Closed
Bug 1326422
Opened 7 years ago
Closed 2 years ago
[e10s] Crash in memcpy | Pickle::ReadBytesInto
Categories
(Core :: IPC, defect, P3)
Tracking
()
People
(Reporter: philipp, Unassigned)
References
Details
(Keywords: crash, regression, Whiteboard: qa-not-actionable)
Crash Data
This bug was filed from the Socorro interface and is report bp-11caa2ca-0892-4527-8b54-80bd42161230.
=============================================================
Crashing Thread (0)
Frame Module Signature Source
0 vcruntime140.dll memcpy f:\dd\vctools\crt\vcruntime\src\string\i386\memcpy.asm:657
1 xul.dll Pickle::ReadBytesInto(PickleIterator*, void*, unsigned int) ipc/chromium/src/base/pickle.cc:429
2 xul.dll Pickle::ReadSize(PickleIterator*, unsigned int*) ipc/chromium/src/base/pickle.cc:261
3 xul.dll mozilla::dom::PContentBridgeChild::Read<unsigned int>(unsigned int*, IPC::Message const*, PickleIterator*) obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/PContentBridgeChild.h:470
4 xul.dll mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:762
5 winmm.dll timeGetTime
6 xul.dll mozilla::detail::RunnableMethodImpl<void ( mozilla::ipc::MessageChannel::*)(void), 0, 1>::Run() obj-firefox/dist/include/nsThreadUtils.h:764
7 xul.dll mozilla::ipc::MessageChannel::DequeueTask::Run() obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:569
8 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1076

this crash signature seems to be regressing since firefox 49 and mostly happens in the content process. comments from affected users indicate that firefox is crashing repeatedly for them. the signature is accounting for 0.25% of content crashes on release past week.

Correlations for Firefox Release:
(99.17% in signature vs 12.46% overall) address = 0x0
(99.17% in signature vs 34.75% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(100.0% in signature vs 36.81% overall) dom_ipc_enabled = 1
(36.78% in signature vs 03.83% overall) Module "AcLayers.dll" = true
Comment 1•7 years ago
I don't know this code very well, but BufferList<AllocPolicy>::ReadBytes() calls IterImpl::Advance with aBytes == RemainingInSegment(), while the comment for Advance says "aBytes must be less than RemainingInSegment()", so either the comment is wrong, or the call needs to be changed from Advance to AdvanceAcrossSegments.
Comment 2•7 years ago
Alright, given how AdvanceAcrossSegments uses it, I guess the comment should read "less than or equal to RemainingInSegment".
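The boundary case discussed in comments 1 and 2, as an added example that is not part of the bug thread and is not Mozilla's BufferList code: a simplified segmented buffer in which advancing by exactly the bytes remaining in a segment is legal and a read past the end of the data fails instead of reaching memcpy. All type and member names are assumptions, and segments are assumed non-empty.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Simplified model of a segmented buffer and its iterator. Every name here
// is an assumption for illustration; this is not mozilla::BufferList.
struct SegmentedBuffer {
  std::vector<std::string> segments;  // assumed non-empty segments
  struct Iter { std::size_t seg = 0; std::size_t off = 0; };  // index, offset

  bool Done(const Iter& it) const { return it.seg == segments.size(); }

  std::size_t RemainingInSegment(const Iter& it) const {
    return Done(it) ? 0 : segments[it.seg].size() - it.off;
  }

  // Precondition: n <= RemainingInSegment(it). Equality is legal: consuming
  // the last byte of a segment moves the iterator to the start of the next.
  bool Advance(Iter& it, std::size_t n) const {
    if (n > RemainingInSegment(it)) return false;  // reject, never overrun
    it.off += n;
    if (!Done(it) && it.off == segments[it.seg].size()) {
      ++it.seg;
      it.off = 0;
    }
    return true;
  }

  // Copy n bytes into out, crossing segment boundaries. Returns false when
  // fewer than n bytes are left, so memcpy never runs on an exhausted iterator.
  bool ReadBytes(Iter& it, void* out, std::size_t n) const {
    char* dst = static_cast<char*>(out);
    while (n > 0) {
      std::size_t chunk = RemainingInSegment(it);
      if (chunk == 0) return false;  // out of data: fail the read
      if (chunk > n) chunk = n;
      std::memcpy(dst, segments[it.seg].data() + it.off, chunk);
      if (!Advance(it, chunk)) return false;  // chunk may equal the remainder
      dst += chunk;
      n -= chunk;
    }
    return true;
  }
};
```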
Updated•7 years ago
Comment 3•7 years ago
We have a week till the 51 RC build, and the crash is fairly low-volume. Marking fix-optional for 51. We could still take a patch for 53/52 or even to 51 if someone figures this out and it seems low risk.
Updated•7 years ago
Assignee: nobody → kchen
Comment 4•7 years ago
Still a low volume crash, wontfix for 53 as it's getting late in the beta cycle. I don't see any crashes with this signature for 54 or 55 so far. We may not see them until 54 goes to beta.
Updated•7 years ago
Assignee: kchen → nobody
Priority: -- → P3
Comment 5•2 years ago
Very low crash rate, and the code around here has changed a lot since this was filed. Resolving as incomplete.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE