Open Bug 1646745 Opened 4 years ago Updated 9 months ago

Hit MOZ_CRASH(ElementAt(aIndex = 9999, aLength = 9999)) at /builds/worker/checkouts/gecko/xpcom/ds/nsTArray.cpp:29

Categories: Core :: Layout: Grid, defect
Tracking Status: firefox79 --- affected
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, bugmon, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f291dd9e075c (built with --enable-debug).

Hit MOZ_CRASH(ElementAt(aIndex = 9999, aLength = 9999)) at /builds/worker/checkouts/gecko/xpcom/ds/nsTArray.cpp:29

rax = 0x000055a09022ea58   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x000055a09022ea60
rsi = 0x00007fa63a9908b0   rdi = 0x00007fa63a98f680
rbp = 0x00007fff70224770   rsp = 0x00007fff70224760
r8 = 0x00007fa63a9908b0    r9 = 0x00007fa63baf6780
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x000000000000270f   r13 = 0x000000000000270f
r14 = 0x0000000000002710   r15 = 0x000055a09272bd70
rip = 0x00007fa620b2233a
OS|Linux|0.0.0 Linux 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|InvalidArrayIndex_CRASH(unsigned long, unsigned long)|hg:hg.mozilla.org/mozilla-central:xpcom/ds/nsTArray.cpp:f291dd9e075c239586a5b9e266db47750d19af22|27|0x2f
0|1|libxul.so|nsComputedDOMStyle::GetGridTemplateColumnsRows(mozilla::StyleGenericGridTemplateComponent<mozilla::StyleLengthPercentageUnion, int> const&, mozilla::ComputedGridTrackInfo const&)|hg:hg.mozilla.org/mozilla-central:xpcom/ds/nsTArray.h:f291dd9e075c239586a5b9e266db47750d19af22|1152|0x8
0|2|libxul.so|nsComputedDOMStyle::DoGetGridTemplateRows()|hg:hg.mozilla.org/mozilla-central:layout/style/nsComputedDOMStyle.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1741|0x20
0|3|libxul.so|nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char> const&, nsTSubstring<char16_t>&)|hg:hg.mozilla.org/mozilla-central:layout/style/nsComputedDOMStyle.cpp:f291dd9e075c239586a5b9e266db47750d19af22|432|0x8
0|4|libxul.so|mozilla::dom::CSSStyleDeclaration_Binding::getPropertyValue(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:b3ea423e71d96260b28cb271506423d4ad70dfea09ae9e37afc06698ba496c9a3e774a8a5dab4aab49be580f28026cbb8a8896e02186dfad2213695899c3905a/dom/bindings/CSSStyleDeclarationBinding.cpp:|299|0x1b
0|5|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:f291dd9e075c239586a5b9e266db47750d19af22|3219|0x21
0|6|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f291dd9e075c239586a5b9e266db47750d19af22|484|0x12
0|7|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f291dd9e075c239586a5b9e266db47750d19af22|576|0xe
0|8|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f291dd9e075c239586a5b9e266db47750d19af22|639|0x10
0|9|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f291dd9e075c239586a5b9e266db47750d19af22|643|0xa
0|10|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f291dd9e075c239586a5b9e266db47750d19af22|456|0xb
0|11|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f291dd9e075c239586a5b9e266db47750d19af22|611|0x8
0|12|libxul.so|InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f291dd9e075c239586a5b9e266db47750d19af22|639|0x10
0|13|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f291dd9e075c239586a5b9e266db47750d19af22|656|0xb
0|14|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:f291dd9e075c239586a5b9e266db47750d19af22|2846|0x23
0|15|libxul.so|mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:2563ad09677feb8ddf64827a409899848ef6a80bfacaa11f581c512536a6fb0c779d8b29517ba6358a054c6d475f770bf7bac2913a941d0394881c5649b08603/dom/bindings/EventListenerBinding.cpp:|55|0xe
0|16|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:99837b3cdc69c5eb1234f9d2b3e771dcff734d56a022bedb1d00c0cf4ee6243fb5c91397a058f2ddab63bda8ed6b581ea1232a0229033866910c7289d24cbc2d/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x21
0|17|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1082|0x2c
0|18|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1279|0x15
0|19|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:f291dd9e075c239586a5b9e266db47750d19af22|355|0xb
0|20|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:f291dd9e075c239586a5b9e266db47750d19af22|557|0x19
0|21|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1054|0x5
0|22|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:f291dd9e075c239586a5b9e266db47750d19af22|0|0x8
0|23|libxul.so|nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1301|0x10
0|24|libxul.so|nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:f291dd9e075c239586a5b9e266db47750d19af22|4028|0x23
0|25|libxul.so|nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsContentUtils.cpp:f291dd9e075c239586a5b9e266db47750d19af22|3998|0x23
0|26|libxul.so|mozilla::dom::Document::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/Document.cpp:f291dd9e075c239586a5b9e266db47750d19af22|7173|0x21
0|27|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:f291dd9e075c239586a5b9e266db47750d19af22|1237|0x17
0|28|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:f291dd9e075c239586a5b9e266db47750d19af22|146|0x11
0|29|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:f291dd9e075c239586a5b9e266db47750d19af22|1234|0xe
0|30|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:f291dd9e075c239586a5b9e266db47750d19af22|501|0xc
0|31|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f291dd9e075c239586a5b9e266db47750d19af22|87|0x7
0|32|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f291dd9e075c239586a5b9e266db47750d19af22|315|0x17
0|33|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f291dd9e075c239586a5b9e266db47750d19af22|290|0x8
0|34|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:f291dd9e075c239586a5b9e266db47750d19af22|137|0xd
0|35|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f291dd9e075c239586a5b9e266db47750d19af22|913|0xe
0|36|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f291dd9e075c239586a5b9e266db47750d19af22|237|0x5
0|37|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f291dd9e075c239586a5b9e266db47750d19af22|315|0x17
0|38|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f291dd9e075c239586a5b9e266db47750d19af22|290|0x8
0|39|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f291dd9e075c239586a5b9e266db47750d19af22|744|0x5
0|40|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:f291dd9e075c239586a5b9e266db47750d19af22|56|0x11
0|41|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:f291dd9e075c239586a5b9e266db47750d19af22|303|0x20
0|42|libc.so.6||||0x21b97
0|43|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:f291dd9e075c239586a5b9e266db47750d19af22|253|0x17
Flags: in-testsuite?
Crash Signature: [@ InvalidArrayIndex_CRASH | nsComputedDOMStyle::GetGridTemplateColumnsRows ]
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200618094105-f291dd9e075c.
The bug appears to have been introduced in the following build range:
> Start: dc36babfbd534a7238bd363b397c7019c06c5cd6 (20200320014050)
> End: d52f097a39dc031bf62f88510eb8f9911bd8b56b (20200320014249)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dc36babfbd534a7238bd363b397c7019c06c5cd6&tochange=d52f097a39dc031bf62f88510eb8f9911bd8b56b
Severity: normal → S3

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon