Closed
Bug 1427175
Opened 6 years ago
Closed 5 years ago
Crash in InvalidArrayIndex_CRASH | mozilla::FrameProperties::GetInternal
Categories
(Core :: Layout, defect, P2)
Tracking
()
RESOLVED
WONTFIX
Tracking | Status | |
---|---|---|
firefox59 | --- | affected |
People
(Reporter: baffclan, Unassigned)
Details
(Keywords: crash)
Crash Data
This bug was filed from the Socorro interface and is report bp-c8e94cba-8f93-41f8-bc81-e49520171227.
=============================================================
Top 10 frames of crashing thread:

0 mozglue.dll MOZ_CrashPrintf mfbt/Assertions.cpp:63
1 xul.dll InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:26
2 xul.dll mozilla::FrameProperties::GetInternal layout/base/FrameProperties.h:424
3 xul.dll nsIFrame::GetBidiData layout/generic/nsIFrame.h:1282
4 xul.dll BidiLineData::BidiLineData layout/base/nsBidiPresUtils.cpp:407
5 xul.dll nsBidiPresUtils::ReorderFrames layout/base/nsBidiPresUtils.cpp:1375
6 xul.dll nsLineLayout::TextAlignLine layout/generic/nsLineLayout.cpp:3222
7 xul.dll nsBlockFrame::PlaceLine layout/generic/nsBlockFrame.cpp:4622
8 xul.dll nsBlockFrame::DoReflowInlineFrames layout/generic/nsBlockFrame.cpp:4097
9 xul.dll nsBlockFrame::ReflowInlineFrames layout/generic/nsBlockFrame.cpp:3843
=============================================================
Comment 1•6 years ago
This looks quite odd. We're hitting InvalidArrayIndex_CRASH on the final line of mozilla::FrameProperties::GetInternal(), which I've paraphrased here:

> auto index = mProperties.IndexOf(aProperty, 0, PropertyComparator());
> if (index == nsTArray<PropertyValue>::NoIndex) {
>   [...]
>   return nullptr;
> }
> [...]
> return mProperties.ElementAt(index).mValue;

(This last line ^^ is the one where we crash.)
https://hg.mozilla.org/mozilla-central/annotate/286fe0a699dc/layout/base/FrameProperties.h#l424

The error means that "index" is out-of-bounds for the "mProperties" array. But that makes no sense, because we got "index" from a walk through that array a few lines earlier (the first line of my quoted code).

So, I don't see how this can happen, aside from memory corruption, or some other thread messing with our array while we're using it (unlikely since reflow happens in a single-threaded way), or a bug in nsTArray internals somewhere.
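The lookup pattern discussed in Comment 1, as an added example that is not part of the bug report or of Gecko's code: `CheckedArray`, `TruncateLength`, the `Lookup` enum and the `aBetween` hook are hypothetical stand-ins, and a thrown exception stands in for the InvalidArrayIndex_CRASH abort. It shows that an index returned by `IndexOf` can only fail the later bounds check if the array changes between the two calls, and that the check turns that case into a controlled failure instead of an out-of-bounds read.

```cpp
#include <cstddef>
#include <functional>
#include <stdexcept>
#include <vector>

// Hypothetical stand-ins for the types named in Comment 1; not Gecko code.
struct PropertyValue {
  const void* mProperty;  // descriptor address used as the lookup key
  void* mValue;
};

class CheckedArray {
 public:
  static constexpr std::size_t NoIndex = static_cast<std::size_t>(-1);
  void AppendElement(PropertyValue aValue) { mElems.push_back(aValue); }
  void TruncateLength(std::size_t aLen) { mElems.resize(aLen); }
  std::size_t IndexOf(const void* aProperty) const {
    for (std::size_t i = 0; i < mElems.size(); ++i) {
      if (mElems[i].mProperty == aProperty) return i;
    }
    return NoIndex;
  }
  // Bounds check that stays on in release builds; the exception stands in
  // for the controlled InvalidArrayIndex_CRASH abort.
  const PropertyValue& ElementAt(std::size_t aIndex) const {
    if (aIndex >= mElems.size()) throw std::out_of_range("InvalidArrayIndex");
    return mElems[aIndex];
  }
 private:
  std::vector<PropertyValue> mElems;
};

enum class Lookup { Found, Missing, InvalidIndex };

// Same shape as the paraphrased GetInternal(): IndexOf, then ElementAt.
// aBetween models something else changing the array between the two calls.
Lookup GetInternal(CheckedArray& aProps, const void* aProperty,
                   const std::function<void(CheckedArray&)>& aBetween = nullptr) {
  std::size_t index = aProps.IndexOf(aProperty);
  if (index == CheckedArray::NoIndex) return Lookup::Missing;
  if (aBetween) aBetween(aProps);  // no-op on the normal path
  try {
    (void)aProps.ElementAt(index).mValue;  // checked access, as in the crash
    return Lookup::Found;
  } catch (const std::out_of_range&) {
    return Lookup::InvalidIndex;  // stale index caught by the bounds check
  }
}
```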
Comment 2•6 years ago
[ Triage 2017/02/20: P2 ] P2 bugs may become P1's after further analysis. Please prioritize diagnosis and repair.
Priority: -- → P2
Comment 3•5 years ago
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX