Closed Bug 1703614 Opened 3 years ago Closed 3 years ago

Crash in [@ InvalidArrayIndex_CRASH | gfxUserFontEntry::GetFamilyNameAndURIForLogging]

Categories

(Core :: Layout: Text and Fonts, defect)

Firefox 89
defect

RESOLVED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- fixed

People

(Reporter: calixte, Assigned: jfkthame)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/3c7e9329-42e2-4e52-9d44-bd7160210407

MOZ_CRASH Reason: ElementAt(aIndex = 6, aLength = 5)

Top 10 frames of crashing thread:

0 libxul.so InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:28
1 libxul.so gfxUserFontEntry::GetFamilyNameAndURIForLogging gfx/thebes/gfxUserFontSet.cpp:275
2 libxul.so mozilla::dom::FontFaceSet::LogMessage layout/style/FontFaceSet.cpp:1206
3 libxul.so gfxUserFontEntry::DoLoadNextSrc gfx/thebes/gfxUserFontSet.cpp:586
4 libxul.so gfxUserFontEntry::FontLoadFailed gfx/thebes/gfxUserFontSet.cpp:905
5 libxul.so nsFontFaceLoader::OnStreamComplete layout/style/nsFontFaceLoader.cpp:285
6 libxul.so mozilla::net::nsStreamLoader::OnStopRequest netwerk/base/nsStreamLoader.cpp:89
7 libxul.so nsCORSListenerProxy::OnStopRequest netwerk/protocol/http/nsCORSListenerProxy.cpp:610
8 libxul.so std::_Function_handler<void  /builds/worker/fetches/clang/include/c++/7.4.0/bits/std_function.h:316
9 libxul.so mozilla::net::ChannelEventQueue::FlushQueue netwerk/ipc/ChannelEventQueue.cpp:90

There is 1 crash in nightly 89 with buildid 20210407094544. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1694123.

[1] https://hg.mozilla.org/mozilla-central/rev?node=43764851d067

Flags: needinfo?(jfkthame)

Ahh... I guess it's possible for a font-load operation that ends up failing to race with a style update that ends up shortening the source list in the rule, and that could result in the index here being out of range by the time we try to log the message. We check for at the end, but not beyond it.

Flags: needinfo?(jfkthame)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e31c17c4b0a5
Check for out-of-range source index when logging a font-load failure. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
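
The failure mode discussed in this bug, replayed as an added C++ example (not Firefox's code and not the landed patch): an index captured when a load starts goes stale once the source list is shortened, and a guard that only tests for "exactly at the end" lets it through. `FontSrc`, `ElementAt`, the two `UriForLogging*` functions and `SurvivesShrink` are hypothetical names, the sample data is constructed, and the accessor throws where the real array class crashes.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for one entry of an @font-face src list.
struct FontSrc { std::string uri; };

// Bounds-checked accessor: throws where a crash-on-invalid-index array
// class would abort the process.
static const FontSrc& ElementAt(const std::vector<FontSrc>& list, size_t i) {
  if (i >= list.size()) throw std::out_of_range("ElementAt: invalid index");
  return list[i];
}

// Weak guard: only "exactly at the end" counts as having no current source.
std::string UriForLoggingWeak(const std::vector<FontSrc>& list, size_t idx) {
  if (idx == list.size()) return "(end of source list)";
  return ElementAt(list, idx).uri;
}

// Hardened guard: any index at or past the end counts as having no source.
std::string UriForLoggingChecked(const std::vector<FontSrc>& list, size_t idx) {
  if (idx >= list.size()) return "(end of source list)";
  return ElementAt(list, idx).uri;
}

using Logger = std::string (*)(const std::vector<FontSrc>&, size_t);

// Replays the sequence: a load starts for source 6, the list shrinks to 5
// entries while the load is in flight, then the failure is logged.
// Returns true if the logger survives the stale index.
bool SurvivesShrink(Logger logger) {
  std::vector<FontSrc> list;
  for (int i = 0; i < 7; ++i)
    list.push_back({"font" + std::to_string(i) + ".woff2"});  // constructed
  size_t inFlight = 6;  // index captured when the load began
  list.resize(5);       // style update shortens the list
  try { logger(list, inFlight); return true; }
  catch (const std::out_of_range&) { return false; }
}

int main() {
  std::cout << "weak guard survives:    " << SurvivesShrink(UriForLoggingWeak) << "\n";
  std::cout << "checked guard survives: " << SurvivesShrink(UriForLoggingChecked) << "\n";
}
```

The index and length used here (6 and 5) match the `ElementAt(aIndex = 6, aLength = 5)` crash reason in the report.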

I was looking at some old crashes, and it looks like this showed up on Android with a slightly different signature.

Crash Signature: [@ InvalidArrayIndex_CRASH | gfxUserFontEntry::GetFamilyNameAndURIForLogging] → [@ InvalidArrayIndex_CRASH | gfxUserFontEntry::GetFamilyNameAndURIForLogging] [@ InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | gfxUserFontEntry::GetFamilyNameAndURIForLogging ]
Has Regression Range: --- → yes
