Crash when displaying a large table if layers.force-active=true
Categories
(Core :: Panning and Zooming, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox73 | --- | unaffected |
firefox74 | --- | unaffected |
firefox75 | --- | disabled |
People
(Reporter: zrhoffman, Assigned: kats)
References
(Regression)
Details
(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][sg:dos])
Attachments
(4 files)
mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl<mozilla::layers::LayerMetricsWrapper> calls mRootNode->Dump(" "), which calls mLastChild->Dump(nsPrintfCString("%s ", aPrefix).get()), which recursively calls mPrevSibling->Dump(aPrefix) until unsafe memory is accessed.
Reporter | ||
Comment 1•4 years ago
|
||
Attached backtrace.
Reporter | ||
Comment 2•4 years ago
|
||
Tested in a trunk build from today (515608:7f41334e1044), verified in latest nightly, both on 64-bit Arch Linux.
Updated•4 years ago
|
Comment 3•4 years ago
|
||
:kats, from a quick look at the stack this looks like it got tripped by APZ (mozilla::layers::APZCTreeManager::UpdateHitTestingTreeImpl<mozilla::layers::LayerMetricsWrapper>(
), though I suppose it's quite possible for the actual bug to be elsewhere - could you take a look and/or redirect as appropriate?
Updated•4 years ago
|
Assignee | ||
Comment 4•4 years ago
|
||
Thanks, I'll investigate. Regression from bug 1616591 since prior to that the code in question was compiled out by default.
Updated•4 years ago
|
Comment 5•4 years ago
|
||
Thanks! Updating release flags based on that. :-)
Comment 6•4 years ago
|
||
This just looks like stack exhaustion, so I'm unhiding it. (Tyson said the fuzzers are hitting this a lot, too.)
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Comment 7•4 years ago
|
||
So there's two problems here: one is that we're going into the logging code at all even when logging is not enabled. The other is that the logging code is poorly written (by me) and recurses across siblings as well as when descending to children. So for layer trees that are really wide, such as in this example, this results in stack exhaustion.
I have patches to fix both of these things, will put them up once my try results are back. https://treeherder.mozilla.org/#/jobs?repo=try&group_state=expanded&revision=8cf8ac8e1ada0bcbfcb43c3cd143035001079352
Assignee | ||
Comment 8•4 years ago
|
||
This avoids doing a full recursive walk of the tree for no purpose unless
the logging is actually enabled.
Assignee | ||
Comment 9•4 years ago
|
||
The HTTN dumping code recursed not only when going down the tree, but
also when traversing siblings. For "wide" trees this could result in
stack exhaustion. This patch rewrites that function to only recurse
when going down a level and uses iteration to walk the siblings at a
given level.
Depends on D64657
Assignee | ||
Comment 10•4 years ago
|
||
Updated•4 years ago
|
Comment 11•4 years ago
|
||
Pushed by kgupta@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8e3c1d399649 Don't go into the hit-testing tree dumping codepath if we're not actually dumping. r=botond https://hg.mozilla.org/integration/autoland/rev/6cb26395019b Rewrite the dumping code to not recurse so much. r=botond
Assignee | ||
Updated•4 years ago
|
Comment 12•4 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/8e3c1d399649
https://hg.mozilla.org/mozilla-central/rev/6cb26395019b
Updated•4 years ago
|
Comment 13•4 years ago
|
||
Unfortunately this kind of denial of service is not covered by our security bug bounty program.
Description
•