Closed
Bug 1416866
Opened 8 years ago
Closed 4 years ago
Crash in moveToRoot
Categories
(Core :: SQLite and Embedded Database Bindings, defect, P3)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: philipp, Unassigned)
Details
(Keywords: crash, regression)
Crash Data
This bug was filed from the Socorro interface and is
report bp-c895925e-fd91-40c6-b956-3d5c70171105.
=============================================================
Crashing Thread (0)
Frame Module Signature Source
0 nss3.dll moveToRoot db/sqlite3/src/sqlite3.c:64538
1 nss3.dll sqlite3BtreeMovetoUnpacked db/sqlite3/src/sqlite3.c:64773
2 nss3.dll sqlite3VdbeExec db/sqlite3/src/sqlite3.c:83099
3 nss3.dll sqlite3Step db/sqlite3/src/sqlite3.c:77342
4 nss3.dll sqlite3_step db/sqlite3/src/sqlite3.c:77407
5 xul.dll mozilla::storage::Connection::stepStatement(sqlite3*, sqlite3_stmt*) storage/mozStorageConnection.cpp:1131
6 xul.dll mozilla::storage::Statement::ExecuteStep(bool*) storage/mozStorageStatement.cpp:583
7 xul.dll nsNavBookmarks::QueryFolderChildren(__int64, nsNavHistoryQueryOptions*, nsCOMArray<nsNavHistoryResultNode>*) toolkit/components/places/nsNavBookmarks.cpp:2169
8 xul.dll nsNavHistoryFolderResultNode::FillChildren() toolkit/components/places/nsNavHistoryResult.cpp:3190
9 xul.dll nsNavHistoryFolderResultNode::GetHasChildren(bool*) toolkit/components/places/nsNavHistoryResult.cpp:3084
10 xul.dll NS_InvokeByIndex xpcom/reflect/xptcall/md/win32/xptcinvoke_asm_x86_msvc.asm:54
11 xul.dll XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) js/xpconnect/src/XPCWrappedNative.cpp:1282
12 xul.dll XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
13 xul.dll js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) js/src/vm/Interpreter.cpp:472
14 xul.dll js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:540
15 xul.dll js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:4379
16 xul.dll js::jit::IonGetPropertyIC::update(JSContext*, JS::Handle<JSScript*>, js::jit::IonGetPropertyIC*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) js/src/jit/IonIC.cpp:174
17 @0x246346d5
=============================================================
This crash signature is rising cross-platform since the 58.0a1 cycle. First affected build was so maybe it's related to bug 1095427 landing the day before.
User comments also say they were trying to import bookmarks from an HTML file:
* bp-33ced9cf-1772-49f1-847e-87ef50171110
* bp-b346f061-fec4-498b-bdd1-7e2500171109
* bp-090fadc8-4f88-4395-a63f-e72770171024
Comment 1•8 years ago
Looking at the history of this crash, it's not new; indeed, I can easily find signatures far in the past.
By looking up to January 2017, it looks like the number of crashes per day was actually higher than the current one until August, then about the same until September, then there has been a small reduction until now, where we moved back to September's levels.
Thus, it doesn't look like a direct consequence of a specific code change, rather a shift due to the code changes.
Moving to Storage for now.
I'm not sure which are the conditions where we could crash in moveToRoot. It's possible we're doing something unsafe, but I'm not sure where to start the investigation. Maybe the SQLite team has some hints on what could be plausible causes for this kind of crash?
Component: Places → Storage
Flags: needinfo?(drh)
Comment 2•8 years ago
This is an odd place to crash. moveToRoot() is unwinding a stack of b-tree pages. You would think that if something were amiss that it would hit problems while descending into the tree, not while unwinding it. So, no, we don't have any clues about this one. Our temptation is to chalk it up to that old bugbear - unrelated heap corruption (possibly in a different thread) that SQLite is merely stumbling over.
We have had no other reports of problems in this area recently.
We'll continue looking, and monitoring this ticket in case new information comes to light.
Flags: needinfo?(drh)
Comment 3•8 years ago
Thank you very much. Indeed it's a really strange looking stack, thus heap corruption is surely a possibility.
Updated•8 years ago
Priority: -- → P3
Comment 4•7 years ago
status-firefox59:
--- → ?
Comment 5•4 years ago
I don't see other crashes with this signature, closing as incomplete.
Updated•1 year ago
Product: Toolkit → Core