Closed
Bug 1344542
Opened 8 years ago
Closed 8 years ago
Crash in InvalidArrayIndex_CRASH | nsCellMap::ShrinkWithoutRows
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1344628
| Tracking | Status | |
|---|---|---|
| firefox54 | --- | fixed |
People
(Reporter: calixte, Assigned: neerja)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, Whiteboard: [clouseau][webcompat])
Crash Data
This bug was filed from the Socorro interface and is
report bp-260eb6fe-bbf4-44af-96d0-789192170305.
=============================================================
There are 5 crashes on nightly 54 with buildid 20170304030205. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1285874.
[1] https://hg.mozilla.org/mozilla-central/rev?node=85613fa0c5fec9e51f428debcb1d05aaa33f73da
Flags: needinfo?(npancholi)
|
Reporter | |
Comment 1•8 years ago
|
||
There are 14 crashes with signature "InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsCellMap::ShrinkWithoutRows".
Crash Signature: [@ InvalidArrayIndex_CRASH | nsCellMap::ShrinkWithoutRows] → [@ InvalidArrayIndex_CRASH | nsCellMap::ShrinkWithoutRows]
[@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsCellMap::ShrinkWithoutRows ]
Keywords: regression
|
||
Updated•8 years ago
|
Whiteboard: [clouseau]
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → npancholi
Flags: needinfo?(npancholi)
|
||
Comment 2•8 years ago
|
||
We have received a report for breaking the cloudflare.com customer portal. STR are available in the linked bug report.
Whiteboard: [clouseau] → [clouseau][webcompat]
|
||
Comment 3•8 years ago
|
||
The OOM crash like bp-2890fa2d-564b-4516-99bc-e15f62170307 has stack:
NS_ABORT_OOM(unsigned long)
nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long)
bool nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::InsertSlotsAt<nsTArrayInfallibleAllocator>(unsigned long, unsigned long, unsigned long, unsigned long)
nsCellMap::InsertRows(nsTableCellMap&, nsTArray<nsTableRowFrame*>&, int, bool, int, mozilla::TableArea&)
nsTableCellMap::InsertRows(nsTableRowGroupFrame*, nsTArray<nsTableRowFrame*>&, int, bool, mozilla::TableArea&)
nsTableFrame::InsertRows(nsTableRowGroupFrame*, nsTArray<nsTableRowFrame*>&, int, bool)
nsTableFrame::InsertRowGroups(nsFrameList::Slice const&)
nsTableFrame::HomogenousInsertFrames(mozilla::layout::FrameChildListID, nsIFrame*, nsFrameList&)
nsTableFrame::InsertFrames(mozilla::layout::FrameChildListID, nsIFrame*, nsFrameList&)
nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, TreeMatchContext*)
nsCSSFrameConstructor::CreateNeededFrames(nsIContent*, TreeMatchContext&) * 15 times
nsCSSFrameConstructor::CreateNeededFrames()
mozilla::GeckoRestyleManager::ProcessPendingRestyles()
mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)
...
Which looks like related.
Crash Signature: [@ InvalidArrayIndex_CRASH | nsCellMap::ShrinkWithoutRows]
[@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsCellMap::ShrinkWithoutRows ] → [@ InvalidArrayIndex_CRASH | nsCellMap::ShrinkWithoutRows]
[@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsCellMap::ShrinkWithoutRows ]
[@ OOM | large | NS_ABORT_OOM | nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<T>::EnsureCap…
|
|
Assignee | |
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
|
||
Comment 5•8 years ago
|
||
FF54 was fixed in bug 1344628. Mark 54 fixed here.
You need to log in
before you can comment on or make changes to this bug.
Description
•