OOM crash in nsUrlClassifierDBServiceWorker::AddNoise

VERIFIED FIXED

Status

()

Toolkit
General
--
critical
VERIFIED FIXED
7 years ago
7 years ago

People

(Reporter: Scoobidiver (away), Assigned: gcp)

Tracking

({crash, regression, topcrash})

8 Branch
x86
Windows 7
crash, regression, topcrash
Points:
---

Firefox Tracking Flags

(firefox8-)

Details

(crash signature)

(Reporter)

Description

7 years ago
It's a new crash signature that first appeared in 8.0a1/20110808030804.
It's #26 top crasher in 8.0b1.

Stack traces look like:
Frame 	Module 	Signature [Expand] 	Source
0 	mozalloc.dll 	mozalloc_abort 	memory/mozalloc/mozalloc_abort.cpp:77
1 	mozalloc.dll 	mozalloc_handle_oom 	memory/mozalloc/mozalloc_oom.cpp:54
2 	xul.dll 	nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity 	obj-firefox/dist/include/nsTArray-inl.h:125
3 	xul.dll 	nsTArray<nsUrlClassifierLookupResult,nsTArrayDefaultAllocator>::AppendElements 	obj-firefox/dist/include/nsTArray.h:854
4 	xul.dll 	nsUrlClassifierDBServiceWorker::AddNoise 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:1791
5 	xul.dll 	nsUrlClassifierDBServiceWorker::DoLookup 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:1734
6 	xul.dll 	nsUrlClassifierDBServiceWorker::HandlePendingLookups 	
7 	xul.dll 	nsUrlClassifierDBServiceWorker::Lookup 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:1812
8 	xul.dll 	UrlClassifierDBServiceWorkerProxy::LookupRunnable::Run 	toolkit/components/url-classifier/nsUrlClassifierProxies.cpp:65
9 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
10 	xul.dll 	nsThreadStartupEvent::Run 	xpcom/threads/nsThread.cpp:201
11 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:426
12 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:122
13 	msvcr80.dll 	_callthreadstartex 	f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\threadex.c:348
14 	msvcr80.dll 	_threadstartex 	f:\\dd\\vctools\\crt_bld\\self_x86\\crt\\src\\threadex.c:326
15 	kernel32.dll 	BaseThreadStart 	

More reports at:
https://crash-stats.mozilla.com/report/list?range_value=30&range_unit=days&signature=mozalloc_abort%28char%20const*%20const%29%20|%20mozalloc_handle_oom%28%29%20|%20nsTArray_base%3CnsTArrayDefaultAllocator%3E%3A%3AEnsureCapacity%28unsigned%20int%2C%20unsigned%20int%29%20|%20nsTArray%3CnsUrlClassifierLookupResult%2C%20nsTArrayDefaultAllocator%3E%3A%3AAppendElements%28unsigned%20int%29%20|%20nsUrlClass...
I've seen this in my malware tool as well (seems to be related to safe browsing), mainly with the URL punchng.com, a news site that was listed as malware infected at 2011-10-03, but has been delisted again.

Comment 3

7 years ago
According to bp-e99c1619-7eab-4d7e-800d-5e3a62111012, this is also related to the malware attacks described in http://www.theregister.co.uk/2011/10/14/mass_website_inection_grows/ for the strongdefenseiz.in variant. There is only this one instance from the associated urls since August though.
tracking-firefox8: ? → -
(Reporter)

Updated

7 years ago
Keywords: topcrash
(Assignee)

Updated

7 years ago
Assignee: nobody → gpascutto
(Assignee)

Comment 4

7 years ago
>http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f92e021f1f44&tochange=a43c3080f472

That has:
b4165ae3685f	Gian-Carlo Pascutto — Bug 667075 - Use nsIRandomGenerator instead of querying SQLite. r=dcamp

which was backed out in:
https://bugzilla.mozilla.org/show_bug.cgi?id=706740

So this one may have been fixed in:
 * Nightly from 2011-12-02 and onward
 * Aurora from 2011-12-08 and onward
 * Beta built after 2011-12-08 (ie. 9.0b6 -- the next beta)
 * Release built after 2011-12-08 (ie. 9.0 -- the next release)

Comment 5

7 years ago
mozalloc!mozalloc_abort(char * msg = 0x5a5ba33f "???")+0x2b
mozalloc!mozalloc_handle_oom(void)+0xa
xul!nsTArray_base<nsTArrayDefaultAllocator>::EnsureCapacity(unsigned int capacity = 0, unsigned int elemSize = 0xd33fa64)+0xfb
xul!nsTArray<nsIPresShell *,nsTArrayDefaultAllocator>::AppendElements<nsIPresShell *>(class nsIPresShell ** array = 0x5a5ba33f, unsigned int arrayLen = 0xd33fa64)+0x13
xul!nsUrlClassifierStore::ReadPrefixes(class nsTArray<unsigned int,nsTArrayDefaultAllocator> * array = 0x0d33fa64, unsigned int aKey = 0xaa20e513)+0xb3

0:018:x86> ?? array->mHdr->mLength
unsigned int 0n130046

This seems like a large allocation. wasn't there logic about trying large allocs and gracefully failing them? -- answer, it's called FallibleTArray:
  http://mxr.mozilla.org/mozilla-central/ident?i=FallibleTArray

xul!nsUrlClassifierDBServiceWorker::ConstructPrefixSet(void)+0x4d
xul!nsUrlClassifierDBServiceWorker::ApplyUpdate(void)+0x4f
xul!nsUrlClassifierDBServiceWorker::FinishUpdate(void)+0x4d
xul!nsRunnableMethodImpl<unsigned int (void)+0xf
xul!nsThread::ProcessNextEvent(bool mayWait = <Memory access error>, bool * result = <Memory access error>)+0x181
xul!nsThreadStartupEvent::Run(void)+0x25
nspr4!_PR_NativeRunThread(void * arg = 0x12a5f000)+0x120
nspr4!pr_root(void * arg = 0x74752a47)+0xd
MSVCR80!_callthreadstartex(void)+0x1b
MSVCR80!_threadstartex(void * ptd = 0x777a9ed2)+0x66
KERNEL32!BaseThreadInitThunk+0xe
ntdll_77770000!__RtlUserThreadStart+0x70
ntdll_77770000!_RtlUserThreadStart+0x1b
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 702217
(Assignee)

Comment 6

7 years ago
The AppendElements with AddNoise in the callstack is distinct from the one with ReadPrefixes (and friends) in the callstack. Comment 1 and 5 indeed look like duplicates of bug 702217 but I see no evidence this is so for the original report.

As noted in comment 4, I think this may be a duplicate of 667075, specifically if it disappeared after the noted dates.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
(Assignee)

Comment 7

7 years ago
No more crashes at recent dates, so fixed by the backout of bug 667075.
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago7 years ago
Resolution: --- → FIXED
(Reporter)

Comment 8

7 years ago
I see no crash signatures containing nsUrlClassifierDBServiceWorker::AddNoise in 9.0.1.
Blocks: 667075
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.