Closed Bug 1451477 Opened 6 years ago Closed 2 years ago

Crash in nsDisplayItem::RestoreState

Categories

(Core :: Web Painting, defect, P2)

58 Branch
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- disabled
firefox59 --- disabled
firefox60 + disabled
firefox61 - fix-optional
firefox62 - wontfix
firefox63 --- ?

People

(Reporter: philipp, Unassigned)

References

Details

(4 keywords)

Crash Data

This bug was filed from the Socorro interface and is report bp-bb05c64a-17c2-44b2-848d-991f20180404.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll nsDisplayItem::RestoreState layout/painting/nsDisplayList.h:2134
1 xul.dll nsDisplayOpacity::RestoreState layout/painting/nsDisplayList.h:5144
2 xul.dll RetainedDisplayListBuilder::PreProcessDisplayList layout/painting/RetainedDisplayListBuilder.cpp:142
3 xul.dll RetainedDisplayListBuilder::PreProcessDisplayList layout/painting/RetainedDisplayListBuilder.cpp:126
4 xul.dll RetainedDisplayListBuilder::AttemptPartialUpdate layout/painting/RetainedDisplayListBuilder.cpp:1142
5 xul.dll nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:3868
6 xul.dll mozilla::PresShell::Paint layout/base/PresShell.cpp:6435
7 xul.dll nsViewManager::ProcessPendingUpdatesPaint view/nsViewManager.cpp:480
8 xul.dll nsViewManager::ProcessPendingUpdatesForView view/nsViewManager.cpp:412
9 xul.dll nsViewManager::ProcessPendingUpdates view/nsViewManager.cpp:1102

=============================================================

These crashes in the content process related to the retained display list are starting to show up in a somewhat higher frequency during 60.0b.
Keywords: sec-high
Group: core-security → layout-core-security
layout.display-list.retain will be disabled for 60 in bug 1454509
Looks like fairly low frequency, so setting P2 for now.

The crash looks like nsDisplayItem::mClipState::mClipChain is corrupt (or UAF); we're crashing trying to increment the ref count before copying the pointer into the destination.

Feels very similar to the other display item corruption bugs.
Priority: -- → P2
Like bug 1418790, there are no signs of this signature yet in 61 on Beta either.
No longer blocks: RDLbugs
Multiple crashes in 61 now
Assignee: nobody → matt.woodrow
While I'm still very-much interested in fixing this in 61 if at all possible, I don't think tracking it is going to help at this point. Please don't hesitate to nominate a patch for uplift should the root cause be found and fixed in time.
Blocks: 1467514
No longer blocks: 1467514
Still a low-volume crash in 62. I'm not going to track this for 62, but we can still take a patch in 62 beta.
Keywords: stalled
Group: layout-core-security → gfx-core-security

Removing employee no longer with company from CC list of private bugs.

The bug assignee didn't log in to Bugzilla in the last 7 months and this bug has priority 'P2'/severity 'critical'.
:miko, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: matt.woodrow → nobody
Flags: needinfo?(mikokm)

This code has been removed.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(mikokm)
Resolution: --- → WORKSFORME

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: gfx-core-security