Closed Bug 1699861 Opened 5 years ago Closed 1 years ago

crash near null in [@ BCPaintBorderIterator::SetNewData]

Categories

(Core :: Layout: Tables, defect)

Tracking

RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr115 --- fixed
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- wontfix
firefox121 --- fixed

People

(Reporter: tsmith, Assigned: jfkthame)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20210319-092ee6b0c9f2 (--enable-address-sanitizer --enable-fuzzing)

==16913==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f551a4344af bp 0x7ffcccf20dd0 sp 0x7ffcccf20cc0 T0)
==16913==The signal is caused by a READ memory access.
==16913==Hint: address points to the zero page.
    #0 0x7f551a4344af in Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:413:37
    #1 0x7f551a4344af in BCPaintBorderIterator::SetNewData(int, int) /gecko/layout/tables/nsTableFrame.cpp:6384:69
    #2 0x7f551a43c836 in nsTableFrame::IterateBCBorders(BCPaintBorderAction&, nsRect const&) /gecko/layout/tables/nsTableFrame.cpp:7418:41
    #3 0x7f551a40cc5b in PaintBCBorders /gecko/layout/tables/nsTableFrame.cpp:7440:3
    #4 0x7f551a40cc5b in nsDisplayTableBorderCollapse::Paint(nsDisplayListBuilder*, gfxContext*) /gecko/layout/tables/nsTableFrame.cpp:1219:39
    #5 0x7f551a689ccc in mozilla::FrameLayerBuilder::PaintItems(std::vector<mozilla::AssignedDisplayItem, std::allocator<mozilla::AssignedDisplayItem> >&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) /gecko/layout/painting/FrameLayerBuilder.cpp:7113:20
    #6 0x7f551a68c3c7 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /gecko/layout/painting/FrameLayerBuilder.cpp:7271:19
    #7 0x7f5514ac1fb2 in mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /gecko/gfx/layers/basic/BasicPaintedLayer.cpp:92:9
    #8 0x7f5514abcfc2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /gecko/gfx/layers/basic/BasicLayerManager.cpp:705:13
    #9 0x7f5514abbecb in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /gecko/gfx/layers/basic/BasicLayerManager.cpp
    #10 0x7f5514abcde2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /gecko/gfx/layers/basic/BasicLayerManager.cpp:728:7
    #11 0x7f5514abbecb in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /gecko/gfx/layers/basic/BasicLayerManager.cpp
    #12 0x7f5514abcde2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /gecko/gfx/layers/basic/BasicLayerManager.cpp:728:7
    #13 0x7f5514abbecb in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /gecko/gfx/layers/basic/BasicLayerManager.cpp
    #14 0x7f5514ab8746 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /gecko/gfx/layers/basic/BasicLayerManager.cpp:614:5
    #15 0x7f551a689ff9 in PaintInactiveLayer /gecko/layout/painting/FrameLayerBuilder.cpp:4275:12
    #16 0x7f551a689ff9 in mozilla::FrameLayerBuilder::PaintItems(std::vector<mozilla::AssignedDisplayItem, std::allocator<mozilla::AssignedDisplayItem> >&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) /gecko/layout/painting/FrameLayerBuilder.cpp:7091:7
    #17 0x7f551a68c3c7 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /gecko/layout/painting/FrameLayerBuilder.cpp:7271:19
    #18 0x7f5514ac1fb2 in mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /gecko/gfx/layers/basic/BasicPaintedLayer.cpp:92:9
    #19 0x7f5514abcfc2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /gecko/gfx/layers/basic/BasicLayerManager.cpp:705:13
    #20 0x7f5514abbecb in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /gecko/gfx/layers/basic/BasicLayerManager.cpp
    #21 0x7f5514abcde2 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) /gecko/gfx/layers/basic/BasicLayerManager.cpp:728:7
    #22 0x7f5514abbecb in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) /gecko/gfx/layers/basic/BasicLayerManager.cpp
    #23 0x7f5514ab8746 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /gecko/gfx/layers/basic/BasicLayerManager.cpp:614:5
    #24 0x7f551a6fd1b8 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /gecko/layout/painting/nsDisplayList.cpp:2540:19
    #25 0x7f551a01c518 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /gecko/layout/base/nsLayoutUtils.cpp:3471:13
    #26 0x7f551a317b43 in nsPageSequenceFrame::PrintNextSheet() /gecko/layout/generic/nsPageSequenceFrame.cpp:674:3
    #27 0x7f551a79d60e in nsPrintJob::PrintSheet(nsPrintObject*, bool&) /gecko/layout/printing/nsPrintJob.cpp:2351:31
    #28 0x7f551a79cf31 in nsPagePrintTimer::Run() /gecko/layout/printing/nsPagePrintTimer.cpp:74:43
    #29 0x7f551204886c in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #30 0x7f5512054176 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:472:16
    #31 0x7f5512050d43 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:760:26
    #32 0x7f551204ec17 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:611:15
    #33 0x7f551204f06d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:395:36
    #34 0x7f551205b4d4 in operator() /gecko/xpcom/threads/TaskController.cpp:136:37
    #35 0x7f551205b4d4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #36 0x7f55120767c4 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1155:16
    #37 0x7f5512080f1c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #38 0x7f5515323b0f in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_4>(nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&)::$_4&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
    #39 0x7f551531f99f in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::IsForWindowDotPrint, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowOuter.cpp:5414:5
    #40 0x7f551531dc33 in nsGlobalWindowOuter::PrintOuter(mozilla::ErrorResult&) /gecko/dom/base/nsGlobalWindowOuter.cpp:5237:3
    #41 0x7f5519fda18e in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1191:43
    #42 0x7f551ca321dc in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6556:20
    #43 0x7f551ca31568 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5911:7
    #44 0x7f551ca332ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
    #45 0x7f55141fcdb6 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1332:3
    #46 0x7f55141fbb25 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:938:14
    #47 0x7f55141f8abc in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:757:9
    #48 0x7f55141fa8f0 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:640:5
    #49 0x7f55141fb6cc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp
    #50 0x7f551234d06b in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:616:22
    #51 0x7f551234f7d3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:523:10
    #52 0x7f551506f25f in imgRequestProxy::RemoveFromLoadGroup() /gecko/image/imgRequestProxy.cpp:371:15
    #53 0x7f5515077028 in imgRequestProxy::OnLoadComplete(bool) /gecko/image/imgRequestProxy.cpp:1004:7
    #54 0x7f551503c987 in operator() /gecko/image/ProgressTracker.cpp:351:13
    #55 0x7f551503c987 in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) /gecko/image/ProgressTracker.cpp:281:9
    #56 0x7f551503a9b9 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/image/ProgressTracker.cpp:350:5
    #57 0x7f5514fda803 in operator() /gecko/image/ProgressTracker.cpp:369:5
    #58 0x7f5514fda803 in Read<(lambda at /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:368:19)> /gecko/image/CopyOnWrite.h:155:12
    #59 0x7f5514fda803 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /gecko/image/ProgressTracker.cpp:368:14
    #60 0x7f5514fe63bc in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::UnorientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /gecko/image/RasterImage.cpp:1683:28
    #61 0x7f5514ff840c in NotifyForLoadEvent /gecko/image/RasterImage.cpp:977:3
    #62 0x7f5514ff840c in mozilla::image::RasterImage::NotifyDecodeComplete(mozilla::image::DecoderFinalStatus const&, mozilla::image::ImageMetadata const&, mozilla::image::DecoderTelemetry const&, unsigned int, mozilla::gfx::IntRectTyped<mozilla::UnorientedPixel> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /gecko/image/RasterImage.cpp:1780:7
    #63 0x7f5514fcfb52 in operator() /gecko/image/IDecodingTask.cpp:123:39
    #64 0x7f5514fcfb52 in mozilla::detail::RunnableFunction<mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_7>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #65 0x7f5512054176 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:472:16
    #66 0x7f5512050d43 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:760:26
    #67 0x7f551204ec17 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:611:15
    #68 0x7f551204f06d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:395:36
    #69 0x7f551205b4a1 in operator() /gecko/xpcom/threads/TaskController.cpp:133:37
    #70 0x7f551205b4a1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #71 0x7f55120767c4 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1155:16
    #72 0x7f5512080f1c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #73 0x7f55132abc6f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #74 0x7f55131b4e01 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #75 0x7f55131b4e01 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #76 0x7f55131b4e01 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #77 0x7f55199ea747 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #78 0x7f551d4cdabf in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:901:20
    #79 0x7f55131b4e01 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #80 0x7f55131b4e01 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #81 0x7f55131b4e01 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #82 0x7f551d4cd24f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #83 0x55b08b423bed in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #84 0x55b08b424011 in main /gecko/browser/app/nsBrowserApp.cpp:309:18
    #85 0x7f55325950b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #86 0x55b08b377589 in _start (/home/worker/builds/m-c-20210319095339-fuzzing-asan-opt/firefox+0x5a589)
Flags: in-testsuite?
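
A triage sketch for the ASan report above, added here as an example and not part of the bug or of Mozilla's tooling: it classifies the fault as a near-null read and collapses the inlined frames that share the faulting PC, which recovers the function named in the bug title. The 4 KiB near-null threshold and all function names are assumptions of this example; the embedded sample is the first lines of the report quoted above.

```python
import re

# First lines of the ASan report quoted in this bug (frames after #2 omitted).
REPORT = """\
==16913==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f551a4344af bp 0x7ffcccf20dd0 sp 0x7ffcccf20cc0 T0)
==16913==The signal is caused by a READ memory access.
==16913==Hint: address points to the zero page.
    #0 0x7f551a4344af in Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:413:37
    #1 0x7f551a4344af in BCPaintBorderIterator::SetNewData(int, int) /gecko/layout/tables/nsTableFrame.cpp:6384:69
    #2 0x7f551a43c836 in nsTableFrame::IterateBCBorders(BCPaintBorderAction&, nsRect const&) /gecko/layout/tables/nsTableFrame.cpp:7418:41
"""

HEADER = re.compile(
    r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-f]+) \(pc (0x[0-9a-f]+)"
)
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (.+?) (/\S+)$", re.M)

NEAR_NULL_LIMIT = 0x1000  # assumption: addresses inside the first 4 KiB page


def parse_report(text):
    """Extract fault kind, address, PC, access type and symbolized frames."""
    head = HEADER.search(text)
    if not head:
        raise ValueError("no ASan fault header found")
    access = ACCESS.search(text)
    frames = [
        {"index": int(i), "pc": int(pc, 16), "func": func, "loc": loc}
        for i, pc, func, loc in FRAME.findall(text)
    ]
    return {
        "kind": head.group(1),
        "address": int(head.group(2), 16),
        "pc": int(head.group(3), 16),
        "access": access.group(1) if access else "UNKNOWN",
        "frames": frames,
    }


def faulting_run(report):
    """Leading frames that share the faulting PC.

    The symbolizer prints inlined callees first, all with the same PC; the
    last frame of the run is the function that contains the instruction.
    """
    run = []
    for frame in report["frames"]:
        if frame["pc"] != report["pc"]:
            break
        run.append(frame)
    return run


def triage(text):
    report = parse_report(text)
    run = faulting_run(report)
    return {
        "near_null": report["kind"] == "SEGV" and report["address"] < NEAR_NULL_LIMIT,
        "access": report["access"],
        "signature": run[-1]["func"].split("(")[0] if run else None,
        "inlined": [f["func"] for f in run[:-1]],
    }


if __name__ == "__main__":
    print(triage(REPORT))
```
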
Attached file prefs.js

A Pernosco session is available here: https://pernos.co/debug/hH8WTg0GAUAwTN1C27OG9w/index.html

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210320085643-f56d2bf535d6.
The bug appears to have been introduced in the following build range:

Start: 0edbbe70c420684f0ae9c70da93f8b68db3cba60 (20200610124712)
End: 796d8685f8ce4b049e5c7a2d6150cbcb102c6a69 (20200610143744)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0edbbe70c420684f0ae9c70da93f8b68db3cba60&tochange=796d8685f8ce4b049e5c7a2d6150cbcb102c6a69

Whiteboard: [bugmon:bisected,confirmed]

FWIW, that bugmon regression range isn't really a regression range. bug 1471854 would be the relevant change there, which fixed the fact that print.always_print_silent was broken up until that point (on Linux at least).

(Note that the attached prefs.js file does use print.always_print_silent, and the testcase does use window.print().)

So this probably was broken further back than that, but we just can't discover it via bugmon.

Severity: -- → S3

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210319095339-092ee6b0c9f2) but not with tip (mozilla-central 20211210215852-9eb74149f75b.)
The bug appears to have been fixed in the following build range:

Start: f5cb6b2465f3042f3ec5bb096a75fbe24f71465e (20211116073345)
End: 5d32dbafda59a62fba936250375782a4cc9c6300 (20211116082732)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5cb6b2465f3042f3ec5bb096a75fbe24f71465e&tochange=5d32dbafda59a62fba936250375782a4cc9c6300
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

Comment 5's hopeful "fix range" in fact just points to a patch that broke window.print(), as described in bug 1741698.

So: this is almost certainly still an issue, and just happens to be temporarily unreproducible (for fuzzers) until we fix bug 1741698.

This might have been fixed by bug 1442018.

Tyson, can you see if this is still reproducible? (Comment 5 suggests it was fixed earlier but was probably mistaken, per comment 6.)

Crash volume for this @ BCPaintBorderIterator::SetNewData signature shows no crashes for versions greater-than 115.5.0esr / 120:

https://crash-stats.mozilla.org/signature/?signature=BCPaintBorderIterator%3A%3ASetNewData&date=%3E%3D2023-10-28T15%3A29%3A00.000Z&date=%3C2024-04-28T15%3A29%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_columns=startup_crash&_sort=-date&page=1

...which suggests that crashes in-the-wild (at least) went away as of bug 1442018.

Flags: needinfo?(twsmith)

The last report I see from the fuzzers is from m-c 20231105-c6548a743f8f.

Status: NEW → RESOLVED
Closed: 1 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Assignee: nobody → jfkthame
Depends on: 1442018
Target Milestone: --- → 121 Branch