Closed
Bug 1483603
Opened 6 years ago
Closed 6 years ago
Crash in OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetCapacity
Categories
(Core :: XPCOM, defect)
Tracking
()
RESOLVED
FIXED
mozilla63
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox61 | --- | unaffected |
firefox62 | --- | unaffected |
firefox63 | --- | fixed |
People
(Reporter: calixte, Assigned: hsivonen)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file, 1 obsolete file)
This bug was filed from the Socorro interface and is report bp-4c5e8fc9-b834-47fa-a230-6af1e0180815. ============================================================= Top 10 frames of crashing thread: 0 xul.dll NS_ABORT_OOM xpcom/base/nsDebugImpl.cpp:624 1 xul.dll nsTSubstring<char16_t>::SetCapacity xpcom/string/nsTSubstring.cpp:746 2 xul.dll nsresult mozilla::dom::XMLHttpRequestMainThread::AppendToResponseText dom/xhr/XMLHttpRequestMainThread.cpp:536 3 xul.dll static nsresult mozilla::dom::XMLHttpRequestMainThread::StreamReaderFunc dom/xhr/XMLHttpRequestMainThread.cpp:1602 4 xul.dll nsStringInputStream::ReadSegments xpcom/io/nsStringStream.cpp:270 5 xul.dll mozilla::dom::XMLHttpRequestMainThread::OnDataAvailable dom/xhr/XMLHttpRequestMainThread.cpp:1787 6 xul.dll mozilla::net::nsStreamListenerWrapper::OnDataAvailable netwerk/base/nsStreamListenerWrapper.h:31 7 xul.dll nsCORSListenerProxy::OnDataAvailable netwerk/protocol/http/nsCORSListenerProxy.cpp:678 8 xul.dll mozilla::net::InterceptFailedOnStop::OnDataAvailable netwerk/protocol/http/HttpBaseChannel.cpp:1231 9 xul.dll nsresult mozilla::net::nsHTTPCompressConv::do_OnDataAvailable netwerk/streamconv/converters/nsHTTPCompressConv.cpp:528 ============================================================= There are 10 crashes (from 6 installations) in nightly 63 starting with buildid 20180814220344. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1402247. [1] https://hg.mozilla.org/mozilla-central/rev?node=4ef0f163fdeb
Flags: needinfo?(hsivonen)
Reporter | ||
Updated•6 years ago
|
Crash Signature: [@ OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetCapacity] → [@ OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetCapacity]
[@ OOM | large | NS_ABORT_OOM | nsresult mozilla::dom::XMLHttpRequestMainThread::AppendToResponseText]
Assignee | ||
Comment 1•6 years ago
|
||
Is there any reason to believe that this is a new bug and not a legitimate OOM situation? I guess we should make XHR use a fallible allocation for this in any case.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Flags: needinfo?(hsivonen) → needinfo?(cdenizet)
Reporter | ||
Comment 3•6 years ago
|
||
For signature "OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetCapacity", the last (before the 2 we've here) buildid with 1 crash is 20180312220041 (on nightly). And for the other signature, there was no crash before. I don't know if it's a legitimate OOM situation but at least for the first signature we don't have this crash on nightly since a long time, so it could be a coincidence or a clue that something is wrong.
Flags: needinfo?(cdenizet)
Comment 6•6 years ago
|
||
There is a frequent reproducibility here by trying to request new jobs on Treeherder, e.g. for 8920abb9801d at https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&filter-resultStatus=usercancel&filter-resultStatus=runnable&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=success&filter-resultStatus=pending&filter-resultStatus=running&group_state=expanded&tochange=34f564520a234b4318cce5be5c86adcd2be8187b&filter-searchStr=windows%20ccov%20marionette&fromchange=0dcc490db922fc504a1b92339be000260448d75b
Assignee | ||
Comment 7•6 years ago
|
||
So this is an especially bad case of bug 1472113 that I somehow missed in my audit of our code. I'm going to develop a fix based on bug 1482828 on the assumption that that one can land soon. froydnj, please let me know if that's not a reasonable assumption.
Flags: needinfo?(nfroyd)
Assignee | ||
Comment 8•6 years ago
|
||
Try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=6bac87f5027cdcb2d96c13d955aa79bcb4eced2e
Assignee | ||
Comment 9•6 years ago
|
||
Failed: https://treeherder.mozilla.org/logviewer.html#?job_id=194313020&repo=try&lineNumber=25465
Assignee | ||
Comment 10•6 years ago
|
||
Another try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e1425c9a97849653b556ee10410648b4dc0fe5b5
Assignee | ||
Comment 11•6 years ago
|
||
Hopefully less bogus try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e27259dc0da88a12396e93481628eff84241f1fc
Assignee | ||
Updated•6 years ago
|
Component: String → DOM
Assignee | ||
Comment 12•6 years ago
|
||
The old code assumes that it's OK to use nsAString::BeginWriting() to write past the string's logical length if the string has enough capacity. This is bogus, because the string doesn't know of data written past its logical length. The BulkWrite API has been created precisely for this purpose and allows orderly capacity-aware low-level writes to the string. MozReview-Commit-ID: FkKz5rBQu19
Assignee | ||
Comment 13•6 years ago
|
||
I'm going to pursue this as a string bug instead.
Component: DOM → String
Flags: needinfo?(nfroyd)
Assignee | ||
Comment 14•6 years ago
|
||
Try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=136eea70b238f5f47d95bf413d1296fe1e1e7bd1
Assignee | ||
Updated•6 years ago
|
Attachment #9001908 -
Attachment is obsolete: true
Assignee | ||
Comment 15•6 years ago
|
||
Shrinking the buffer is purely a memory footprint optimization and can be omitted as far as the string semantics visible to the caller are concerned. Since shrinking is optional, it doesn't make sense to propagate error when it fails due to OOM. MozReview-Commit-ID: BuyBLCBmYzZ
Reporter | ||
Updated•6 years ago
|
Crash Signature: [@ OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetCapacity]
[@ OOM | large | NS_ABORT_OOM | nsresult mozilla::dom::XMLHttpRequestMainThread::AppendToResponseText] → [@ OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetCapacity]
[@ OOM | large | NS_ABORT_OOM | nsresult mozilla::dom::XMLHttpRequestMainThread::AppendToResponseText]
[@ OOM | large | NS_ABORT_OOM | mozilla::dom::XMLHttpRequestMainThread::AppendToResponse…
Comment 16•6 years ago
|
||
Comment on attachment 9002709 [details] Bug 1483603 - Avoid propagating OOM from StartBulkWrite() when shrinking the buffer. Nathan Froyd [:froydnj] has approved the revision.
Attachment #9002709 -
Flags: review+
Comment 17•6 years ago
|
||
Pushed by hsivonen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c6a80a1c10a1 Avoid propagating OOM from StartBulkWrite() when shrinking the buffer. r=froydnj
Comment 18•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c6a80a1c10a1
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated•6 years ago
|
Crash Signature: mozilla::dom::XMLHttpRequestMainThread::AppendToResponseText] → mozilla::dom::XMLHttpRequestMainThread::AppendToResponseText]
[@ OOM | unknown | NS_ABORT_OOM | mozilla::dom::XMLHttpRequestMainThread::AppendToResponseText]
Updated•3 years ago
|
Component: String → XPCOM
You need to log in
before you can comment on or make changes to this bug.
Description
•