Closed
Bug 1980016
Opened 23 days ago
Closed 21 days ago
Hit MOZ_CRASH(Unhandlable OOM while clearing document dependent slots.) at /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7381
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
DUPLICATE
of bug 1405521
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug, )
Details
(Keywords: crash, pernosco, topcrash)
Crash Data
Found with m-c 20250625-d6e1ecae6d1b (--enable-debug)
This was found by visiting a live website with a debug build.
STR:
- Launch browser and visit site
- scroll down to load more content
This issue was triggered by visiting https://www.acuenta.cl/store/580__843/xlarge. A Pernosco session is available here: https://pernos.co/debug/FrbZoY4merqIPdBpVH14vA/index.html
Hit MOZ_CRASH(Unhandlable OOM while clearing document dependent slots.) at /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7381
0|0|libxul.so|nsGlobalWindowInner::ClearDocumentDependentSlots(JSContext*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|7381|0x60
0|1|libxul.so|nsGlobalWindowOuter::SetNewDocument(mozilla::dom::Document*, nsISupports*, bool, mozilla::dom::WindowGlobalChild*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowOuter.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|2438|0x1be8
0|2|libxul.so|nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::LayoutDevicePixel> const&, bool, bool, bool)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|892|0x382
0|3|libxul.so|nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::LayoutDevicePixel> const&, mozilla::dom::WindowGlobalChild*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|673|0x17
0|4|libxul.so|nsDocShell::SetupNewViewer(nsIDocumentViewer*, mozilla::dom::WindowGlobalChild*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|8230|0x485
0|5|libxul.so|nsDocShell::Embed(nsIDocumentViewer*, mozilla::dom::WindowGlobalChild*, bool, nsIRequest*, nsIURI*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|5593|0x43
0|6|libxul.so|nsDocShell::CreateDocumentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|8062|0xa3c
0|7|libxul.so|nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDSURIContentListener.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|168|0x2a0
0|8|libxul.so|nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|772|0x1ce
0|9|libxul.so|nsDocumentOpenInfo::DispatchContent(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|468|0x4dd
0|10|libxul.so|nsDocumentOpenInfo::OnStartRequest(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|182|0x17e
0|11|libxul.so|nsBaseChannel::OnStartRequest(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsBaseChannel.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|808|0x101
0|12|libxul.so|nsInputStreamPump::OnStateStart()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|524|0x148
0|13|libxul.so|nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|426|0x104
0|14|libxul.so|{virtual override thunk({offset(-24)}, nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*))}|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:d7eb324b222d504f43ff0edbc431daac6df35581||0xc
0|15|libxul.so|mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>)|hg:hg.mozilla.org/mozilla-central:xpcom/io/NonBlockingAsyncInputStream.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|385|0x8a
0|16|libxul.so|mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/io/NonBlockingAsyncInputStream.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|33|0x4f
0|17|libxul.so|mozilla::RunnableTask::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|703|0x17
0|18|libxul.so|mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|1310|0x50e
0|19|libxul.so|mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|1133|0x57
0|20|libxul.so|mozilla::TaskController::ProcessPendingMTTask(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskController.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|639|0x65
0|21|libxul.so|mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:d7eb324b222d504f43ff0edbc431daac6df35581|548|0x16
0|22|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|1159|0x5aa
0|23|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|480|0x4f
0|24|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|85|0xc0
0|25|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:d7eb324b222d504f43ff0edbc431daac6df35581|344|0x61
0|26|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|148|0x28
0|27|libxul.so|nsAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/gtk/nsAppShell.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|471|0x114
0|28|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|647|0x6b
0|29|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|235|0x3c
0|30|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:d7eb324b222d504f43ff0edbc431daac6df35581|344|0x61
0|31|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|585|0xa12
0|32|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:d7eb324b222d504f43ff0edbc431daac6df35581|397|0x1df
|
||
Comment 1•23 days ago
|
||
The bug is linked to a topcrash signature, which matches the following criteria:
- Top 20 desktop browser crashes on release
- Top 10 content process crashes on release
For more information, please visit BugBot documentation.
Keywords: topcrash
|
||
Comment 2•21 days ago
|
||
We fail to get a wrapper JS object for the document, because GCRuntime::allocateArena fails. It seems to fail the heap size check.
I think this needs a look by the SpiderMonkey team.
Flags: needinfo?(jcoppeard)
|
|
||
Comment 3•21 days ago
|
||
I should have read bug 1405521 before stepping in Pernosco. This looks a lot like a direct duplicate of bug 1405521.
|
||
Comment 4•21 days ago
|
||
(In reply to Henri Sivonen (:hsivonen) from comment #2)
The heap has reached the 4GB limit so allocation fails. We have already run a last ditch GC at this point without freeing anything.
Yes, this is the same issue as bug 1405521.
I would have hoped that the last ditch GC would have freed up some memory since we are replacing the document here (I think?). Is it possible that the DOM is holding things alive that it needn't at this point? Maybe we need to do a cycle collection when we do a last ditch GC too.
Status: NEW → RESOLVED
Closed: 21 days ago
Duplicate of bug: 1405521
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
|
|
||
Comment 5•21 days ago
|
||
Filed bug 1980665 to look into doing a CC here too.
You need to log in
before you can comment on or make changes to this bug.
Description
•