Closed Bug 1715035 Opened 4 years ago Closed 3 years ago

Crash in [@ selectors::parser::Component<T>::visit<T>]

Categories

(Core :: CSS Parsing and Computation, defect)

x86
Windows 7

Tracking

RESOLVED FIXED
92 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 --- fixed
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- wontfix
firefox92 --- fixed

People

(Reporter: jesup, Assigned: emilio)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

UAF crash in 32-bit Windows. Appears to have started in 84 or earlier.

Crash report: https://crash-stats.mozilla.org/report/index/d17ed8c7-5527-4477-b9c9-ae5da0210603

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll selectors::parser::Component<style::gecko::selector_parser::SelectorImpl>::visit<style::gecko::selector_parser::SelectorImpl, style::invalidation::element::invalidation_map::SelectorDependencyCollector> servo/components/selectors/parser.rs:1241
1 xul.dll style::invalidation::element::invalidation_map::SelectorDependencyCollector::visit_whole_selector_from servo/components/style/invalidation/element/invalidation_map.rs:348
2 xul.dll style::stylist::CascadeData::add_stylesheet<style::gecko::data::GeckoStyleSheet> servo/components/style/stylist.rs:2211
3 xul.dll style::stylist::CascadeData::rebuild<style::gecko::data::GeckoStyleSheet> servo/components/style/stylist.rs:2025
4 xul.dll geckoservo::glue::Servo_StyleSet_FlushStyleSheets servo/ports/geckolib/glue.rs:1928
5 xul.dll mozilla::ServoStyleSet::UpdateStylist layout/style/ServoStyleSet.cpp:1175
6 xul.dll mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4169
7 xul.dll mozilla::dom::Document::FlushPendingNotifications dom/base/Document.cpp:10572
8 xul.dll nsIContent::GetPrimaryFrame dom/base/Element.cpp:254
9 xul.dll nsGenericHTMLElement::GetOffsetRect dom/html/nsGenericHTMLElement.cpp:335
Severity: -- → S2
Group: core-security → layout-core-security

Seems this was likely due to the rayon bug we fixed in 92. There are no more crashes anymore.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Assignee: nobody → emilio
Depends on: 1716028
Target Milestone: --- → 92 Branch
Group: layout-core-security → core-security-release
Group: core-security-release