Closed
Bug 1509507
Opened 6 years ago
Closed 6 years ago
Crash in encoding_rs::utf_8::Utf8Decoder::decode_to_utf16_raw
Categories
(Core :: Internationalization, defect)
RESOLVED
FIXED
mozilla65
Release | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox63 | --- | unaffected |
firefox64 | --- | unaffected |
firefox65 | + | fixed |
People
(Reporter: calixte, Assigned: hsivonen)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression)
Attachments
(1 file)
This bug was filed from the Socorro interface and is
report bp-3ddf8112-4b1a-4225-92eb-4c4690181123.
=============================================================
Top 10 frames of crashing thread:
0 xul.dll ?MOZ_CrashOOL@@YAXPEBDH0@Z.llvm.17252753682276159622 mfbt/Assertions.h:311
1 xul.dll GeckoCrashOOL toolkit/xre/nsAppRunner.cpp:5350
2 xul.dll static void gkrust_shared::panic_hook toolkit/library/rust/shared/lib.rs:234
3 xul.dll static void core::ops::function::Fn::call<fn /libcore/ops/function.rs:78
4 xul.dll static void std::panicking::rust_panic_with_hook /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481
5 xul.dll static void std::panicking::continue_panic_fmt /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391
6 xul.dll static void std::panicking::rust_begin_panic /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326
7 xul.dll static void core::panicking::panic_fmt /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77
8 xul.dll static void core::panicking::panic_bounds_check /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:59
9 xul.dll static struct third_party/rust/encoding_rs/src/macros.rs:70
=============================================================
There are 22 crashes (from 21 installations) in nightly 65 starting with buildid 20181122220059. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1507726.
[1] https://hg.mozilla.org/mozilla-central/rev?node=3691033d6e78
Flags: needinfo?(hsivonen)
Comment 1 (Assignee) • 6 years ago
This code withstood a few days of fuzzing before landing. This is a panic, so safe code is in an unexpected state.
I don't have access to crash report URLs. Steps to reproduce would be really helpful. Meanwhile, I'll run the fuzzer some more.
Comment 2 (Assignee) • 6 years ago
(In reply to Henri Sivonen (:hsivonen) from comment #1)
> This is a panic,
> so safe code is in an unexpected state.
Specifically: index out of bounds: the len is 1024 but the index is 1024
Comment 3 (Assignee) • 6 years ago
1024 is the size of the output buffer, in UTF-16 code units, in the HTML parser, so chances are this is a write to the output slice.
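The failure mode discussed in comments 2 and 3, as an added Rust example that is not part of the bug thread and is not encoding_rs code: a simplified decoder (the names `decode`, `multibyte` and `check_space` are hypothetical; 4-byte sequences are omitted and truncated input is treated as malformed) whose multi-byte path can skip the output-space check. When ASCII fills a 1024-unit buffer exactly and a multi-byte sequence follows, the unchecked write panics on the slice bounds check rather than writing past the buffer, while the checked path returns `OutputFull`.

```rust
// Added example with hypothetical names; not encoding_rs code.
#[derive(Debug, PartialEq)]
pub enum DecodeResult { InputEmpty, OutputFull, Malformed }

/// Parses one 2- or 3-byte sequence at the start of `s`; None if malformed or truncated.
fn multibyte(s: &[u8]) -> Option<(u16, usize)> {
    let (len, init) = match s[0] {
        0xC2..=0xDF => (2, u16::from(s[0] & 0x1F)),
        0xE0..=0xEF => (3, u16::from(s[0] & 0x0F)),
        _ => return None, // 4-byte forms are out of scope for this example
    };
    let mut unit = init;
    for &t in s.get(1..len)? {
        if t & 0xC0 != 0x80 { return None; }
        unit = (unit << 6) | u16::from(t & 0x3F);
    }
    // Reject overlong three-byte forms and encoded surrogates.
    let bad = (len == 3 && unit < 0x800) || (0xD800..=0xDFFF).contains(&unit);
    if bad { None } else { Some((unit, len)) }
}

/// Returns (result, bytes read, UTF-16 code units written).
pub fn decode(src: &[u8], dst: &mut [u16], check_space: bool) -> (DecodeResult, usize, usize) {
    let (mut read, mut written) = (0, 0);
    while read < src.len() {
        let ascii = src[read] < 0x80;
        // The ASCII path always checks for room; the multi-byte path only if asked.
        if (ascii || check_space) && written == dst.len() {
            return (DecodeResult::OutputFull, read, written);
        }
        let (unit, len) = if ascii {
            (u16::from(src[read]), 1)
        } else {
            match multibyte(&src[read..]) {
                Some(pair) => pair,
                None => return (DecodeResult::Malformed, read, written),
            }
        };
        dst[written] = unit; // bounds-checked: panics when written == dst.len()
        read += len;
        written += 1;
    }
    (DecodeResult::InputEmpty, read, written)
}

fn main() {
    let mut src = vec![b'a'; 1024]; // constructed input: ASCII fills the buffer exactly
    src.extend_from_slice("é".as_bytes());
    println!("{:?}", decode(&src, &mut [0u16; 1024], true));
}
```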
Updated • 6 years ago
tracking-firefox65:
--- → +
Comment 5 (Assignee) • 6 years ago
Updated (Assignee) • 6 years ago
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Flags: needinfo?(hsivonen)
Pushed by hsivonen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e9eedbf1bd4b
Update to encoding_rs 0.8.13 to fix a panic in UTF-8 to UTF-16 decode. r=m_kato
Comment 8 (bugherder) • 6 years ago
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65