Crash in [@ InvalidArrayIndex_CRASH | mozilla::EventStateManager::LookForAccessKeyAndExecute]
Categories
(Core :: DOM: Events, defect)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox89 | --- | unaffected |
| firefox90 | --- | wontfix |
| firefox91 | --- | wontfix |
| firefox92 | --- | fixed |
People
(Reporter: sefeng211, Assigned: sefeng211)
Details
(Keywords: crash, Whiteboard: [not-a-fission-bug])
Attachments
(1 file)
Maybe Fission related. (DOMFissionEnabled=1)
Crash report: https://crash-stats.mozilla.org/report/index/504a836e-8f02-4d86-b042-a72b80210613
MOZ_CRASH Reason: ElementAt(aIndex = 11, aLength = 11)
Top 10 frames of crashing thread:
0 libxul.so InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:28
1 libxul.so mozilla::EventStateManager::LookForAccessKeyAndExecute dom/events/EventStateManager.cpp:1097
2 libxul.so mozilla::EventStateManager::WalkESMTreeToHandleAccessKey dom/events/EventStateManager.cpp:1204
3 libxul.so mozilla::EventStateManager::PreHandleEvent dom/events/EventStateManager.cpp:783
4 libxul.so mozilla::PresShell::EventHandler::DispatchEvent layout/base/PresShell.cpp:8212
5 libxul.so mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo layout/base/PresShell.cpp:8181
6 libxul.so mozilla::PresShell::EventHandler::HandleEventAtFocusedContent layout/base/PresShell.cpp:7910
7 libxul.so mozilla::PresShell::EventHandler::HandleEvent layout/base/PresShell.cpp:6929
8 libxul.so mozilla::PresShell::HandleEvent layout/base/PresShell.cpp:6829
9 libxul.so nsViewManager::DispatchEvent view/nsViewManager.cpp:704
Comment 1•4 years ago
Is this a regression? All the crash reports are from Nightly 90.a1 and 91.0a1 on Linux, but there are no reports yet from Beta 90.0b. Is this code for a Nightly-only feature? The earliest build ID in a crash report is 20210428100720.
(Adding [not-a-fission-bug] whiteboard tag because this doesn't look like a Fission bug, even though some of the recent crash reports (including comment 0's) have "DOMFissionEnabled=1".)
Comment 2•4 years ago (Assignee)
We've used a remainder already, so I don't see a reason for the crash.
The only possibility that I see is the length of the array gets changed
in the loop, so I added this assertion to see if that was the case.
Updated•4 years ago
Comment 4•4 years ago (bugherder)
Comment 5•4 years ago
The patch landed in nightly and beta is affected.
:sefeng, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Updated•4 years ago
New crash report: https://crash-stats.mozilla.org/report/index/d8e36cda-d0ab-451a-9c10-af12d0210726
Happens after this handler returns:
```js
// Delegated click handler on the page body: links that point at the
// current page are routed through virtualNavigate() instead of the
// default navigation.
this.body.addEventListener('click', (function (event) {
  if (!(event.target instanceof HTMLAnchorElement)) {
    return
  }
  var url = new URL(event.target.href)
    , current = location.origin + location.pathname
    , clicked = url.origin + url.pathname
  if (current !== clicked) {
    return
  }
  this.virtualNavigate(url.hash.replace(/^#/, ''))
  event.preventDefault()
  event.stopImmediatePropagation()
}).bind(this))
```
for reference
```js
that.virtualNavigate = function (hash) {
  var step = null
    , path = hash.split('/')
    , o = this.fs
  // Run the cleanup callbacks queued by the previous navigation.
  while (step = this.fsCleanup.pop())
    step.call(this)
  // Walk the path one segment at a time through the this.fs tree.
  while (path.length > 0) {
    step = path.shift()
    if (step in o) {
      o = o[step]
    } else {
      return
    }
    if (o['/<'] instanceof Function)
      this.fsCleanup.push(o['/<'])
    if (o['/>'] instanceof Function)
      if (o['/>'].call(this, path))
        return
  }
  if (o['/v'] instanceof Function)
    o['/v'].call(this)
}
```
I should add that this happens only if the link was "clicked" using Alt+Shift+1 (see accesskey attribute) while link's parent is display:none at the same time.
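Added example, not Mozilla's code and not part of any comment above: a simplified C++ model of the hypothesis in comment 2, showing how a remainder taken against a length read before the loop can still produce index 11 once the array has shrunk to 11 elements, next to a form that iterates over a snapshot. All names (`Keys`, `Visit`, `Outcome`, `LookupCachedLength`, `LookupSnapshot`) are hypothetical, and `start` is assumed to be -1 or a valid index.

```cpp
#include <algorithm>
#include <cstddef>
#include <functional>
#include <vector>

// Hypothetical model, not Gecko code: targets are plain ids, and `visit`
// stands for per-candidate work that may unregister targets as a side effect.
using Keys = std::vector<int>;
using Visit = std::function<bool(Keys&, int)>;  // true = key handled
enum class Outcome { Handled, NotFound, IndexOutOfRange };

// Length is read once, so the remainder only bounds the index against the
// old length. The explicit check marks where ElementAt() would crash.
Outcome LookupCachedLength(Keys& keys, int start, const Visit& visit) {
  const int length = static_cast<int>(keys.size());
  for (int count = 1; count <= length; ++count) {
    const std::size_t index = static_cast<std::size_t>((start + count) % length);
    if (index >= keys.size()) return Outcome::IndexOutOfRange;
    if (visit(keys, keys[index])) return Outcome::Handled;
  }
  return Outcome::NotFound;
}

// Hardened form: walk a snapshot and skip ids unregistered in the meantime.
Outcome LookupSnapshot(Keys& keys, int start, const Visit& visit) {
  const Keys snapshot = keys;
  const int length = static_cast<int>(snapshot.size());
  for (int count = 1; count <= length; ++count) {
    const int id = snapshot[static_cast<std::size_t>((start + count) % length)];
    if (std::find(keys.begin(), keys.end(), id) == keys.end()) continue;
    if (visit(keys, id)) return Outcome::Handled;
  }
  return Outcome::NotFound;
}

// Constructed input: 12 targets; visiting id 0 unregisters the last one.
Keys MakeKeys() {
  Keys keys(12);
  for (int i = 0; i < 12; ++i) keys[i] = i;
  return keys;
}
bool ShrinkOnFirstVisit(Keys& keys, int id) {
  if (id == 0) keys.pop_back();
  return false;  // nothing handles the key, so the loop runs to the end
}
```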