Closed Bug 1787320 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::dom::ResponsiveImageSelector::Content]

Tracking

()

Status:

RESOLVED FIXED

Milestone:

106 Branch

Tracking Flags:

Tracking

Status

firefox-esr91

---

unaffected

firefox-esr102

---

unaffected

firefox104

---

unaffected

firefox105

---

unaffected

firefox106

---

fixed

People

(Reporter: mccr8, Assigned: boris)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1787320 - Add the missing null check for mResponsiveSelector. 2 years ago Boris Chiou [:boris] 48 bytes, text/x-phabricator-request		Details \| Review

Andrew McCreight [:mccr8]

Reporter

Description

•

2 years ago

Crash report: https://crash-stats.mozilla.org/report/index/e544b670-19da-4447-addd-7459c0220824

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 XUL mozilla::dom::ResponsiveImageSelector::Content dom/base/ResponsiveImageSelector.cpp:199
1 XUL mozilla::dom::HTMLImageElement::PictureSourceDimensionChanged dom/html/HTMLImageElement.cpp:1031
2 XUL mozilla::dom::HTMLSourceElement::AfterSetAttr dom/html/HTMLSourceElement.cpp:144
3 XUL mozilla::dom::Element::SetAttr dom/base/Element.cpp:2493
4 XUL mozilla::dom::Element_Binding::setAttribute dom/bindings/ElementBinding.cpp:1697
5 XUL mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3287
6 None @0x0000283c78ecc454 
7 None @0x0000283c78ecc454 
8 None @0x0000283c7907110c 
9 None @0x0000283c78ecc0fc

Null deref crash. This signature is present in older versions, but it looks like it has started popping up fairly frequently on Nightly, so I think this is a regression, probably from bug 1694741, which has code in the stack and just landed.

Maybe mResponsiveSelector is null on this line?
if (mResponsiveSelector->Content() == aSourceNode) {

Flags: needinfo?(boris.chiou)

Andrew McCreight [:mccr8]

Reporter

Updated

•

2 years ago

status-firefox104: --- → unaffected

status-firefox105: --- → unaffected

status-firefox106: --- → affected

status-firefox-esr102: --- → unaffected

status-firefox-esr91: --- → unaffected

Boris Chiou [:boris]

Assignee

Comment 1

•

2 years ago

Yes. My fault. We should do the null check in this line. Sorry for this.

Flags: needinfo?(boris.chiou)

Boris Chiou [:boris]

Assignee

Comment 2

•

2 years ago

Attached file Bug 1787320 - Add the missing null check for mResponsiveSelector. — Details

PictureSourceDimensionChanged may be called by an image element with a null
selector (because we call this function on all the image elements after
the source element).

Phabricator Automation

Updated

•

2 years ago

Assignee: nobody → boris.chiou

Status: NEW → ASSIGNED

Pulsebot

Comment 3

•

2 years ago

Pushed by bchiou@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0a4882c4bafb
Add the missing null check for mResponsiveSelector. r=emilio

Marian-Vasile Laza

Comment 4

•

2 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/0a4882c4bafb

Status: ASSIGNED → RESOLVED

Closed: 2 years ago

status-firefox106: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 106 Branch

Marian-Vasile Laza

Comment 5

•

2 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/0a4882c4bafb

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Crash in [@ mozilla::dom::ResponsiveImageSelector::Content]

Categories

(Core :: Layout, defect)

Tracking

()

People

(Reporter: mccr8, Assigned: boris)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type