Closed Bug 1290469 Opened 9 years ago Closed 9 years ago

Crash in OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
48 Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla51
Tracking Flags:
Tracking Status
firefox47 --- wontfix
firefox48 + fixed
firefox49 --- fixed
relnote-firefox --- 48+
firefox50 --- fixed
firefox51 --- fixed

People

(Reporter: marcia, Assigned: jonco)

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(1 file)

bug1290469-fallible-saved-frame-hasher
3.10 KB, patch
terrence
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Sylvestre
: approval-mozilla-release+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-0bb416de-6370-4968-a9a7-a5adf2160729. ============================================================= Crash showing up in RC2 Beta: http://bit.ly/2am0xZO It was present in very small numbers in one previous beta, and seems to have risen in early crash data for RC2. Largest percentage of crashes are on Windows 7.
Fairly high correlation to Kaspersky Light Plugin: OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame|EXCEPTION_BREAKPOINT (17 crashes) 59% (10/17) vs. 2% (229/12243) light_plugin_ACF0E80077C511E59DED005056C00008@kaspersky.com (4.6.3-7) 18% (3/17) vs. 2% (286/12243) light_plugin_D772DC8D6FAF43A29B25C4EBAA5AD1DE@kaspersky.com 0% (0/17) vs. 0% (1/12243) 4.6.0.375 18% (3/17) vs. 2% (268/12243) 4.6.2-40 0% (0/17) vs. 0% (5/12243) 4.6.2.21 0% (0/17) vs. 0% (1/12243) 4.6.2.23.1 0% (0/17) vs. 0% (11/12243) 4.6.2.31
We can make this fallible in the same way as was done for all the bare instances of MovableCellHasher.
Assignee: nobody → jcoppeard
Attachment #8776033 - Flags: review?(terrence)
Comment on attachment 8776033 [details] [diff] [review] bug1290469-fallible-saved-frame-hasher Review of attachment 8776033 [details] [diff] [review]: ----------------------------------------------------------------- Nice!
Attachment #8776033 - Flags: review?(terrence) → review+
Crash volume for signature 'OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame': - nightly(version 50):0 crashes from 2016-06-06. - aurora (version 49):0 crashes from 2016-06-07. - beta (version 48):399 crashes from 2016-06-06. - release(version 47):594 crashes from 2016-05-31. - esr (version 45):0 crashes from 2016-04-07. Crash volume on the last weeks: W. N-1 W. N-2 W. N-3 W. N-4 W. N-5 W. N-6 W. N-7 - nightly 0 0 0 0 0 0 0 - aurora 0 0 0 0 0 0 0 - beta 303 37 37 0 0 0 0 - release 88 77 83 65 81 93 77 - esr 0 0 0 0 0 0 0 Affected platform: Windows
status-firefox47: --- → affected
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/63293464e2a2 Use fallible hashing for SavedFrame r=terrence
https://hg.mozilla.org/mozilla-central/rev/63293464e2a2
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
#20 top crasher on Firefox 48. Also affects many users with AdBlock Plus (~50% of crashes with this signature have AdBlock Plus installed vs ~20% overall). Should we consider uplifting?
Flags: needinfo?(terrence)
Also affects 49 and 50, but changed signature.
Crash Signature: [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame] → [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame] [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::SavedStacks::getOrCreateSavedFrame]
status-firefox49: --- → affected
status-firefox50: --- → affected
We already lifted the infrastructure, so I think it should be doable. Jon, what do you think?
Flags: needinfo?(terrence) → needinfo?(jcoppeard)
We could take it as a ride along in 48 it is super safe
status-firefox47: affectedwontfix
tracking-firefox48: --- → +
Comment on attachment 8776033 [details] [diff] [review] bug1290469-fallible-saved-frame-hasher Approval Request Comment [Feature/regressing bug #]: Bug 1224044. [User impact if declined]: Possible crash on OOM. [Describe test coverage new/current, TreeHerder]: On m-c since 1st August. [Risks and why]: Low. [String/UUID change made/needed]: None.
Flags: needinfo?(jcoppeard)
Attachment #8776033 - Flags: approval-mozilla-beta?
Attachment #8776033 - Flags: approval-mozilla-aurora?
Comment on attachment 8776033 [details] [diff] [review] bug1290469-fallible-saved-frame-hasher Fix a top crash, let's take it on aurora & beta.
Attachment #8776033 - Flags: approval-mozilla-beta?
Attachment #8776033 - Flags: approval-mozilla-beta+
Attachment #8776033 - Flags: approval-mozilla-aurora?
Attachment #8776033 - Flags: approval-mozilla-aurora+
Comment on attachment 8776033 [details] [diff] [review] bug1290469-fallible-saved-frame-hasher Approval Request Comment [Feature/regressing bug #]: Bug 1224044. [User impact if declined]: Possible crash on OOM [Describe test coverage new/current, TreeHerder]: On m-c since 1st August. [Risks and why]: Low. [String/UUID change made/needed]: None.
Attachment #8776033 - Flags: approval-mozilla-release?
Comment on attachment 8776033 [details] [diff] [review] bug1290469-fallible-saved-frame-hasher Taking it as it is a top crash, hopefully won't cause a regression.
Attachment #8776033 - Flags: approval-mozilla-release? → approval-mozilla-release+
Added in the 48.0.1 release notes: "Fix a top crash in the JavaScript engine".
relnote-firefox: --- → 48+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: