1461118 - Crash in _moz_pixman_region32_copy working with folder [Mac]

Status: RESOLVED FIXED

(Core :: Graphics, defect, P2)

Description

[Wayne Mery (:wsmwk)]

#10 crash for Macs


The user of bp-8b0e7652-e940-43fe-9381-5bad80180505 writes "While trying to create a new subfolder. "

=============================================================
Top 6 frames of crashing thread:

0 XUL _moz_pixman_region32_copy gfx/cairo/libpixman/src/pixman-region.c:523
1 XUL -[ChildView mouseUp:] /builds/slave/tb-rel-c-esr52-m64_bld-0000000/build/objdir-tb/x86_64/dist/include/nsRegion.h:67
2 AppKit -[NSWindow _handleMouseUpEvent:isDelayedEvent:] 
3 AppKit -[NSWindow _reallySendEvent:isDelayedEvent:] 
4 AppKit -[NSWindow sendEvent:] 
5 AppKit -[NSApplication sendEvent:] 
=============================================================


bp-657edeb0-fcce-4d58-ac55-ed70b0180325 is "moving folder from one account to another account"

Comment 1

[Makoto Kato [:m_kato]]

bp-8f417869-1441-4287-b9c4-d9c1a0180512 is Firefox 60, so I change component to Core

Comment 2

[David Bolter [:davidb] (NeedInfo me for attention)]

Maybe Lee knows what's going on here?

Comment 3

[Lee Salzman [:lsalzman]]

It seems like, inside the ChildView mouseUp handler that mGeckoChild is possibly a null pointer. So when it tries to call GetNonDraggableRegion() on it, it invokes the nsRegion copy constructor, which is then objecting to the source being an offset from said null pointer.

Markus, since you implemented that particular code in bug 1070710, want to take a look?

Comment 4

[Markus Stange [:mstange]]

Right on. There's even this comment just above the call:

  // This might destroy our widget (and null out mGeckoChild).

Comment 5

[Markus Stange [:mstange]]

Attachment: Bug 1461118 - Null-check mGeckoChild after calling DispatchInputEvent.

Review commit: https://reviewboard.mozilla.org/r/247352/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/247352/

Comment 6

[Stephen A Pohl [:spohl]]

Comment on attachment 8981261 [details]
Bug 1461118 - Null-check mGeckoChild after calling DispatchInputEvent.

https://reviewboard.mozilla.org/r/247352/#review253396

Comment 7

[Pulsebot]

Pushed by mstange@themasta.com:
https://hg.mozilla.org/integration/autoland/rev/f620bf59c952
Null-check mGeckoChild after calling DispatchInputEvent. r=spohl

Comment 8

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/f620bf59c952

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Does seem worth worrying about for ESR60, but a Beta uplift wouldn't hurt since we're only halfway through the cycle.

Comment 10

[Markus Stange [:mstange]]

Comment on attachment 8981261 [details]
Bug 1461118 - Null-check mGeckoChild after calling DispatchInputEvent.

Approval Request Comment
[Feature/Bug causing the regression]: probably bug 1072391, four years ago
[User impact if declined]: crashes on rare mouse interactions
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: no
[Needs manual test from QE? If yes, steps to reproduce]: no, mostly affects Thunderbird and steps to reproduce are unclear
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: it's just an addition of an obviously-necessary null check
[String changes made/needed]: none

Comment 11

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 8981261 [details]
Bug 1461118 - Null-check mGeckoChild after calling DispatchInputEvent.

Adds a null check to fix a rare crash. Approved for 61.0b10.

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/1a44b26d00a5

Comment 13

[Wayne Mery (:wsmwk)]

No crashes reported in Thunderbird nightly, so impossible to tell whether this is fixed until we build beta 63 (we've skipped 61 and 62)