Closed
Bug 1467999
Opened 6 years ago
Closed 6 years ago
Crash in mozilla::ActiveScrolledRoot::GetViewId const
Categories
(Core :: Graphics: WebRender, defect)
Tracking
RESOLVED
FIXED
mozilla62
Version | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox60 | --- | unaffected |
firefox61 | --- | unaffected |
firefox62 | --- | disabled |
People
(Reporter: jan, Assigned: kats)
References
(Blocks 1 open bug)
Details
(Keywords: crash, nightly-community, regression)
Crash Data
Attachments
(1 file)
I get a tab crash just by opening https://td00.de/, but only if WebRender is enabled.

bp-ff564bf8-3519-4ea6-9c53-b4b520180609 09.06.18 15:31
bp-0ae6fafc-45b7-49ef-846f-b66cd0180609 09.06.18 15:31
bp-3622a850-ce6d-4483-b809-7fd430180609 09.06.18 15:30
bp-24f21ea4-f081-41f6-adfa-9634c0180609 09.06.18 15:30

Reporter
Comment 1 • 6 years ago
mozregression --good 2018-05-15 --bad 2018-06-09 --pref gfx.webrender.all:true startup.homepage_welcome_url:'https://td00.de/'
> 6:39.47 INFO: Last good revision: c09d2eeb54afcab0cf2309be154ea24957cb116d
> 6:39.47 INFO: First bad revision: ada5a84764728f3d16d60f65052cf56f84aabd51
> 6:39.47 INFO: Pushlog:
> https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c09d2eeb54afcab0cf2309be154ea24957cb116d&tochange=ada5a84764728f3d16d60f65052cf56f84aabd51
> ada5a8476472 Kartikaya Gupta — Bug 1465935 - Handle another edge case with hit-testing inside fixed-pos items. r=mstange
> b04f4c9b15ab Kartikaya Gupta — Bug 1465935 - Fix hit-testing for fixed-pos items inside iframes. r=mstange
Blocks: 1465935
Has Regression Range: --- → yes
Has STR: --- → yes
status-firefox60:
--- → unaffected
status-firefox61:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: needinfo?(bugmail)
Keywords: regression
Assignee
Comment 2 • 6 years ago
Thanks, I'll look into it.
Assignee: nobody → bugmail
Flags: needinfo?(bugmail)
Assignee
Comment 3 • 6 years ago
mContainerASR is refcounted, but I didn't use a RefPtr in nsDisplayFixedPosition. On this page that results in a UAF. The same problem actually applies to nsDisplayStickyPosition, but I guess we haven't encountered a page that hits that crash yet. Also it turns out that there's three nsDisplayFixedPosition constructors, not two. One was hiding in the .h file and I neglected to update it, so I'll fix that too.
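The ownership mistake described in comment 3, reduced to a stand-alone C++ sketch (an added example, not the Gecko patch or Gecko code). `ScrolledRoot`, `Ref`, `RawItem` and `HeldItem` are hypothetical stand-ins for the ASR class, `RefPtr`, and the display item before and after the fix; only the member name `mContainerASR` comes from the comment. A live-object counter shows when the object is destroyed, so the dangling pointer is never dereferenced.

```cpp
#include <cstdint>
#include <utility>
// Hypothetical stand-ins, not Gecko code: an intrusively refcounted ASR-like
// object and a minimal owning pointer playing the role of RefPtr.
static int gLiveRoots = 0;  // how many ScrolledRoot objects currently exist
class ScrolledRoot {
 public:
  explicit ScrolledRoot(uint64_t aViewId) : mViewId(aViewId) { ++gLiveRoots; }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  uint64_t GetViewId() const { return mViewId; }
 private:
  ~ScrolledRoot() { --gLiveRoots; }
  uint64_t mViewId;
  int mRefCnt = 0;
};
template <typename T>
class Ref {
 public:
  explicit Ref(T* aPtr = nullptr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  Ref(const Ref& aOther) : Ref(aOther.mPtr) {}
  Ref& operator=(Ref aOther) { std::swap(mPtr, aOther.mPtr); return *this; }
  ~Ref() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
 private:
  T* mPtr;
};

// "Before": the item borrows the pointer and does not keep the object alive.
struct RawItem { const ScrolledRoot* mContainerASR; };
// "After": the item owns a reference, so the object outlives other owners.
struct HeldItem { Ref<ScrolledRoot> mContainerASR; };

// Live roots after the only owner lets go while a RawItem still points at
// the object. 0 means the item's pointer now dangles.
int LiveRootsWithRawItem() {
  Ref<ScrolledRoot> owner(new ScrolledRoot(7));
  RawItem item{owner.get()};
  owner = Ref<ScrolledRoot>();  // last reference dropped, object deleted
  (void)item;                   // item.mContainerASR must not be used now
  return gLiveRoots;
}

// Same sequence with HeldItem: the view id is still safely readable.
uint64_t ViewIdWithHeldItem() {
  Ref<ScrolledRoot> owner(new ScrolledRoot(7));
  HeldItem item{owner};
  owner = Ref<ScrolledRoot>();  // item still holds a reference
  return gLiveRoots == 1 ? item.mContainerASR.get()->GetViewId() : 0;
}
```

Building the `RawItem` variant with AddressSanitizer and reading through the stale pointer would report a heap-use-after-free, which is the class of crash this bug tracks.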
Comment hidden (mozreview-request)
Reporter
Updated • 6 years ago
Crash Signature: [@ mozilla::ActiveScrolledRoot::GetViewId const ] → [@ mozilla::ActiveScrolledRoot::GetViewId const ]
[@ mozilla::ActiveScrolledRoot::GetViewId ]
OS: Linux → All
Reporter
Updated • 6 years ago
Crash Signature: [@ mozilla::ActiveScrolledRoot::GetViewId const ]
[@ mozilla::ActiveScrolledRoot::GetViewId ] → [@ mozilla::ActiveScrolledRoot::GetViewId const ]
[@ mozilla::ActiveScrolledRoot::GetViewId ]
[@ nsDisplayFixedPosition::CreateWebRenderCommands ]
Comment 5 • 6 years ago
mozreview-review
Comment on attachment 8984687 [details]
Bug 1467999 - Hold RefPtrs to the ASR objects to avoid UAFs.

https://reviewboard.mozilla.org/r/250536/#review256920

Whoops.
Attachment #8984687 - Flags: review?(mstange) → review+
Pushed by kgupta@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/64960572836b
Hold RefPtrs to the ASR objects to avoid UAFs. r=mstange
Comment 7 • 6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/64960572836b
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62