Closed Bug 984033 Opened 6 years ago Closed 6 years ago

Large OOM in nsStreamLoader::WriteSegmentFun

Categories

(Core :: Networking, defect, critical)

29 Branch
x86
Windows 7
defect
Not set
critical

VERIFIED FIXED
mozilla33
Tracking Status
firefox29 --- wontfix
firefox30 --- wontfix
firefox31 --- wontfix
firefox32 + verified
firefox33 --- verified
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed

People

(Reporter: hitesh.seth, Assigned: m_kato)

Details

(Keywords: crash, topcrash-win)

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140223004001

Steps to reproduce:

User Agent:  Firefox/29.0a2
Build ID:  	20140223004001

Signature: mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xrealloc | nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) 

https://crash-stats.mozilla.com/report/index/9263dc9a-cb5c-46a6-97f4-383db2140315

Date Processed	2014-03-15 19:56:25.994222
Uptime	53755
Last Crash	1207765 seconds before submission
Install Age 	1743504 since version was first installed.
Install Time 	2014-02-23 15:37:21
Product 	Firefox
Version 	29.0a2
Build ID 	20140223004001
Release Channel 	aurora
OS 	Windows NT
OS Version 	6.1.7601 Service Pack 1
Build Architecture 	x86
Build Architecture Info 	GenuineIntel family 6 model 23 stepping 10 | 2
Crash Reason 	EXCEPTION_BREAKPOINT
Crash Address 	0x71aa119c
User Comments 	Screen went black before crashing; Had many tabs open
App Notes 	

AdapterVendorID: 0x8086, AdapterDeviceID: 0x2a42, AdapterSubsysID: 02bc1028, AdapterDriverVersion: 8.15.10.2555
D2D! D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor08_phx1_mozilla_com.27915:2012; HybridCrashProcessor

Frame 	Module 	Signature 	Source
0 	mozalloc.dll 	mozalloc_abort(char const * const) 	memory/mozalloc/mozalloc_abort.cpp
1 	mozalloc.dll 	mozalloc_handle_oom(unsigned int) 	memory/mozalloc/mozalloc_oom.cpp
2 	mozalloc.dll 	moz_xrealloc 	memory/mozalloc/mozalloc.cpp
3 	xul.dll 	nsStreamLoader::WriteSegmentFun(nsIInputStream *,void *,char const *,unsigned int,unsigned int,unsigned int *) 	netwerk/base/src/nsStreamLoader.cpp
4 	xul.dll 	nsHTTPCompressConv::do_OnDataAvailable(nsIRequest *,nsISupports *,unsigned __int64,char const *,unsigned int) 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp
5 	xul.dll 	nsHTTPCompressConv::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/streamconv/converters/nsHTTPCompressConv.cpp
6 	xul.dll 	nsStreamListenerTee::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/base/src/nsStreamListenerTee.cpp
7 	xul.dll 	mozilla::net::nsHttpChannel::OnDataAvailable(nsIRequest *,nsISupports *,nsIInputStream *,unsigned __int64,unsigned int) 	netwerk/protocol/http/nsHttpChannel.cpp
8 	xul.dll 	nsInputStreamPump::OnStateTransfer() 	netwerk/base/src/nsInputStreamPump.cpp
9 	xul.dll 	nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *) 	netwerk/base/src/nsInputStreamPump.cpp
10 	xul.dll 	nsInputStreamReadyEvent::Run() 	xpcom/io/nsStreamUtils.cpp
11 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
12 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
13 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
14 	xul.dll 	_SEH_epilog4 	
15 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
16 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
17 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
18 	nss3.dll 	nss3.dll@0x7930 	
19 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
20 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
21 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
22 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
23 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozalloc_abort%28char+const%2A+const%29+%7C+mozalloc_handle_oom%28unsigned+int%29+%7C+moz_xrealloc+%7C+nsStreamLoader%3A%3AWriteSegmentFun%28nsIInputStream%2A%2C+void%2A%2C+char+const%2A%2C+unsigned+int%2C+unsigned+int%2C+unsigned+int%2A%29
Severity: normal → critical
Crash Signature: @ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xrealloc | nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*)
Component: Untriaged → Networking
Keywords: crash
Product: Firefox → Core
fix of Bug 966870 doesn't fix this issue.

Peiyong, can you fix this like bug 966870?  Use moz_realloc instead of NS_Realloc.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is showing up in Firefox 29 beta 1 and 2, somewhere in the top #50 crashers. It has a lot of comments where people seem to be browsing in Facebook when this crash happens. There are a lot of other URLs in addition to Facebook.
Crash Signature: @ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xrealloc | nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) → [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xrealloc | nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*)]
I took a memory report about 12 minutes before experiencing this crash so I'm uploading it.

I took it because I began experiencing significant jank, pauses & freezes/unresponsiveness.

In the past 3 or 4 days I have also experienced crashes with the following signatures:
bp-28b6347d-5e89-4fdf-825d-a81e82140401
bp-c765dbca-2899-44ab-8cb9-0dd332140402
bp-cb917cc6-e1a2-4cda-ad70-5aa762140325

I mention this because they've all happened to me recently, all happen with high memory and could be related.
Comment on attachment 8400434 [details] [diff] [review]
User fallible allocator instead

Use fallible allocator. Bug 966870 replaces NS_Alloc with moz_malloc, but we should replace NS_Realloc too.
Attachment #8400434 - Flags: review?(honzab.moz)
Comment on attachment 8400434 [details] [diff] [review]
User fallible allocator instead

Review of attachment 8400434 [details] [diff] [review]:
-----------------------------------------------------------------

Hmm.. another candidate for bug 966024!

We may need to fix also http://hg.mozilla.org/mozilla-central/annotate/aec6bf932306/gfx/thebes/gfxUserFontSet.cpp#l497 that adopts moz_malloc'ated data.  But still, this should be all encapsulated and allocators synchronized with something we now build in bug 966024.

r=honzab for this part.
Attachment #8400434 - Flags: review?(honzab.moz) → review+
(In reply to Honza Bambas (:mayhemer) from comment #6)
> Comment on attachment 8400434 [details] [diff] [review]
> User fallible allocator instead
> 
> Review of attachment 8400434 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Hmm.. another candidate for bug 966024!
> 
> We may need to fix also
> http://hg.mozilla.org/mozilla-central/annotate/aec6bf932306/gfx/thebes/
> gfxUserFontSet.cpp#l497 that adopts moz_malloc'ated data.  But still, this

Ah, we should replace with moz_free too.
This is creeping up and it is within the top 20 crashers in Fx29 beta.
Crash Signature: [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xrealloc | nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*)] → [@ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xrealloc | nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*)] [@ OOM | large | mozalloc_abort(char const* const) …
Summary: @ mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xrealloc | nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) → Large OOM in nsStreamLoader::WriteSegmentFun
Makoto, what is the next action here? This is in the top 20 crashers on releases.
Flags: needinfo?(m_kato)
My SO's Firefox 31.0 crashed like below so I'm commenting here to track this bug.

Let me know if there's anything worth collecting from the crashing profile.

Report ID 	Date Submitted
bp-64d78fa5-c707-4b3d-848f-b0a1c2140705	05/07/2014	01:06 p.m.
rebase and send review again by comment #6 and #7.
Flags: needinfo?(m_kato)
m_kato, could you please create such a rebased patch? This seems to be one of the top crashes we will ship in 31, I'd hope we can get it fixed at least in time for 32.

That said, the reason this has become a topcrash seems to be addons with IDs like 143f44cf-d99c-4e45-8cd9-ef929de77aa8@bdbf6038-0097-480c-8d8e-fc48e28131a8.com or 2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com (just two examples, there are more), which seems to be using the crossrider framework, see bug 1036184, and they are working on improvements.

Still, there is something here we should do and we have a patch that just needs rebasing, so let's please get this done.
Attached patch v2
Flags: needinfo?(m_kato)
Comment on attachment 8456695 [details] [diff] [review]
v2

I should modify nsScriptLoader.cpp, nsNSSCallbacks.cpp, and IDL comment too
Attachment #8456695 - Flags: review?(honzab.moz)
Comment on attachment 8456695 [details] [diff] [review]
v2

No deep look this time...
Attachment #8456695 - Flags: review?(honzab.moz) → review+
https://hg.mozilla.org/mozilla-central/rev/f5d1735bbe5c
Assignee: nobody → m_kato
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
(In reply to Carsten Book [:Tomcat] from comment #17)
> https://hg.mozilla.org/mozilla-central/rev/f5d1735bbe5c

This has completely dropped off on Nightly. There are 17 crashes in the last week but all are with builds created on or before July 17, 2014. I think we should uplift for Firefox 32 at the very least and consider uplifting to release as a ride-along if we end up doing a .point release for 31.
Status: RESOLVED → VERIFIED
This fix has been on 33 for a week. Can you please make an uplift request for beta 32?
Flags: needinfo?(m_kato)
Flags: needinfo?(m_kato)
Comment on attachment 8463191 [details] [diff] [review]
rebase for mozilla-beta

[Feature/regressing bug #]:
 No

[User impact if declined]:
large network stream may cause OOM.  This crash id is top 13 in 32.0b and top 5 in 31.0.

[Describe test coverage new/current, TBPL]: 
landed in 33.  Also, no regression now

[Risks and why]:
Low.  just return out of memory error.

[String/UUID change made/needed]:
No.  IDL modification is comment only
Attachment #8463191 - Flags: approval-mozilla-beta?
Comment on attachment 8463191 [details] [diff] [review]
rebase for mozilla-beta

beta+
Attachment #8463191 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
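
The change discussed in this bug, growing the stream buffer with a fallible realloc so that a large stream produces an out-of-memory error instead of aborting the process, sketched as an added example. This is not the Mozilla patch: `Loader`, `WriteSegment`, `FallibleRealloc`, `FeedSegments` and the allocation cap are hypothetical stand-ins, and the segments are constructed test data.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <vector>

// Hypothetical fallible allocator: fails above a cap so the error path is testable.
static size_t gAllocCap = SIZE_MAX;
static void* FallibleRealloc(void* p, size_t n) {
  return n > gAllocCap ? nullptr : std::realloc(p, n);
}
enum Result { OK, ERROR_OUT_OF_MEMORY };

struct Loader {
  uint8_t* data = nullptr;
  uint32_t length = 0;
  uint32_t allocated = 0;
  ~Loader() { std::free(data); }  // release with the matching allocator
};

// Append one segment of an incoming stream; on allocation failure report an
// error to the caller instead of aborting the process.
Result WriteSegment(Loader& l, const char* seg, uint32_t count) {
  if (count == 0) return OK;
  if (count > UINT32_MAX - l.length) return ERROR_OUT_OF_MEMORY;  // wraparound
  uint32_t needed = l.length + count;
  if (needed > l.allocated) {
    // Keep the old pointer until realloc succeeds; on failure it stays valid.
    void* grown = FallibleRealloc(l.data, needed);
    if (!grown) return ERROR_OUT_OF_MEMORY;
    l.data = static_cast<uint8_t*>(grown);
    l.allocated = needed;
  }
  std::memcpy(l.data + l.length, seg, count);
  l.length = needed;
  return OK;
}

// Feed constructed segments of 'x' bytes; returns how many were accepted.
uint32_t FeedSegments(Loader& l, uint32_t segments, uint32_t segSize) {
  std::vector<char> seg(segSize, 'x');
  for (uint32_t i = 0; i < segments; ++i)
    if (WriteSegment(l, seg.data(), segSize) != OK) return i;
  return segments;
}

int main() {
  gAllocCap = 1u << 20;  // constructed 1 MiB limit
  Loader l;
  return FeedSegments(l, 32, 64 * 1024) == 16 ? 0 : 1;
}
```

The caller sees `ERROR_OUT_OF_MEMORY` on the segment that would exceed the cap, while the data already buffered remains intact and is freed normally.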