Closed Bug 1616327 Opened 1 year ago Closed 1 year ago

Crash in [@ OOM | large | NS_ABORT_OOM | Gecko_SetLengthCString | XPCConvert::JSData2Native]

Categories

(Core :: XPConnect, defect)

Unspecified
Windows 10
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- fixed

People

(Reporter: mccr8, Assigned: mccr8)

Details

(Keywords: crash)

Attachments

(1 file)

This bug is for crash report bp-8d2810d5-47da-4a21-94a6-4a0500200215.

Top 10 frames of crashing thread:

0 xul.dll NS_ABORT_OOM xpcom/base/nsDebugImpl.cpp:608
1 xul.dll Gecko_SetLengthCString xpcom/string/nsTSubstring.cpp:941
2 xul.dll static XPCConvert::JSData2Native js/xpconnect/src/XPCConvert.cpp:728
3 xul.dll static XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:1146
4 xul.dll XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947
5 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:569
6 xul.dll Interpret js/src/vm/Interpreter.cpp:3049
7 xul.dll js::RunScript js/src/vm/Interpreter.cpp:449
8 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:604
9 xul.dll js::Call js/src/vm/Interpreter.cpp:649

It looks like this SetLength call should be fallible, because it can probably end up with random gigantic data from web content.

Assignee: nobody → continuation
Pushed by amccreight@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/66e8f8552963
Use fallible SetLength in XPCConvert::JSData2Native. r=nika
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
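To show what the fix in comment 0 and the landed patch change, here is an added C++ illustration (not Gecko's own code): a minimal string buffer with an infallible SetLength that aborts on an unmet request, like NS_ABORT_OOM, beside the fallible variant that lets the JSData2Native-style caller return an error for an untrusted, possibly huge length. The allocation limit, the CString type and the Result codes are constructed stand-ins, not Gecko identifiers.

```cpp
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>
#include <vector>

// Constructed limit standing in for the allocator refusing a huge request;
// a real OOM is what NS_ABORT_OOM reports, but it is not reproducible in a test.
constexpr size_t kMaxAlloc = size_t(1) << 20;  // 1 MiB, hypothetical

struct CString {
  std::vector<char> buf;

  // Fallible variant: report failure to the caller instead of crashing.
  bool SetLengthFallible(size_t len) {
    if (len > kMaxAlloc) return false;  // stands in for allocation failure
    try {
      buf.resize(len);
    } catch (const std::bad_alloc&) {
      return false;
    }
    return true;
  }

  // Infallible variant (the pre-fix behaviour): an unmet request aborts the
  // process, which is exactly the crash signature in this bug.
  void SetLength(size_t len) {
    if (!SetLengthFallible(len)) std::abort();  // analogous to NS_ABORT_OOM
  }
};

// Constructed result codes in the spirit of nsresult.
enum Result { OK = 0, ERR_OOM = 1 };

// Copies caller-controlled data (e.g. a JS string handed across XPConnect)
// into a native buffer. Post-fix shape: a failed resize becomes an error
// code that propagates to the caller rather than an abort.
Result JSData2NativeFixed(CString& out, const char* src, size_t len) {
  if (!out.SetLengthFallible(len)) return ERR_OOM;  // the fix
  std::memcpy(out.buf.data(), src, len);
  return OK;
}
```

The pre-fix path would be `out.SetLength(len)` with no return value to check, so a web-page-sized length turned straight into a process abort.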

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

This crash also affects esr68. The signature is just different because this particular Gecko_SetLengthCString thing happens because of some kind of Rust FFI optimization. After some digging, I did find this crash that looks the same on ESR: bp-1879ffc7-3263-412f-9662-6ee400200220

Note that the signature is much worse because nsTSubstring<T>::SetLength is apparently not on the prefix list, so that crash signature includes lots of other unrelated crashes.

It doesn't look like a very common crash, so I'll put it as WONTFIX.

Is this worth uplifting to beta? (it's low volume, basically invisible in nightly, a couple of crashes per beta build, so I'm thinking probably not)

Flags: needinfo?(continuation)

It is very low risk, but yeah, it seems to be almost never happening on beta, so I wouldn't bother.

Flags: needinfo?(continuation)