Bug 1415173
Opened 6 years ago
Closed 2 years ago
Hit MOZ_CRASH(ElementAt(aIndex = 4294967295, aLength = 0)) at /builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:28
Categories: Core :: DOM: Core & HTML, defect, P3
People: Reporter: jkratzer, Assigned: smaug
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments: 1 file (715 bytes, text/html)
Testcase found while fuzzing mozilla-central rev 923836aebbc3.

==3633==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000510ea3 bp 0x7ffda6f2adf0 sp 0x7ffda6f2ac80 T0)
==3633==The signal is caused by a WRITE memory access.
==3633==Hint: address points to the zero page.
#0 0x510ea2 in MOZ_CrashPrintf /builds/worker/workspace/build/src/mfbt/Assertions.cpp:57:3
#1 0x7feb75e209a1 in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:26:3
#2 0x7feb785cc476 in nsTArray_Impl<AutoTArray<RefPtr<nsDOMMutationObserver>, 4ul>, nsTArrayInfallibleAllocator>::ElementAt(unsigned long) /builds/worker/workspace/build/src/xpcom/ds/nsTArray.h:1048:7
#3 0x7feb785c88ac in nsDOMMutationObserver::AddCurrentlyHandlingObserver(nsDOMMutationObserver*, unsigned int) /builds/worker/workspace/build/src/dom/base/nsDOMMutationObserver.cpp:1016:37
#4 0x7feb785c6f93 in nsDOMMutationObserver::ScheduleForRun() /builds/worker/workspace/build/src/dom/base/nsDOMMutationObserver.cpp:591:3
#5 0x7feb785c66e1 in nsMutationReceiver::ContentRemoved(nsIDocument*, nsIContent*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsDOMMutationObserver.cpp:380:15
#6 0x7feb7870672c in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:221:3
#7 0x7feb786bca34 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1947:5
#8 0x7feb7848c265 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1336:5
#9 0x7feb786bd6ff in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2259:18
#10 0x7feb78c45465 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:885:45
#11 0x7feb79e34b4e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
#12 0x7feb7ec89d31 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#13 0x7feb7ec8990a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472:16
#14 0x7feb7ec8a9b5 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#15 0x7feb7ec7f3b3 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061:18
#16 0x7feb7ec6a824 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
#17 0x7feb7ec8c632 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15
#18 0x7feb7ec8d0f2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:737:12
#19 0x7feb7f553d9f in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4702:12
#20 0x7feb7f554606 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
#21 0x7feb7f5541ee in JS_ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4742:12
#22 0x7feb786db9fb in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8
#23 0x7feb7b5710b1 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25
#24 0x7feb7b56df70 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10
#25 0x7feb7b55bc7a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10
#26 0x7feb7b55a803 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
#27 0x7feb7788c90e in nsIScriptElement::AttemptToExecute() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18
#28 0x7feb7788b8a6 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:728:22
#29 0x7feb778883ed in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7
#30 0x7feb77891a54 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
#31 0x7feb75f00e8f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#32 0x7feb75f21aa0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#33 0x7feb76abdfe5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#34 0x7feb76a10137 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#35 0x7feb76a0ffc9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
#36 0x7feb7b6a3eda in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#37 0x7feb7e8c3e21 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
#38 0x7feb7ea389a8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22
#39 0x7feb7ea3a5ca in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8
#40 0x7feb7ea3b4f9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
#41 0x4ed558 in do_main(int, char**, char**) /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
#42 0x4ece7b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304:16
#43 0x7feb951a582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Comment 1•6 years ago
This is a generic array assertion. You need to look farther up the call stack to see what is actually doing something wrong. Olli, this looks related to mutation observers.
Component: XPCOM → DOM
Flags: needinfo?(bugs)
Comment 3•6 years ago
Also hits:
ASSERTION: Unexpected aDocument: 'aDocument == mDocument', file /builds/worker/workspace/build/src/layout/base/PresShell.cpp, line 4479
ASSERTION: Should be in an update while destroying frames: 'mUpdateCount != 0', file /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp, line 8573
ASSERTION: Unexpected mutation level!: 'aMutationLevel > 0', file /builds/worker/workspace/build/src/dom/base/nsDOMMutationObserver.cpp, line 997

Testcase crashes debug builds as far back as a year, which is all mozregression can bisect.
Has Regression Range: --- → no
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → wontfix
Version: 52 Branch → unspecified
Comment 4•5 years ago
https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals
status-firefox59: --- → ?
Updated•5 years ago
Priority: -- → P3
Updated•4 years ago
Component: DOM → DOM: Core & HTML
Comment 5•2 years ago
Seems to be WFM.
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bugs)
Resolution: --- → WORKSFORME