Closed Bug 1325159 Opened 7 years ago Closed 7 years ago

Null-deref in [@ ShouldBuildLayerEvenIfInvisible]

Categories

(Core :: Graphics: Layers, defect, P1)

Product:
Core
Component:
Graphics: Layers
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: truber, Assigned: ethlin)

Details

(Keywords: crash, testcase, Whiteboard: [gfx-noted])

Attachments

(4 files)

testcase.html
792 bytes, text/html
Details
nullptr check
1.80 KB, patch
mattwoodrow
: review+
Details | Diff | Splinter Review
Add crashtest
1.86 KB, patch
pchang
: review+
Details | Diff | Splinter Review
patch for aurora
1.79 KB, patch
jcristau
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file testcase.html 
The attached testcase crashes in mozilla-central rev c36fbe84042d

==23952==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9c5cd28fb4 bp 0x7fff935ba170 sp 0x7fff935ba170 T0)
    #0 0x7f9c5cd28fb3 in nsDisplayPerspective::ShouldBuildLayerEvenIfInvisible(nsDisplayListBuilder*) /home/worker/workspace/build/src/layout/base/nsDisplayList.h:4400:12
    #1 0x7f9c5ca656f3 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:4207:12
    #2 0x7f9c5ca767d5 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:5537:5
    #3 0x7f9c5cc047be in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /home/worker/workspace/build/src/layout/base/nsDisplayList.cpp:4938:34
    #4 0x7f9c5cc05373 in nsDisplaySubDocument::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /home/worker/workspace/build/src/layout/base/nsDisplayList.cpp:4989:25
    #5 0x7f9c5ca66d79 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:4309:32
    #6 0x7f9c5ca767d5 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /home/worker/workspace/build/src/layout/base/FrameLayerBuilder.cpp:5537:5
    #7 0x7f9c5cbc995c in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/base/nsDisplayList.cpp:1861:12
    #8 0x7f9c5cc7edfc in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3650:7
    #9 0x7f9c5ccfd1c5 in PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:6387:5
Priority: -- → P1
Whiteboard: [gfx-noted]
Attached patch nullptr checkSplinter Review 
Add nullptr check for GetTop() in ShouldBuildLayerEvenIfInvisible/DoUpdateBoundsPreserves3D.
Please feel free to take this bug if final fix is not so simple.
Attachment #8821068 - Flags: review?(matt.woodrow)
Attachment #8821068 - Flags: review?(matt.woodrow) → review+
Attached patch Add crashtestSplinter Review 
Add the testcase.html to crashtest.
Attachment #8824899 - Flags: review?(howareyou322)
Attachment #8824899 - Flags: review?(howareyou322) → review+
Assignee: nobody → ethlin
Keywords: checkin-needed
Please nominate this for Aurora approval when you get a chance.
status-firefox50: --- → wontfix
status-firefox51: --- → wontfix
status-firefox52: --- → affected
status-firefox-esr45: --- → unaffected
Flags: needinfo?(ethlin)
Flags: in-testsuite+
Comment on attachment 8821068 [details] [diff] [review]
nullptr check

Approval Request Comment
[Feature/Bug causing the regression]:
[User impact if declined]: may crash when user visit certain website 
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: no
[Why is the change risky/not risky?]: This is just adding some null pointer checks.
[String changes made/needed]: none
Flags: needinfo?(ethlin)
Attachment #8821068 - Flags: approval-mozilla-aurora?
Comment on attachment 8821068 [details] [diff] [review]
nullptr check

Looks like there are some conflicts when applying the patch to aurora.
Attachment #8821068 - Flags: approval-mozilla-aurora?
Attached patch patch for auroraSplinter Review 
Approval Request Comment
[Feature/Bug causing the regression]:
[User impact if declined]: may crash when user visit certain website 
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]:
[Is the change risky?]: no
[Why is the change risky/not risky?]: This is just adding some null pointer checks.
[String changes made/needed]: none
Attachment #8829026 - Flags: approval-mozilla-aurora?
Comment on attachment 8829026 [details] [diff] [review]
patch for aurora

crash fix, beta52+
Attachment #8829026 - Flags: approval-mozilla-aurora? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: