Bug 1484045
Opened 6 years ago
Closed 6 years ago
Crash in OOM | unknown | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString called by nsContentUtils::SerializeNodeToMarkup()
Categories
(Core :: XPCOM, defect, P1)
RESOLVED
FIXED
mozilla63
Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox-esr60 | --- | unaffected
firefox61 | --- | unaffected
firefox62 | --- | unaffected
firefox63 | --- | fixed
People
(Reporter: mccr8, Assigned: hsivonen)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
This bug was filed from the Socorro interface and is report bp-63f44ad2-c330-4622-9ecb-b80570180815.
=============================================================
Top 10 frames of crashing thread:
0 xul.dll NS_ABORT_OOM xpcom/base/nsDebugImpl.cpp:624
1 xul.dll bool `anonymous namespace'::StringBuilder::ToString dom/base/nsContentUtils.cpp:9180
2 xul.dll nsContentUtils::SerializeNodeToMarkup dom/base/nsContentUtils.cpp
3 xul.dll mozilla::dom::FragmentOrElement::GetMarkup dom/base/FragmentOrElement.cpp:2136
4 xul.dll static bool mozilla::dom::Element_Binding::get_outerHTML dom/bindings/ElementBinding.cpp:3531
5 xul.dll mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3187
6 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:533
7 xul.dll static bool InternalCall js/src/vm/Interpreter.cpp:584
8 xul.dll js::Call js/src/vm/Interpreter.cpp:603
9 xul.dll JS::Call js/src/jsapi.cpp:2915
=============================================================
This showed up in the 20180815100249 build. 19 crashes from 3 installations.
There's also a variant that shows up with "large" instead of unknown, such as this crash: bp-ad4d79ba-b88d-46db-b942-c0ac90180816
That first showed up in the 20180814220344 build with 11 crashes from 5 installations.
Comment 1 • 6 years ago (Reporter)
Henri, could this be related to bug 1483603 or some other thing you've been working on?
Flags: needinfo?(hsivonen)
Comment 2 • 6 years ago (Assignee)
This is fallout from bug 1402247. The code in nsContentUtils.h assumes that none of the appends causes an allocation after the fallible SetCapacity(), but bug 1402247 changed that. I'm pretty sure the bug is the boolean right about here:
https://searchfox.org/mozilla-central/source/servo/support/gecko/nsstring/src/conversions.rs#145
I.e. the code that tries to re-use the pre-existing buffer when *assigning* Latin1 to UTF-16 ends up reallocating when *appending* Latin1 to UTF-16 with prior SetCapacity().
Assignee: nobody → hsivonen
Blocks: 1402247
Status: NEW → ASSIGNED
Flags: needinfo?(hsivonen)
Priority: -- → P1
Updated • 6 years ago (Assignee)
Component: DOM → String
Comment 3 • 6 years ago (Assignee)
Aside: There's an additional bug here: entity-encoding expands the length but those use infallible appends. StringBuilder::ToString would be a great candidate for the new API from bug 1482828.
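Comments 2 and 3 both describe the same contract breaking: one fallible SetCapacity() is supposed to be the only allocation, and every later append is infallible and therefore aborts the process if it has to allocate. The model below is added here to make that visible; it is not Gecko's nsTString/StringBuilder code. The class, function and field names, the exact-fit reallocation used to stand in for the Latin1-to-UTF-16 fast path, and the three-entity escaper are all simplifying assumptions. `unplannedGrowths` counts the allocations an infallible append was forced into, which is where the real code reaches NS_ABORT_OOM.

```cpp
// Added model (not Gecko code) of the contract the comments above describe:
// one *fallible* SetCapacity(), then *infallible* appends that must never need
// to allocate. Names and the Latin1->UTF-16 fast-path behaviour are assumptions.
#include <cstddef>
#include <string>

// Counts allocations so a caller can check that SetCapacity() was the only one.
struct AllocStats {
    std::size_t allocations = 0;      // every (re)allocation, SetCapacity included
    std::size_t unplannedGrowths = 0; // allocations forced by an infallible append;
                                      // in real code each is an NS_ABORT_OOM site
};

class ModelString {
public:
    // shrinkOnConvert=true reproduces the regression: the Latin1 append reuses
    // the "assign" fast path and resizes the buffer to exactly what it needs.
    ModelString(AllocStats& stats, bool shrinkOnConvert)
        : mStats(stats), mShrinkOnConvert(shrinkOnConvert) {}

    // Fallible: the one place where allocation failure is reported, not fatal.
    bool SetCapacity(std::size_t units) {
        if (units > mCapacity) { mCapacity = units; ++mStats.allocations; }
        return true; // a real implementation returns false when malloc fails
    }

    // Infallible UTF-16 append: relies on the caller having reserved room.
    void AppendUTF16(const std::u16string& s) {
        Grow(mData.size() + s.size());
        mData += s;
    }

    // Infallible Latin1->UTF-16 append (one code unit per byte).
    void AppendLatin1(const std::string& latin1) {
        const std::size_t needed = mData.size() + latin1.size();
        if (mShrinkOnConvert && needed < mCapacity) {
            mCapacity = needed;          // bug: reallocation drops the reservation
            ++mStats.allocations;
        }
        Grow(needed);
        for (unsigned char c : latin1) mData.push_back(static_cast<char16_t>(c));
    }

    const std::u16string& Data() const { return mData; }

private:
    void Grow(std::size_t needed) {
        if (needed <= mCapacity) return;
        ++mStats.unplannedGrowths;       // the infallible path had to allocate
        ++mStats.allocations;
        mCapacity = needed;
    }

    AllocStats& mStats;
    bool mShrinkOnConvert;
    std::u16string mData;
    std::size_t mCapacity = 0;
};

struct SerializeResult {
    bool reserveFailed;           // the fallible SetCapacity() reported failure
    std::size_t unplannedGrowths; // 0 means the pre-sizing contract held
    std::u16string markup;
};

// Serializer-style caller: pre-size once, then append the pieces of
// <tag a="value">. The value is Latin1 and is entity-escaped on the way out;
// countEscapeExpansion=false is the comment-3 mistake of sizing for the raw
// value length instead of the escaped length.
SerializeResult SerializeWithReserve(bool shrinkOnConvert, bool countEscapeExpansion,
                                     const std::string& tag, const std::string& value) {
    std::string escaped; // simplified entity encoding: only '&', '<', '>'
    for (char c : value) {
        if (c == '&') escaped += "&amp;";
        else if (c == '<') escaped += "&lt;";
        else if (c == '>') escaped += "&gt;";
        else escaped += c;
    }

    AllocStats stats;
    ModelString out(stats, shrinkOnConvert);
    const std::size_t valueLen = countEscapeExpansion ? escaped.size() : value.size();
    // "<" + tag + " a=\"" + value + "\">"
    const std::size_t estimate = 1 + tag.size() + 4 + valueLen + 2;
    if (!out.SetCapacity(estimate)) {
        return {true, 0, u""};   // fallible failure: report it, do not abort
    }

    out.AppendUTF16(u"<");
    out.AppendLatin1(tag);
    out.AppendUTF16(u" a=\"");
    out.AppendLatin1(escaped);
    out.AppendUTF16(u"\">");
    return {false, stats.unplannedGrowths, out.Data()};
}
```

With `shrinkOnConvert=false` and the escaped length counted, the serialization completes with zero unplanned growths; flipping either switch produces growths from an infallible append, which is exactly the situation in which the real serializer crashes with NS_ABORT_OOM under memory pressure rather than returning an error to the caller.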
Comment 4 • 6 years ago (Assignee)
(In reply to Henri Sivonen (:hsivonen) from comment #3)
> Aside: There's an additional bug here: entity-encoding expands the length
> but those use infallible appends. StringBuilder::ToString would be a great
> candidate for the new API from bug 1482828.
Filed bug 1484143 for the pre-existing bug.
Comment 5 • 6 years ago (Assignee)
(In reply to Henri Sivonen (:hsivonen) from comment #3)
> StringBuilder::ToString would be a great
> candidate for the new API from bug 1482828.
This doesn't actually make sense.
Comment 6 • 6 years ago (Assignee)
This restores the old allocation semantics for "append" operations between
Latin1 and UTF-16 while keeping the buffer re-use optimization for the
"assign" cases.
MozReview-Commit-ID: 8JCw3AaCNLN
Comment 7 • 6 years ago
Comment on attachment 9001858 [details]
Bug 1484045 - Prohibit shrinking of the string's buffer in appends of Latin1 to UTF-16 and vice versa.
Nathan Froyd [:froydnj] has approved the revision.
Attachment #9001858 - Flags: review+
Pushed by hsivonen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9494c03553b9
Prohibit shrinking of the string's buffer in appends of Latin1 to UTF-16 and vice versa. r=froydnj
Comment 9 • 6 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox63:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Updated • 6 years ago
status-firefox61:
--- → unaffected
status-firefox62:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Updated • 6 years ago
Crash Signature: [@ OOM | unknown | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString][@ OOM | large | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString] → [@ OOM | unknown | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString]
[@ OOM | large | NS_ABORT_OOM | bool `anonymous namespace'::StringBuilder::ToString]
[@ OOM | large | NS_ABORT_OOM | `anonymous namespace'::StringBuilder::ToString]
…
Updated • 4 years ago
Component: String → XPCOM