Crash in mozilla::ActiveScrolledRoot::GetViewId const

RESOLVED FIXED in mozilla62

Status

Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 11 months ago
Modified: 10 months ago

People

(Reporter: darkspirit, Assigned: kats)

Tracking

(Blocks 1 bug, {crash, nightly-community, regression})

Version: Trunk
Target Milestone: mozilla62
Platform: x86_64
OS: All

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox-esr60 unaffected, firefox60 unaffected, firefox61 unaffected, firefox62 disabled)

Details

(crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

11 months ago
I get a tab crash just by opening https://td00.de/, but only if WebRender is enabled.

bp-ff564bf8-3519-4ea6-9c53-b4b520180609	09.06.18 15:31
bp-0ae6fafc-45b7-49ef-846f-b66cd0180609	09.06.18 15:31
bp-3622a850-ce6d-4483-b809-7fd430180609	09.06.18 15:30
bp-24f21ea4-f081-41f6-adfa-9634c0180609	09.06.18 15:30
(Reporter)

Comment 1

11 months ago
mozregression --good 2018-05-15 --bad 2018-06-09 --pref gfx.webrender.all:true startup.homepage_welcome_url:'https://td00.de/'
> 6:39.47 INFO: Last good revision: c09d2eeb54afcab0cf2309be154ea24957cb116d
> 6:39.47 INFO: First bad revision: ada5a84764728f3d16d60f65052cf56f84aabd51
> 6:39.47 INFO: Pushlog:
> https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c09d2eeb54afcab0cf2309be154ea24957cb116d&tochange=ada5a84764728f3d16d60f65052cf56f84aabd51

> ada5a8476472	Kartikaya Gupta — Bug 1465935 - Handle another edge case with hit-testing inside fixed-pos items. r=mstange
> b04f4c9b15ab	Kartikaya Gupta — Bug 1465935 - Fix hit-testing for fixed-pos items inside iframes. r=mstange
Blocks: 1465935
Has Regression Range: --- → yes
Has STR: --- → yes
Flags: needinfo?(bugmail)
Keywords: regression
(Assignee)

Comment 2

Thanks, I'll look into it.
Assignee: nobody → bugmail
Flags: needinfo?(bugmail)

(Assignee)

Comment 3

mContainerASR is refcounted, but I didn't use a RefPtr in nsDisplayFixedPosition. On this page that results in a UAF. The same problem actually applies to nsDisplayStickyPosition, but I guess we haven't encountered a page that hits that crash yet. Also it turns out that there's three nsDisplayFixedPosition constructors, not two. One was hiding in the .h file and I neglected to update it, so I'll fix that too.
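The lifetime bug described in the comment above, shown as an added C++ example (not Gecko code and not the patch on this bug). The refcounted object, the intrusive smart pointer and the two display-item structs below are simplified stand-ins for ActiveScrolledRoot, mozilla::RefPtr and nsDisplayFixedPosition; all names (FakeASR, Ref, FixedPosItemRaw, FixedPosItemRef, g_liveASRs) are constructed for the illustration. The "before" item keeps a raw pointer to the refcounted object, so once the only strong owner drops its reference the object is destroyed while the item still points at it; the "after" item holds a strong reference and keeps the object alive for as long as it needs it.

```cpp
#include <cstdint>
#include <cstdio>
#include <utility>

// Counter of ASR objects currently alive; lets the example observe destruction
// without dereferencing freed memory (which would be the actual UAF).
static int g_liveASRs = 0;

// Simplified stand-in for a refcounted Gecko object such as ActiveScrolledRoot.
// Gecko uses NS_INLINE_DECL_REFCOUNTING for this; the manual AddRef/Release
// here is an assumption made for the example.
struct FakeASR {
  uint64_t mViewId;
  int mRefCnt = 0;
  explicit FakeASR(uint64_t id) : mViewId(id) { ++g_liveASRs; }
  ~FakeASR() { --g_liveASRs; }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  uint64_t GetViewId() const { return mViewId; }
};

// Minimal intrusive smart pointer in the spirit of mozilla::RefPtr (toy version).
template <class T>
class Ref {
  T* mPtr = nullptr;
 public:
  Ref() = default;
  Ref(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  Ref(const Ref& o) : Ref(o.mPtr) {}
  Ref& operator=(const Ref& o) { Ref tmp(o); std::swap(mPtr, tmp.mPtr); return *this; }
  ~Ref() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
};

// "Before": the display item stores the container ASR as a raw pointer and
// therefore does not participate in keeping it alive.
struct FixedPosItemRaw {
  FakeASR* mContainerASR;
  explicit FixedPosItemRaw(FakeASR* asr) : mContainerASR(asr) {}
};

// "After": the display item holds a strong reference, which is what the fix
// on this bug does for nsDisplayFixedPosition and nsDisplayStickyPosition.
struct FixedPosItemRef {
  Ref<FakeASR> mContainerASR;
  explicit FixedPosItemRef(FakeASR* asr) : mContainerASR(asr) {}
};

// Simulate the display-list builder releasing its reference while the display
// item still exists. Returns how many ASR objects are alive at that point.
int LiveASRsAfterBuilderDropsRaw() {
  Ref<FakeASR> builderOwned(new FakeASR(42));
  FixedPosItemRaw item(builderOwned.get());
  builderOwned = Ref<FakeASR>();  // last strong ref gone: object destroyed
  // item.mContainerASR now dangles; item.mContainerASR->GetViewId() here
  // would be the use-after-free seen in the crash signature. Not executed.
  return g_liveASRs;  // 0
}

int LiveASRsAfterBuilderDropsRef() {
  Ref<FakeASR> builderOwned(new FakeASR(42));
  FixedPosItemRef item(builderOwned.get());
  builderOwned = Ref<FakeASR>();  // item still holds a strong ref
  return g_liveASRs;  // 1
}

// With the strong reference, reading through the item after the builder has
// let go is well-defined.
uint64_t ViewIdViaRefItem() {
  Ref<FakeASR> builderOwned(new FakeASR(7));
  FixedPosItemRef item(builderOwned.get());
  builderOwned = Ref<FakeASR>();
  return item.mContainerASR->GetViewId();  // 7
}

int main() {
  std::printf("raw pointer: live ASRs after builder drop = %d\n", LiveASRsAfterBuilderDropsRaw());
  std::printf("RefPtr:      live ASRs after builder drop = %d\n", LiveASRsAfterBuilderDropsRef());
  std::printf("RefPtr:      view id read after builder drop = %llu\n",
              static_cast<unsigned long long>(ViewIdViaRefItem()));
  return 0;
}
```

The check a reviewer would apply to a patch like this one is mechanical: every member that points at a refcounted type should be a RefPtr (or a documented weak reference with a lifetime argument), and every constructor that initialises that member must be updated, including any defined inline in the header, which is the one the comment says was missed.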
(Reporter)

Updated

11 months ago
Crash Signature: [@ mozilla::ActiveScrolledRoot::GetViewId const ] → [@ mozilla::ActiveScrolledRoot::GetViewId const ] [@ mozilla::ActiveScrolledRoot::GetViewId ]
OS: Linux → All
(Reporter)

Updated

10 months ago
Crash Signature: [@ mozilla::ActiveScrolledRoot::GetViewId const ] [@ mozilla::ActiveScrolledRoot::GetViewId ] → [@ mozilla::ActiveScrolledRoot::GetViewId const ] [@ mozilla::ActiveScrolledRoot::GetViewId ] [@ nsDisplayFixedPosition::CreateWebRenderCommands ]

Comment 5

10 months ago
mozreview-review
Comment on attachment 8984687 [details]
Bug 1467999 - Hold RefPtrs to the ASR objects to avoid UAFs.

https://reviewboard.mozilla.org/r/250536/#review256920

Whoops.
Attachment #8984687 - Flags: review?(mstange) → review+

Comment 6

10 months ago
Pushed by kgupta@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/64960572836b
Hold RefPtrs to the ASR objects to avoid UAFs. r=mstange

Comment 7

10 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/64960572836b
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62