Closed Bug 1676681 Opened 5 years ago Closed 4 years ago

Crash in [@ OOM | large | PLDHashTable::Add | nsFrameList::operator new], probably inside of a call to `RecordAlloc()`

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: sg, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/de71000e-9d89-422b-a4b3-b7f000201110

MOZ_CRASH Reason: MOZ_CRASH(OOM)

Top 10 frames of crashing thread:

0 XUL PLDHashTable::Add xpcom/ds/PLDHashTable.cpp:579
1 XUL nsFrameList::operator new layout/generic/nsFrameList.cpp:29
2 XUL nsContainerFrame::PushChildrenToOverflow layout/generic/nsContainerFrame.cpp:1596
3 XUL nsInlineFrame::PushFrames layout/generic/nsInlineFrame.cpp:782
4 XUL nsInlineFrame::ReflowFrames layout/generic/nsInlineFrame.cpp:543
5 XUL nsInlineFrame::Reflow layout/generic/nsInlineFrame.cpp:358
6 XUL nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:878
7 XUL nsInlineFrame::ReflowFrames layout/generic/nsInlineFrame.cpp:543
8 XUL nsInlineFrame::Reflow layout/generic/nsInlineFrame.cpp:358
9 XUL nsLineLayout::ReflowFrame layout/generic/nsLineLayout.cpp:878

The allocation is >1 GB, so this seems not to be a normal memory exhaustion issue.

Crash Signature: [@ OOM | large | PLDHashTable::Add | nsFrameList::operator new] → [@ OOM | large | PLDHashTable::Add | nsFrameList::operator new] [@ OOM | large | NS_ABORT_OOM | PLDHashTable::Add | nsFrameList::operator new] [@ OOM | large | NS_ABORT_OOM | PLDHashTable::Add | static nsFrameList::operator new]
OS: macOS → Unspecified

The severity field is not set for this bug.
:boris, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(boris.chiou)

Mark S3 for now because it's rare.

Severity: -- → S3
Flags: needinfo?(boris.chiou)

Looks like we're safely crashing due to PLDHashTable::Add exceeding some size threshold, for a hashtable operation inside of nsFrameList's operator new.

This new implementation simply calls aPresShell->AllocateByObjectID, which is implemented like so:

  void* AllocateByObjectID(ArenaObjectID aID, size_t aSize) {
    void* result = mFrameArena.Allocate(aID, aSize);
    RecordAlloc(result);
    return result;
  }

I think (?) RecordAlloc is the only thing that does hashtable modifications there, and it only does them in builds that have diagnostic asserts enabled (which I think is just Nightly & DevEdition). Skimming a few of the reports, it seems they all have Release Channel set to aurora, which I think means DevEdition (correct me if I'm wrong).

So this shouldn't be a problem in release builds, which is good news.

I should've quoted RecordAlloc's hashtable modification as well -- here it is:

  void RecordAlloc(void* aPtr) {
#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
    MOZ_DIAGNOSTIC_ASSERT(!mAllocatedPointers.Contains(aPtr));
    mAllocatedPointers.PutEntry(aPtr);
#endif
  }

https://searchfox.org/mozilla-central/rev/ffdb6a4d934b3f5294f18cf0e1df618109ccb36b/layout/base/PresShell.h#1700

That hashtable usage comes from bug 1274443, originally (searchfox reference here) so this might sort of be a downstream effect of that bug, combined with some sort of stress-testing (I'm guessing).

Depends on: 1274443
Summary: Crash in [@ OOM | large | PLDHashTable::Add | nsFrameList::operator new] → Crash in [@ OOM | large | PLDHashTable::Add | nsFrameList::operator new], probably inside of a call to `RecordAlloc()`

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.