Closed Bug 813945 Opened 13 years ago Closed 7 years ago

OOM crash in XPCWrappedNative::GetAttribute with DataMngrHlpFF17.dll

Categories

(Core :: XPConnect, defect)

17 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED INACTIVE
Tracking Status
firefox17 - ---

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash)

Crash Data

It's currently #10 top browser crasher in 17.0. A manual check of crash reports shows a correlation to the DataMngr extension and DataMngrHlpFF17.dll. It's similar to bug 812307. Signature mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | XPCWrappedNative::GetAttribute(XPCCallContext&) More Reports Search UUID 874ffef6-4e83-4fe9-83fa-471802121121 Date Processed 2012-11-21 08:44:22 Uptime 20 Last Crash 22 seconds before submission Install Age 12.0 hours since version was first installed. Install Time 2012-11-20 20:43:07 Product Firefox Version 17.0 Build ID 20121119183901 Release Channel release OS Windows NT OS Version 5.1.2600 Service Pack 2 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 23 stepping 10 Crash Reason EXCEPTION_BREAKPOINT Crash Address 0x11a1988 App Notes AdapterVendorID: 0x1002, AdapterDeviceID: 0x954f, AdapterSubsysID: 24621682, AdapterDriverVersion: 8.582.0.0 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- EMCheckCompatibility True Adapter Vendor ID 0x1002 Adapter Device ID 0x954f Total Virtual Memory 2147352576 Available Virtual Memory 1938837504 System Memory Use Percentage 57 Available Page File 2060955648 Available Physical Memory 450621440 OOMAllocationSize 12 Frame Module Signature Source 0 mozalloc.dll mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:23 1 mozalloc.dll mozalloc_handle_oom memory/mozalloc/mozalloc_oom.cpp:27 2 mozalloc.dll moz_xmalloc memory/mozalloc/mozalloc.cpp:59 3 xul.dll XPCWrappedNative::GetAttribute js/xpconnect/src/xpcprivate.h:2823 4 xul.dll XPC_WN_GetterSetter js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1526 5 xul.dll nsXPConnect::GetXPConnect js/xpconnect/src/nsXPConnect.cpp:139 6 xul.dll XPC_WN_NoHelper_Resolve js/xpconnect/src/XPCWrappedNativeJSOps.cpp:690 7 mozjs.dll js::mjit::ic::GetProp js/src/methodjit/PolyIC.cpp:2020 8 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:363 9 mozjs.dll js::Invoke js/src/jsinterp.cpp:396 10 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5846 11 xul.dll nsXPCWrappedJSClass::CallMethod js/xpconnect/src/XPCWrappedJSClass.cpp:1442 12 xul.dll nsXPCWrappedJS::CallMethod js/xpconnect/src/XPCWrappedJS.cpp:580 13 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:85 14 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:112 15 xul.dll nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:149 16 DataMngrHlpFF17.dll DataMngrHlpFF17.dll@0x9fa4 17 DataMngrHlpFF17.dll DataMngrHlpFF17.dll@0x5879 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=mozalloc_abort%28char+const*+const%29+|+mozalloc_handle_oom%28unsigned+int%29+|+moz_xmalloc+|+XPCWrappedNative%3A%3AGetAttribute%28XPCCallContext%26%29
Crash Signature: [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | XPCWrappedNative::GetAttribute(XPCCallContext&)] → [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | XPCWrappedNative::GetAttribute(XPCCallContext&)] [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | XPCWrappedNative::FindTearO…
Crash Signature: XPCWrappedNative::FindTearOff(XPCCallContext&, XPCNativeInterface*, int, unsigned int*)] → XPCWrappedNative::FindTearOff(XPCCallContext&, XPCNativeInterface*, int, unsigned int*)] [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | XPCConvert::JSData2Native(XPCCallContext&, void*, JS::Value nsXPTType const&…
We've reached out to Bandoo, are attempting to reproduce internally, and are exploring blocklisting the DataMngr add-on in bug 812456. I've included some xpconnect experts to see if they can take a look at this stack and suggest any changes that we could make to Firefox to guard against this crash.
I've we're crashing in infallible malloc then either some prior operation is causing us to allocate way too much memory, or the heap is corrupted. Either way, not much we can do about it on the XPConnect end.
These are all small allocations (12 bytes?) and I looked at a few crash reports and they didn't seem to have a particularly huge amount of memory used, so it seems likely this is being caused by some kind of memory corruption.
This is almost certainly a dupe of 812307, which involves various crashes in jemalloc with this same addon.
It's #36 top browser crasher w/o hangs in 17.0 so no longer a top crasher.
Crash Signature: , nsXPTType const&, int, nsID const*, unsigned int*)] → , nsXPTType const&, int, nsID const*, unsigned int*)] [@ mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | XPCWrappedNative::GetAttribute] [@ mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | XPCWrappedNative::FindTearOff] [@ mozalloc_abort | moz…
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.