Open Bug 1466945 Opened 6 years ago Updated 2 years ago

Crash in mozilla::Span<T>::Subspan (from RetainedDisplayListBuilder::MergeDisplayLists)

Categories

(Core :: Web Painting, defect, P2)

x86
Windows 7
defect

Tracking


Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 - fix-optional
firefox62 --- affected

People

(Reporter: MatsPalmgren_bugz, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: qa-not-actionable)

Crash Data

This bug was filed from the Socorro interface and is report bp-612cbac0-1af0-4e26-8758-c35fb0180605.

=============================================================
MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(aStart <= len && (aLength == dynamic_extent || (aStart + aLength <= len)))

Top 10 frames of crashing thread:

0 xul.dll mozilla::Span<Index<OldListUnits>, 4294967295>::Subspan mfbt/Span.h:704
1 xul.dll DirectedAcyclicGraph<OldListUnits>::GetDirectPredecessors layout/painting/RetainedDisplayListHelpers.h:128
2 xul.dll MergeState::Finalize layout/painting/RetainedDisplayListBuilder.cpp:322
3 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:517
4 xul.dll MergeState::ProcessItemFromNewList layout/painting/RetainedDisplayListBuilder.cpp:293
5 xul.dll nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator> xpcom/ds/nsTArray-inl.h:136
6 xul.dll RetainedDisplayListBuilder::MergeDisplayLists layout/painting/RetainedDisplayListBuilder.cpp:514
7 xul.dll RetainedDisplayListBuilder::AttemptPartialUpdate layout/painting/RetainedDisplayListBuilder.cpp:1206
8 xul.dll nsIFrame::GetBorderRadii layout/generic/nsFrame.cpp:1828
9 xul.dll nsTArray_Impl<imgCacheEntry*, nsTArrayInfallibleAllocator>::AppendElement<imgCacheEntry*&, nsTArrayInfallibleAllocator> xpcom/ds/nsTArray.h:2288
=============================================================
This is a fun one. Setting blocking RDLBugs since it's from RDL code, but I suspect it's not really related.

Had a look at some crash reports:

* len=7, aStart=3, aLength=0x00440001
* len=1, aStart=0, aLength=0x00700000
* len=1, aStart=0x08000000, aLength=1
* len=8, aStart=7, aLength=0x00000401
* len=79, aStart=0x0000023a, aLength=1
* len=1, aStart=0, aLength=0x00800000

The invalid number isn't consistently the same one, and they don't look like off-by-one, miscounting or overflow bugs. They look very much like the expected number, with a high bit or two flipped.

This seems like a symptom of corruption, but hard to know where it would be coming from. We have existing bugs on corruption happening during DL building though.

The pattern of corruption (bit flipping), and that it appears to be different bits every time probably is useful information, though I can't think of anything that would match that right now.
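A small triage helper, added here as an illustration and not part of the bug or of mfbt/Span.h: it mirrors the MOZ_RELEASE_ASSERT predicate quoted in the crash report, runs it over the six (len, aStart, aLength) tuples from the comment above, identifies which operand tripped the check, and counts the bits set in that operand above the width len itself occupies. The "stray high bits" measure is an assumption used to make the bit-flip observation checkable: each offending value has only one to three such bits, whereas a miscount or overflow would typically produce a dense bit pattern.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// mozilla::Span uses an all-ones extent for dynamic_extent; mirrored here.
constexpr size_t dynamic_extent = static_cast<size_t>(-1);

struct SubspanArgs {
  size_t len;      // length of the Span being sliced
  size_t aStart;   // requested start offset
  size_t aLength;  // requested length, or dynamic_extent
};

// The predicate from the MOZ_RELEASE_ASSERT quoted in the crash report.
bool SubspanPreconditionHolds(const SubspanArgs& a) {
  return a.aStart <= a.len &&
         (a.aLength == dynamic_extent || a.aStart + a.aLength <= a.len);
}

// Which operand breaks the check: 0 = none, 1 = aStart, 2 = aLength.
int OffendingOperand(const SubspanArgs& a) {
  if (a.aStart > a.len) return 1;
  if (a.aLength != dynamic_extent && a.aStart + a.aLength > a.len) return 2;
  return 0;
}

// Number of bits needed to represent v (0 for v == 0).
int BitWidth(size_t v) {
  int w = 0;
  while (v) { ++w; v >>= 1; }
  return w;
}

// Bits set in v above the width that len occupies (hypothetical metric):
// a plausible index with a high bit flipped scores 1 or 2 here.
int StrayHighBits(size_t v, size_t len) {
  int count = 0;
  for (int bit = BitWidth(len); bit < int(sizeof(size_t) * 8); ++bit)
    if ((v >> bit) & 1) ++count;
  return count;
}

// The six (len, aStart, aLength) tuples quoted in the comment above.
const std::vector<SubspanArgs> kCrashReports = {
  {7, 3, 0x00440001}, {1, 0, 0x00700000}, {1, 0x08000000, 1},
  {8, 7, 0x00000401}, {79, 0x0000023a, 1}, {1, 0, 0x00800000},
};

// For report i: stray high bits in whichever operand tripped the assert.
int StrayBitsInReport(size_t i) {
  const SubspanArgs& a = kCrashReports[i];
  size_t v = OffendingOperand(a) == 1 ? a.aStart : a.aLength;
  return StrayHighBits(v, a.len);
}
```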
Blocks: RDLbugs
Crash Signature: [@ mozilla::Span<T>::Subspan] → [@ mozilla::Span<T>::Subspan] [@ InvalidArrayIndex_CRASH | DirectedAcyclicGraph<T>::GetDirectPredecessors] [@ DirectedAcyclicGraph<T>::GetDirectPredecessors]
Priority: -- → P2
Whiteboard: qa-not-actionable
Severity: critical → S2

Not many crashes on crash stats -> S3.

Severity: S2 → S3