Closed Bug 1421592 Opened 2 years ago Closed 2 years ago

Crash in InvalidArrayIndex_CRASH | nsComputedDOMStyle::GetGridTemplateColumnsRows

Categories

(Core :: Layout, defect, critical)

Version: 59 Branch
Hardware: x86
OS: Windows 7
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED WONTFIX
Tracking Status
firefox57 - wontfix
firefox58 --- wontfix
firefox59 --- unaffected

People

(Reporter: calixte, Unassigned)

Details

(Keywords: crash, topcrash)

This bug was filed from the Socorro interface and is
report bp-430a6f1b-e237-4f14-b03d-35aeb0171129.
=============================================================

Top 10 frames of crashing thread:

0 mozglue.dll MOZ_CrashPrintf mfbt/Assertions.cpp:50
1 xul.dll InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:26
2 xul.dll nsComputedDOMStyle::GetGridTemplateColumnsRows layout/style/nsComputedDOMStyle.cpp:2903
3 xul.dll nsComputedDOMStyle::DoGetGridTemplateRows layout/style/nsComputedDOMStyle.cpp:3154
4 xul.dll nsComputedDOMStyle::GetPropertyCSSValue layout/style/nsComputedDOMStyle.cpp:1046
5 xul.dll nsComputedDOMStyle::GetPropertyValue layout/style/nsComputedDOMStyle.cpp:383
6 xul.dll mozilla::dom::CSSStyleDeclarationBinding::getPropertyValue dom/bindings/CSSStyleDeclarationBinding.cpp:172
7 xul.dll mozilla::dom::GenericBindingMethod dom/bindings/BindingUtils.cpp:3041
8 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:495
9 xul.dll js::Call js/src/vm/Interpreter.cpp:559

=============================================================

There are 1307 crashes in release 57.0. The crash began to spike on 2017-11-26.
Most of the users are French, and a lot of the crashy URLs are related to http://www.meteofrance.com/ (confirmed by user comments in crash reports).
:xidorn, could you investigate, please?
Flags: needinfo?(xidorn+moz)
[Tracking Requested - why for this release]:
The signature is ranked #11 in top-crashers for content process and is a startup crash.
Keywords: topcrash
51.5% happens on 57.0, and 41.8% on 52esr?!

The crash stack of bp-430a6f1b-e237-4f14-b03d-35aeb0171129 is weird:
1. It is in subgrid serialization code: although we accidentally exposed this in stylo (see bug 1421645), given that no browser actually supports it, it is unlikely any website would be using it.
2. The lines immediately above indicate that this shouldn't happen at all.

There are several reports with the same signature pointing to https://hg.mozilla.org/releases/mozilla-release/annotate/3702966a64c8/layout/style/nsComputedDOMStyle.cpp#l3037 (e.g. bp-cf5aa99b-611d-4d7a-861b-32ab70171129), which seems to be something that makes more sense.

Redirect ni? to mats and see whether he has some thought about this.
Flags: needinfo?(xidorn+moz) → needinfo?(mats)
Closing, just in case...
Group: core-security
Also, given that it happens in 52esr as well, I don't think this should be tracking 57... It could probably just be that some popular website started triggering it somehow in the 57 time frame.
It looks like this is a safe crash since we fail a runtime assertion:
MOZ_CRASH Reason: ElementAt(aIndex = 0, aLength = 0)
Maybe a dupe of bug 1350780?
Flags: needinfo?(mats) → needinfo?(bwerth)
I guess we could just uplift that fix to see if the crashes stop...
It's a low risk change IMO.
Group: core-security → dom-core-security
We're hitting a runtime check that is being shipped in all versions, so this does not need to be hidden.
Group: dom-core-security
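As an added illustration of what the two comments above mean by a safe crash (this is not Gecko code, not nsTArray, and not the fix for this bug): a small C++ model of a bounds-checked accessor in the spirit of nsTArray::ElementAt that reports the index and length and then aborts, next to a track-list serializer in two versions, one that reads track 0 unconditionally and one that checks the length first. The class and function names (CheckedArray, SerializeTracksUnguarded, SerializeTracksGuarded, ReasonForEmptyUnguarded) are hypothetical, and the track strings are constructed input. The only thing it demonstrates is the distinction being drawn in the bug: an out-of-range index on a checked container becomes a deterministic MOZ_CRASH-style abort with a diagnostic, not a read past the end of the buffer.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model, not Gecko's nsTArray: a checked accessor whose failure
// mode is a diagnostic plus abort rather than an out-of-bounds read.

// Reason string in the same shape as the MOZ_CRASH reason quoted in the bug.
static std::string CrashReason(size_t aIndex, size_t aLength) {
  return "ElementAt(aIndex = " + std::to_string(aIndex) +
         ", aLength = " + std::to_string(aLength) + ")";
}

// Crash handler, installable so a harness can observe the failure instead of
// aborting the process. The default mirrors a release-mode runtime check.
using CrashHandler = void (*)(const std::string&);
static void DefaultCrash(const std::string& aReason) {
  std::fprintf(stderr, "MOZ_CRASH Reason: %s\n", aReason.c_str());
  std::abort();
}
static CrashHandler gCrashHandler = DefaultCrash;

template <typename T>
class CheckedArray {
 public:
  explicit CheckedArray(std::vector<T> aItems) : mItems(std::move(aItems)) {}
  size_t Length() const { return mItems.size(); }

  // Checked access: an index at or beyond Length() never reaches the buffer.
  T& ElementAt(size_t aIndex) {
    if (aIndex >= mItems.size()) {
      gCrashHandler(CrashReason(aIndex, mItems.size()));
      std::abort();  // backstop: a handler that returns must not fall through
    }
    return mItems[aIndex];
  }

 private:
  std::vector<T> mItems;
};

// Serializer that reads the first track unconditionally. On an empty list this
// is exactly the ElementAt(aIndex = 0, aLength = 0) check from the bug.
static std::string SerializeTracksUnguarded(CheckedArray<std::string>& aTracks) {
  std::string out = aTracks.ElementAt(0);
  for (size_t i = 1; i < aTracks.Length(); ++i) out += " " + aTracks.ElementAt(i);
  return out;
}

// Same serialization with the length checked first; an empty list is "none".
static std::string SerializeTracksGuarded(CheckedArray<std::string>& aTracks) {
  if (aTracks.Length() == 0) return "none";
  std::string out = aTracks.ElementAt(0);
  for (size_t i = 1; i < aTracks.Length(); ++i) out += " " + aTracks.ElementAt(i);
  return out;
}

// Harness hook: run the unguarded serializer on an empty list with a handler
// that throws instead of aborting, and return the reason it reported.
struct CheckedCrash { std::string reason; };
static void ThrowingCrash(const std::string& aReason) { throw CheckedCrash{aReason}; }

static std::string ReasonForEmptyUnguarded() {
  CrashHandler saved = gCrashHandler;
  gCrashHandler = ThrowingCrash;
  std::string reason;
  try {
    CheckedArray<std::string> empty(std::vector<std::string>{});
    SerializeTracksUnguarded(empty);
  } catch (const CheckedCrash& c) {
    reason = c.reason;
  }
  gCrashHandler = saved;
  return reason;
}

int main() {
  // Constructed sample input: two track sizes, then an empty track list.
  CheckedArray<std::string> tracks(std::vector<std::string>{"1fr", "2fr"});
  CheckedArray<std::string> empty(std::vector<std::string>{});
  std::printf("guarded, two tracks: %s\n", SerializeTracksGuarded(tracks).c_str());
  std::printf("guarded, empty:      %s\n", SerializeTracksGuarded(empty).c_str());
  std::printf("unguarded, empty:    %s\n", ReasonForEmptyUnguarded().c_str());
  return 0;
}
```

With the default handler in place, calling SerializeTracksUnguarded on the empty list terminates the process with "MOZ_CRASH Reason: ElementAt(aIndex = 0, aLength = 0)" on stderr, which is the behaviour the thread relies on when it says the crash is safe and the bug need not stay hidden.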
(In reply to Mats Palmgren (:mats) from comment #6)
> Maybe a dupe of bug 1350780?

I can't tell if the patch for Bug 1350780 helps here. I can't replicate the crash in Nightly (which includes the fix for that bug). However, I do get a memory leak in Nightly after navigating to http://www.meteofrance.com/. I'll start trying to reduce a testcase.
(In reply to Brad Werth [:bradwerth] from comment #9)
> (In reply to Mats Palmgren (:mats) from comment #6)
> > Maybe a dupe of bug 1350780?
> 
> I can't tell if the patch for Bug 1350780 helps here. I can't replicate the
> crash in Nightly (which includes the fix for that bug). However, I do get a
> memory leak in Nightly after navigating to http://www.meteofrance.com/. I'll
> start trying to reduce a testcase.

Hmmm... memory leak isn't reproducible -- not sure what went wrong with my local build. I fear I have no special insight into this bug. I can navigate to and around http://www.meteofrance.com/ without incident.
Flags: needinfo?(bwerth)
Component: DOM → Layout
We shipped 57 with it while the volume was pretty high; as it is fixed in 59, not tracking and marking it as wontfix.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX