Closed Bug 1368315 Opened 3 years ago Closed 3 years ago
Crash in mozilla::layers::APZCTreeManager::ReceiveInputEvent
This bug was filed from the Socorro interface and is report bp-c5855478-1dc9-4d8a-b0c6-3e4430170527.

There is 1 crash in nightly 55 with buildid 20170526030203. In analyzing the backtrace, the regression may have been introduced by patch to fix bug 1352863. https://hg.mozilla.org/mozilla-central/rev?node=f3a6eadd0a977a588b5076ece395e1e2f2929167
Thanks. This is actually a regression from bug 1349750, which introduced this code (bug 1352863 just moved it around a bit). The problem is that we're calling ConfirmDragBlock() and then dragBlock->SetContentResponse(), but ConfirmDragBlock() can potentially process and consume the block. We need to call SetContentResponse() first. Patch coming up.
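The call-ordering problem described in the comment above, as an added C++ illustration that is not Gecko's code: the DragBlock and InputQueue classes, the IsLive guard and the ConfirmThenRespond/RespondThenConfirm functions are all constructed for this example. The toy queue destroys a block as soon as its target is confirmed, so a raw pointer held across ConfirmDragBlock() dangles; the guard stands in for what AddressSanitizer would report, and the fixed ordering records the content response before handing the block over.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Constructed toy model of a queued drag block (not Gecko's real class).
struct DragBlock {
    bool targetConfirmed = false;
    bool contentResponse = false;  // what content said about the drag
    void SetContentResponse(bool handled) { contentResponse = handled; }
};

// Toy input queue that owns its blocks. Confirming a block's target makes it
// ready, and a ready block is processed and destroyed immediately, so any raw
// pointer to it that the caller still holds becomes dangling.
class InputQueue {
public:
    DragBlock* AddDragBlock() {
        mBlocks.push_back(std::make_unique<DragBlock>());
        return mBlocks.back().get();
    }

    // Confirm the target and, since that makes the block ready in this model,
    // process it and free it. Returns true if the block was consumed.
    bool ConfirmDragBlock(DragBlock* block) {
        auto it = std::find_if(mBlocks.begin(), mBlocks.end(),
            [block](const std::unique_ptr<DragBlock>& p) { return p.get() == block; });
        if (it == mBlocks.end()) return false;
        (*it)->targetConfirmed = true;
        mLastProcessedResponse = (*it)->contentResponse;  // "process" the block
        mBlocks.erase(it);                                // destroys the DragBlock
        return true;
    }

    // Stand-in for the check a sanitizer performs: is this pointer still
    // backed by a live block owned by the queue?
    bool IsLive(const DragBlock* block) const {
        return std::any_of(mBlocks.begin(), mBlocks.end(),
            [block](const std::unique_ptr<DragBlock>& p) { return p.get() == block; });
    }

    bool LastProcessedResponse() const { return mLastProcessedResponse; }

private:
    std::vector<std::unique_ptr<DragBlock>> mBlocks;
    bool mLastProcessedResponse = false;
};

// The ordering the bug describes: confirm first, then touch the block.
// Returns true only if the block was still alive when it was used; without
// the IsLive guard the SetContentResponse() call would be a use-after-free.
bool ConfirmThenRespond(InputQueue& queue, bool handled) {
    DragBlock* block = queue.AddDragBlock();
    queue.ConfirmDragBlock(block);            // may process and free the block
    if (!queue.IsLive(block)) return false;   // pointer is dangling here
    block->SetContentResponse(handled);
    return true;
}

// The fixed ordering: record the content response while the block is
// certainly alive, then let the queue consume it and never touch it again.
// Returns true if the processed block carried the response we set.
bool RespondThenConfirm(InputQueue& queue, bool handled) {
    DragBlock* block = queue.AddDragBlock();
    block->SetContentResponse(handled);       // block is still owned and live
    queue.ConfirmDragBlock(block);            // may consume the block; no further use
    return queue.LastProcessedResponse() == handled;
}

int main() {
    InputQueue queue;
    bool ok = RespondThenConfirm(queue, true) && !ConfirmThenRespond(queue, true);
    return ok ? 0 : 1;
}
```

In the real code there is no IsLive guard; the point of the fix is that the only safe place to call SetContentResponse() is before any call that may process and release the block.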
Assignee: nobody → botond
Comment on attachment 8872372 [details] Bug 1368315 - Avoid calling SetContentResponse() on an already-consumed drag block. https://reviewboard.mozilla.org/r/143860/#review147608
Attachment #8872372 - Flags: review?(bugmail) → review+
Priority: -- → P2
Whiteboard: [clouseau] → [gfx-noted][clouseau]
Some crash addresses indicate a UAF, so marking it as security sensitive.
This landed on autoland (pulsebot can't post to this bug) https://hg.mozilla.org/integration/autoland/rev/c516c8e50993