956630 - @ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHTTPCompressConv::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int)

Status: VERIFIED FIXED

(Core :: Networking: HTTP, defect)

Description

[hitesh.seth@yahoo.co.in]

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

Signature: @ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | nsHTTPCompressConv::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned __int64, unsigned int)

https://crash-stats.mozilla.com/report/index/8f5fb310-b77a-4dab-ad51-c403e2140106

Date Processed	2014-01-06 04:46:39.134209
Uptime	307736
Last Crash	307765 seconds before submission
Install Age 	1558345 since version was first installed.
Install Time 	2013-12-18 04:25:51
Product 	Firefox
Version 	26.0
Build ID 	20131205075310
Release Channel 	release
OS 	Windows NT
OS Version 	6.1.7601 Service Pack 1
Build Architecture 	x86
Build Architecture Info 	GenuineIntel family 6 model 23 stepping 10 | 2
Crash Reason 	EXCEPTION_BREAKPOINT
Crash Address 	0x672e119c
User Comments 	opened facebook
App Notes 	

AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 02bc1028, AdapterDriverVersion: 8.15.10.2555
D2D! D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 

Processor Notes 	sp-processor06_phx1_mozilla_com.6264:2012; HybridCrashProcessor

Frame 	Module 	Signature 	Source
0 	mozalloc.dll 	mozalloc_abort(char const * const) 	memory/mozalloc/mozalloc_abort.cpp
1 	mozalloc.dll 	mozalloc_handle_oom(unsigned int) 	memory/mozalloc/mozalloc_oom.cpp
2 	mozalloc.dll 	moz_xmalloc 	memory/mozalloc/mozalloc.cpp
3 	xul.dll 	nsHTTPCompressConv::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp
4 	xul.dll 	nsStreamListenerTee::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/base/src/nsStreamListenerTee.cpp
5 	xul.dll 	mozilla::net::nsHttpChannel::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/protocol/http/nsHttpChannel.cpp
6 	xul.dll 	nsInputStreamPump::OnStateTransfer() 	netwerk/base/src/nsInputStreamPump.cpp
7 	xul.dll 	nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *) 	netwerk/base/src/nsInputStreamPump.cpp
8 	xul.dll 	nsInputStreamReadyEvent::Run() 	xpcom/io/nsStreamUtils.cpp
9 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
10 	xul.dll 	nsThread::ThreadFunc(void *) 	xpcom/threads/nsThread.cpp
11 	nss3.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c

More Reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozalloc_abort%28char+const%2A+const%29+%7C+mozalloc_handle_oom%28unsigned+int%29+%7C+moz_xmalloc+%7C+nsHTTPCompressConv%3A%3AOnDataAvailable%28nsIRequest%2A%2C+nsISupports%2A%2C+nsIInputStream%2A%2C+unsigned+__int64%2C+unsigned+int%29

Comment 1

[Josh Matthews [:jdm]]

http://mxr.mozilla.org/mozilla-central/source/netwerk/streamconv/converters/nsHTTPCompressConv.cpp#145

nsHTTPCompressConv has code that is checking for memory allocation failure, but it's using infallible allocators (ie. nsMemory::Alloc, nsMemory::Realloc) that will abort instead of returning null. This should use moz_malloc and moz_realloc instead.

Comment 2

[Nick Lebedev [:nl]]

I would like to try to fix this crash. Could you please assign this bug to me?

Comment 3

[Nick Lebedev [:nl]]

Attachment: Replace nsMemory::Alloc/nsMemory::Realloc calls with moz_malloc/moz_realloc to avoid application aborts and successfully check for not allocated memory.

I've mentioned a lot of others usages of nsMemory::(Re)Alloc in the netwerk/streamconv/converters which followed by check for zero allocated memory.

E.g.:
http://mxr.mozilla.org/mozilla-central/source/netwerk/streamconv/converters/nsBinHexDecoder.cpp#445,
http://mxr.mozilla.org/mozilla-central/source/netwerk/streamconv/converters/nsIndexedToHTML.cpp#713

I believe they may cause crash too. Please let me know if i need to file a new bug for it or fix them in this bug.

Comment 4

[Josh Matthews [:jdm]]

Please go ahead and fix those too!

Comment 5

[Nick Lebedev [:nl]]

Attachment: Replace nsMemory::Alloc/nsMemory::Realloc calls with moz_malloc/moz_realloc to avoid application aborts and successfully check for not allocated memory.

Fixed a few other calls of nsMemory::(Re)Alloc at files from folder netwerk/streamconv/converters.

Comment 6

[Josh Matthews [:jdm]]

Comment on attachment 8359626 [details] [diff] [review]
Replace nsMemory::Alloc/nsMemory::Realloc calls with moz_malloc/moz_realloc to avoid application aborts and successfully check for not allocated memory.

Yes, this looks totally fine to me, and apologies for the extreme delay. Let's get an official network peer's review for this.

Comment 7

[Josh Matthews [:jdm]]

As penance for my earlier tardiness, I have pushed this with the proper reviewer annotation.

https://hg.mozilla.org/integration/mozilla-inbound/rev/98d0a4876836

Comment 8

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/98d0a4876836

Comment 9

[Ioana (away)]

Socorro shows no recent crashes with this signature for Firefox 29 or newer:
https://crash-stats.mozilla.com/report/list?signature=mozalloc_abort%28char+const%2A+const%29+%7C+mozalloc_handle_oom%28unsigned+int%29+%7C+moz_xmalloc+%7C+nsHTTPCompressConv%3A%3AOnDataAvailable%28nsIRequest%2A%2C+nsISupports%2A%2C+nsIInputStream%2A%2C+unsigned+__int64%2C+unsigned+int%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2014-03-26+12%3A00%3A00&range_value=4#tab-sigsummary