Crash in [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsTArray_Impl<T>::operator[] | nsSHistory::EnsureCorrectEntryAtCurrIndex]
Categories
(Core :: DOM: Navigation, defect)
People
(Reporter: mccr8, Unassigned, NeedInfo)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/b19daac8-734b-4916-a409-048b80251104
MOZ_CRASH Reason:
ElementAt(aIndex = 3, aLength = 3)
Top 10 frames:
0 libmozglue.so MOZ_CrashSequence(void*, long) mfbt/Assertions.h:253
0 libmozglue.so MOZ_Crash(char const*, int, char const*) mfbt/Assertions.h:381
0 libmozglue.so mozilla::detail::InvalidArrayIndex_CRASH(unsigned long, unsigned long) mfbt/Assertions.cpp:77
1 libxul.so nsTArray_Impl<nsCOMPtr<nsISHEntry>, nsTArrayInfallibleAllocator>::ElementAt(u... xpcom/ds/nsTArray.h:1069
1 libxul.so nsTArray_Impl<nsCOMPtr<nsISHEntry>, nsTArrayInfallibleAllocator>::operator[](... xpcom/ds/nsTArray.h:1116
1 libxul.so nsSHistory::EnsureCorrectEntryAtCurrIndex(nsISHEntry*) docshell/shistory/nsSHistory.cpp:2235
2 libxul.so nsDocShell::OnNewURI(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIP... docshell/base/nsDocShell.cpp:11561
3 libxul.so nsDocShell::CreateDocumentViewer(nsTSubstring<char> const&, nsIRequest*, nsIS... docshell/base/nsDocShell.cpp:8007
4 libxul.so nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest... docshell/base/nsDSURIContentListener.cpp:168
5 libxul.so nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) uriloader/base/nsURILoader.cpp:772
I did some work recently to split up array bounds crashes and this is one that popped out. Android-only. All of them seem to have aIndex == aLength, so maybe there's some kind of off-by-one error in this code.
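The split described in comment 0, bucketing array-bounds crashes by how the index relates to the length, can be sketched as follows. This is an added example, not code from the bug or from Mozilla's crash tooling; the bucket names, the wrap threshold and every sample reason except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Format of the MOZ_CRASH reason shown in this report.
REASON_RE = re.compile(r"ElementAt\(aIndex = (\d+), aLength = (\d+)\)")

# Assumption: an index at or above 2**31 is read as a signed value
# (such as -1) that was converted to an unsigned index.
WRAP_THRESHOLD = 2**31


def classify_reason(reason):
    """Return a (hypothetical) triage bucket for one MOZ_CRASH reason."""
    m = REASON_RE.search(reason)
    if m is None:
        return "unparsed"
    index, length = int(m.group(1)), int(m.group(2))
    if index < length:
        return "in-bounds"  # inconsistent: this access would not crash
    if index >= WRAP_THRESHOLD:
        return "wrapped-negative"
    if length == 0:
        return "empty-array"  # checked before index == length on purpose
    if index == length:
        return "one-past-end"  # the pattern reported in this bug
    return "far-out-of-bounds"


def bucket_counts(reasons):
    """Count how many reasons fall into each bucket."""
    return Counter(classify_reason(r) for r in reasons)


# Constructed sample input; only the first entry comes from the report.
SAMPLE_REASONS = [
    "ElementAt(aIndex = 3, aLength = 3)",
    "ElementAt(aIndex = 1, aLength = 1)",
    "ElementAt(aIndex = 0, aLength = 0)",
    "ElementAt(aIndex = 18446744073709551615, aLength = 5)",
    "ElementAt(aIndex = 12, aLength = 4)",
    "index out of range",
]

if __name__ == "__main__":
    for bucket, count in bucket_counts(SAMPLE_REASONS).most_common():
        print(f"{bucket:18} {count}")
```

A signature whose reports land almost entirely in `one-past-end` points at a stale or post-increment index rather than at corrupted state, which is the reading comment 0 suggests.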
Comment 1•9 days ago
(In reply to Andrew McCreight [:mccr8] from comment #0)
Crash report: https://crash-stats.mozilla.org/report/index/b19daac8-734b-4916-a409-048b80251104
Top 10 frames:
0 libmozglue.so MOZ_CrashSequence(void*, long) mfbt/Assertions.h:253
0 libmozglue.so MOZ_Crash(char const*, int, char const*) mfbt/Assertions.h:381
0 libmozglue.so mozilla::detail::InvalidArrayIndex_CRASH(unsigned long, unsigned long) mfbt/Assertions.cpp:77
1 libxul.so nsTArray_Impl<nsCOMPtr<nsISHEntry>, nsTArrayInfallibleAllocator>::ElementAt(u... xpcom/ds/nsTArray.h:1069
1 libxul.so nsTArray_Impl<nsCOMPtr<nsISHEntry>, nsTArrayInfallibleAllocator>::operator[](... xpcom/ds/nsTArray.h:1116
1 libxul.so nsSHistory::EnsureCorrectEntryAtCurrIndex(nsISHEntry*) docshell/shistory/nsSHistory.cpp:2235
This is called from https://hg-edge.mozilla.org/releases/mozilla-release/file/5f480a9ab713ba79e5a14face39aacb038c36f30/docshell/base/nsDocShell.cpp#l11561, which is in a non-SHIP code path. Maybe this is a non-SHIP-only issue and no longer valid after Android enables SHIP? :smaug or :farre might know better.
2 libxul.so nsDocShell::OnNewURI(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIP... docshell/base/nsDocShell.cpp:11561
3 libxul.so nsDocShell::CreateDocumentViewer(nsTSubstring<char> const&, nsIRequest*, nsIS... docshell/base/nsDocShell.cpp:8007
4 libxul.so nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest... docshell/base/nsDSURIContentListener.cpp:168
5 libxul.so nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) uriloader/base/nsURILoader.cpp:772
Comment 2•7 days ago
Yeah, it hurts fixing non-SHIP issues when we're so close to removing it entirely.
I'll defer to :smaug though.
Comment 3•7 days ago (Reporter)
The volume is rather low so if there's not an obvious fix I think it is okay to ignore this.