Crash in InvalidArrayIndex_CRASH | mozilla::FrameProperties::GetInternal

Status: NEW (Unassigned)
Product / Component: Core / Layout
Severity: critical
Reported: 26 days ago; last modified: 17 days ago
Reporter: baffclan
Keywords: crash
Version / Platform: Trunk, x86_64, Windows 10
Firefox tracking flags: firefox59 affected

Description (Reporter, 26 days ago)
This bug was filed from the Socorro interface and is
report bp-c8e94cba-8f93-41f8-bc81-e49520171227.
=============================================================

Top 10 frames of crashing thread:

0 mozglue.dll MOZ_CrashPrintf mfbt/Assertions.cpp:63
1 xul.dll InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:26
2 xul.dll mozilla::FrameProperties::GetInternal layout/base/FrameProperties.h:424
3 xul.dll nsIFrame::GetBidiData layout/generic/nsIFrame.h:1282
4 xul.dll BidiLineData::BidiLineData layout/base/nsBidiPresUtils.cpp:407
5 xul.dll nsBidiPresUtils::ReorderFrames layout/base/nsBidiPresUtils.cpp:1375
6 xul.dll nsLineLayout::TextAlignLine layout/generic/nsLineLayout.cpp:3222
7 xul.dll nsBlockFrame::PlaceLine layout/generic/nsBlockFrame.cpp:4622
8 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:4097
9 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3843

=============================================================
This looks quite odd.

We're hitting InvalidArrayIndex_CRASH on the final line of mozilla::FrameProperties::GetInternal(), which I've paraphrased here:

>   auto index = mProperties.IndexOf(aProperty, 0, PropertyComparator());
>   if (index == nsTArray<PropertyValue>::NoIndex) {
>     [...]
>     return nullptr;
>   }
>   [...]
>   return mProperties.ElementAt(index).mValue;

(This last line ^^ is the one where we crash.)

https://hg.mozilla.org/mozilla-central/annotate/286fe0a699dc/layout/base/FrameProperties.h#l424

The error means that "index" is out-of-bounds for the "mProperties" array. But that makes no sense, because we got "index" from a walk through that array a few lines earlier (the first line of my quoted code).

So, I don't see how this can happen, aside from memory corruption, or some other thread messing with our array while we're using it (unlikely since reflow happens in a single-threaded way), or a bug in nsTArray internals somewhere.
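As an added illustration (not Firefox code and not from this bug), the following is a minimal C++ model of the invariant that InvalidArrayIndex_CRASH enforces, written in the same shape as the paraphrased GetInternal() quoted above: an index obtained from IndexOf() is only safe to pass to ElementAt() while the array is unchanged. The PropertyDescriptor and PropertyValue types, the CheckedArray class and the sample data are assumed stand-ins, and a thrown exception replaces the abort so the check is observable.

```cpp
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical property descriptor and slot, standing in for the
// FrameProperties types (assumed for this example).
struct PropertyDescriptor { int id; };
struct PropertyValue {
  const PropertyDescriptor* mProperty;
  void* mValue;
};

// Stand-in for nsTArray<T>::NoIndex.
constexpr std::size_t NoIndex = std::numeric_limits<std::size_t>::max();

// Minimal model of a bounds-checked array. nsTArray::ElementAt() aborts via
// InvalidArrayIndex_CRASH when index >= length; here we throw instead so the
// failure can be observed in a test rather than taking the process down.
class CheckedArray {
 public:
  std::vector<PropertyValue> items;  // public so the example can mutate it

  std::size_t Length() const { return items.size(); }

  // Linear search, like nsTArray::IndexOf() with a comparator.
  std::size_t IndexOf(const PropertyDescriptor* aProperty) const {
    for (std::size_t i = 0; i < items.size(); ++i) {
      if (items[i].mProperty == aProperty) return i;
    }
    return NoIndex;
  }

  PropertyValue& ElementAt(std::size_t aIndex) {
    if (aIndex >= items.size()) {  // the check that fired in the report
      throw std::out_of_range("InvalidArrayIndex: index >= Length()");
    }
    return items[aIndex];
  }
};

// Same shape as the quoted GetInternal(): find the slot, then read it.
void* GetInternal(CheckedArray& mProperties, const PropertyDescriptor* aProperty) {
  auto index = mProperties.IndexOf(aProperty);
  if (index == NoIndex) {
    return nullptr;
  }
  return mProperties.ElementAt(index).mValue;
}

// Constructed sample data for the checks below.
static const PropertyDescriptor kBidiProp{1};
static const PropertyDescriptor kOtherProp{2};
static int gSampleValue = 42;

static CheckedArray MakeSample() {
  CheckedArray arr;
  arr.items.push_back({&kBidiProp, &gSampleValue});
  return arr;
}

// Normal path: the index was just produced by a walk over the same, unchanged
// array, so ElementAt() cannot be out of bounds.
bool LookupSucceeds() {
  CheckedArray arr = MakeSample();
  return GetInternal(arr, &kBidiProp) == &gSampleValue;
}

// Missing property: IndexOf() returns NoIndex and the early return is taken.
bool MissingPropertyReturnsNull() {
  CheckedArray arr = MakeSample();
  return GetInternal(arr, &kOtherProp) == nullptr;
}

// The failure mode the comment considers: the array changes (or its length
// field is corrupted) between IndexOf() and ElementAt(), so a once-valid
// index is stale by the time it is used.
bool StaleIndexIsCaught() {
  CheckedArray arr = MakeSample();
  std::size_t index = arr.IndexOf(&kBidiProp);  // 0, valid right now
  arr.items.clear();                              // simulated mutation
  try {
    (void)arr.ElementAt(index);
  } catch (const std::out_of_range&) {
    return true;  // the bounds check caught the stale index
  }
  return false;
}
```

The point of the model is the one the comment makes: with no mutation between the two calls, the check in ElementAt() is unreachable, so seeing it fire in a crash report points at the array's memory (its length or buffer) having changed underneath the lookup, not at the lookup logic itself.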