Closed Bug 1821427 Opened 2 years ago Closed 1 year ago

Crash in [@ icu_72::UVector::size]

Categories

(Core :: Internationalization, defect, P3)

Unspecified
Android
defect

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- wontfix

People

(Reporter: cpeterson, Unassigned)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

This low-volume ICU crash on Android looks like a regression in 110 from updating ICU to 72 in bug 1792775.

Crash report: https://crash-stats.mozilla.org/report/index/e1e053de-12e7-4691-a60d-0d0090230307

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  icu_72::UVector::size const  intl/icu/source/common/uvector.h:190
0  libxul.so  icu_72::TimeZoneFormat::checkAbuttingHoursAndMinutes  intl/icu/source/i18n/tzfmt.cpp:2654
0  libxul.so  icu_72::TimeZoneFormat::initGMTOffsetPatterns  intl/icu/source/i18n/tzfmt.cpp:2645
1  libxul.so  icu_72::TimeZoneFormat::TimeZoneFormat  intl/icu/source/i18n/tzfmt.cpp:407
1  libxul.so  icu_72::TimeZoneFormat::createInstance  intl/icu/source/i18n/tzfmt.cpp:515
2  libxul.so  icu_72::TimeZone::getDisplayName const  intl/icu/source/i18n/timezone.cpp:1319
3  libxul.so  mozilla::intl::TimeZone::GetDisplayName<js::intl::FormatBuffer<char16_t,   intl/components/src/TimeZone.h:106
4  libxul.so  js::DateTimeInfo::internalTimeZoneDisplayName  js/src/vm/DateTime.cpp:454
5  libxul.so  js::DateTimeInfo::timeZoneDisplayName  js/src/vm/DateTime.h:186
6  libxul.so    js/src/jsdate.cpp:2859

Set release status flags based on info from the regressing bug 1792775

:anba, since you are the author of the regressor, bug 1792775, could you take a look?

For more information, please visit auto_nag documentation.

Flags: needinfo?(andrebargull)

This looks like a missing OOM check in ICU code.

The icu::TimeZoneFormat constructor calls icu::TimeZoneFormat::initGMTOffsetPatterns() here. icu::TimeZoneFormat::initGMTOffsetPatterns() first calls icu::TimeZoneFormat::parseOffsetPattern() for each possible offset pattern and then it calls icu::TimeZoneFormat::checkAbuttingHoursAndMinutes() to process the parsed offset patterns. If icu::TimeZoneFormat::parseOffsetPattern() fails, icu::TimeZoneFormat::initGMTOffsetPatterns() should handle the error and return. Instead it proceeds with calling icu::TimeZoneFormat::checkAbuttingHoursAndMinutes(), but that method will crash with a null-pointer exception when one of the parsed offset patterns is nullptr in this line. This situation exactly matches the stack trace from comment #0.

Filed as https://unicode-org.atlassian.net/browse/ICU-22307.

Flags: needinfo?(andrebargull)
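
An added example (constructed here; not ICU's code and not the fix filed as ICU-22307) that models the control flow described in the analysis above: a parser that returns nullptr on a simulated allocation failure, the unchecked caller shape that would hand that null pattern to checkAbuttingHoursAndMinutes(), and the checked shape that inspects the status and returns first. The Status enum, the token-based OffsetPattern, the simulateOOM flag and the "Unchecked"/"Checked" function names are all assumptions made for this example.

```cpp
#include <memory>
#include <string>
#include <vector>

// Status codes modelled on ICU's UErrorCode (constructed for this example).
enum class Status { Ok, MemoryAllocationError };

// A parsed offset pattern as field tokens: 'H' hours, 'm' minutes, 's' seconds,
// 'L' literal text. Stands in for ICU's UVector of GMTOffsetField objects.
using OffsetPattern = std::vector<char>;

// Simulated parseOffsetPattern(): on a prior error or a simulated allocation
// failure it sets status and returns nullptr, the case the analysis describes.
std::unique_ptr<OffsetPattern> parseOffsetPattern(const std::string& pattern,
                                                  bool simulateOOM, Status& status) {
    if (status != Status::Ok) return nullptr;  // ICU-style early out on prior error
    if (simulateOOM) { status = Status::MemoryAllocationError; return nullptr; }
    auto items = std::make_unique<OffsetPattern>();
    for (char c : pattern) {
        char tok = (c == 'H' || c == 'm' || c == 's') ? c : 'L';
        if (items->empty() || items->back() != tok) items->push_back(tok);
    }
    return items;
}

// Dereferences the pattern unconditionally, like the crashing frame in the trace.
// True when the hour field is immediately followed by the minute field ("HHmm").
bool checkAbuttingHoursAndMinutes(const OffsetPattern* hm) {
    for (std::size_t i = 0; i + 1 < hm->size(); ++i)
        if ((*hm)[i] == 'H' && (*hm)[i + 1] == 'm') return true;
    return false;
}

// Unchecked shape: the parse status is ignored and a null pattern is passed on.
// Not exercised below: on the OOM path it dereferences nullptr, as in the crash.
bool initGMTOffsetPatternsUnchecked(const std::string& hmPattern, bool simulateOOM) {
    Status status = Status::Ok;
    auto hm = parseOffsetPattern(hmPattern, simulateOOM, status);
    return checkAbuttingHoursAndMinutes(hm.get());
}

// Checked shape: inspect the status after parsing and return before the call.
Status initGMTOffsetPatternsChecked(const std::string& hmPattern, bool simulateOOM,
                                    bool& abuttingHm) {
    Status status = Status::Ok;
    auto hm = parseOffsetPattern(hmPattern, simulateOOM, status);
    if (status != Status::Ok) return status;   // the missing OOM check
    abuttingHm = checkAbuttingHoursAndMinutes(hm.get());
    return status;
}
```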

The severity field is not set for this bug.
:m_kato, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(m_kato)

Low volume and this is OOM.

Severity: -- → S3
Flags: needinfo?(m_kato)
Priority: -- → P3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME