Closed Bug 1427091 Opened 2 years ago Closed 2 years ago

Crash in OOM | large | NS_ABORT_OOM | AppendUTF16toUTF8 | mozilla::dom::MultipartBlobImpl::InitializeBlob

Categories

(Core :: DOM: Core & HTML, defect, critical)

58 Branch
x86
Windows
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 --- fixed
firefox59 --- fixed

People

(Reporter: philipp, Assigned: baku)

Details

(Keywords: crash, regression)

Attachments

(2 files)

This bug was filed from the Socorro interface and is
report bp-7d48265e-a530-4d09-82a2-486550171226.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll NS_ABORT_OOM xpcom/base/nsDebugImpl.cpp:620
1 xul.dll AppendUTF16toUTF8 xpcom/string/nsReadableUtils.cpp:251
2 xul.dll mozilla::dom::MultipartBlobImpl::InitializeBlob dom/file/MultipartBlobImpl.cpp:192
3 xul.dll mozilla::dom::Blob::Constructor dom/file/Blob.cpp:254
4 xul.dll mozilla::dom::BlobBinding::_constructor dom/bindings/BlobBinding.cpp:919
5 xul.dll InternalConstruct js/src/vm/Interpreter.cpp:580
6 xul.dll Interpret js/src/vm/Interpreter.cpp:3090
7 xul.dll js::RunScript js/src/vm/Interpreter.cpp:423
8 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:495
9 xul.dll InternalCall js/src/vm/Interpreter.cpp:522

=============================================================

this crash signature started showing up with a low-to-mid-level in 58.0b3 on win32bit builds.
*low to mid level volume
Attached patch blob.patch
Assignee: nobody → amarchesini
Attachment #8939568 - Flags: review?(bugs)
Comment on attachment 8939568 [details] [diff] [review]
blob.patch

Use nsCString, not nsAutoCString, since the data will be assigned immediately to an nsCString anyhow, so there is no need to first assign short strings to nsAutoCString's local storage and then copy them to a string buffer. nsCString ends up using a string buffer from the beginning.
Attachment #8939568 - Flags: review?(bugs) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5360fdf49a84
BlobSet must propagate the OOM error when appending a big string, r=smaug
https://hg.mozilla.org/mozilla-central/rev/5360fdf49a84
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Please request Beta approval on this when you get a chance.
Flags: needinfo?(amarchesini)
Comment on attachment 8939568 [details] [diff] [review]
blob.patch

Approval Request Comment
[Feature/Bug causing the regression]: Blob
[User impact if declined]: OOM crash
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: no. Hard to reproduce.
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: No risk because here it's just about checking the return value of AppendUTF16toUTF8 and propagating it in case of a failure.
[String changes made/needed]: none
Flags: needinfo?(amarchesini)
Attachment #8939568 - Flags: approval-mozilla-beta?
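
The approach described in the approval request above (check the result of the UTF-16 to UTF-8 append and propagate the failure instead of aborting), as an added example that is not the attached patch and not Mozilla code. It uses standard C++ only; `AppendUtf16ToUtf8Fallible`, `BlobParts`, `Status` and the `budget` cap are hypothetical names, and `budget` exists only so the failure path can be exercised without exhausting real memory.

```cpp
#include <cstddef>
#include <exception>
#include <string>

enum class Status { Ok, OutOfMemory };

// Decode one code point at src[i], advancing i; lone surrogates become U+FFFD.
static char32_t NextCodePoint(const std::u16string& src, std::size_t& i) {
  char32_t c = src[i++];
  if (c >= 0xD800 && c <= 0xDBFF && i < src.size() &&
      src[i] >= 0xDC00 && src[i] <= 0xDFFF)
    return 0x10000 + ((c - 0xD800) << 10) + (src[i++] - 0xDC00);
  return (c >= 0xD800 && c <= 0xDFFF) ? 0xFFFD : c;
}

static std::size_t Utf8Len(char32_t c) {
  return c < 0x80 ? 1 : c < 0x800 ? 2 : c < 0x10000 ? 3 : 4;
}

// Fallible append: returns false and leaves dst unchanged when the output
// cannot be allocated (or would exceed the hypothetical budget).
bool AppendUtf16ToUtf8Fallible(const std::u16string& src, std::string& dst,
                               std::size_t budget) {
  std::size_t need = 0;
  for (std::size_t i = 0; i < src.size();) need += Utf8Len(NextCodePoint(src, i));
  if (dst.size() > budget || need > budget - dst.size()) return false;
  try {
    dst.reserve(dst.size() + need);  // the only allocation point
  } catch (const std::exception&) {  // bad_alloc or length_error
    return false;
  }
  static const unsigned char lead[] = {0, 0x00, 0xC0, 0xE0, 0xF0};
  for (std::size_t i = 0; i < src.size();) {
    char32_t c = NextCodePoint(src, i);
    std::size_t n = Utf8Len(c);
    dst += char(lead[n] | (c >> (6 * (n - 1))));
    for (std::size_t k = n - 1; k-- > 0;) dst += char(0x80 | ((c >> (6 * k)) & 0x3F));
  }
  return true;
}

// Stand-in for a blob builder: the caller turns a failed append into an error
// result that can be reported to script, rather than terminating the process.
struct BlobParts {
  std::string data;
  std::size_t budget;
  Status AppendString(const std::u16string& text) {
    return AppendUtf16ToUtf8Fallible(text, data, budget) ? Status::Ok : Status::OutOfMemory;
  }
};
```
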
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bc51fb4054fb
BlobSet must use nsCString instead of nsAutoCString, r=me
Comment on attachment 8939568 [details] [diff] [review]
blob.patch

Take this one because the crash starts from 58.0b12. Beta58+.
Attachment #8939568 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Tried to Uplift this bug to Beta and I have encountered conflicts.

:baku could you please take a look?
Flags: needinfo?(amarchesini)
Attached patch m-b
Flags: needinfo?(amarchesini)
Attachment #8940675 - Attachment is patch: true
Component: DOM → DOM: Core & HTML