Closed Bug 1346433 Opened 8 years ago Closed 8 years ago

Crash in OOM | large | NS_ABORT_OOM | mozilla::dom::CallbackObject::FinishSlowJSInitIfMoreThanOneOwner

Categories

(Core :: DOM: Core & HTML, defect)

53 Branch
Unspecified
Windows
defect
Not set
critical

Tracking

RESOLVED WONTFIX
Tracking Status
firefox52 --- affected
firefox53 --- affected
firefox54 --- affected
firefox55 --- affected

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-3225f4e1-462b-4f12-b075-3898a2170117.
=============================================================
Crashing Thread (0)

Frame  Module   Signature  Source
0      xul.dll  NS_ABORT_OOM(unsigned int)  xpcom/base/nsDebugImpl.cpp:606
1      xul.dll  mozilla::dom::CallbackObject::FinishSlowJSInitIfMoreThanOneOwner(JSContext*)  dom/bindings/CallbackObject.cpp:62
2      xul.dll  mozilla::dom::RootedCallback<RefPtr<mozilla::dom::binding_detail::FastEventListener> >::~RootedCallback<RefPtr<mozilla::dom::binding_detail::FastEventListener> >()  obj-firefox/dist/include/mozilla/dom/CallbackObject.h:578
3      xul.dll  mozilla::dom::EventTargetBinding::addEventListener  obj-firefox/dom/bindings/EventTargetBinding.cpp:852
4               @0xc10a9cb

This crash signature first started showing up in Firefox 53 & later. So far it's only a low volume crash though.
I noticed that Patch Part 2 in bug 1326105 renamed CallbackObject::HoldJSObjectsIfMoreThanOneOwner to CallbackObject::FinishSlowJSInitIfMoreThanOneOwner. So I wonder if this is something new or simply a signature change. Any thoughts, Boris? Thanks!

Note: some reports with signatures containing "mozilla::dom::CallbackObject::HoldJSObjectsIfMoreThanOneOwner":
https://crash-stats.mozilla.com/search/?signature=~HoldJSObjectsIfMoreThanOneOwner&date=%3E%3D2017-03-07T10%3A05%3A00.000Z&date=%3C2017-03-14T10%3A05%3A00.000Z&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Flags: needinfo?(bzbarsky)
This is just a signature change.

What's going on here is that we're calling HoldJSObjects(this), which tries to add us to a hashtable. In this case that's reallocating the hashtable's storage, presumably because we failed to find a spot. This part is clearer in https://crash-stats.mozilla.com/report/index/076dc247-d109-49c1-911d-b57c62170308 for example, which is one of the HoldJSObjectsIfMoreThanOneOwner incidents linked in comment 1.

Anyway, we're doing a 93MB allocation for that hashtable storage, we have 350MB of virtual memory free, and presumably it's too fragmented and the allocation fails. It wouldn't take much fragmentation at all in those circumstances.

I'm not sure how feasible it would be to make the held-object storage not require a large continuous buffer while keeping it fast. :(
Flags: needinfo?(bzbarsky)
Crash Signature: [@ OOM | large | NS_ABORT_OOM | mozilla::dom::CallbackObject::FinishSlowJSInitIfMoreThanOneOwner] → [@ OOM | large | NS_ABORT_OOM | mozilla::dom::CallbackObject::FinishSlowJSInitIfMoreThanOneOwner] [@ OOM | large | NS_ABORT_OOM | PLDHashTable::Add | mozilla::dom::CallbackObject::HoldJSObjectsIfMoreThanOneOwner ]
Keywords: regression
93MB is a lot of objects. Presumably there's some underlying issue in the page or Firefox that is causing us to bloat up the number of callbacks. This crash is quite rare, so I don't think it is worth fixing.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Crash Signature: [@ OOM | large | NS_ABORT_OOM | mozilla::dom::CallbackObject::FinishSlowJSInitIfMoreThanOneOwner] [@ OOM | large | NS_ABORT_OOM | PLDHashTable::Add | mozilla::dom::CallbackObject::HoldJSObjectsIfMoreThanOneOwner ] → [@ OOM | large | NS_ABORT_OOM | mozilla::dom::CallbackObject::FinishSlowJSInitIfMoreThanOneOwner] [@ OOM | large | NS_ABORT_OOM | PLDHashTable::Add | mozilla::dom::CallbackObject::HoldJSObjectsIfMoreThanOneOwner ] [@ OOM | large | NS_ABORT_OOM | PLDHash…
Component: DOM → DOM: Core & HTML