Closed Bug 731176 Opened 12 years ago Closed 6 years ago

OOM Crash [@ DocumentURI] with possibly unhandled fallible alloc in nsXBLDocumentInfo constructor

Categories: Core :: XBL, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED WONTFIX
People: Reporter: decoder, Unassigned
Keywords: crash

Tested on m-c revision 66e4d53697c2: A fallible allocation (nsTHashTable), possibly in the nsXBLDocumentInfo constructor, causes the following warning and crash later:

WARNING: NS_ENSURE_TRUE(mDocumentTable.IsInitialized() || mDocumentTable.Init(16)) failed: file /srv/repos/browser/mozilla-central/content/xbl/src/nsBindingManager.cpp, line 1108
[New Thread 0x2aaac2e31700 (LWP 63400)]

Program received signal SIGSEGV, Segmentation fault.
DocumentURI (this=0x3209fb0) at /srv/repos/browser/mozilla-central/content/xbl/src/nsXBLDocumentInfo.h:65
65        nsIURI* DocumentURI() { return mDocument->GetDocumentURI(); }
#0  DocumentURI (this=0x3209fb0) at /srv/repos/browser/mozilla-central/content/xbl/src/nsXBLDocumentInfo.h:65
#1  nsXBLPrototypeBinding::Init (this=0x3210cc0, aID=..., aInfo=0x3209fb0, aElement=0x320fbc0, aFirstBinding=<optimized out>) at /srv/repos/browser/mozilla-central/content/xbl/src/nsXBLPrototypeBinding.cpp:339
#2  0x00002aaaaca750d2 in nsXBLContentSink::ConstructBinding (this=0x31f97e0, aLineNumber=<optimized out>) at /srv/repos/browser/mozilla-central/content/xbl/src/nsXBLContentSink.cpp:577
#3  0x00002aaaac5e379a in nsExpatDriver::HandleStartElement (this=0x3206d80, aValue=0x3209d90, aAtts=0x3207210) at /srv/repos/browser/mozilla-central/parser/htmlparser/src/nsExpatDriver.cpp:411
#4  0x00002aaaac5fc672 in doContent (parser=0x3206e60, startTagLevel=0, enc=0x2aaaae1de320, s=0x3205a86 "<", end=0x3206596 "", nextPtr=<optimized out>, haveMore=1 '\001') at /srv/repos/browser/mozilla-central/parser/expat/lib/xmlparse.c:2413
#5  0x00002aaaac5fce78 in contentProcessor (parser=0x3206e60, start=<optimized out>, end=<optimized out>, endPtr=<optimized out>) at /srv/repos/browser/mozilla-central/parser/expat/lib/xmlparse.c:2043
#6  0x00002aaaac5fa77f in doProlog (parser=0x3206e60, enc=<optimized out>, s=0x32058fe "<", end=0x3206596 "", tok=29, next=0x32058fe "<", nextPtr=0x7fffffff8f38, haveMore=1 '\001') at /srv/repos/browser/mozilla-central/parser/expat/lib/xmlparse.c:4024
#7  0x00002aaaac5fba9f in prologProcessor (parser=0x3206e60, s=0x32058d0 "<", end=0x3206596 "", nextPtr=0x7fffffff8f38) at /srv/repos/browser/mozilla-central/parser/expat/lib/xmlparse.c:3758


The backtrace of the failing allocation is as follows:

#0 /srv/repos/browser/mozilla-central/objdir-ff-gcc64dbg/dist/bin/libmozalloc.so(moz_malloc+0x5f) [0x2aaaaab2415c] (aab2415c)
#1 PL_DHashTableInit at objdir-ff-gcc64dbg/xpcom/build/pldhash.cpp:270
#2 nsTHashtable<nsBaseHashtableET<nsURIHashKey, nsRefPtr<nsXBLDocumentInfo> > >::Init(unsigned int) at objdir-ff-gcc64dbg/dist/include/nsTHashtable.h:425
#3 nsXBLContentSink::OnOpenContainer(unsigned short const**, unsigned int, int, nsIAtom*, unsigned int) at content/xbl/src/nsXBLContentSink.cpp:436
#4 nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int, bool) at content/xml/document/src/nsXMLContentSink.cpp:1018
#5 nsXMLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int) at content/xml/document/src/nsXMLContentSink.cpp:984
#6 nsXBLContentSink::HandleStartElement(unsigned short const*, unsigned short const**, unsigned int, int, unsigned int) at content/xbl/src/nsXBLContentSink.cpp:293
#7 nsExpatDriver::HandleStartElement(unsigned short const*, unsigned short const**) at parser/htmlparser/src/nsExpatDriver.cpp:412
#8 doContent at parser/expat/lib/xmlparse.c:2387
#9 contentProcessor at parser/expat/lib/xmlparse.c:2045
#10 doProlog at parser/expat/lib/xmlparse.c:4024
#11 prologProcessor at parser/expat/lib/xmlparse.c:3760
#12 MOZ_XML_Parse at parser/expat/lib/xmlparse.c:1522
#13 nsExpatDriver::ParseBuffer(unsigned short const*, unsigned int, bool, unsigned int*) at parser/htmlparser/src/nsExpatDriver.cpp:1011
#14 nsExpatDriver::ConsumeToken(nsScanner&, bool&) at parser/htmlparser/src/nsExpatDriver.cpp:1107
#15 nsParser::Tokenize(bool) at parser/htmlparser/src/nsParser.cpp:2277


The allocation backtrace misses some frames between #2 and #3 it seems (due to optimization), but I assume it's NS_NewXBLDocumentInfo calling the nsXBLDocumentInfo which involves some hashtables being created. If the optimization is causing problems here, let me know and I'll repeat the whole experiment with a debug-only build (I actually noticed only after the experiment that it's a debug+opt build).
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX