Closed Bug 1726080 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::TextServicesDocument::OffsetEntryArray::SplitElementAt]

Categories

(Core :: Spelling checker, defect, P3)

Product:
Core
Component:
Spelling checker
Version:
Firefox 91
Platform:
Desktop
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox91 --- unaffected
firefox92 --- fixed
firefox93 --- fixed

People

(Reporter: darktrojan, Assigned: masayuki)

References

(Regression)

Details

(Keywords: crash, regression, topcrash-thunderbird)

Crash Data

Attachments

(1 file)

Bug 1726080 - Make `TextServicesDocument` and `OffsetEntryArray` use raw pointer of `OffsetEntry` instead of reference to `UniquePtr` r=m_kato!
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review

+++ This bug was initially created as a clone of Bug #1722748 +++

This crash is still happening in Thunderbird 92.0b2, where it should be fixed according to bug 1722748.

https://crash-stats.mozilla.org/report/index/94613668-d598-45c1-ae50-a1c1b0210817

Here's a STR which seems to work reliably:

  • Reply to a plain-text message
  • Add two spelling mistakes
  • Click the spell check button
  • Replace each mistake with a suggestion
  • Crash on the second replacement

bug still in 92.0 b2
stream
write a new message
call the spell checker
try to "replace" a word
results : freeze of thunderbird

It appears that the same crash signature was fixed for Firefox, but not for Thunderbird v92.0.
Changing the product and component to better differentiate the 2 bugs.

status-firefox92: --- → affected
Component: Spelling checker → General
Product: Core → Thunderbird
Version: Firefox 92 → Thunderbird 92

Perhaps, I got it.

leftEntry is reference to an array item before inserting new item. So, if the array data is reallocated, the reference becomes invalid.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED
Component: General → Spelling checker
Keywords: regressionwindow-wanted
Product: Thunderbird → Core
Regressed by: 1718924
Version: Thunderbird 92 → Firefox 91
Has Regression Range: --- → yes

If array size grows up, the array data may be reallocated. Therefore, after
getting a reference of an array item, we shouldn't modify array.

This makes them use raw pointer if they need to modify the array. Otherwise,
keep using the reference, but adds a stack class to detect the bug only in debug
build.

Pushed by masayuki@d-toybox.com:
https://hg.mozilla.org/integration/autoland/rev/daf499187cb6
Make `TextServicesDocument` and `OffsetEntryArray` use raw pointer of `OffsetEntry` instead of reference to `UniquePtr` r=m_kato

Set release status flags based on info from the regressing bug 1718924

status-firefox91: --- → unaffected
status-firefox92: --- → affected
status-firefox93: --- → affected
status-firefox-esr78: --- → unaffected
status-firefox-esr91: --- → unaffected

Comment on attachment 9236752 [details]
Bug 1726080 - Make TextServicesDocument and OffsetEntryArray use raw pointer of OffsetEntry instead of reference to UniquePtr r=m_kato!

Beta/Release Uplift Approval Request

  • User impact if declined: May meet random crash at typing something in editor.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: Unfortunately, there is no STR. And according to my investigation, this happens randomly unless we find specific text content to reproduce.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The cause is, storing reference to an array which is UniquePtr, then, inserting new item into the array, then, referring the stored UniquePtr reference, but if the array buffer is reallocated, the raw ptr in the UniquePtr is accessible, but the reference points invalid address. So, this patch changes to store raw ptr if following code adds new item to the array.

The fix is only 2 lines, the others are debug only code to detect same regression in the other places.

  • String changes made/needed:
Attachment #9236752 - Flags: approval-mozilla-beta?

Unfortunately, there is no STR

I mean, in Firefox.

https://hg.mozilla.org/mozilla-central/rev/daf499187cb6

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox93: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch
Regressions: 1726532

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #8)

Comment on attachment 9236752 [details]
Bug 1726080 - Make TextServicesDocument and OffsetEntryArray use raw pointer of OffsetEntry instead of reference to UniquePtr r=m_kato!

Beta/Release Uplift Approval Request

  • User impact if declined: May meet random crash at typing something in editor.

In addition, it is the #2 crash for Thunderbird 92.

Further - is this likely to this fix our #1 crash? mozilla::TextServicesDocument::OffsetEntryArray::SplitElementAt

Flags: needinfo?(masayuki)
Keywords: topcrash-thunderbird

I hope so. I have no more idea to crash in the method for now.

Flags: needinfo?(masayuki)
No longer regressions: 1726532

Comment on attachment 9236752 [details]
Bug 1726080 - Make TextServicesDocument and OffsetEntryArray use raw pointer of OffsetEntry instead of reference to UniquePtr r=m_kato!

Approved for 92.0b7.

Attachment #9236752 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: