Open Bug 1705548 Opened 1 month ago Updated 26 days ago

Crash in [@ InvalidArrayIndex_CRASH | CrashReporter::(anonymous namespace)::ThreadLocalDestructor]

Categories

(Toolkit :: Crash Reporting, defect)

Unspecified
macOS
defect

Tracking

()

Tracking Status
firefox-esr78 --- affected
firefox87 --- affected
firefox88 --- ?
firefox89 --- affected

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash, Whiteboard: [not-a-fission-bug])

Crash Data

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/2bccd0b6-c90d-4c99-9bf8-2d6e00210415

MOZ_CRASH Reason: ElementAt(aIndex = 18446744073709551615, aLength = 7)

Top 5 frames of crashing thread:

0 XUL InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:28
1 XUL CrashReporter:: toolkit/crashreporter/ThreadAnnotation.cpp:196
2 libnss3.dylib _pt_root nsprpub/pr/src/pthreads/ptthread.c:248
3 libsystem_pthread.dylib libsystem_pthread.dylib@0x67a7 
4 libsystem_pthread.dylib libsystem_pthread.dylib@0x22e2 

There are a couple of these crashes. They all have aIndex = -1. I'm not sure what could be going wrong. It looks like some index value is -1, but I don't know how we'd call the destructor callback without initializing it. Unless _pr_tpd_highwater is overflowing?

The crashes seem to be coming from just one machine (everything is the same save for the Firefox version) and they're happening in the rdd process. The fact that it happens both on the release channel and on nightly makes it look like a valid issue nonetheless.

This crash doesn't look Fission-related, even though a couple crash reports have the DOMFissionEnabled=1 flag set.

Whiteboard: [not-a-fission-bug]
You need to log in before you can comment on or make changes to this bug.