1812136 - Firefox crashes when interacting with specific page: assertion failed: mem::size_of::<T>() <= slice.len()

Status: NEW

(Core :: Graphics, defect, P1)

Description

[Dan Burzo]

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0

Steps to reproduce:

Scroll around the web page: https://work.nicochilla.com/tractatus-tree/dendrogram.html

Actual results:

Firefox crashes.

Application Basics

Name: Firefox
Version: 109.0
Build ID: 20230112150232
Distribution ID:
Update Channel: release
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0
OS: Darwin 22.2.0 Darwin Kernel Version 22.2.0: Fri Nov 11 02:04:44 PST 2022; root:xnu-8792.61.2~4/RELEASE_ARM64_T8103
Rosetta Translated: false
Multiprocess Windows: 1/1
Fission Windows: 1/1 Enabled by default
Remote Processes: 8
Enterprise Policies: Inactive
Google Location Service Key: Found
Google Safebrowsing Key: Found
Mozilla Location Service Key: Found
Safe Mode: false
Memory Size (RAM): 16.0 GB
Disk Space Available: 8.0 GB

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

The Bugbug bot thinks this bug should belong to the 'Core::Performance' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Comment 2

[Julien Wajsberg [:julienw]]

Kash reproduced and here is his crash => https://crash-stats.mozilla.org/report/index/7eee3edf-8862-45bd-b718-814250230224

Comment 3

[Timothy Nikkel (:tnikkel)]

Easy to reproduce, all you have to do is scroll down (perhaps rapidly).

Comment 4

[Timothy Nikkel (:tnikkel)]

Seems like the browser width is important in reproducing. I think I can reproduc consistently enough (and test each build enough to be sure) to regression range it to this
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ca774a5b6b7b6874f91abb76a422582d37169a57&tochange=5c87b1e70b4401f9282c5649c32d1953a8c9e9cc
I think that would be bug 1753404

Also pretty sure I reproduced this on Windows as well.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1753404

:nical, since you are the author of the regressor, bug 1753404, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1753404

Comment 7

[Dianna Smith [:diannaS]]

:nical is this still on the radar for a possible uplift to a 112 dot release?

Comment 8

[Nicolas Silva [:nical]]

:nical is this still on the radar for a possible uplift to a 112 dot release?

Just coming back from parental leave. No and probably not for a few other releases since the problem isn't well understood.

Comment 9

[Bob Hood [:bhood]]

Dan, is this crash still happening for you with the current Nightly build (Fx120)?

Comment 10

[Dan Burzo]

Bob, I am still able to cause a crash in Firefox 120.0a1 Nightly through sustained, frenetic interaction with the page.

Comment 11

[Bob Hood [:bhood]]

Thanks, Dan. Can you please attach a full and recent about:support dump to this report?

Comment 12

[Mayank Bansal]

easy enough to repro on my Win11 machine - just zoom in to 240% and then grab the scroll-bar and drag it down to scroll.

Comment 13

[Kelsey Gilbert [:jgilbert]]

"nical is the closest we have to a Blob owner, and it does repro for @gw, so hopefully tractable."

Comment 14

[Dan Burzo]

(Sorry, there seems to be an awful lot of info in that dump, I’d rather not attach it all publicly. If I understand correctly, the team is able to reproduce the issue.)

Comment 15

[Timothy Nikkel (:tnikkel)]

I've been debugging the fuzz bug 1805333 for the same assert (because it is reduced and easy to work with). I think it will probably turn out to be the same issue.

Comment 16

[Bob Hood [:bhood]]

Setting to P1 so it appears on my internal tracking radar.