Closed Bug 956630 Opened 6 years ago Closed 6 years ago

@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHTTPCompressConv::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int)

Categories

(Core :: Networking: HTTP, defect, critical)

26 Branch
x86
All
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla29
Tracking Status
firefox26 --- affected
firefox27 --- affected

People

(Reporter: hitesh.seth, Assigned: nl)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [mentor=jdm][lang=c++][good first bug])

Crash Data

Attachments

(1 file, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

Signature: @ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHTTPCompressConv::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int)

https://crash-stats.mozilla.com/report/index/8f5fb310-b77a-4dab-ad51-c403e2140106

Date Processed	2014-01-06 04:46:39.134209
Uptime	307736
Last Crash	307765 seconds before submission
Install Age 	1558345 since version was first installed.
Install Time 	2013-12-18 04:25:51
Product 	Firefox
Version 	26.0
Build ID 	20131205075310
Release Channel 	release
OS 	Windows NT
OS Version 	6.1.7601 Service Pack 1
Build Architecture 	x86
Build Architecture Info 	GenuineIntel family 6 model 23 stepping 10 | 2
Crash Reason 	EXCEPTION_BREAKPOINT
Crash Address 	0x672e119c
User Comments 	opened facebook
App Notes 	

AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 02bc1028, AdapterDriverVersion: 8.15.10.2555
D2D! D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 

Processor Notes 	sp-processor06_phx1_mozilla_com.6264:2012; HybridCrashProcessor

Frame 	Module 	Signature 	Source
0 	mozalloc.dll 	mozalloc_abort(char const * const) 	memory/mozalloc/mozalloc_abort.cpp
1 	mozalloc.dll 	mozalloc_handle_oom(unsigned int) 	memory/mozalloc/mozalloc_oom.cpp
2 	mozalloc.dll 	moz_xmalloc 	memory/mozalloc/mozalloc.cpp
3 	xul.dll 	nsHTTPCompressConv::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp
4 	xul.dll 	nsStreamListenerTee::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/base/src/nsStreamListenerTee.cpp
5 	xul.dll 	mozilla::net::nsHttpChannel::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/protocol/http/nsHttpChannel.cpp
6 	xul.dll 	nsInputStreamPump::OnStateTransfer() 	netwerk/base/src/nsInputStreamPump.cpp
7 	xul.dll 	nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *) 	netwerk/base/src/nsInputStreamPump.cpp
8 	xul.dll 	nsInputStreamReadyEvent::Run() 	xpcom/io/nsStreamUtils.cpp
9 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
10 	xul.dll 	nsThread::ThreadFunc(void *) 	xpcom/threads/nsThread.cpp
11 	nss3.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c

More Reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozalloc_abort%28char+const%2A+const%29+%7C+mozalloc_handle_oom%28unsigned+int%29+%7C+moz_xmalloc+%7C+nsHTTPCompressConv%3A%3AOnDataAvailable%28nsIRequest%2A%2C+nsISupports%2A%2C+nsIInputStream%2A%2C+unsigned+__int64%2C+unsigned+int%29
Severity: normal → critical
Crash Signature: @ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHTTPCompressConv::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int)
Keywords: crash
Blocks: 943017
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 7 → All
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
http://mxr.mozilla.org/mozilla-central/source/netwerk/streamconv/converters/nsHTTPCompressConv.cpp#145

nsHTTPCompressConv has code that is checking for memory allocation failure, but it's using infallible allocators (ie. nsMemory::Alloc, nsMemory::Realloc) that will abort instead of returning null. This should use moz_malloc and moz_realloc instead.
Whiteboard: [mentor=jdm][lang=c++][good first bug]
I would like to try to fix this crash. Could you please assign this bug to me?
Assignee: nobody → nicklebedev37
I've mentioned a lot of others usages of nsMemory::(Re)Alloc in the netwerk/streamconv/converters which followed by check for zero allocated memory.

E.g.:
http://mxr.mozilla.org/mozilla-central/source/netwerk/streamconv/converters/nsBinHexDecoder.cpp#445,
http://mxr.mozilla.org/mozilla-central/source/netwerk/streamconv/converters/nsIndexedToHTML.cpp#713

I believe they may cause crash too. Please let me know if i need to file a new bug for it or fix them in this bug.
Attachment #8359238 - Flags: review?(josh)
Please go ahead and fix those too!
Fixed a few other calls of nsMemory::(Re)Alloc at files from folder netwerk/streamconv/converters.
Attachment #8359238 - Attachment is obsolete: true
Attachment #8359238 - Flags: review?(josh)
Attachment #8359626 - Flags: review?(josh)
Comment on attachment 8359626 [details] [diff] [review]
Replace nsMemory::Alloc/nsMemory::Realloc calls with moz_malloc/moz_realloc to avoid application aborts and successfully check for not allocated memory.

Yes, this looks totally fine to me, and apologies for the extreme delay. Let's get an official network peer's review for this.
Attachment #8359626 - Flags: review?(josh)
Attachment #8359626 - Flags: review?(jduell.mcbugs)
Attachment #8359626 - Flags: feedback+
Attachment #8359626 - Flags: review?(jduell.mcbugs) → review+
As penance for my earlier tardiness, I have pushed this with the proper reviewer annotation.

https://hg.mozilla.org/integration/mozilla-inbound/rev/98d0a4876836
https://hg.mozilla.org/mozilla-central/rev/98d0a4876836
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.