Closed Bug 1026458 Opened 10 years ago Closed 4 years ago

Large OOM in nsACString_internal::SetLength

Categories

(DevTools :: Netmonitor, defect, P2)

Product:
DevTools
Component:
Netmonitor
Platform:
All
Linux
Type:
defect

Tracking

(firefox47 affected, firefox48 affected, firefox49 affected, firefox-esr45 affected, firefox50 affected, firefox51 affected)

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox-esr45 --- affected
firefox50 --- affected
firefox51 --- affected

People

(Reporter: gcp, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-cbfbf4b9-7353-4917-bb1b-f475b2140617. ============================================================= Note that although it's a 3.6G allocation, this is a 64-bit build. After some investigating, the problem is that size_type in the nsString code is not defined as size_t, but: http://dxr.mozilla.org/mozilla-central/source/xpcom/string/public/nsTSubstring.h#87
glandium/tbsaunde clarified that this crash can't be caused by web JS directly, so it's really something in Firefox trying to do something silly.
(gdb) call DumpJSStack() 0 NetUtil_readInputStreamToString(aInputStream = [xpconnect wrapped (nsISupports, nsIMultiplexInputStream, nsIInputStream, nsISeekableStream)], aCount = 3639615899) ["resource://gre/modules/NetUtil.jsm":300] this = [object Object] 1 NH_readAndConvertFromStream(aStream = [xpconnect wrapped (nsISupports, nsIMultiplexInputStream, nsIInputStream, nsISeekableStream)], aCharset = "UTF-8") ["resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/devtools/toolkit/webconsole/network-helper.js":102] <failed to get 'this' value> 2 NH_readPostTextFromRequest(aRequest = [xpconnect wrapped (nsISupports, nsIHttpChannel, nsIHttpChannelInternal, nsITraceableChannel, nsIUploadChannel)], aCharset = "UTF-8") ["resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/devtools/toolkit/webconsole/network-helper.js":137] <failed to get 'this' value> 3 NM__onRequestBodySent(aHttpActivity = [object Object]) ["resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/devtools/toolkit/webconsole/network-monitor.js":793] this = [object Object] 4 NM_observeActivity(aChannel = [xpconnect wrapped (nsISupports, nsIHttpChannel, nsIHttpChannelInternal, nsITraceableChannel)], aActivityType = 2, aActivitySubtype = 20482, aTimestamp = 1403007356104312, aExtraSizeData = 0, aExtraStringData = "") ["resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/devtools/toolkit/webconsole/network-monitor.js":568] this = [object Object] 5 anonymous(arguments = [xpconnect wrapped (nsISupports, nsIHttpChannel, nsIHttpChannelInternal, nsITraceableChannel)], 2, 20482, 1403007356104312, 0, "") ["resource://gre/modules/commonjs/toolkit/loader.js -> resource://gre/modules/devtools/DevToolsUtils.js":84] this = [object Object]
Component: String → Developer Tools: Netmonitor
Product: Core → Firefox
NH_readPostTextFromRequest + NetUtil_readInputStreamToString don't sound like a good idea if we're dealing with a multi-gigabyte request.
Did you have the devtools open while doing the transfer, or are the devtools always sniffing transfers even when they are not opened?
Devtools need to be active.
(In reply to Gian-Carlo Pascutto [:gcp] from comment #0) > Note that although it's a 3.6G allocation, this is a 64-bit build. Allocations that large should not be infallible...
Summary: crash in OOM | large | NS_ABORT_OOM(unsigned long) | nsACString_internal::SetLength(unsigned int) → Large OOM in nsACString_internal::SetLength
Crash Signature: [@ OOM | large | NS_ABORT_OOM(unsigned long) | nsACString_internal::SetLength(unsigned int)] → [@ OOM | large | NS_ABORT_OOM(unsigned long) | nsACString_internal::SetLength(unsigned int)] [@ OOM | large | NS_ABORT_OOM | nsACString_internal::SetLength]
Crash volume for signature 'OOM | large | NS_ABORT_OOM | nsACString_internal::SetLength': - nightly (version 50): 1 crash from 2016-06-06. - aurora (version 49): 5 crashes from 2016-06-07. - beta (version 48): 61 crashes from 2016-06-06. - release (version 47): 317 crashes from 2016-05-31. - esr (version 45): 13 crashes from 2016-04-07. Crash volume on the last weeks: Week N-1 Week N-2 Week N-3 Week N-4 Week N-5 Week N-6 Week N-7 - nightly 1 0 0 0 0 0 0 - aurora 0 0 2 0 1 2 0 - beta 13 7 7 7 8 15 2 - release 43 55 49 56 35 49 13 - esr 1 1 0 2 1 0 4 Affected platforms: Windows, Mac OS X, Linux
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr45: --- → affected
Crash volume for signature 'OOM | large | NS_ABORT_OOM | nsACString_internal::SetLength': - nightly (version 51): 3 crashes from 2016-08-01. - aurora (version 50): 1 crash from 2016-08-01. - beta (version 49): 29 crashes from 2016-08-02. - release (version 48): 49 crashes from 2016-07-25. - esr (version 45): 19 crashes from 2016-05-02. Crash volume on the last weeks (Week N is from 08-22 to 08-28): W. N-1 W. N-2 W. N-3 - nightly 2 1 0 - aurora 1 0 0 - beta 8 7 4 - release 17 16 8 - esr 1 2 2 Affected platforms: Windows, Mac OS X, Linux Crash rank on the last 7 days: Browser Content Plugin - nightly - aurora - beta #1217 - release #1495 - esr #3331
status-firefox51: --- → affected
This might be dup of bug 1297525 Honza
Priority: -- → P2
Product: Firefox → DevTools

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.