Closed
Bug 1457136
Opened 6 years ago
Closed 6 years ago
Crash in nsTArray_base<T>::SwapArrayElements<T> | MergeState::MergeState
Categories
(Core :: Web Painting, defect, P1)
Core
Web Painting
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox61 | + | fixed |
| firefox62 | + | fixed |
People
(Reporter: marcia, Assigned: mattwoodrow)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-nullptr, regression)
Crash Data
This bug was filed from the Socorro interface and is report bp-82889c6d-2a4c-4f61-8d72-94c360180425. ============================================================= Seen while looking at nightly crashes: https://bit.ly/2HvUq37. Small volume crashes started using 20180424220100. Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dfb15917c057f17e5143f7d7c6e1972ba53efc49&tochange=6eeb97ca94f40189d5aa552da9e0b0b11bfa0441 Top 10 frames of crashing thread: 0 xul.dll nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator> xpcom/ds/nsTArray-inl.h:406 1 xul.dll MergeState::MergeState layout/painting/RetainedDisplayListBuilder.cpp:263 2 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:483 3 xul.dll MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:279 4 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:487 5 xul.dll MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:279 6 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:487 7 xul.dll MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:279 8 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:487 9 xul.dll RetainedDisplayListBuilder::AttemptPartialUpdate layout/painting/RetainedDisplayListBuilder.cpp:1097 =============================================================
|
||
Updated•6 years ago
|
status-firefox59:
--- → unaffected
status-firefox60:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
|
||
Comment 1•6 years ago
|
||
Bug 1439809 presumably based on the regression range and crash stack.
Blocks: 1439809
tracking-firefox61:
--- → +
|
Reporter | |
Comment 2•6 years ago
|
||
Here are a few URLs groomed from the crashes: *https://www.netflix.com/browse *http://abc13.com/3389719/?sf187745472=1 *https://www.ok.ru/feed *https://colab.research.google.com/notebooks/mlcc/first_steps_with_tensor_flow.ipynb?hl=en#scrollTo=AKWstXXPzOVz
|
|
||
Updated•6 years ago
|
status-firefox62:
--- → affected
tracking-firefox62:
--- → +
|
|
Reporter | |
Comment 4•6 years ago
|
||
Changing platform to all since the dupe bug has the Mac and Linux signatures.
OS: Windows 10 → All
Hardware: Unspecified → All
|
|
||
Comment 5•6 years ago
|
||
This is responsible for ~1.4% of all content process crashes at the moment.
Flags: needinfo?(matt.woodrow)
|
||
Updated•6 years ago
|
Keywords: csectype-nullptr
|
Assignee | |
Comment 6•6 years ago
|
||
I'm pretty sure this is the same as bug 1459997 (getting the wrong index, it just happens to be within the array range, and we recurse into the sub-list for the wrong item type). Leaving it open for now, but I expect the new assertions to stop us hitting this crash.
Flags: needinfo?(matt.woodrow)
|
|
Assignee | |
Updated•6 years ago
|
Priority: -- → P1
|
||
Updated•6 years ago
|
Assignee: nobody → matt.woodrow
|
|
Assignee | |
Comment 8•6 years ago
|
||
No crashes in 61.0b9, so I think this is fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(matt.woodrow)
Resolution: --- → FIXED
|
|
||
Updated•6 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•