Closed Bug 1498194 Opened 6 years ago Closed 2 years ago

Linux ATK a11y crash in OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetLength when changing continuously the Devtools position

Categories

(Core :: Disability Access APIs, defect, P3)

All
Linux
defect

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- affected
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox68 --- wontfix
firefox69 --- fix-optional
firefox70 --- fix-optional

People

(Reporter: cgeorgiu, Unassigned)

Details

(Keywords: crash, regression)

Attachments

(1 file)

This bug was filed from the Socorro interface and is
report bp-ee06efe4-5baf-40c5-82fe-af8d70181011.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so NS_ABORT_OOM xpcom/base/nsDebugImpl.cpp:628
1 libxul.so nsTSubstring<char>::SetLength xpcom/string/nsTSubstring.cpp:847
2 libxul.so mozilla::a11y::DOMtoATK::ATKStringConverterHelper::FinishUTF16toUTF8 xpcom/string/nsTSubstring.h:923
3 libxul.so mozilla::a11y::DOMtoATK::ATKStringConverterHelper::ConvertAdjusted accessible/atk/DOMtoATK.cpp:134
4 libxul.so getTextCB accessible/atk/DOMtoATK.h:128
5 libxul.so getTextSelectionCB accessible/atk/nsMaiInterfaceText.cpp:543
6 libatk-1.0.so.0.21809.1 libatk-1.0.so.0.21809.1@0x14661 
7 libatk-bridge-2.0.so.0.0.0 libatk-bridge-2.0.so.0.0.0@0x1ce02 
8 libatk-bridge-2.0.so.0.0.0 libatk-bridge-2.0.so.0.0.0@0x1cd3f 
9 libatk-bridge-2.0.so.0.0.0 libatk-bridge-2.0.so.0.0.0@0x12569 

=============================================================

[Affected versions]:
- latest Nightly 64.a01
- Beta 63.0b13

[Affected platforms]:
- Ubuntu 16.04 x64

[Steps to reproduce]:
1. Launch Firefox.
2. Press "F12" in order to open Devtools.
3. Click on the "Customize Developer Tools and Get help" button (those three dots) situated in the right upper corner.
4. Toggle between the first 4 options in the dialog panel for a few times; "Dock to bottom", "Dock to right", "Dock to left", "Separate window" (please see the attached screencast).

[Expected result]:
- Firefox doesn't crash.

[Actual result]:
- Firefox crashes.

[Regression range]:
- I can't seem to reproduce it on 62.0.3, but since this crash happens rather randomly, it would be hard to determine a regression range.

[Additional notes]:
- Please note this crash is intermittent and due to this fact the above steps are not triggering the crash each time.
- Also, this issue doesn't occur on macOS 10.13 and Windows. I was able to reproduce it on only one of the machines I tested, which runs Ubuntu 16.04 x64; see the about:support page of this machine: https://pastebin.com/SLeZZit6

Component: DOM → Disability Access APIs

Root cause:

Instead of being an actual OOM on 64-bit Linux, it's more likely that we reach the maximum possible length for an XPCOM string and report that as an OOM. This suggests that the repro steps cause some accessibility-exposed string to grow and grow every time the dev tools docking is changed. We should use this bug number to track down whatever it is that causes an accessibility-exposed string to grow every time the dev tools docking is changed.

Additional notes:

 * This doesn't happen on Windows or Mac, because the code involved is specific to the Linux accessibility API (ATK).

 * Repro on one machine but not another is probably caused by one machine running accessibility-API-using software that causes Firefox to report things via ATK and another not running such software so Firefox doesn't bother reporting things via ATK.

 * The current string conversion code between Gecko and ATK was introduced in bug 1346535.

 * This problem was not caused by bug 1487341 (the changeset isn't present on beta and the crash report is from beta).

 * The conversion code looks needlessly inefficient. Filed bug 1498473.

 * Changing the Gecko-style allocations to fallible doesn't help unless the glib-style allocations are changed, too.
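
The distinction drawn in the root-cause comment above, as an added illustration that is not part of the bug report and is not Gecko or ATK code: a UTF-16 to UTF-8 conversion that reports a length-cap hit separately from a real allocation failure and allocates fallibly for the C side. The names `ConvResult` and `ConvertFallible` and the 64-byte `kMaxLen` are assumptions.

```cpp
// Added illustration, not Gecko or ATK code; names and kMaxLen are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <string>

enum class ConvResult { Ok, TooLong, OutOfMemory };
constexpr size_t kMaxLen = 64;  // tiny stand-in for a string class's length cap

// Decode one code point at in[i]; unpaired surrogates become U+FFFD.
static uint32_t NextCodePoint(const std::u16string& in, size_t& i) {
  uint32_t c = in[i++];
  if (c >= 0xD800 && c <= 0xDBFF && i < in.size() &&
      in[i] >= 0xDC00 && in[i] <= 0xDFFF)
    return 0x10000 + ((c - 0xD800) << 10) + (in[i++] - 0xDC00);
  return (c >= 0xD800 && c <= 0xDFFF) ? 0xFFFD : c;
}

static size_t Utf8Len(uint32_t cp) {
  return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

// UTF-16 -> UTF-8 into a malloc'd, NUL-terminated buffer the caller frees.
ConvResult ConvertFallible(const std::u16string& in, char** out, size_t* outLen) {
  *out = nullptr; *outLen = 0;
  size_t need = 0;
  for (size_t i = 0; i < in.size();) {
    need += Utf8Len(NextCodePoint(in, i));
    if (need > kMaxLen) return ConvResult::TooLong;  // length cap, not OOM
  }
  // Fallible allocation (the role g_try_malloc plays in glib code).
  char* buf = static_cast<char*>(std::malloc(need + 1));
  if (!buf) return ConvResult::OutOfMemory;
  static const unsigned char kLead[] = {0, 0, 0xC0, 0xE0, 0xF0};
  size_t o = 0;
  for (size_t i = 0; i < in.size();) {
    uint32_t cp = NextCodePoint(in, i);
    size_t n = Utf8Len(cp);
    if (n == 1) { buf[o++] = static_cast<char>(cp); continue; }
    buf[o++] = static_cast<char>(kLead[n] | (cp >> (6 * (n - 1))));
    for (size_t k = n - 1; k-- > 0;)
      buf[o++] = static_cast<char>(0x80 | ((cp >> (6 * k)) & 0x3F));
  }
  buf[o] = '\0';
  *out = buf; *outLen = o;
  return ConvResult::Ok;
}
```

A caller that sees `TooLong` can log the offending length and investigate which exposed string is growing, instead of the event being recorded under an OOM signature.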

While this is high volume for fennec 63 beta and release, I don't see any crashes at all for beta 64 fennec. We can keep an eye on this crash for 64 release and then maybe more discussion to the follow up bugs.
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #2)
> While this is high volume for fennec 63 beta and release, I don't see any
> crashes at all for beta 64 fennec.

The code involved in this bug only runs on desktop Linux and should not be running on Fennec. Chances are that what was observed on Fennec was something else with the same top stack frame.

The Fennec crashes seem to have been about Web Socket IPC proxying.

Maybe continued leftover crashes from Bug 1475218? Liz, maybe it makes sense to make a separate bug for Fennec, since the crashes seem to be different products with different causes.
Flags: needinfo?(lhenry)
Filed bug 1508740 to discuss the fennec crashes.
Flags: needinfo?(lhenry)

Chris can you get this one re-triaged -- is there any action we can take here? (Still getting lots of reports)

Flags: needinfo?(cpeterson)

This is a low-volume Linux a11y crash. The crash volume in this bug's crash graph looks higher than it actually is because this is a common crash signature. Most of those crashes are unrelated Android and Windows OOMs. In the last week, there have been 778 Android crashes, 459 Windows crashes, and no Linux crashes with this particular signature from Firefox 68/69/70 users:

https://crash-stats.mozilla.org/search/?signature=%3DOOM%20%7C%20large%20%7C%20NS_ABORT_OOM%20%7C%20nsTSubstring%3CT%3E%3A%3ASetLength&version=68.0esr&version=68.0&version=69.0b&version=70.0a1&date=%3E%3D2019-07-09T17%3A09%3A00.000Z&date=%3C2019-07-16T17%3A09%3A00.000Z&_facets=signature&_facets=version&_facets=platform&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-platform

Summary: Crash in OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetLength when changing continuously the Devtools position → Linux ATK a11y crash in OOM | large | NS_ABORT_OOM | nsTSubstring<T>::SetLength when changing continuously the Devtools position

Marcia's going to file a followup Fennec bug for that last OOM signature.

Priority: -- → P3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME