Crash in mozilla::layers::APZCTreeManager::StartScrollbarDrag (on about: pages only)

VERIFIED FIXED in Firefox 55

Status

P1
critical
VERIFIED FIXED
2 years ago
a year ago

People

(Reporter: tracy, Assigned: botond)

Tracking

({crash, reproducible})

unspecified
mozilla55
crash, reproducible

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox53 unaffected, firefox54 unaffected, firefox55 verified)

Details

(Whiteboard: [gfx-noted], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
This bug was filed from the Socorro interface and is 
report bp-169ff542-249e-49c2-933d-4920b0170531.
=============================================================


There are reports of this on Windows NT and Mac OS X. It just started with the latest Nightly, 55.0a1, 20170531030204.

I crashed with only about:newtab open.  The browser seemed to crash when I clicked away from the window (click on desktop), but that may have been coincidental.  I haven't reproduced the crash yet.  One install on Mac has already submitted two reports.
status-firefox54: --- → unaffected
status-firefox55: --- → affected
(Reporter)

Comment 1

2 years ago
Discovered reliable STR

1) Open a new tab  (about:newtab, command+T or "+" in tab bar)
2) ensure the window is small enough that the vertical scroll bar is present
3) click on the scroll bar

tested result: CRASH

expected result:  scroll bar is clickable for mouse sliding

note:  mouse wheel scrolling and touch pad scrolling of about:newtab works fine.
Keywords: reproducible
(Reporter)

Comment 2

2 years ago
I haven't seen this on regular web pages.  Seems to be reproducible only on a variety of about: pages.
Summary: Crash in mozilla::layers::APZCTreeManager::StartScrollbarDrag → Crash in mozilla::layers::APZCTreeManager::StartScrollbarDrag (on about: pages only)
(Assignee)

Comment 3

2 years ago
Thanks for the STR, I am able to repro.
Assignee: nobody → botond
Component: XUL → Panning and Zooming
Priority: -- → P1
Whiteboard: [gfx-noted]
(Assignee)

Updated

2 years ago
Duplicate of this bug: 1369079
(Assignee)

Updated

2 years ago
Crash Signature: [@ mozilla::layers::APZCTreeManager::StartScrollbarDrag] → [@ mozilla::layers::APZCTreeManager::StartScrollbarDrag] [@ mozilla::layers::APZCTreeManager::NotifyScrollbarDragRejected]
(Assignee)

Comment 5

2 years ago
diagnosis
There was a latent bug in nsBaseWidget::StartAsyncScrollbarDrag(), where a uint64_t value (the root's layers ID) was temporarily coerced into a 32-bit variable, losing the top 32 bits.

This latent bug was exposed by the recently landed bug 1366915, which changed the way layers IDs are allocated to make use of the top 32 bits all the time.
Blocks: 1366915, 1199885
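
The truncation described in comment 5, as an added C++ illustration that is not the Firefox patch or part of the original thread. The registry, the function names and the ID layout (a namespace in the top 32 bits) are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <map>
#include <string>

// Hypothetical names throughout (not Firefox code). Constructed table keyed by a 64-bit ID.
using Registry = std::map<uint64_t, std::string>;

// Assumed ID layout: a namespace in the top 32 bits, a counter in the low 32.
constexpr uint64_t MakeId(uint32_t ns, uint32_t counter) {
  return (static_cast<uint64_t>(ns) << 32) | counter;
}

const std::string* Lookup(const Registry& reg, uint64_t id) {
  auto it = reg.find(id);
  return it == reg.end() ? nullptr : &it->second;
}

// Buggy shape: the ID passes through a 32-bit temporary and loses bits 32..63.
// An implicit `uint32_t tmp = id;` truncates the same way, without the cast.
const std::string* LookupViaNarrowTemp(const Registry& reg, uint64_t id) {
  uint32_t tmp = static_cast<uint32_t>(id);
  return Lookup(reg, tmp);  // widened back to 64 bits with the top half zeroed
}

// Fixed shape: the temporary has the same width as the ID.
const std::string* LookupFullWidth(const Registry& reg, uint64_t id) {
  uint64_t tmp = id;
  return Lookup(reg, tmp);
}

// Guard for code that really needs 32 bits: refuse a lossy narrowing.
bool CheckedNarrow(uint64_t v, uint32_t* out) {
  if (v > std::numeric_limits<uint32_t>::max()) return false;
  *out = static_cast<uint32_t>(v);
  return true;
}

int main() {
  const uint64_t id = MakeId(3, 7);  // top 32 bits in use
  Registry reg; reg[id] = "root";
  const std::string* hit = LookupViaNarrowTemp(reg, id);
  std::printf("narrow temp: %s\n", hit ? hit->c_str() : "(null)");
  hit = LookupFullWidth(reg, id);
  std::printf("full width:  %s\n", hit ? hit->c_str() : "(null)");
  uint32_t narrowed = 0;
  std::printf("checked narrow ok: %d\n", CheckedNarrow(id, &narrowed));
  return 0;
}
```

While every ID has zero in its top 32 bits the narrow temporary round-trips unchanged, which is why a bug of this shape can stay latent until the allocation scheme changes. Building with `-Wconversion` (GCC/Clang) flags the implicit form of the narrowing at compile time.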
Comment hidden (mozreview-request)

Comment 7

2 years ago
mozreview-review
Comment on attachment 8873120 [details]
Bug 1369074 - Store the layers id in a variable of the proper type (uint64_t) in nsBaseWidget::StartAsyncScrollbarDrag().

https://reviewboard.mozilla.org/r/144592/#review148446
Attachment #8873120 - Flags: review?(bugmail) → review+

Comment 8

2 years ago
Pushed by bballo@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8709ce04de16
Store the layers id in a variable of the proper type (uint64_t) in nsBaseWidget::StartAsyncScrollbarDrag(). r=kats

Comment 9

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/8709ce04de16
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
status-firefox53: --- → unaffected
status-firefox-esr52: --- → unaffected
(Reporter)

Comment 10

2 years ago
Today's Nightly update no longer crashes clicking the scrollbar on about: pages.
Status: RESOLVED → VERIFIED
status-firefox55: fixed → verified