Closed Bug 1503024 Opened 7 years ago Closed 6 years ago

Crash in gfxSkipCharsIterator::gfxSkipCharsIterator

Categories

(Core :: Disability Access APIs, defect, P3)

64 Branch
Unspecified
Android
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox64 --- wontfix

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash, csectype-dos, regression, Whiteboard: [sg:dos (recursion)])

Crash Data

This bug was filed from the Socorro interface and is report bp-1f423d77-677d-496c-8aac-009b80181029.

=============================================================

Seen while looking at beta crash stats: https://bit.ly/2EQam34. 14 crashes/4 installs so far. Also a few crashes when nightly was in 64. Crashes appear to be Android only.

A few URLs:
* https://store.docker.com/search?type=edition&offering=enterprise
* https://store.docker.com/search?q=Secureage&type=image&source=verified

Top 1 frames of crashing thread:
0 libxul.so gfxSkipCharsIterator::gfxSkipCharsIterator gfx/thebes/gfxSkipChars.h:179

=============================================================
Only having one frame isn't very helpful :/
Priority: -- → P3
During weekly triage Randell mentioned that this should be marked security sensitive due to some of the crash addresses. I will take a look at some other crashes and see if there is better information in any of them.
Group: layout-core-security
The recent crashes with this signature are all on ESR60. They seem to have a good number of frames in them. For instance: bp-c55b215d-46c4-4635-90aa-661260181129 The other frames seem to involve a11y, like accessible/base/nsTextEquivUtils.cpp.
That crash, at least, is a stack overflow, and it looks like it's caused by infinite recursion in the a11y code; it has a 5-stackframe pattern of

nsTextEquivUtils::AppendFromValue(mozilla::a11y::Accessible*, nsTSubstring<char16_t>*)
nsTextEquivUtils::AppendFromAccessible(mozilla::a11y::Accessible*, nsTSubstring<char16_t>*)
nsTextEquivUtils::AppendFromAccessibleChildren(mozilla::a11y::Accessible*, nsTSubstring<char16_t>*)
nsTextEquivUtils::GetTextEquivFromSubtree(mozilla::a11y::Accessible*, nsTString<char16_t>&)
mozilla::a11y::Accessible::Value(nsTString<char16_t>&)

that looks like it goes down indefinitely. Probably worth the a11y team having a look at this.
Component: Layout: Text and Fonts → Disability Access APIs
Group: layout-core-security
Keywords: csectype-dos
Whiteboard: [sg:dos (recursion)]
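A toy model of the re-entrant chain named in the comment above, added here as an illustration and not Firefox's code: a constructed back-edge in the accessible graph (an assumed cause; the bug does not identify one) makes the walk unbounded, and an in-progress set guard (assumed, not the actual fix) turns it into a walk that terminates.

```cpp
// Added illustration (not Firefox code): a toy model of the recursive chain
// Value -> GetTextEquivFromSubtree -> AppendFromAccessibleChildren ->
// AppendFromAccessible -> AppendFromValue, plus a hypothetical guard.
#include <string>
#include <unordered_set>
#include <vector>
struct Accessible {
    std::string name;                  // explicit name, used when non-empty
    bool valueFromSubtree;             // Value() falls back to subtree text
    std::vector<Accessible*> children;
};
// Accessibles currently being processed higher up the call stack.
static std::unordered_set<const Accessible*> gInProgress;
void AppendFromAccessible(Accessible* acc, std::string& out);

void AppendFromAccessibleChildren(Accessible* acc, std::string& out) {
    for (Accessible* child : acc->children) AppendFromAccessible(child, out);
}
void GetTextEquivFromSubtree(Accessible* acc, std::string& out) {
    AppendFromAccessibleChildren(acc, out);
}
void Value(Accessible* acc, std::string& out) {
    if (acc->valueFromSubtree) GetTextEquivFromSubtree(acc, out);
}
void AppendFromValue(Accessible* acc, std::string& out) { Value(acc, out); }

void AppendFromAccessible(Accessible* acc, std::string& out) {
    // Assumed guard (not the actual fix): an accessible already on the stack
    // would re-enter itself forever, so skip it instead of recursing.
    if (!gInProgress.insert(acc).second) return;
    if (!acc->name.empty()) out += acc->name;
    else AppendFromValue(acc, out);
    gInProgress.erase(acc);
}

std::string ComputeTextEquiv(Accessible* root) {
    std::string out;
    gInProgress.clear();
    AppendFromAccessible(root, out);
    return out;
}
// Constructed sample: a corrupted graph whose child points back at the root;
// without the guard this walk would recurse until the stack overflows.
std::string CyclicSampleTextEquiv() {
    Accessible leaf{"leaf", false, {}}, root{"", true, {}};
    Accessible mid{"", true, {&leaf, &root}};
    root.children.push_back(&mid);
    return ComputeTextEquiv(&root);  // "leaf"
}
```

The guard only bounds the walk; an accessible tree containing a back-edge is still a bug to be diagnosed, which is the kind of frame pattern the comment above points at.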

No crashes in 68 release. Closing as WFM.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME