Open Bug 1545196 Opened 7 months ago Updated 5 months ago

Crash in [@ mozilla::SerializedStructuredCloneBuffer::SerializedStructuredCloneBuffer] due to OOM copying indexedDB::ObjectStoreAddPutParams

Categories

(Core :: Storage: IndexedDB, defect, P2, critical)

x86
Windows 10
defect

Tracking


Tracking Status
firefox67 --- unaffected
firefox68 --- fix-optional

People

(Reporter: marcia, Unassigned)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression)

Crash Data

This bug is for crash report bp-af102580-fc42-4088-856a-769030190331.

Seen while looking at nightly crash data, crashes started in 20190329220047: https://bit.ly/2VPLBID

All crashes have MOZ_RELEASE_ASSERT(data.Append(aOther.data)) (out of memory). Similar to Bug 1519123. At least 2 of the Nightly 68 reports had Ghostery, but there also appear to be reports that don't have that addon installed.

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=4e2ea1a75e878ae392e4775f2eddd9f83d1b008e&tochange=bd1e28b0143bdcff0798b0e6a4f54791c41192e8

If this is an IPC bug, Bug 1539542 was the only one in that regression range but it involved removing stuff from the exclusions list.

Top 10 frames of crashing thread:

0 xul.dll mozilla::SerializedStructuredCloneBuffer::SerializedStructuredCloneBuffer ipc/glue/IPCMessageUtils.h:81
1 xul.dll mozilla::dom::IDBObjectStore::AddOrPut dom/indexedDB/IDBObjectStore.cpp:1632
2 xul.dll struct already_AddRefed<mozilla::dom::IDBRequest> mozilla::dom::IDBObjectStore::Put dom/indexedDB/IDBObjectStore.h:179
3 xul.dll static bool mozilla::dom::IDBObjectStore_Binding::put dom/bindings/IDBObjectStoreBinding.cpp:478
4 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3150
5 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:534
6 xul.dll static bool InternalCall js/src/vm/Interpreter.cpp:589
7 xul.dll js::SpreadCallOperation js/src/vm/Interpreter.cpp:5088
8 xul.dll static bool Interpret js/src/vm/Interpreter.cpp:3008
9 xul.dll js::RunScript js/src/vm/Interpreter.cpp:422

This looks like the kind of OOM we were discussing today in IPC bug triage.

See Also: → 1539498

I added this OOM check in bug 1539261. Before that patch we'd probably have just failed in some other more horrible way.

Regressed by: 1539261

Setting fix-optional for 68 based on comment 2 and low volume.

The priority flag is not set for this bug.
:jld, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jld)

These all seem to be caused by IndexedDB invoking the copy constructor; it would need to be changed to std::move any structures containing SerializedStructuredCloneBuffer.

Blocks: 1539498
Component: IPC → DOM: IndexedDB
Flags: needinfo?(jld)
See Also: 1539498
Blocks: 1541370
Priority: -- → P2
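An added example (not Firefox code) illustrating the fix jld describes: copying a structure that owns a large structured-clone buffer duplicates the whole payload (and trips the fallible-append assert on OOM), while std::move hands the buffer over without allocating. The class and struct names mirror the bug but are stand-ins; gBytesAllocated, Send and BytesToSend are hypothetical helpers.

```cpp
// Added example, not Firefox source: models copy vs. move of a params struct
// that owns a SerializedStructuredCloneBuffer-like payload.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Bytes requested from the allocator so far (hypothetical counter used to
// compare the copy path with the move path).
static std::size_t gBytesAllocated = 0;

struct SerializedStructuredCloneBuffer {
  std::vector<uint8_t> data;

  SerializedStructuredCloneBuffer() = default;
  explicit SerializedStructuredCloneBuffer(std::size_t n) : data(n, 0) {
    gBytesAllocated += n;
  }
  // Copy: duplicates the whole payload. In the real class this is the
  // MOZ_RELEASE_ASSERT(data.Append(aOther.data)) that fires on OOM.
  SerializedStructuredCloneBuffer(const SerializedStructuredCloneBuffer& aOther)
      : data(aOther.data) {
    gBytesAllocated += aOther.data.size();
  }
  // Move: steals the heap block; no new allocation, so no OOM to assert on.
  SerializedStructuredCloneBuffer(SerializedStructuredCloneBuffer&& aOther) noexcept
      : data(std::move(aOther.data)) {}
};

struct ObjectStoreAddPutParams {
  SerializedStructuredCloneBuffer cloneInfo;
};

// Stand-in for the IPC send path; takes the params by value.
static std::size_t Send(ObjectStoreAddPutParams aParams) {
  return aParams.cloneInfo.data.size();
}

// Returns the bytes allocated while handing a payload of aSize to Send(),
// either by copying (the crashing path) or by std::move (the fix).
std::size_t BytesToSend(std::size_t aSize, bool aUseMove) {
  ObjectStoreAddPutParams params{SerializedStructuredCloneBuffer(aSize)};
  std::size_t before = gBytesAllocated;
  if (aUseMove) {
    Send(std::move(params));  // implicit move ctor -> no extra allocation
  } else {
    Send(params);             // implicit copy ctor -> payload duplicated
  }
  return gBytesAllocated - before;
}
```

With a 1 MiB payload the copy path allocates another 1 MiB (doubling peak memory at the exact point the crash reports show), the move path allocates nothing.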

There are also a couple of other crash signatures new in 68 with the same MOZ_CRASH Reason:

  • [@ static class mozilla::dom::indexedDB::ObjectStoreAddPutParams& const mozilla::dom::indexedDB::ObjectStoreAddPutParams::operator=]
  • [@ mozilla::SerializedStructuredCloneBuffer::operator=]
  • [@ mozilla::dom::indexedDB::ObjectStoreAddPutParams::operator=]

Not sure if I should add those here or open new bugs for them...

(In reply to [:philipp] from comment #6)

> There are also a couple of other crash signatures new in 68 with the same MOZ_CRASH Reason:
>
>   • [@ static class mozilla::dom::indexedDB::ObjectStoreAddPutParams& const mozilla::dom::indexedDB::ObjectStoreAddPutParams::operator=]
>   • [@ mozilla::SerializedStructuredCloneBuffer::operator=]
>   • [@ mozilla::dom::indexedDB::ObjectStoreAddPutParams::operator=]
>
> Not sure if I should add those here or open new bugs for them...

The crashes all seem to be related to indexedDB::ObjectStoreAddPutParams copy construction/assignment, including the ones with the too-general SerializedStructuredCloneBuffer::operator= signature, so they belong to this bug.

Crash Signature: [@ mozilla::SerializedStructuredCloneBuffer::SerializedStructuredCloneBuffer] → [@ mozilla::SerializedStructuredCloneBuffer::SerializedStructuredCloneBuffer] [@ static class mozilla::dom::indexedDB::ObjectStoreAddPutParams& const mozilla::dom::indexedDB::ObjectStoreAddPutParams::operator=] [@ mozilla::SerializedStructuredCloneBuffe…
Summary: Crash in [@ mozilla::SerializedStructuredCloneBuffer::SerializedStructuredCloneBuffer] → Crash in [@ mozilla::SerializedStructuredCloneBuffer::SerializedStructuredCloneBuffer] due to OOM copying indexedDB::ObjectStoreAddPutParams