Closed Bug 1769869 Opened 2 years ago Closed 2 years ago

use-after-poison in [@ nsVideoFrame::GetVideoControls]

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
102 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox100 --- wontfix
firefox101 + fixed
firefox102 + verified

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed][adv-main101+r])

Attachments

(2 files)

testcase.html
879 bytes, text/html
Details
Bug 1769869 - Fix nsVideoFrame::ReflowFinished. r=dholbert,#layout-reviewers
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20220516-fb6a807eb4ab (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

The atteched test case requires full-screen-api.allow-trusted-requests-only=false.

==27401==ERROR: AddressSanitizer: use-after-poison on address 0x6250002297c8 at pc 0x7f21e7239114 bp 0x7ffd1d533a10 sp 0x7ffd1d533a08
READ of size 8 at 0x6250002297c8 thread T0 (Isolated Web Co)
    #0 0x7f21e7239113 in get /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:851:48
    #1 0x7f21e7239113 in operator-> /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:872:12
    #2 0x7f21e7239113 in nsVideoFrame::GetVideoControls() const /gecko/layout/generic/nsVideoFrame.cpp:151:8
    #3 0x7f21e72395f4 in nsVideoFrame::ReflowFinished() /gecko/layout/generic/nsVideoFrame.cpp:207:26
    #4 0x7f21e7239a1f in non-virtual thunk to nsVideoFrame::ReflowFinished() /gecko/layout/generic/nsVideoFrame.cpp
    #5 0x7f21e6da7d75 in mozilla::PresShell::HandlePostedReflowCallbacks(bool) /gecko/layout/base/PresShell.cpp:4114:21
    #6 0x7f21e6d99f0a in mozilla::PresShell::DidDoReflow(bool) /gecko/layout/base/PresShell.cpp:9396:3
    #7 0x7f21e6dab449 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9794:7
    #8 0x7f21e6da9657 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4361:11
    #9 0x7f21e13a5ca0 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /gecko/dom/base/Document.cpp:10878:16
    #10 0x7f21e6d972f5 in mozilla::PresShell::SimpleResizeReflow(int, int, mozilla::ResizeReflowOptions) /gecko/layout/base/PresShell.cpp:2015:16
    #11 0x7f21e6d73cbe in mozilla::PresShell::ResizeReflowIgnoreOverride(int, int, mozilla::ResizeReflowOptions) /gecko/layout/base/PresShell.cpp:2048:5
    #12 0x7f21e66b234f in nsViewManager::DoSetWindowDimensions(int, int, bool) /gecko/view/nsViewManager.cpp:183:16
    #13 0x7f21e6e74652 in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /gecko/layout/base/nsDocumentViewer.cpp:2010:19
    #14 0x7f21ea85deb3 in nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /gecko/docshell/base/nsDocShell.cpp:4745:27
    #15 0x7f21eb0699c2 in nsWebBrowser::SetPositionAndSize(int, int, int, int, unsigned int) /gecko/toolkit/components/browser/nsWebBrowser.cpp:936:3
    #16 0x7f21e59f62a8 in mozilla::dom::BrowserChild::RecvUpdateDimensions(mozilla::dom::DimensionInfo const&) /gecko/dom/ipc/BrowserChild.cpp:1270:12
    #17 0x7f21e5ba9ad1 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5107:80
    #18 0x7f21e5c5ebfd in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8474:32
    #19 0x7f21dfa14ee9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:1781:25
    #20 0x7f21dfa11f57 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /gecko/ipc/glue/MessageChannel.cpp:1706:9
    #21 0x7f21dfa12ba4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1506:3
    #22 0x7f21dfa13e32 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1604:14
    #23 0x7f21de317f92 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:475:16
    #24 0x7f21de2ddfe5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:788:26
    #25 0x7f21de2db198 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:620:15
    #26 0x7f21de2db8c0 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:398:36
    #27 0x7f21de320b14 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
    #28 0x7f21de320b14 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #29 0x7f21de2fe957 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1180:16
    #30 0x7f21de308abc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #31 0x7f21dfa1c684 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
    #32 0x7f21df8a2fe1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #33 0x7f21df8a2fe1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #34 0x7f21df8a2fe1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #35 0x7f21e67b7907 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #36 0x7f21eb69071f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:874:20
    #37 0x7f21df8a2fe1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #38 0x7f21df8a2fe1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #39 0x7f21df8a2fe1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #40 0x7f21eb68f8cb in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #41 0x557745872c1d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #42 0x557745873050 in main /gecko/browser/app/nsBrowserApp.cpp:329:18
    #43 0x7f2203f20082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #44 0x5577457b3069 in _start (/home/worker/builds/m-c-20220516215740-fuzzing-asan-opt/firefox+0x5f069) (BuildId: 78a07d4a1ca61000c119069751fab642d8b6ae35)

0x6250002297c8 is located 3784 bytes inside of 8192-byte region [0x625000228900,0x62500022a900)
allocated by thread T0 (Isolated Web Co) here:
==27401==WARNING: Symbolizer buffer too small
==27401==WARNING: Symbolizer buffer too small
    #0 0x55774583558e in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f21de2b6810 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7f21e6ee97ad in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7f21e6ee97ad in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7f21e6ee97ad in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7f21e6f5da45 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
    #6 0x7f21e6f5da45 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
    #7 0x7f21e6f5da45 in operator new /gecko/layout/generic/ViewportFrame.cpp:36:1
    #8 0x7f21e6f5da45 in NS_NewViewportFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /gecko/layout/generic/ViewportFrame.cpp:33:10
    #9 0x7f21e6e350db in nsCSSFrameConstructor::ConstructRootFrame() /gecko/layout/base/nsCSSFrameConstructor.cpp:2606:7
    #10 0x7f21e6d94ac1 in mozilla::PresShell::Initialize() /gecko/layout/base/PresShell.cpp:1843:36
    #11 0x7f21e1640bc4 in nsContentSink::StartLayout(bool) /gecko/dom/base/nsContentSink.cpp:556:30
    #12 0x7f21e01f6e49 in nsHtml5TreeOpExecutor::StartLayout(bool*) /gecko/parser/html/nsHtml5TreeOpExecutor.cpp:881:18
    #13 0x7f21e0202880  (/home/worker/builds/m-c-20220516215740-fuzzing-asan-opt/libxul.so+0xb50a880) (BuildId: 84babd3c7360d4a4115ea2838eb5deadb3e0a870)
    #14 0x7f21e01f5a4f  (/home/worker/builds/m-c-20220516215740-fuzzing-asan-opt/libxul.so+0xb4fda4f) (BuildId: 84babd3c7360d4a4115ea2838eb5deadb3e0a870)
    #15 0x7f21e01f4d1a in StyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #16 0x7f21e01f4d1a in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #17 0x7f21e01f4d1a in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #18 0x7f21e01f4d1a in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 6ul, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
    #19 0x7f21e01ffa10 in nsHtml5TreeOpExecutor::RunFlushLoop() /gecko/parser/html/nsHtml5TreeOpExecutor.cpp:686:19
    #20 0x7f21de2cb20f in nsHtml5ExecutorReflusher::Run() /gecko/parser/html/nsHtml5TreeOpExecutor.cpp:79:16
    #21 0x7f21de317f92 in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #22 0x7f21de2ddfe5 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:475:16
    #23 0x7f21de2db198 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:788:26
    #24 0x7f21de2db8c0 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:398:36
    #25 0x7f21de320ae1 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
    #26 0x7f21de320ae1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #27 0x7f21de2fe957 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1180:16
    #28 0x7f21de308abc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #29 0x7f21dfa1c68f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #30 0x7f21df8a2fe1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #31 0x7f21df8a2fe1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #32 0x7f21df8a2fe1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #33 0x7f21e67b7907 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #34 0x7f21eb69071f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:874:20
    #35 0x7f21df8a2fe1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
    #36 0x7f21df8a2fe1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
    #37 0x7f21df8a2fe1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
    #38 0x7f21eb68f8cb in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #39 0x557745872c1d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #40 0x557745873050 in main /gecko/browser/app/nsBrowserApp.cpp:329:18
    #41 0x7f2203f20082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220517212638-383c699ac203.
The bug appears to have been introduced in the following build range:

Start: c712ec8864e2ebd4d363fefab6980ab68bff83fd (20220407213814)
End: 6a588f6d08f795ffc8594a01250e3ae3307bde92 (20220407220844)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=c712ec8864e2ebd4d363fefab6980ab68bff83fd&tochange=6a588f6d08f795ffc8594a01250e3ae3307bde92

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

ni?=emilio based on regression range.

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)

ReflowFinished can happen with scripts allowed, so make sure not to
synchronously fire events, as they can fire content microtasks which
could destroy the frame.

Assignee: nobody → emilio
Status: NEW → ASSIGNED

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Flags: needinfo?(emilio)
Regressed by: 1733232

Set release status flags based on info from the regressing bug 1733232

status-firefox100: --- → affected
status-firefox101: --- → affected
status-firefox-esr91: --- → unaffected

Fix nsVideoFrame::ReflowFinished. r=jfkthame
https://hg.mozilla.org/integration/autoland/rev/3b9b9e057510021c27cdafcd20bd875fa930bd97
https://hg.mozilla.org/mozilla-central/rev/3b9b9e057510

Group: media-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox102: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220518214245-11b3a2e731a9.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox102: fixedverified
Keywords: bugmon

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)
Has Regression Range: --- → yes

Comment on attachment 9277059 [details]
Bug 1769869 - Fix nsVideoFrame::ReflowFinished. r=dholbert,#layout-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: Use after poison in layout
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: comment 0 if they want to, but shouldn't be needed.
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): very-scoped patch to avoid firing events too soon.
  • String changes made/needed: none
  • Is Android affected?: No
Flags: needinfo?(emilio)
Attachment #9277059 - Flags: approval-mozilla-beta?

Comment on attachment 9277059 [details]
Bug 1769869 - Fix nsVideoFrame::ReflowFinished. r=dholbert,#layout-reviewers

Approved for 101.0b9.

Attachment #9277059 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][adv-main101+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: