Closed Bug 1484045 Opened Last year Closed Last year

Crash in OOM | unknown | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString called by nsContentUtils::SerializeNodeToMarkup()

Categories

(Core :: String, defect, P1, critical)

Unspecified
Windows 7
defect

Tracking

RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed

People

(Reporter: mccr8, Assigned: hsivonen)

Details

(Keywords: crash)

Attachments

(1 file)

This bug was filed from the Socorro interface and is
report bp-63f44ad2-c330-4622-9ecb-b80570180815.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll NS_ABORT_OOM xpcom/base/nsDebugImpl.cpp:624
1 xul.dll bool `anonymous namespace'::StringBuilder::ToString dom/base/nsContentUtils.cpp:9180
2 xul.dll nsContentUtils::SerializeNodeToMarkup dom/base/nsContentUtils.cpp
3 xul.dll mozilla::dom::FragmentOrElement::GetMarkup dom/base/FragmentOrElement.cpp:2136
4 xul.dll static bool mozilla::dom::Element_Binding::get_outerHTML dom/bindings/ElementBinding.cpp:3531
5 xul.dll mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3187
6 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:533
7 xul.dll static bool InternalCall js/src/vm/Interpreter.cpp:584
8 xul.dll js::Call js/src/vm/Interpreter.cpp:603
9 xul.dll JS::Call js/src/jsapi.cpp:2915

=============================================================

This showed up in the 20180815100249 build. 19 crashes from 3 installations.

There's also a variant that shows up with "large" instead of unknown, such as this crash: bp-ad4d79ba-b88d-46db-b942-c0ac90180816

That first showed up in the 20180814220344 build with 11 crashes from 5 installations.
Henri, could this be related to bug 1483603 or some other thing you've been working on?
Flags: needinfo?(hsivonen)

This is fallout from bug 1402247. The code in nsContentUtils.h assumes that none of the appends causes an allocation after the fallible SetCapacity(), but bug 1402247 changed that. I'm pretty sure the bug is the boolean right about here:
https://searchfox.org/mozilla-central/source/servo/support/gecko/nsstring/src/conversions.rs#145

I.e. the code that tries to re-use the pre-existing buffer when *assigning* Latin1 to UTF-16 ends up reallocating when *appending* Latin1 to UTF-16 with prior SetCapacity().
Assignee: nobody → hsivonen
Blocks: 1402247
Status: NEW → ASSIGNED
Flags: needinfo?(hsivonen)
Priority: -- → P1
Component: DOM → String

Aside: There's an additional bug here: entity-encoding expands the length but those use infallible appends. StringBuilder::ToString would be a great candidate for the new API from bug 1482828.

(In reply to Henri Sivonen (:hsivonen) from comment #3)
> Aside: There's an additional bug here: entity-encoding expands the length
> but those use infallible appends. StringBuilder::ToString would be a great
> candidate for the new API from bug 1482828.

Filed bug 1484143 for the pre-existing bug.

(In reply to Henri Sivonen (:hsivonen) from comment #3)
> StringBuilder::ToString would be a great
> candidate for the new API from bug 1482828.

This doesn't actually make sense.

This restores the old allocation semantics for "append" operations between
Latin1 and UTF-16 while keeping the buffer re-use optimization for the
"assign" cases.

MozReview-Commit-ID: 8JCw3AaCNLN
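To make the allocation contract from Henri's diagnosis (comment 2) and the fix described in the commit message above concrete, here is a small model, written for this page and not taken from Gecko or its Rust string crate. It assumes a toy `Utf16Builder` with explicit capacity bookkeeping and an allocation counter, an `AppendPolicy` enum whose `ExactFit` variant stands in for the "assign" buffer-reuse path being applied to an append (it sizes the buffer to exactly the combined length, so it can shrink a reserved buffer), and a `GrowOnly` variant for the fixed behaviour (never shrink, grow only if the data does not fit); `SIMULATED_HEAP_LIMIT` is a constructed value so the fallible path can fail. `build_markup` plays the role of `StringBuilder::ToString`: one fallible reservation for the computed total, then infallible appends, which must allocate nothing for the contract to hold.

```rust
// Added example, not Mozilla's code: a toy model of the allocation contract
// discussed in bug 1484045. `reserve_fallible` is the only point that may
// report OOM; every append after it is infallible (in Gecko an allocation
// failure there is NS_ABORT_OOM, i.e. a crash). The contract only holds if
// appends within the reserved capacity never touch the allocator.

/// Simulated heap limit (constructed value) so the fallible path can fail.
pub const SIMULATED_HEAP_LIMIT: usize = 1 << 20;

#[derive(Debug, PartialEq)]
pub struct OomError;

/// Which append implementation to model (hypothetical names).
#[derive(Debug, Clone, Copy)]
pub enum AppendPolicy {
    /// Sizes the buffer to exactly the combined length, as an "assign" would.
    /// Applied to an append this can shrink a reserved buffer (extra allocation).
    ExactFit,
    /// Grows only when the data does not fit; never shrinks (the fixed behaviour).
    GrowOnly,
}

/// Toy UTF-16 string with explicit capacity bookkeeping and an allocation
/// counter so a caller can observe whether an append reallocated.
pub struct Utf16Builder {
    units: Vec<u16>,
    capacity: usize,
    pub allocations: usize,
}

impl Utf16Builder {
    pub fn new() -> Self {
        Utf16Builder { units: Vec::new(), capacity: 0, allocations: 0 }
    }

    /// Fallible SetCapacity(): the caller handles an Err here gracefully.
    pub fn reserve_fallible(&mut self, cap: usize) -> Result<(), OomError> {
        if cap > SIMULATED_HEAP_LIMIT {
            return Err(OomError);
        }
        if cap > self.capacity {
            self.capacity = cap;
            self.allocations += 1;
        }
        Ok(())
    }

    /// Infallible reallocation: models the path where a failure would abort.
    fn realloc_infallible(&mut self, new_capacity: usize) {
        assert!(new_capacity >= self.units.len(), "would truncate live data");
        self.capacity = new_capacity;
        self.allocations += 1;
    }

    /// Append Latin1 bytes as UTF-16 code units (each byte is one code unit).
    pub fn append_latin1(&mut self, latin1: &[u8], policy: AppendPolicy) {
        let needed = self.units.len() + latin1.len();
        match policy {
            // Buggy: reallocates whenever the exact size differs, shrinking a
            // reserved buffer on the first append and growing it again later.
            AppendPolicy::ExactFit if needed != self.capacity => self.realloc_infallible(needed),
            // Fixed: only an append that does not fit may allocate.
            AppendPolicy::GrowOnly if needed > self.capacity => self.realloc_infallible(needed),
            _ => {}
        }
        self.units.extend(latin1.iter().map(|&b| u16::from(b)));
    }

    pub fn as_units(&self) -> &[u16] {
        &self.units
    }
}

/// Models StringBuilder::ToString: one fallible reservation for the total,
/// then infallible appends. Returns the number of allocations performed by
/// the appends (zero if the contract holds) together with the result.
pub fn build_markup(pieces: &[&[u8]], policy: AppendPolicy) -> Result<(usize, Vec<u16>), OomError> {
    let total: usize = pieces.iter().map(|p| p.len()).sum();
    let mut out = Utf16Builder::new();
    out.reserve_fallible(total)?;
    let before = out.allocations;
    for piece in pieces {
        out.append_latin1(piece, policy);
    }
    Ok((out.allocations - before, out.as_units().to_vec()))
}

fn main() {
    // Constructed sample: three Latin1 fragments of a serialised element.
    let pieces: [&[u8]; 3] = [b"<div>", b"caf\xe9", b"</div>"];
    for policy in [AppendPolicy::ExactFit, AppendPolicy::GrowOnly] {
        let (allocs, _) = build_markup(&pieces, policy).unwrap();
        println!("{:?}: {} allocation(s) after the fallible reserve", policy, allocs);
    }
}
```

With the constructed three-piece input, `ExactFit` performs three allocations after the reservation (shrink to 5, grow to 9, grow to 15), each of them on the infallible path, while `GrowOnly` performs none; an oversized reservation is reported as `Err(OomError)` before any append runs, which is the only place this pattern is prepared to handle OOM.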
Comment on attachment 9001858 [details]
Bug 1484045 - Prohibit shrinking of the string's buffer in appends of Latin1 to UTF-16 and vice versa.

Nathan Froyd [:froydnj] has approved the revision.
Attachment #9001858 - Flags: review+

Pushed by hsivonen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9494c03553b9
Prohibit shrinking of the string's buffer in appends of Latin1 to UTF-16 and vice versa. r=froydnj

https://hg.mozilla.org/mozilla-central/rev/9494c03553b9
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Crash Signature: [@ OOM | unknown | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString][@ OOM | large | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString] → [@ OOM | unknown | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString] [@ OOM | large | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString] [@ OOM | large | NS_ABORT_OOM | `anonymous namespace'::StringBuilder::ToString] …