859780 - crash in ToNewUnicode (mozalloc_abort)

Status: RESOLVED WORKSFORME

(Thunderbird :: General, defect)

Description

[Wayne Mery (:wsmwk)]

This bug was filed from the Socorro interface and is 
report bp-b33a2006-4b19-42f8-b411-6a63f2130403 .
============================================================= 
0	mozalloc.dll	mozalloc_abort	memory/mozalloc/mozalloc_abort.cpp:23
1	mozalloc.dll	mozalloc_handle_oom	memory/mozalloc/mozalloc_oom.cpp:27
2	mozalloc.dll	moz_xmalloc	memory/mozalloc/mozalloc.cpp:59
3	xul.dll	ToNewUnicode	xpcom/string/src/nsReadableUtils.cpp:318
4	xul.dll	XPCConvert::NativeData2JS	js/xpconnect/src/XPCConvert.cpp:284
5	xul.dll	XPCWrappedNative::CallMethod	js/xpconnect/src/XPCWrappedNative.cpp:2367
6	xul.dll	XPC_WN_GetterSetter	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1526
7	mozjs.dll	JaegerTrampoline	js/src/methodjit/MethodJIT.cpp:839
8	mozjs.dll	js::mjit::EnterMethodJIT	js/src/methodjit/MethodJIT.cpp:1016
9	mozjs.dll	js::mjit::JaegerShot	js/src/methodjit/MethodJIT.cpp:1086
10	mozjs.dll	js::RunScript	js/src/jsinterp.cpp:306 

hg@1 315 PRUnichar*
hg@1 316 ToNewUnicode( const nsACString& aSource )
hg@1 317 {
hg@1 318 PRUnichar* result = AllocateStringCopy(aSource, (PRUnichar*)0); 


several signatures containing ToNewUnicode
https://crash-stats.mozilla.com/query/query?product=Thunderbird&version=ALL%3AALL&range_value=1&range_unit=weeks&date=04%2F09%2F2013+13%3A06%3A20&query_search=signature&query_type=contains&query=ToNewUnicode&reason=&build_id=&process_type=any&hang_type=any&do_query=1

Comment 1

[Wolf]

Is it possible, that the underlying problem can cause *empty replies* to some emails: today, I tried to reply to an email that had a windows registry export attached (which seems to be encoded in UNICODE)?

Comment 2

[Wolf]

(In reply to Wolf Peuker from comment #1)
> Is it possible, that the underlying problem can cause *empty replies* to
> some emails: today, I tried to reply to an email that had a windows registry
> export attached (which seems to be encoded in UNICODE)?
see Bug 958479 for details

Comment 3

[Virtual_ManPL [:Virtual] 🇵🇱 - (please needinfo? me - so I will see your comment/reply/question/etc.)]

I'm marking this bug as WORKSFORME as bug crashlog signature didn't appear from a long time (over half year).

Comment 4

[Wayne Mery (:wsmwk)]

I suspect the bug still exists but the signature has changed.

 OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | ToNewUnicode 
bp-25d32ccb-d965-4c15-bdc3-d31d32170318
https://crash-stats.mozilla.com/signature/?product=Thunderbird&signature=OOM%20%7C%20large%20%7C%20mozalloc_abort%20%7C%20mozalloc_handle_oom%20%7C%20moz_xmalloc%20%7C%20ToNewUnicode&date=%3E%3D2016-09-19T03%3A24%3A10.000Z&date=%3C2017-03-19T03%3A24%3A10.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports

and

 OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | UTF8ToNewUnicode 
bp-2e02c639-5e1f-4f32-97ff-4ade52170312
https://crash-stats.mozilla.com/signature/?product=Thunderbird&signature=OOM%20%7C%20large%20%7C%20mozalloc_abort%20%7C%20mozalloc_handle_oom%20%7C%20moz_xmalloc%20%7C%20UTF8ToNewUnicode&date=%3E%3D2016-09-19T03%3A24%3A10.000Z&date=%3C2017-03-19T03%3A24%3A10.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports

Comment 5

[Wayne Mery (:wsmwk)]

(needs more research)

Comment 6

[Wayne Mery (:wsmwk)]

Crash rate of 60.x is much lower than 50.x. What's left now is OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | ToNewUnicode

Are steps needed, or is cause evident from the code?
bp-e0b92ea1-e064-4e8d-a7ee-fccce0190214 60.4.0
bp-bfa387f2-271f-4aa7-92a3-997e50190214 60.5.0

0 mozglue.dll mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:31
1 mozglue.dll mozalloc_handle_oom(unsigned int) memory/mozalloc/mozalloc_oom.cpp:51
2 mozglue.dll moz_xmalloc memory/mozalloc/mozalloc.cpp:70
3 xul.dll ToNewUnicode(nsTSubstring<char16_t> const&) xpcom/string/nsReadableUtils.cpp:426
4 xul.dll nsPrimitiveHelpers::CreateDataFromPrimitive(nsTSubstring<char> const&, nsISupports*, void**, unsigned int) widget/nsPrimitiveHelpers.cpp:141
5 xul.dll DataStruct::WriteCache(nsISupports*, unsigned int) widget/nsTransferable.cpp:131
6 xul.dll DataStruct::SetData(nsISupports*, unsigned int, bool) widget/nsTransferable.cpp:74
7 xul.dll nsTransferable::SetTransferData(char const*, nsISupports*, unsigned int) widget/nsTransferable.cpp:361
8 xul.dll AppendString dom/base/nsCopySupport.cpp:509
9 xul.dll SelectionCopyHelper dom/base/nsCopySupport.cpp:248
10 xul.dll nsCopySupport::HTMLCopy(nsISelection*, nsIDocument*, short, bool) dom/base/nsCopySupport.cpp:305
11 xul.dll nsCopySupport::FireClipboardEvent(mozilla::EventMessage, int, nsIPresShell*, nsISelection*, bool*) dom/base/nsCopySupport.cpp:870
12 xul.dll nsClipboardCommand::DoCommand(char const*, nsISupports*) dom/base/nsGlobalWindowCommands.cpp:528
13 xul.dll nsControllerCommandTable::DoCommand(char const*, nsISupports*) dom/commandhandler/nsControllerCommandTable.cpp:137
14 xul.dll nsBaseCommandController::DoCommand(char const*) dom/commandhandler/nsBaseCommandController.cpp:127
15 xul.dll nsXBLPrototypeHandler::DispatchXBLCommand(mozilla::dom::EventTarget*, nsIDOMEvent*) dom/xbl/nsXBLPrototypeHandler.cpp:530
16 xul.dll nsXBLPrototypeHandler::ExecuteHandler(mozilla::dom::EventTarget*, nsIDOMEvent*) dom/xbl/nsXBLPrototypeHandler.cpp:258
17 xul.dll JS::StructGCPolicy<JS::GCVector<jsid, 8, js::TempAllocPolicy> >::trace(JSTracer*, JS::GCVector<jsid, 8, js::TempAllocPolicy>, char const) js/public/GCPolicyAPI.h:74
18 xul.dll nsXBLWindowKeyHandler::WalkHandlersAndExecute(mozilla::dom::KeyboardEvent*, nsAtom*, nsXBLPrototypeHandler*, unsigned int, mozilla::IgnoreModifierState const&, bool, bool*) dom/xbl/nsXBLWindowKeyHandler.cpp:729
19 xul.dll nsXBLWindowKeyHandler::WalkHandlersInternal(mozilla::dom::KeyboardEvent*, nsAtom*, nsXBLPrototypeHandler*, bool, bool*) dom/xbl/nsXBLWindowKeyHandler.cpp:598
20 xul.dll nsXBLWindowKeyHandler::WalkHandlers(mozilla::dom::KeyboardEvent*, nsAtom*) dom/xbl/nsXBLWindowKeyHandler.cpp:268
21 xul.dll nsXBLWindowKeyHandler::HandleEvent(nsIDOMEvent*) dom/xbl/nsXBLWindowKeyHandler.cpp:476
22 xul.dll mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp:1044
23 xul.dll nsAutoPopupStatePusherInternal::nsAutoPopupStatePusherInternal(PopupControlState, bool) dom/base/nsGlobalWindowOuter.cpp:7209
24 xul.dll nsAutoPopupStatePusherInternal::nsAutoPopupStatePusherInternal(PopupControlState, bool) dom/base/nsGlobalWindowOuter.cpp:7209
25 xul.dll mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp:1292

Comment 7

[Magnus Melin [:mkmelin]]

Looks like we're just copying something too large -> out of memory. I'm not sure what we can do about that.

Comment 8

[Wayne Mery (:wsmwk)]

Will want to check 78 beta when it comes out, now that bug 1515419 is fixed

Comment 9

[Wayne Mery (:wsmwk)]

oddly, the signature dies out after 68.8.0 https://crash-stats.mozilla.org/signature/?product=Thunderbird&signature=OOM%20%7C%20large%20%7C%20mozalloc_abort%20%7C%20mozalloc_handle_oom%20%7C%20moz_xmalloc%20%7C%20ToNewUnicode&date=%3E%3D2020-01-03T15%3A25%3A00.000Z&date=%3C2020-07-03T15%3A25%3A00.000Z

I think it morphed to this which has crashes for 68.8.1 and 68.9.0 https://crash-stats.mozilla.org/signature/?signature=OOM%20%7C%20large%20%7C%20mozalloc_abort%20%7C%20moz_xmalloc%20%7C%20ToNewUnicode&product=Thunderbird&date=%3E%3D2020-04-03T15%3A27%3A00.000Z&date=%3C2020-07-03T15%3A27%3A00.000Z&_sort=-date

But there are no crashes for either signature for 69 or newer, so => WFM