Closed
Bug 719531
Opened 12 years ago
Closed 12 years ago
FallibleTArray uses infallible malloc
Categories
(Core :: General, defect)
Tracking
()
RESOLVED
FIXED
mozilla12
People
(Reporter: gcp, Assigned: justin.lebar+bug)
References
Details
(Keywords: regression, Whiteboard: [qa-])
Attachments
(2 files, 1 obsolete file)
2.11 KB,
patch
|
benjamin
:
review+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
2.13 KB,
patch
|
benjamin
:
review+
johnath
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
From bug 702217: https://crash-stats.mozilla.com/report/index/1d2909f4-3a8f-461e-9948-0c0772120118 mozalloc_abort mozalloc_handle_oom nsTArray_base<nsTArrayFallibleAllocator>::EnsureCapacity SetCapacity is being called on a FallibleTArray, and it's causing an OOM abort instead of returning false.
Reporter | ||
Updated•12 years ago
|
Assignee: nobody → justin.lebar+bug
OS: Windows Vista → All
Version: 8 Branch → Trunk
Updated•12 years ago
|
Assignee: justin.lebar+bug → nobody
Blocks: 680556
Keywords: regression
OS: All → Windows Vista
Version: Trunk → 8 Branch
Updated•12 years ago
|
tracking-firefox11:
--- → ?
tracking-firefox12:
--- → ?
Reporter | ||
Updated•12 years ago
|
tracking-firefox11:
? → ---
tracking-firefox12:
? → ---
Updated•12 years ago
|
tracking-firefox11:
--- → ?
tracking-firefox12:
--- → ?
Assignee | ||
Comment 1•12 years ago
|
||
Assignee | ||
Comment 2•12 years ago
|
||
Assignee | ||
Comment 3•12 years ago
|
||
Hopefully failing test only: https://tbpl.mozilla.org/?tree=Try&rev=8d6754fb4812 Test plus fix: https://tbpl.mozilla.org/?tree=Try&rev=c6191becddf1
Assignee | ||
Comment 4•12 years ago
|
||
Messed up the try syntax on the first push above. Here's another attempt at failing test only: https://tbpl.mozilla.org/?tree=Try&rev=181bd403fc6e
Assignee | ||
Comment 5•12 years ago
|
||
Test (without the fix) fails with OOM, which is great.
Comment 6•12 years ago
|
||
Try run for 181bd403fc6e is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=181bd403fc6e Results (out of 29 total builds): success: 25 warnings: 4 Builds (or logs if builds failed) available at: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jlebar@mozilla.com-181bd403fc6e
Assignee | ||
Comment 7•12 years ago
|
||
With the fix, the test doesn't fail, but we get link errors on Windows in what appears to be a C++ unit test. :-/
Comment 8•12 years ago
|
||
Try run for c6191becddf1 is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=c6191becddf1 Results (out of 162 total builds): success: 139 warnings: 20 failure: 3 Builds (or logs if builds failed) available at: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jlebar@mozilla.com-c6191becddf1
Assignee | ||
Updated•12 years ago
|
OS: Windows Vista → All
Assignee | ||
Comment 9•12 years ago
|
||
Attachment #589963 -
Attachment is obsolete: true
Assignee | ||
Updated•12 years ago
|
Assignee: nobody → justin.lebar+bug
Assignee | ||
Comment 10•12 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=0cdc12275ed7
Comment 11•12 years ago
|
||
Try run for 0cdc12275ed7 is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=0cdc12275ed7 Results (out of 165 total builds): success: 132 warnings: 28 failure: 5 Builds (or logs if builds failed) available at: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jlebar@mozilla.com-0cdc12275ed7
Comment 12•12 years ago
|
||
Try run for b3b4409d61a3 is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=b3b4409d61a3 Results (out of 95 total builds): success: 75 warnings: 11 failure: 9 Builds (or logs if builds failed) available at: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jlebar@mozilla.com-b3b4409d61a3 Timed out after 06 hours without completing.
Assignee | ||
Comment 13•12 years ago
|
||
Hm, I could use a bit of help here: nsTArray is sometimes built without access to mozmemory. What the current patch tries to do is, if mozmemory is not defined, fall back to raw malloc/free. But try run in comment 12 shows that compile burning on Linux/Mac, where malloc/free are not defined. What should our fallback be when there's no mozmemory? We used to use NS_Alloc, but that's infallible, and it looks like the fallback should be fallible. Also, is it a problem to use a different allocator for code which doesn't include mozalloc? One of our constraints is that fallible and infallible need to share a free(); does the set of allocators we use when there's no mozalloc need to use moz_free() or a synonym?
Assignee | ||
Updated•12 years ago
|
Summary: FallibleTArray can cause OOM aborts → FallibleTArray uses infallible malloc
Comment 14•12 years ago
|
||
I think that malloc/free are the correct choice in the case the mozalloc is not available. I don't understand the bit about the compile errors, wouldn't you just need to #include <stdlib.h> ?
Assignee | ||
Comment 15•12 years ago
|
||
> wouldn't you just need to #include <stdlib.h> ? Oh, probably! https://tbpl.mozilla.org/?tree=Try&rev=26843cff372c
Assignee | ||
Updated•12 years ago
|
Attachment #589962 -
Flags: review?(benjamin)
Assignee | ||
Updated•12 years ago
|
Attachment #590296 -
Flags: review?(benjamin)
Comment 16•12 years ago
|
||
Try run for 26843cff372c is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=26843cff372c Results (out of 206 total builds): success: 173 warnings: 32 failure: 1 Builds (or logs if builds failed) available at: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/jlebar@mozilla.com-26843cff372c
Updated•12 years ago
|
Attachment #589962 -
Flags: review?(benjamin) → review+
Updated•12 years ago
|
Attachment #590296 -
Flags: review?(benjamin) → review+
Assignee | ||
Comment 17•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e8c23cd5fc79 https://hg.mozilla.org/integration/mozilla-inbound/rev/1d68a3277ada
status-firefox12:
--- → fixed
Comment 18•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e8c23cd5fc79 https://hg.mozilla.org/mozilla-central/rev/1d68a3277ada
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Reporter | ||
Updated•12 years ago
|
Attachment #589962 -
Flags: approval-mozilla-aurora?
Reporter | ||
Comment 19•12 years ago
|
||
Comment on attachment 590296 [details] [diff] [review] Part 2, v3: Make FallibleTArray use moz_malloc or malloc, as appropriate. [Approval Request Comment] Can we nominate this for Aurora and get it along still? Otherwise some of the fixes in Bug 702217 won't work, and that bug is a topcrasher. Jusin & Benjamin: can you comment on the risk of taking this (if any)?
Attachment #590296 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 20•12 years ago
|
||
There's some risk: We don't know if other users of FallibleTArray are buggy in a way we'll see only with this patch. I might still take this patch to fix the topcrasher, though.
Reporter | ||
Comment 21•12 years ago
|
||
>We don't know if other users of FallibleTArray are buggy in a way we'll see only
>with this patch.
Such bugs would always start with: *instead* of crashing the browser..., right?
Assignee | ||
Comment 22•12 years ago
|
||
(In reply to Gian-Carlo Pascutto (:gcp) from comment #21) > >We don't know if other users of FallibleTArray are buggy in a way we'll see only > >with this patch. > > Such bugs would always start with: *instead* of crashing the browser..., > right? Yes, indeed. For example, "Instead of safely crashing the browser on OOM, we ignore an allocation error and introduce a security hole." :-/ Of course, by not pushing to Aurora, we may simply be delaying the inevitable -- that is, if there are security holes or other bugs, we're not likely to find them in six weeks of nightly, regardless of whether we take this patch upstream.
Comment 23•12 years ago
|
||
Note that this is basically reverting to the prior intended behavior, and we added FallibleTArray explicitly for this purpose, so it's relatively unlikely to cause bad behavior. I think we should take this path on Aurora.
Comment 24•12 years ago
|
||
Comment on attachment 590296 [details] [diff] [review] Part 2, v3: Make FallibleTArray use moz_malloc or malloc, as appropriate. [Triage Comment] This is now on Aurora post-migration, so this is a beta approval request. We think it still makes sense to take if we can get it RIGHT NOW.
Attachment #590296 -
Flags: approval-mozilla-aurora? → approval-mozilla-beta+
Assignee | ||
Comment 25•12 years ago
|
||
Landed as the first checkin to mozilla-beta after the merge. So this change should be in Firefox 11. (Actually, I landed on a completely red tree, which was perhaps not ideal. :) https://hg.mozilla.org/releases/mozilla-beta/rev/8bf4b03ed889 https://hg.mozilla.org/releases/mozilla-beta/rev/a532dbd01acf
status-firefox11:
--- → fixed
Comment 26•12 years ago
|
||
This landing broke mozilla-beta. Windows opt builds: d:/mozilla-build/python25/python2.5.exe /e/builds/moz2_slave/m-beta-w32/build/config/pythonpath.py -I../../config /e/builds/moz2_slave/m-beta-w32/build/config/expandlibs_exec.py --uselist -- link -NOLOGO -OUT:firefox.exe -PDB:firefox.pdb -SUBSYSTEM:WINDOWS -ENTRY:wmainCRTStartup -LARGEADDRESSAWARE -NXCOMPAT -DYNAMICBASE -SAFESEH -DEBUG -DEBUGTYPE:CV -DEBUG -OPT:REF -LTCG:PGINSTRUMENT /HEAP:0x40000 -LIBPATH:../../dist/lib -NODEFAULTLIB:msvcrt -NODEFAULTLIB:msvcrtd -NODEFAULTLIB:msvcprt -NODEFAULTLIB:msvcprtd -DEFAULTLIB:mozcrt nsBrowserApp.obj ./module.res e:/builds/moz2_slave/m-beta-w32/build/obj-firefox/dist/lib/xpcomglue.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib comctl32.lib comdlg32.lib uuid.lib shell32.lib ole32.lib oleaut32.lib version.lib winspool.lib usp10.lib msimg32.lib nsBrowserApp.obj : error LNK2001: unresolved external symbol __imp__moz_xmalloc nsBrowserApp.obj : error LNK2001: unresolved external symbol __imp__moz_free xpcomglue.lib(nsStringAPI.obj) : error LNK2001: unresolved external symbol __imp__moz_xrealloc firefox.exe : fatal error LNK1120: 3 unresolved externals and Windows debug builds: d:/mozilla-build/python25/python2.5.exe /e/builds/moz2_slave/m-beta-w32-dbg/build/config/pythonpath.py -I../../../config /e/builds/moz2_slave/m-beta-w32-dbg/build/config/expandlibs_exec.py --uselist -- link -nologo -out:nsTestSample.exe -pdb:nsTestSample.pdb nsTestSample.obj -LARGEADDRESSAWARE -NXCOMPAT -DYNAMICBASE -SAFESEH -DEBUG -DEBUGTYPE:CV e:/builds/moz2_slave/m-beta-w32-dbg/build/obj-firefox/dist/lib/mozglue.lib e:/builds/moz2_slave/m-beta-w32-dbg/build/obj-firefox/dist/lib/xpcomglue.lib kernel32.lib user32.lib gdi32.lib winmm.lib wsock32.lib advapi32.lib xpcomglue.lib(nsGlueLinkingWin.obj) : error LNK2019: unresolved external symbol __imp__moz_xmalloc referenced in function "void * __cdecl operator new(unsigned int)" (??2@YAPAXI@Z) xpcomglue.lib(nsGlueLinkingWin.obj) : error LNK2019: unresolved external symbol __imp__moz_free referenced in function "void __cdecl operator delete(void *)" (??3@YAXPAX@Z) nsTestSample.exe : fatal error LNK1120: 2 unresolved externals
Assignee | ||
Comment 27•12 years ago
|
||
That's...odd.
Assignee | ||
Comment 28•12 years ago
|
||
Fix pushed (works locally): https://hg.mozilla.org/releases/mozilla-beta/rev/12c84a8fdd87
Comment 29•12 years ago
|
||
Comment on attachment 589962 [details] [diff] [review] Part 1, v1: Add test that FallibleTArray returns false instead of crashing. [Triage Comment] Presumably this is needed to go along with the other patch on Aurora 12.
Attachment #589962 -
Flags: approval-mozilla-aurora? → approval-mozilla-beta+
Comment 30•12 years ago
|
||
*Beta 12
Assignee | ||
Comment 31•12 years ago
|
||
I did a poor job of landing this on Beta, but here are all the relevant csets: https://hg.mozilla.org/releases/mozilla-beta/rev/ee7378639638 https://hg.mozilla.org/releases/mozilla-beta/rev/12c84a8fdd87 https://hg.mozilla.org/releases/mozilla-beta/rev/a532dbd01acf https://hg.mozilla.org/releases/mozilla-beta/rev/8bf4b03ed889
Updated•12 years ago
|
Comment 32•12 years ago
|
||
It's needed in ESR if the patch of bug 702217 lands also.
tracking-firefox-esr10:
--- → ?
Updated•12 years ago
|
status-firefox-esr10:
--- → affected
Assignee | ||
Comment 33•12 years ago
|
||
Comment on attachment 589962 [details] [diff] [review] Part 1, v1: Add test that FallibleTArray returns false instead of crashing. esr10? per bug 702217 comment 80.
Attachment #589962 -
Flags: approval-mozilla-esr10?
Assignee | ||
Updated•12 years ago
|
Attachment #590296 -
Flags: approval-mozilla-esr10?
Updated•12 years ago
|
Attachment #589962 -
Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Updated•12 years ago
|
Attachment #590296 -
Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Assignee | ||
Comment 34•12 years ago
|
||
Could you please confirm that the right thing to do is not land this unless bug 702217 is going to land on ESR? It sounds like we're not going to land bug 702217.
Comment 35•12 years ago
|
||
Wontfixing for ESR since this depends on bug 702217 which in turn relies on Telemetry code that doesn't exist in the esr10 branch. We'll have to take this when it comes for free in the next ESR cut for 17.
Updated•12 years ago
|
Attachment #589962 -
Flags: approval-mozilla-esr10+
Updated•12 years ago
|
Attachment #590296 -
Flags: approval-mozilla-esr10+
You need to log in
before you can comment on or make changes to this bug.
Description
•