Closed Bug 1457136 Opened Last year Closed Last year

Crash in nsTArray_base<T>::SwapArrayElements<T> | MergeState::MergeState

(Core :: Web Painting, defect, P1, critical)

Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 + fixed
firefox62 + fixed
(Reporter: marcia, Assigned: mattwoodrow)
(Blocks 1 open bug)
(Keywords: crash, csectype-nullptr, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-82889c6d-2a4c-4f61-8d72-94c360180425.

Seen while looking at nightly crashes: small-volume crashes started with build 20180424220100.

Possible regression range based on Build ID:

Top 10 frames of crashing thread:

0 xul.dll nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator> xpcom/ds/nsTArray-inl.h:406
1 xul.dll MergeState::MergeState layout/painting/RetainedDisplayListBuilder.cpp:263
2 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:483
3 xul.dll MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:279
4 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:487
5 xul.dll MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:279
6 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:487
7 xul.dll MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:279
8 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:487
9 xul.dll RetainedDisplayListBuilder::AttemptPartialUpdate layout/painting/RetainedDisplayListBuilder.cpp:1097

Bug 1439809 presumably based on the regression range and crash stack.
Blocks: 1439809
Duplicate of this bug: 1459766
Changing platform to all since the dupe bug has the Mac and Linux signatures.
OS: Windows 10 → All
Hardware: Unspecified → All
This is responsible for ~1.4% of all content process crashes at the moment.
Flags: needinfo?(matt.woodrow)
I'm pretty sure this is the same as bug 1459997 (getting the wrong index, it just happens to be within the array range, and we recurse into the sub-list for the wrong item type).

Leaving it open for now, but I expect the new assertions to stop us hitting this crash.
Flags: needinfo?(matt.woodrow)
Priority: -- → P1
Assignee: nobody → matt.woodrow
Status on this?
Flags: needinfo?(matt.woodrow)
No crashes in 61.0b9, so I think this is fixed.
Closed: Last year
Flags: needinfo?(matt.woodrow)
Resolution: --- → FIXED