Closed Bug 1326422 Opened 7 years ago Closed 2 years ago

[e10s] Crash in memcpy | Pickle::ReadBytesInto

Categories

(Core :: IPC, defect, P3)

49 Branch
defect


RESOLVED INCOMPLETE
Tracking Status
firefox50 --- wontfix
firefox51 - wontfix
firefox52 - wontfix
firefox53 + wontfix

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash, regression, Whiteboard: qa-not-actionable)

Crash Data

This bug was filed from the Socorro interface and is report bp-11caa2ca-0892-4527-8b54-80bd42161230.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	vcruntime140.dll 	memcpy 	f:\dd\vctools\crt\vcruntime\src\string\i386\memcpy.asm:657
1 	xul.dll 	Pickle::ReadBytesInto(PickleIterator*, void*, unsigned int) 	ipc/chromium/src/base/pickle.cc:429
2 	xul.dll 	Pickle::ReadSize(PickleIterator*, unsigned int*) 	ipc/chromium/src/base/pickle.cc:261
3 	xul.dll 	mozilla::dom::PContentBridgeChild::Read<unsigned int>(unsigned int*, IPC::Message const*, PickleIterator*) 	obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/PContentBridgeChild.h:470
4 	xul.dll 	mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) 	obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:762
5 	winmm.dll 	timeGetTime 	
6 	xul.dll 	mozilla::detail::RunnableMethodImpl<void ( mozilla::ipc::MessageChannel::*)(void), 0, 1>::Run() 	obj-firefox/dist/include/nsThreadUtils.h:764
7 	xul.dll 	mozilla::ipc::MessageChannel::DequeueTask::Run() 	obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:569
8 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1076

This crash signature seems to be regressing since Firefox 49 and mostly happens in the content process. Comments from affected users indicate that Firefox is crashing repeatedly for them.
The signature is accounting for 0.25% of content crashes on release in the past week.

Correlations for Firefox Release:
(99.17% in signature vs 12.46% overall) address = 0x0
(99.17% in signature vs 34.75% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(100.0% in signature vs 36.81% overall) dom_ipc_enabled = 1
(36.78% in signature vs 03.83% overall) Module "AcLayers.dll" = true

I don't know this code very well, but BufferList<AllocPolicy>::ReadBytes() calls IterImpl::Advance with aBytes == RemainingInSegment(), while the comment for Advance says "aBytes must be less than RemainingInSegment()", so either the comment is wrong, or the call needs to be changed from Advance to AdvanceAcrossSegments.

Alright, given how AdvanceAcrossSegments uses it, I guess the comment should read "less than or equal to RemainingInSegment".
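
The boundary condition discussed in the two comments above, as an added example that is not part of the bug thread and is not Mozilla's BufferList code: a simplified C++ model in which Advance accepts aBytes == RemainingInSegment() and ReadBytes returns false instead of copying when the data runs out. SegBuf, Iter and the sample segments are hypothetical; only the method names are taken from the comment, and segments are assumed non-empty.

```cpp
// Simplified model of a segmented buffer; NOT Mozilla's BufferList source.
// SegBuf and Iter are hypothetical; method names mirror those in the comment.
#include <algorithm>
#include <cassert>
#include <cstring>
#include <string>
#include <vector>

struct SegBuf {
  std::vector<std::string> segs;  // one string per segment (assumed non-empty)

  struct Iter {
    size_t seg = 0;  // index of the current segment
    size_t off = 0;  // offset inside the current segment
  };

  bool Done(const Iter& it) const { return it.seg == segs.size(); }

  size_t RemainingInSegment(const Iter& it) const {
    return Done(it) ? 0 : segs[it.seg].size() - it.off;
  }

  // Precondition is "<=", not "<": consuming exactly the rest of a segment is
  // legal, and the iterator must then step to the next segment so it never
  // rests on a one-past-the-end offset.
  void Advance(Iter& it, size_t aBytes) const {
    assert(aBytes <= RemainingInSegment(it));
    it.off += aBytes;
    while (!Done(it) && it.off == segs[it.seg].size()) {
      ++it.seg;
      it.off = 0;
    }
  }

  // Copies aSize bytes, crossing segment boundaries. Returns false instead of
  // calling memcpy when the data runs out (aOut may then be partially written).
  bool ReadBytes(Iter& it, void* aOut, size_t aSize) const {
    char* out = static_cast<char*>(aOut);
    while (aSize > 0) {
      size_t n = std::min(aSize, RemainingInSegment(it));
      if (n == 0) return false;  // exhausted: no source pointer to read from
      std::memcpy(out, segs[it.seg].data() + it.off, n);
      Advance(it, n);  // n may equal RemainingInSegment(it)
      out += n;
      aSize -= n;
    }
    return true;
  }
};
```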

We have a week till the 51 RC build, and the crash is fairly low-volume. Marking fix-optional for 51.
We could still take a patch for 53/52 or even to 51 if someone figures this out and it seems low risk.

Assignee: nobody → kchen

Still a low volume crash, wontfix for 53 as it's getting late in the beta cycle.
I don't see any crashes with this signature for 54 or 55 so far. We may not see them until 54 goes to beta.

Assignee: kchen → nobody
Priority: -- → P3
Whiteboard: qa-not-actionable

Very low crash rate, and the code around here has changed a lot since this was filed. Resolving as incomplete.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE