Closed
Bug 1368315
Opened 7 years ago
Closed 7 years ago
Crash in mozilla::layers::APZCTreeManager::ReceiveInputEvent
Categories
(Core :: Panning and Zooming, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla55
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | --- | unaffected |
firefox55 | --- | fixed |
People
(Reporter: calixte, Assigned: botond)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, Whiteboard: [gfx-noted][clouseau])
Crash Data
Attachments
(1 file)
This bug was filed from the Socorro interface and is report bp-c5855478-1dc9-4d8a-b0c6-3e4430170527.
=============================================================
There is 1 crash in nightly 55 with buildid 20170526030203. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1352863.

[1] https://hg.mozilla.org/mozilla-central/rev?node=f3a6eadd0a977a588b5076ece395e1e2f2929167
Flags: needinfo?(botond)
Comment 1 • 7 years ago (Assignee)
Thanks. This is actually a regression from bug 1349750, which introduced this code (bug 1352863 just moved it around a bit). The problem is that we're calling ConfirmDragBlock() and then dragBlock->SetContentResponse(), but ConfirmDragBlock() can potentially process and consume the block. We need to call SetContentResponse() first. Patch coming up.
Assignee: nobody → botond
Flags: needinfo?(botond)
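The ordering problem described in Comment 1, as an added example that is not part of the bug thread and not Mozilla's code. ToyInputQueue, DragBlock, Start() and the two helper functions are assumptions; a weak_ptr stands in for the caller's raw pointer so the freed state can be observed instead of triggering undefined behaviour.

```cpp
#include <cstdint>
#include <map>
#include <memory>

// Toy model (assumption, not Gecko code): the queue owns each block and
// destroys it as soon as ConfirmDragBlock() has processed it.
struct DragBlock {
  bool contentResponded = false;
  void SetContentResponse() { contentResponded = true; }
};

class ToyInputQueue {
  std::map<uint64_t, std::shared_ptr<DragBlock>> mBlocks;
  int mProcessedWithResponse = 0;
 public:
  // Returns a non-owning handle, standing in for the caller's raw pointer.
  std::weak_ptr<DragBlock> Start(uint64_t id) {
    auto block = std::make_shared<DragBlock>();
    mBlocks[id] = block;
    return block;
  }
  void ConfirmDragBlock(uint64_t id) {
    auto it = mBlocks.find(id);
    if (it == mBlocks.end()) return;
    if (it->second->contentResponded) ++mProcessedWithResponse;
    mBlocks.erase(it);  // block consumed: last owner released, memory freed
  }
  int ProcessedWithResponse() const { return mProcessedWithResponse; }
};

// Order described in Comment 1 as the bug: confirm, then touch the block.
bool ConfirmThenRespond(ToyInputQueue& q, uint64_t id) {
  std::weak_ptr<DragBlock> handle = q.Start(id);
  q.ConfirmDragBlock(id);
  if (auto block = handle.lock()) {  // a raw pointer offers no such check
    block->SetContentResponse();
    return true;
  }
  return false;  // block already freed; a raw-pointer call here is the UAF
}

// Corrected order: record the content response while the block is alive.
bool RespondThenConfirm(ToyInputQueue& q, uint64_t id) {
  std::weak_ptr<DragBlock> handle = q.Start(id);
  bool responded = false;
  if (auto block = handle.lock()) { block->SetContentResponse(); responded = true; }
  q.ConfirmDragBlock(id);
  return responded;
}
int main() { ToyInputQueue q; return !ConfirmThenRespond(q, 1) && RespondThenConfirm(q, 2) ? 0 : 1; }
```

In the confirm-first order the content response is also lost, because the block is processed before the response is recorded.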
Updated • 7 years ago (Assignee)
Comment hidden (mozreview-request)
Comment 3 • 7 years ago (Assignee)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=73b1f8908ee55cc44ea9d03763cf2d6b5b2a849a
Comment 4 • 7 years ago
mozreview-review
Comment on attachment 8872372 [details] Bug 1368315 - Avoid calling SetContentResponse() on an already-consumed drag block. https://reviewboard.mozilla.org/r/143860/#review147608
Attachment #8872372 - Flags: review?(bugmail) → review+
Updated • 7 years ago
Priority: -- → P2
Whiteboard: [clouseau] → [gfx-noted][clouseau]
Comment 5 • 7 years ago (Reporter)
Some crash addresses indicate a UAF, so marking it as security sensitive.
Group: core-security
Comment 6 • 7 years ago
This landed on autoland (pulsebot can't post to this bug) https://hg.mozilla.org/integration/autoland/rev/c516c8e50993
Comment 7 • 7 years ago
https://hg.mozilla.org/mozilla-central/rev/c516c8e50993
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated • 7 years ago
Group: core-security → core-security-release
Updated • 7 years ago
Group: core-security-release