Closed
Bug 1228306
Opened 9 years ago
Closed 5 years ago
crash in mozalloc_abort | abort_from_exception | std::vector<T>::_Xlen rising since 43.0b5
Categories
(Core :: General, defect)
Tracking
()
People
(Reporter: philipp, Unassigned)
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is
report bp-d5d3ce4a-f97b-49c7-bb33-c1f0a2151126.
=============================================================
Crashing Thread
Frame Module Signature Source
0 mozglue.dll mozalloc_abort(char const* const) memory/mozalloc/mozalloc_abort.cpp
1 mozglue.dll abort_from_exception memory/mozalloc/msvc_raise_wrappers.cpp
2 xul.dll std::vector<int, std::allocator<int> >::_Xlen() c:/tools/vs2013/vc/include/vector:1754
3 xul.dll std::vector<int, std::allocator<int> >::operator=(std::vector<int, std::allocator<int> > const&) c:/tools/vs2013/vc/include/vector:985
4 xul.dll base::Histogram::SnapshotSample(base::Histogram::SampleSet*) ipc/chromium/src/base/histogram.cc
5 xul.dll `anonymous namespace'::IsEmpty(base::Histogram const*) toolkit/components/telemetry/Telemetry.cpp
6 xul.dll `anonymous namespace'::TelemetryImpl::CreateHistogramSnapshots(JSContext*, JS::MutableHandle<JS::Value>, bool, bool) toolkit/components/telemetry/Telemetry.cpp
7 xul.dll `anonymous namespace'::TelemetryImpl::SnapshotSubsessionHistograms(bool, JSContext*, JS::MutableHandle<JS::Value>) toolkit/components/telemetry/Telemetry.cpp
8 xul.dll NS_InvokeByIndex xpcom/reflect/xptcall/md/win32/xptcinvoke.cpp
9 xul.dll XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp
10 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp
11 xul.dll Interpret js/src/vm/Interpreter.cpp
12 xul.dll js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp
13 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp
14 xul.dll js::fun_apply(JSContext*, unsigned int, JS::Value*) js/src/jsfun.cpp
15 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp
16 xul.dll js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) js/src/proxy/DirectProxyHandler.cpp
17 xul.dll js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) js/src/proxy/CrossCompartmentWrapper.cpp
18 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp
19 xul.dll Interpret js/src/vm/Interpreter.cpp
20 xul.dll js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp
21 xul.dll js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp
22 xul.dll js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
23 xul.dll JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp
24 xul.dll nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp
25 xul.dll nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJS.cpp
26 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/md/win32/xptcstubs.cpp
27 xul.dll SharedStub xpcom/reflect/xptcall/md/win32/xptcstubs.cpp
28 nss3.dll PR_Assert nsprpub/pr/src/io/prlog.c
this crash signature is noticeably increasing since firefox 43.0b5 (in early b6 crash score data it's on #21) - there are no clear correlations with modules or addons as far as i can see...
version distribution:
https://crash-stats.mozilla.com/search/?signature=%3Dmozalloc_abort+|+abort_from_exception+|+std%3A%3Avector%3CT%3E%3A%3A_Xlen&date=%3E2015-01-01&_facets=signature&_facets=version&_facets=user_comments&_facets=build_id&_facets=platform_pretty_version&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-version
graph:
https://crash-stats.mozilla.com/signature/?date=%3E2015-11-01&signature=mozalloc_abort+|+abort_from_exception+|+std%3A%3Avector%3CT%3E%3A%3A_Xlen#graphs
Comment 1•9 years ago
|
||
Guess I should get on re-writing that histogram implementation to use nsTArray instead of std::vector...
Comment 2•9 years ago
|
||
So this is interesting; looking at MSVC's <vector>, the crash stack suggests that we're copying into a vector and requesting that the target be larger than the maximum possible size of vector<int>--in this case, size_t(-1) / sizeof(int). This is really strange, as the vector we are copying from must already be that large! Furthermore, the vector that we're creating a copy of, one of:
https://dxr.mozilla.org/mozilla-central/source/ipc/chromium/src/base/histogram.h#271
we already know both of these vectors aren't terribly large, because they're related to how many buckets we have in the histogram, and that amount is reasonably small.
Maybe the crash dumps have interesting data in them? (I don't have access to those.)
Comment 3•8 years ago
|
||
Crash volume for signature 'mozalloc_abort | abort_from_exception | std::vector<T>::_Xlen':
- nightly (version 51): 0 crashes from 2016-08-01.
- aurora (version 50): 0 crashes from 2016-08-01.
- beta (version 49): 1568 crashes from 2016-08-02.
- release (version 48): 1600 crashes from 2016-07-25.
- esr (version 45): 221 crashes from 2016-05-02.
Crash volume on the last weeks (Week N is from 08-22 to 08-28):
W. N-1 W. N-2 W. N-3
- nightly 0 0 0
- aurora 0 0 0
- beta 547 541 195
- release 517 459 264
- esr 18 15 15
Affected platform: Windows
Crash rank on the last 7 days:
Browser Content Plugin
- nightly
- aurora
- beta #18
- release #35
- esr #465
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox-esr45:
--- → affected
Comment 4•8 years ago
|
||
Crash volume for signature 'mozalloc_abort | abort_from_exception | std::vector<T>::_Xlen':
- nightly (version 52): 0 crashes from 2016-09-19.
- aurora (version 51): 0 crashes from 2016-09-19.
- beta (version 50): 2 crashes from 2016-09-20.
- release (version 49): 774 crashes from 2016-09-05.
- esr (version 45): 271 crashes from 2016-06-01.
Crash volume on the last weeks (Week N is from 10-03 to 10-09):
W. N-1 W. N-2
- nightly 0 0
- aurora 0 0
- beta 2 0
- release 627 147
- esr 18 20
Affected platform: Windows
Crash rank on the last 7 days:
Browser Content Plugin
- nightly
- aurora
- beta #2861
- release #73
- esr #477
status-firefox50:
--- → affected
Comment 5•5 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•