Crash in OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame

RESOLVED FIXED in Firefox 48

Status

()

--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: marcia, Assigned: jonco)

Tracking

({crash, topcrash})

48 Branch
mozilla51
x86
Windows 7
crash, topcrash
Points:
---

Firefox Tracking Flags

(firefox47 wontfix, firefox48+ fixed, firefox49 fixed, relnote-firefox 48+, firefox50 fixed, firefox51 fixed)

Details

(crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is 
report bp-0bb416de-6370-4968-a9a7-a5adf2160729.
=============================================================

Crash showing up in RC2 Beta: http://bit.ly/2am0xZO

It was present in very small numbers in one previous beta, and seems to have risen in early crash data for RC2. Largest percentage of crashes are on Windows 7.
Fairly high correlation to Kaspersky Light Plugin:

OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame|EXCEPTION_BREAKPOINT (17 crashes)
     59% (10/17) vs.   2% (229/12243) light_plugin_ACF0E80077C511E59DED005056C00008@kaspersky.com (4.6.3-7)
     18% (3/17) vs.   2% (286/12243) light_plugin_D772DC8D6FAF43A29B25C4EBAA5AD1DE@kaspersky.com
          0% (0/17) vs.   0% (1/12243) 4.6.0.375
         18% (3/17) vs.   2% (268/12243) 4.6.2-40
          0% (0/17) vs.   0% (5/12243) 4.6.2.21
          0% (0/17) vs.   0% (1/12243) 4.6.2.23.1
          0% (0/17) vs.   0% (11/12243) 4.6.2.31
(Assignee)

Comment 2

3 years ago
We can make this fallible in the same way as was done for all the bare instances of MovableCellHasher.
Assignee: nobody → jcoppeard
Attachment #8776033 - Flags: review?(terrence)
Comment on attachment 8776033 [details] [diff] [review]
bug1290469-fallible-saved-frame-hasher

Review of attachment 8776033 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!
Attachment #8776033 - Flags: review?(terrence) → review+
Crash volume for signature 'OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame':
 - nightly(version 50):0 crashes from 2016-06-06.
 - aurora (version 49):0 crashes from 2016-06-07.
 - beta   (version 48):399 crashes from 2016-06-06.
 - release(version 47):594 crashes from 2016-05-31.
 - esr    (version 45):0 crashes from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       0       0       0
 - aurora        0       0       0       0       0       0       0
 - beta        303      37      37       0       0       0       0
 - release      88      77      83      65      81      93      77
 - esr           0       0       0       0       0       0       0

Affected platform: Windows
status-firefox47: --- → affected

Comment 5

3 years ago
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/63293464e2a2
Use fallible hashing for SavedFrame r=terrence

Comment 6

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/63293464e2a2
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
#20 top crasher on Firefox 48. Also affects many users with AdBlock Plus (~50% of crashes with this signature have AdBlock Plus installed vs ~20% overall).

Should we consider uplifting?
Flags: needinfo?(terrence)
Also affects 49 and 50, but changed signature.
Crash Signature: [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame] → [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::detail::HashTable<T>::prepareHash | js::SavedStacks::getOrCreateSavedFrame] [@ OOM | unknown | js::AutoEnterOOMUnsafeRegion::crash | js::SavedStacks::getOrCreateSavedFrame]
status-firefox49: --- → affected
status-firefox50: --- → affected
We already lifted the infrastructure, so I think it should be doable. Jon, what do you think?
Flags: needinfo?(terrence) → needinfo?(jcoppeard)
We could take it as a ride along in 48 it is super safe
status-firefox47: affected → wontfix
tracking-firefox48: --- → +
Keywords: topcrash
(Assignee)

Comment 11

3 years ago
Comment on attachment 8776033 [details] [diff] [review]
bug1290469-fallible-saved-frame-hasher

Approval Request Comment
[Feature/regressing bug #]: Bug 1224044.
[User impact if declined]: Possible crash on OOM.
[Describe test coverage new/current, TreeHerder]: On m-c since 1st August.
[Risks and why]: Low.
[String/UUID change made/needed]: None.
Flags: needinfo?(jcoppeard)
Attachment #8776033 - Flags: approval-mozilla-beta?
Attachment #8776033 - Flags: approval-mozilla-aurora?
Comment on attachment 8776033 [details] [diff] [review]
bug1290469-fallible-saved-frame-hasher

Fix a top crash, let's take it on aurora & beta.
Attachment #8776033 - Flags: approval-mozilla-beta?
Attachment #8776033 - Flags: approval-mozilla-beta+
Attachment #8776033 - Flags: approval-mozilla-aurora?
Attachment #8776033 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 14

3 years ago
Comment on attachment 8776033 [details] [diff] [review]
bug1290469-fallible-saved-frame-hasher

Approval Request Comment
[Feature/regressing bug #]: Bug 1224044.
[User impact if declined]: Possible crash on OOM
[Describe test coverage new/current, TreeHerder]: On m-c since 1st August.
[Risks and why]: Low.
[String/UUID change made/needed]: None.
Attachment #8776033 - Flags: approval-mozilla-release?
status-firefox49: affected → fixed
status-firefox50: affected → fixed
Comment on attachment 8776033 [details] [diff] [review]
bug1290469-fallible-saved-frame-hasher

Taking it as it is a top crash, hopefully won't cause a regression.
Attachment #8776033 - Flags: approval-mozilla-release? → approval-mozilla-release+

Comment 16

3 years ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-release/rev/a86f28044dd4
status-firefox48: affected → fixed
Added in the 48.0.1 release notes: "Fix a top crash in the JavaScript engine".
relnote-firefox: --- → 48+
You need to log in before you can comment on or make changes to this bug.