Closed Bug 1703762 Opened 3 years ago Closed 3 years ago

macOS Crash in [@ nsBaseWidget::StartAsyncAutoscroll]

Categories

(Core :: Panning and Zooming, defect)

All
macOS
defect

Tracking

()

RESOLVED FIXED
89 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- fixed
firefox89 --- fixed

People

(Reporter: aryx, Assigned: hiro)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

8 crashes on 4+ devices, macOS 10.15 + 11, reported versions 88.0b6 + 88.0b7 + 89.0a1

Crash report: https://crash-stats.mozilla.org/report/index/83177606-08a0-4877-8bc9-6b1670210406

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 XUL nsBaseWidget::StartAsyncAutoscroll widget/nsBaseWidget.cpp:1873
1 XUL mozilla::dom::BrowserParent::StartApzAutoscroll dom/ipc/BrowserParent.cpp:3489
2 XUL {virtual override thunk} 
3 XUL NS_InvokeByIndex 
4 XUL XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:1142
5 XUL XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:925
6 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:520
7 XUL Interpret js/src/vm/Interpreter.cpp:3244
8 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:552
9 XUL JS::Call js/src/jsapi.cpp:2856
Component: Widget: Cocoa → Panning and Zooming

Not sure by inspection why this would be crashing. The most obvious way would be if mAPZC is null here, but the caller checks for that here.

If anyone can reproduce this crash, STR would be helpful.

Just eyeballing the code, the AsyncPanZoomEnabled() check might return true because of the popup delegation but then the autoscroll start function tries to use mAPZC from the root widget which might be null. So the STR would be to start an autoscroll in an extension popup, probably.

Ah good catch!

I guess StartAsyncAutoscroll() and StopAsyncAutoscroll() should be delegated to the popup window as well?

Sounds reasonable.

I am on it.

Assignee: nobody → hikezoe.birchill
Status: NEW → ASSIGNED
Pushed by hikezoe.birchill@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5791073c28b7
Delegate StartAsyncAutoscroll and StopAsyncAutoscroll calls to the proper widget mPopupContentView. r=botond
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
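
The check/use mismatch diagnosed in this thread, and the shape of the fix named in the commit message, as an added C++ model that is not Gecko source or code from the patch. Only AsyncPanZoomEnabled, StartAsyncAutoscroll, mAPZC and mPopupContentView are names from the bug; Apzc, Widget, Scenario, ApzcUsedBeforeFix and the extra null guard are assumptions of this example.

```cpp
// Simplified model, NOT Gecko source. Hypothetical types illustrate why a
// capability check and the action it guards must resolve the same object.
#include <cstdio>

struct Apzc {  // stand-in for the APZ controller (assumption)
  int autoscrolls = 0;
  bool StartAutoscroll() { ++autoscrolls; return true; }
};

struct Widget {
  Apzc* mAPZC = nullptr;                // null on a widget without APZ
  Widget* mPopupContentView = nullptr;  // set while a popup hosts the content

  // The capability check delegates to the popup's widget...
  bool AsyncPanZoomEnabled() const {
    if (mPopupContentView) return mPopupContentView->AsyncPanZoomEnabled();
    return mAPZC != nullptr;
  }

  // ...but the pre-fix action read this widget's own mAPZC. This helper
  // returns the pointer that path would dereference, so the mismatch can be
  // observed without crashing.
  Apzc* ApzcUsedBeforeFix() const { return mAPZC; }

  // Post-fix shape: the action follows the same delegation as the check.
  // The null guard is an addition of this example, not taken from the patch.
  bool StartAsyncAutoscroll() {
    if (mPopupContentView) return mPopupContentView->StartAsyncAutoscroll();
    return mAPZC ? mAPZC->StartAutoscroll() : false;
  }
};

// Constructed scenario: root widget without APZ, popup widget with APZ.
struct Scenario {
  Apzc apzc;
  Widget popup;
  Widget root;
  Scenario() { popup.mAPZC = &apzc; root.mPopupContentView = &popup; }
};

int main() {
  Scenario s;
  std::printf("check passes: %d, pre-fix pointer is null: %d, fixed start ok: %d\n",
              s.root.AsyncPanZoomEnabled(),
              s.root.ApzcUsedBeforeFix() == nullptr,
              s.root.StartAsyncAutoscroll());
}
```
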

Looks like a low-volume regression from bug 1694898, but feel free to nominate for Release approval if you think it should be on the radar as a ride-along for an RC respin or dot release.

Flags: needinfo?(hikezoe.birchill)
Flags: in-testsuite+
Regressed by: 1694898
Has Regression Range: --- → yes

Comment on attachment 9215014 [details]
Bug 1703762 - Delegate StartAsyncAutoscroll and StopAsyncAutoscroll calls to the proper widget mPopupContentView. r?botond!

Beta/Release Uplift Approval Request

  • User impact if declined: Crash
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It simply delegates two functions to the proper class.
  • String changes made/needed: none
Attachment #9215014 - Flags: approval-mozilla-beta?
Attachment #9215014 - Flags: approval-mozilla-beta? → approval-mozilla-release?

Comment on attachment 9215014 [details]
Bug 1703762 - Delegate StartAsyncAutoscroll and StopAsyncAutoscroll calls to the proper widget mPopupContentView. r?botond!

Approved for 88.0rc2, thanks.

Flags: needinfo?(hikezoe.birchill)
Attachment #9215014 - Flags: approval-mozilla-release? → approval-mozilla-release+