 	libxul.so 	nsIOService::NewURI(nsACString_internal const&, char const*, nsIURI*, nsIURI**) 	netwerk/base/nsIOService.cpp
5 	libxul.so 	imgRequestProxy::GetURI(nsIURI**) 	netwerk/base/nsNetUtil.h
6 	libxul.so 	nsSecureBrowserUIImpl::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) 	security/manager/boot/src/nsSecureBrowserUIImpl.cpp
7 	libxul.so 	nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) 	uriloader/base/nsDocLoader.cpp
8 	libxul.so 	nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) 	uriloader/base/nsDocLoader.cpp
9 	libxul.so 	nsDocLoader::doStartURLLoad(nsIRequest*) 	uriloader/base/nsDocLoader.cpp
Crash Signature: [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsSimpleURI::SetPath(nsACString_internal const&)] → [@ OOM | large | NS_ABORT_OOM(unsigned int) | nsSimpleURI::SetPath(nsACString_internal const&)] [@ OOM | large | NS_ABORT_OOM | nsSimpleURI::SetPath]
It is surprising at first that a string assignment would cause allocation.
AIUI, it's because the caller passes in a substring, which means the assignment
triggers a copy.

I tried and failed to come up with a way to avoid this allocation. Making it
infallible is still better than the current situation.
Attachment #8775860 - Flags: review?(dholbert)
Assignee: nobody → n.nethercote
Status: NEW → ASSIGNED
Comment on attachment 8775860 [details] [diff] [review]
Make fallible a potentially large allocation in nsSimpleURI::SetPath

Seems fine (and trivial enough that I'm happy r+ing, particularly given valentin's sign-off on similar bug 1290350).
Attachment #8775860 - Flags: review?(dholbert) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc636e1c960864300a847b3eaadf0143e0a7f628
Bug 1156255 - Make fallible a potentially large allocation in nsSimpleURI::SetPath. r=dholbert.
https://hg.mozilla.org/mozilla-central/rev/fc636e1c9608
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 51
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.