Closed
Bug 1325159
Opened 7 years ago
Closed 7 years ago
Null-deref in [@ ShouldBuildLayerEvenIfInvisible]
Categories
(Core :: Graphics: Layers, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla53
Release | Tracking | Status |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox50 | --- | wontfix |
firefox51 | --- | wontfix |
firefox52 | --- | fixed |
firefox53 | --- | fixed |
People
(Reporter: truber, Assigned: ethlin)
Details
(Keywords: crash, testcase, Whiteboard: [gfx-noted])
Attachments
(4 files)
Size | Type | Flag |
---|---|---|
792 bytes | text/html | |
1.80 KB | patch | mattwoodrow: review+ |
1.86 KB | patch | pchang: review+ |
1.79 KB | patch | jcristau: approval-mozilla-beta+ |
The attached testcase crashes in mozilla-central rev c36fbe84042d

==23952==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9c5cd28fb4 bp 0x7fff935ba170 sp 0x7fff935ba170 T0)
    #0 0x7f9c5cd28fb3 in nsDisplayPerspective::ShouldBuildLayerEvenIfInvisible(nsDisplayListBuilder*) /home/worker/workspace/build/src/layout/base/nsDisplayList.h:4400:12
    #1 0x7f9c5ca656f3 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:4207:12
    #2 0x7f9c5ca767d5 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:5537:5
    #3 0x7f9c5cc047be in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /home/worker/workspace/build/src/layout/base/nsDisplayList.cpp:4938:34
    #4 0x7f9c5cc05373 in nsDisplaySubDocument::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /home/worker/workspace/build/src/layout/base/nsDisplayList.cpp:4989:25
    #5 0x7f9c5ca66d79 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:4309:32
    #6 0x7f9c5ca767d5 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:5537:5
    #7 0x7f9c5cbc995c in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/base/nsDisplayList.cpp:1861:12
    #8 0x7f9c5cc7edfc in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3650:7
    #9 0x7f9c5ccfd1c5 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:6387:5
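How the crash signature in the bug title follows from the report above, as an added triage example that is not part of the original bug or of Mozilla's tooling: it parses the ASan header and frame #0, flags a fault at a near-zero address as a null dereference, and builds the [@ ...] signature. The function name triage, the 0x1000 threshold and the embedded sample (the header and first frames of the trace above) are assumptions of this example.

```python
import re

# Constructed sample: header and first two frames of the ASan report quoted above.
SAMPLE = """\
==23952==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9c5cd28fb4 bp 0x7fff935ba170 sp 0x7fff935ba170 T0)
    #0 0x7f9c5cd28fb3 in nsDisplayPerspective::ShouldBuildLayerEvenIfInvisible(nsDisplayListBuilder*) /home/worker/workspace/build/src/layout/base/nsDisplayList.h:4400:12
    #1 0x7f9c5ca656f3 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:4207:12
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-fA-F]+)")
# Frame line: "#N 0xPC in <function, may contain spaces> /path/file:line[:col]"
FRAME = re.compile(r"#(\d+) 0x[0-9a-fA-F]+ in (.+?) (/[^\s:]+):(\d+)(?::\d+)?\s*$")
NULL_PAGE = 0x1000  # assumption: faults below this address count as null derefs


def triage(report):
    """Return fault kind, address, null-deref flag and top-frame details."""
    head = HEADER.search(report)
    if head is None:
        raise ValueError("no AddressSanitizer fault header found")
    frames = []
    for line in report.splitlines():
        m = FRAME.search(line)
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    if not frames or frames[0][0] != 0:
        raise ValueError("report has no frame #0")
    _, func, path, line_no = frames[0]
    addr = int(head.group(2), 16)
    qualified = func.split("(", 1)[0]  # drop the argument list
    return {
        "fault": head.group(1),
        "address": addr,
        "null_deref": addr < NULL_PAGE,
        # Bugzilla-style signature: unqualified name of the crashing function.
        "signature": "[@ %s]" % qualified.rsplit("::", 1)[-1],
        "file": path.rsplit("/", 1)[-1],
        "line": line_no,
        "depth": len(frames),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```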
Assignee | ||
Updated•7 years ago
|
Priority: -- → P1
Whiteboard: [gfx-noted]
Assignee | ||
Comment 1•7 years ago
|
||
Add nullptr check for GetTop() in ShouldBuildLayerEvenIfInvisible/DoUpdateBoundsPreserves3D. Please feel free to take this bug if final fix is not so simple.
Attachment #8821068 -
Flags: review?(matt.woodrow)
Updated•7 years ago
|
Attachment #8821068 -
Flags: review?(matt.woodrow) → review+
Assignee | ||
Comment 2•7 years ago
|
||
Add the testcase.html to crashtest.
Attachment #8824899 -
Flags: review?(howareyou322)
Updated•7 years ago
|
Attachment #8824899 -
Flags: review?(howareyou322) → review+
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → ethlin
Assignee | ||
Updated•7 years ago
|
Keywords: checkin-needed
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/47dd6b1e1dbd
Add nullptr check for GetTop(). r=mattwoodrow
https://hg.mozilla.org/integration/mozilla-inbound/rev/59ff490ac047
Add crash test for bug 1325159. r=pchang
Keywords: checkin-needed
Comment 4•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/47dd6b1e1dbd
https://hg.mozilla.org/mozilla-central/rev/59ff490ac047
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment 5•7 years ago
|
||
Please nominate this for Aurora approval when you get a chance.
status-firefox50:
--- → wontfix
status-firefox51:
--- → wontfix
status-firefox52:
--- → affected
status-firefox-esr45:
--- → unaffected
Flags: needinfo?(ethlin)
Flags: in-testsuite+
Assignee | ||
Comment 6•7 years ago
|
||
Comment on attachment 8821068: nullptr check
Approval Request Comment
[Feature/Bug causing the regression]:
[User impact if declined]: may crash when a user visits certain websites
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: no
[Why is the change risky/not risky?]: This is just adding some null pointer checks.
[String changes made/needed]: none
Flags: needinfo?(ethlin)
Attachment #8821068 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 7•7 years ago
|
||
Comment on attachment 8821068: nullptr check
Looks like there are some conflicts when applying the patch to aurora.
Attachment #8821068 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 8•7 years ago
|
||
Approval Request Comment
[Feature/Bug causing the regression]:
[User impact if declined]: may crash when a user visits certain websites
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: no
[Why is the change risky/not risky?]: This is just adding some null pointer checks.
[String changes made/needed]: none
Attachment #8829026 -
Flags: approval-mozilla-aurora?
Comment 9•7 years ago
|
||
Comment on attachment 8829026: patch for aurora
crash fix, beta52+
Attachment #8829026 -
Flags: approval-mozilla-aurora? → approval-mozilla-beta+
Comment 10•7 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/a9a756031446
https://hg.mozilla.org/releases/mozilla-beta/rev/89e4f1010091