Closed Bug 1467999 Opened 2 years ago Closed 2 years ago

Crash in mozilla::ActiveScrolledRoot::GetViewId const

Categories: Core :: Graphics: WebRender, defect
Platform: x86_64 / All
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- disabled

People

(Reporter: darkspirit, Assigned: kats)

References

(Blocks 1 open bug)

Details

(Keywords: crash, nightly-community, regression)

Attachments

(1 file)

I get a tab crash just by opening https://td00.de/, but only if WebRender is enabled.

bp-ff564bf8-3519-4ea6-9c53-b4b520180609	09.06.18 15:31
bp-0ae6fafc-45b7-49ef-846f-b66cd0180609	09.06.18 15:31
bp-3622a850-ce6d-4483-b809-7fd430180609	09.06.18 15:30
bp-24f21ea4-f081-41f6-adfa-9634c0180609	09.06.18 15:30
mozregression --good 2018-05-15 --bad 2018-06-09 --pref gfx.webrender.all:true startup.homepage_welcome_url:'https://td00.de/'
> 6:39.47 INFO: Last good revision: c09d2eeb54afcab0cf2309be154ea24957cb116d
> 6:39.47 INFO: First bad revision: ada5a84764728f3d16d60f65052cf56f84aabd51
> 6:39.47 INFO: Pushlog:
> https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c09d2eeb54afcab0cf2309be154ea24957cb116d&tochange=ada5a84764728f3d16d60f65052cf56f84aabd51

> ada5a8476472	Kartikaya Gupta — Bug 1465935 - Handle another edge case with hit-testing inside fixed-pos items. r=mstange
> b04f4c9b15ab	Kartikaya Gupta — Bug 1465935 - Fix hit-testing for fixed-pos items inside iframes. r=mstange
Blocks: 1465935
Has Regression Range: --- → yes
Has STR: --- → yes
Flags: needinfo?(bugmail)
Keywords: regression
Thanks, I'll look into it.
Assignee: nobody → bugmail
Flags: needinfo?(bugmail)
mContainerASR is refcounted, but I didn't use a RefPtr in nsDisplayFixedPosition. On this page that results in a UAF. The same problem actually applies to nsDisplayStickyPosition, but I guess we haven't encountered a page that hits that crash yet. Also it turns out that there's three nsDisplayFixedPosition constructors, not two. One was hiding in the .h file and I neglected to update it, so I'll fix that too.
Crash Signature: [@ mozilla::ActiveScrolledRoot::GetViewId const ] → [@ mozilla::ActiveScrolledRoot::GetViewId const ] [@ mozilla::ActiveScrolledRoot::GetViewId ]
OS: Linux → All
Crash Signature: [@ mozilla::ActiveScrolledRoot::GetViewId const ] [@ mozilla::ActiveScrolledRoot::GetViewId ] → [@ mozilla::ActiveScrolledRoot::GetViewId const ] [@ mozilla::ActiveScrolledRoot::GetViewId ] [@ nsDisplayFixedPosition::CreateWebRenderCommands ]
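A minimal model of the bug class described in the comment above, added here as an illustration and not Gecko code: FakeASR, Ref, RawPtrItem and RefPtrItem are hypothetical stand-ins for ActiveScrolledRoot, mozilla::RefPtr and nsDisplayFixedPosition, showing why a raw pointer to a refcounted object dangles once the builder's reference goes away while a RefPtr keeps it alive.

```cpp
#include <utility>

static int gLiveASRs = 0;  // number of FakeASR objects currently alive

// Stand-in for the refcounted ActiveScrolledRoot (hypothetical, simplified).
struct FakeASR {
  int mRefCnt = 0;
  int mViewId;
  explicit FakeASR(int viewId) : mViewId(viewId) { ++gLiveASRs; }
  ~FakeASR() { --gLiveASRs; }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
};

// Minimal intrusive smart pointer with RefPtr-like ownership semantics.
template <class T>
class Ref {
  T* mPtr = nullptr;
 public:
  Ref() = default;
  Ref(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  Ref(const Ref& o) : Ref(o.mPtr) {}
  ~Ref() { if (mPtr) mPtr->Release(); }
  Ref& operator=(const Ref& o) { Ref tmp(o); std::swap(mPtr, tmp.mPtr); return *this; }
  T* get() const { return mPtr; }
};

// "Before": the display item stores a raw pointer, so it does not keep the ASR alive.
struct RawPtrItem { FakeASR* mContainerASR = nullptr; };
// "After": the item holds its own reference, as the fix in this bug does.
struct RefPtrItem { Ref<FakeASR> mContainerASR; };

// Each function builds an item while a builder-scoped Ref holds the only other
// reference, then reports how many ASRs are alive once that Ref is gone but the
// item still exists. 0 means the item's pointer is dangling (the UAF).
int LiveASRsAfterBuilder_Raw() {
  RawPtrItem item;
  {
    Ref<FakeASR> builderRef(new FakeASR(7));
    item.mContainerASR = builderRef.get();
  }  // builderRef released: refcount hits 0 and the ASR is deleted
  return gLiveASRs;  // item.mContainerASR is now dangling; never dereferenced here
}

int LiveASRsAfterBuilder_Ref() {
  RefPtrItem item;
  {
    Ref<FakeASR> builderRef(new FakeASR(7));
    item.mContainerASR = builderRef;  // AddRef: item now co-owns the ASR
  }
  return gLiveASRs;  // still 1; the ASR dies only when item is destroyed
}
```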
Comment on attachment 8984687 [details]
Bug 1467999 - Hold RefPtrs to the ASR objects to avoid UAFs.

https://reviewboard.mozilla.org/r/250536/#review256920

Whoops.
Attachment #8984687 - Flags: review?(mstange) → review+
Pushed by kgupta@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/64960572836b
Hold RefPtrs to the ASR objects to avoid UAFs. r=mstange
https://hg.mozilla.org/mozilla-central/rev/64960572836b
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62