Closed Bug 1228306 Opened 9 years ago Closed 5 years ago

crash in mozalloc_abort | abort_from_exception | std::vector<T>::_Xlen rising since 43.0b5

Categories

(Core :: General, defect)

43 Branch
x86
Windows NT
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox43 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-d5d3ce4a-f97b-49c7-bb33-c1f0a2151126.
=============================================================

Crashing Thread

Frame  Module  Signature  Source
0  mozglue.dll  mozalloc_abort(char const* const)  memory/mozalloc/mozalloc_abort.cpp
1  mozglue.dll  abort_from_exception  memory/mozalloc/msvc_raise_wrappers.cpp
2  xul.dll  std::vector<int, std::allocator<int> >::_Xlen()  c:/tools/vs2013/vc/include/vector:1754
3  xul.dll  std::vector<int, std::allocator<int> >::operator=(std::vector<int, std::allocator<int> > const&)  c:/tools/vs2013/vc/include/vector:985
4  xul.dll  base::Histogram::SnapshotSample(base::Histogram::SampleSet*)  ipc/chromium/src/base/histogram.cc
5  xul.dll  `anonymous namespace'::IsEmpty(base::Histogram const*)  toolkit/components/telemetry/Telemetry.cpp
6  xul.dll  `anonymous namespace'::TelemetryImpl::CreateHistogramSnapshots(JSContext*, JS::MutableHandle<JS::Value>, bool, bool)  toolkit/components/telemetry/Telemetry.cpp
7  xul.dll  `anonymous namespace'::TelemetryImpl::SnapshotSubsessionHistograms(bool, JSContext*, JS::MutableHandle<JS::Value>)  toolkit/components/telemetry/Telemetry.cpp
8  xul.dll  NS_InvokeByIndex  xpcom/reflect/xptcall/md/win32/xptcinvoke.cpp
9  xul.dll  XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)  js/xpconnect/src/XPCWrappedNativeJSOps.cpp
10  xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)  js/src/vm/Interpreter.cpp
11  xul.dll  Interpret  js/src/vm/Interpreter.cpp
12  xul.dll  js::RunScript(JSContext*, js::RunState&)  js/src/vm/Interpreter.cpp
13  xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)  js/src/vm/Interpreter.cpp
14  xul.dll  js::fun_apply(JSContext*, unsigned int, JS::Value*)  js/src/jsfun.cpp
15  xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)  js/src/vm/Interpreter.cpp
16  xul.dll  js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&)  js/src/proxy/DirectProxyHandler.cpp
17  xul.dll  js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&)  js/src/proxy/CrossCompartmentWrapper.cpp
18  xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)  js/src/vm/Interpreter.cpp
19  xul.dll  Interpret  js/src/vm/Interpreter.cpp
20  xul.dll  js::RunScript(JSContext*, js::RunState&)  js/src/vm/Interpreter.cpp
21  xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)  js/src/vm/Interpreter.cpp
22  xul.dll  js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>)  js/src/vm/Interpreter.cpp
23  xul.dll  JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)  js/src/jsapi.cpp
24  xul.dll  nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*)  js/xpconnect/src/XPCWrappedJSClass.cpp
25  xul.dll  nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*)  js/xpconnect/src/XPCWrappedJS.cpp
26  xul.dll  PrepareAndDispatch  xpcom/reflect/xptcall/md/win32/xptcstubs.cpp
27  xul.dll  SharedStub  xpcom/reflect/xptcall/md/win32/xptcstubs.cpp
28  nss3.dll  PR_Assert  nsprpub/pr/src/io/prlog.c

This crash signature is noticeably increasing since Firefox 43.0b5 (in early b6 crash score data it's on #21) - there are no clear correlations with modules or addons as far as I can see...

version distribution: https://crash-stats.mozilla.com/search/?signature=%3Dmozalloc_abort+|+abort_from_exception+|+std%3A%3Avector%3CT%3E%3A%3A_Xlen&date=%3E2015-01-01&_facets=signature&_facets=version&_facets=user_comments&_facets=build_id&_facets=platform_pretty_version&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-version

graph: https://crash-stats.mozilla.com/signature/?date=%3E2015-11-01&signature=mozalloc_abort+|+abort_from_exception+|+std%3A%3Avector%3CT%3E%3A%3A_Xlen#graphs

Guess I should get on re-writing that histogram implementation to use nsTArray instead of std::vector...

So this is interesting; looking at MSVC's <vector>, the crash stack suggests that we're copying into a vector and requesting that the target be larger than the maximum possible size of vector<int>--in this case, size_t(-1) / sizeof(int). This is really strange, as the vector we are copying from must already be that large!

Furthermore, the vector that we're creating a copy of, one of:

https://dxr.mozilla.org/mozilla-central/source/ipc/chromium/src/base/histogram.h#271

we already know both of these vectors aren't terribly large, because they're related to how many buckets we have in the histogram, and that amount is reasonably small.

Maybe the crash dumps have interesting data in them? (I don't have access to those.)

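
The failure mode reasoned about in the comment above, as an added example that is not part of the bug thread or of Mozilla's code: growing a vector<int> to a length above max_size() raises std::length_error before anything is allocated, and a plausibility check on the length catches a garbage value first. The names Counts, grow_to, checked_grow_to and the limit kMaxPlausibleBuckets are assumptions, and reserve() stands in for the copy assignment in the stack.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Hypothetical stand-in for a histogram's per-bucket counts.
using Counts = std::vector<int>;

// Assumed upper bound on bucket count, chosen for this example only.
constexpr std::size_t kMaxPlausibleBuckets = 1000;

enum class CopyResult { Ok, LengthError, RejectedBySanityCheck };

// Models the failing step: the destination is asked to hold `claimed`
// elements. A request above max_size() throws std::length_error; in a build
// that turns such exceptions into aborts, this is where the process dies.
CopyResult grow_to(Counts& dst, std::size_t claimed) {
    try {
        dst.reserve(claimed);
    } catch (const std::length_error&) {
        return CopyResult::LengthError;
    }
    return CopyResult::Ok;
}

// Defensive variant: a length far beyond any real bucket count can only come
// from corrupted state, so refuse it before touching the allocator.
CopyResult checked_grow_to(Counts& dst, std::size_t claimed) {
    if (claimed > kMaxPlausibleBuckets) {
        return CopyResult::RejectedBySanityCheck;
    }
    return grow_to(dst, claimed);
}

int main() {
    Counts dst;
    // Constructed inputs: one sane bucket count, one impossible length.
    const std::size_t sane = 64;
    const std::size_t garbage = dst.max_size() + 1;

    std::printf("sane, unchecked:    %d\n", static_cast<int>(grow_to(dst, sane)));
    std::printf("garbage, unchecked: %d\n", static_cast<int>(grow_to(dst, garbage)));
    std::printf("garbage, checked:   %d\n", static_cast<int>(checked_grow_to(dst, garbage)));
    return 0;
}
```
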

Crash volume for signature 'mozalloc_abort | abort_from_exception | std::vector<T>::_Xlen':
 - nightly (version 51): 0 crashes from 2016-08-01.
 - aurora  (version 50): 0 crashes from 2016-08-01.
 - beta    (version 49): 1568 crashes from 2016-08-02.
 - release (version 48): 1600 crashes from 2016-07-25.
 - esr     (version 45): 221 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       0       0       0
 - aurora        0       0       0
 - beta        547     541     195
 - release     517     459     264
 - esr          18      15      15

Affected platform: Windows

Crash rank on the last 7 days:
           Browser   Content   Plugin
 - nightly
 - aurora
 - beta    #18
 - release #35
 - esr     #465

Crash volume for signature 'mozalloc_abort | abort_from_exception | std::vector<T>::_Xlen':
 - nightly (version 52): 0 crashes from 2016-09-19.
 - aurora  (version 51): 0 crashes from 2016-09-19.
 - beta    (version 50): 2 crashes from 2016-09-20.
 - release (version 49): 774 crashes from 2016-09-05.
 - esr     (version 45): 271 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
 - nightly       0       0
 - aurora        0       0
 - beta          2       0
 - release     627     147
 - esr          18      20

Affected platform: Windows

Crash rank on the last 7 days:
           Browser   Content   Plugin
 - nightly
 - aurora
 - beta    #2861
 - release #73
 - esr     #477

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME