Closed Bug 1677074 Opened 4 years ago Closed 3 years ago

FX 82.0.2 OOM Crash

Categories

(Core :: DOM: Content Processes, defect, P3)

Product:
Core
Component:
DOM: Content Processes
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr91 --- fixed
firefox82 --- wontfix
firefox83 --- affected
firefox84 --- affected
firefox94 --- fixed

People

(Reporter: hdir.yassine, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, reporter-external, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

screenshot_and_testcase.zip
165.76 KB, application/x-zip-compressed
Details
testcase.html
17.77 KB, text/html
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

Steps to reproduce:

bug found while fuzzing FF on linux using Grizzly
the crash signature was identified by grizzly several times but the test case attached is pretty particular, the crash still occur with the official release, but grizzly.replay failed to reproduce it.
attached you found the grizzly report with the test case and a screenshot of the crash.

Blocks: grizzly

Reducing the test case now.

Running with an ASan build this looks like an OOM.

Running with a debug build gives me:

Hit MOZ_CRASH(mozilla::LinkedList<mozilla::dom::ContentParent>::~LinkedList() [T = mozilla::dom::ContentParent] has a buggy user: it should have removed all this list's elements before the list's destruction) at /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:443

#0 0x7f81f591f592 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7f81f591f592 in mozilla::LinkedList<mozilla::dom::ContentParent>::~LinkedList() /builds/worker/workspace/obj-build/dist/include/mozilla/LinkedList.h:439:7
#2 0x7f81f58e1a8b in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:460:5
#3 0x7f81f58e1a8b in reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:302:7
#4 0x7f81f58e1a8b in mozilla::UniquePtr<mozilla::LinkedList<mozilla::dom::ContentParent>, mozilla::DefaultDelete<mozilla::LinkedList<mozilla::dom::ContentParent> > >::~UniquePtr() /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:253:18
#5 0x7f8205df7a26 in __run_exit_handlers /build/glibc-ZN95T4/glibc-2.31/stdlib/exit.c:108:8
#6 0x7f8205df7bdf in exit /build/glibc-ZN95T4/glibc-2.31/stdlib/exit.c:139:3
#7 0x7f8205dd50b9 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:342:3
Attached file testcase.html

Reduced test case.

Group: firefox-core-security
Status: UNCONFIRMED → NEW
status-firefox82: --- → wontfix
status-firefox83: --- → affected
status-firefox84: --- → affected
Ever confirmed: true
Flags: in-testsuite?
Keywords: crash, testcase
Summary: FX 82.0.2 Crash for unknown reason → FX 82.0.2 OOM Crash
Version: 56 Branch → unspecified

Setting a component for this issue.
If you feel it's an incorrect one please feel free to change it to a more appropriate one.

Component: Untriaged → Performance
Product: Firefox → Core

This seems like it may be a potential regression from bug 1641211

The object here seems to line up with the stack trace:
https://searchfox.org/mozilla-central/rev/2efcda6dc74c63863fd8f04a6d9d7ac6b09c7eca/dom/ipc/ContentParent.h#737

Flags: needinfo?(kmaglione+bmo)
Flags: sec-bounty?
Component: Performance → DOM: Content Processes

Assigning this bug to kmag since it may be a regression from his change in bug 1641211 to use a static UniquePtr instead of StaticAutoPtr.

The reduced test case hangs browser chrome locally in 86 Nightly, but not 84 Release or 85 Beta. That is a different problem, possibly hitting some code that is only enabled in Nightly?

Assignee: nobody → kmaglione+bmo
See Also: → 1641211
Severity: -- → S3
Priority: -- → P3

This isn't a regression from my change. The change from StaticAutoPtr to UniquePtr only caused the LinkedList destructor to start being called at shutdown. The actual bug that causes the abrupt shutdown and the leak happens regardless.

Assignee: kmaglione+bmo → nobody
Flags: needinfo?(kmaglione+bmo)
Depends on: 1686113

(In reply to Chris Peterson [:cpeterson] from comment #5)

The reduced test case hangs browser chrome locally in 86 Nightly, but not 84 Release or 85 Beta. That is a different problem, possibly hitting some code that is only enabled in Nightly?

btw, I filed bug 1686113 for the reproducible browser chrome hang. It's a regression from WebRender bug 1686113.

Flags: sec-bounty?
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Keywords: bugmon

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20201120163152-fd1683e51ec5) but not with tip (mozilla-central 20211118212756-b193f2e7a6a5.)
The bug appears to have been fixed in the following build range:

Start: 5913a4a254df767b3f74d5ec40102bbb733b9fa7 (20210210010432)
End: 9adc4db005f1af04f021d10aa60a16231823da80 (20210210031538)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5913a4a254df767b3f74d5ec40102bbb733b9fa7&tochange=9adc4db005f1af04f021d10aa60a16231823da80
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:bisected,confirmed]

There is some Fission work in that set of patches, but nothing really stands out to me. I cannot find an option to set it fixed for 87, so setting 94. And it should have been merged to ESR 91, too.

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox94: --- → fixed
status-firefox-esr91: --- → fixed
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: