Open Bug 1863052 Opened 2 years ago Updated 7 days ago

Null deref crash in [@ mozilla::dom::BrowserParent::GetOwnerElement] from AppWindow::GetPrimaryRemoteTabSize()

Categories: Core :: DOM: Core & HTML, defect

People: Reporter: mccr8, Unassigned

Details: Keywords: crash

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/c7b113f5-2254-4c1b-bb91-4309f0231101

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  RefPtr<mozilla::dom::Element>::get const  mfbt/RefPtr.h:325
0  libxul.so  RefPtr<mozilla::dom::Element>::operator mozilla::dom::Element* const&  mfbt/RefPtr.h:338
0  libxul.so  mozilla::dom::BrowserParent::GetOwnerElement const  dom/ipc/BrowserParent.h:142
0  libxul.so  mozilla::dom::BrowserHost::GetOwnerElement const  dom/ipc/BrowserHost.h:68
0  libxul.so  mozilla::AppWindow::GetPrimaryRemoteTabSize  xpfe/appshell/AppWindow.cpp:2191
1  libxul.so  mozilla::AppWindow::ForceRoundedDimensions  xpfe/appshell/AppWindow.cpp:1152
2  libxul.so  mozilla::AppWindow::SizeShell  xpfe/appshell/AppWindow.cpp:2715
3  libxul.so  mozilla::AppWindow::OnChromeLoaded  xpfe/appshell/AppWindow.cpp:1183
4  libxul.so  mozilla::AppWindow::OnStateChange  xpfe/appshell/AppWindow.cpp:3337
4  libxul.so  {virtual override thunk}  xpfe/appshell/AppWindow.cpp

This is a null deref. I'm not sure if host is null or mRoot is.

I'm not sure if this counts as more DOM or Layout or Widget.

The crash volume is quite low so I'm going to mark this S3.

Severity: -- → S3
Summary: Crash in [@ mozilla::dom::BrowserParent::GetOwnerElement] from AppWindow::GetPrimaryRemoteTabSize() → Null deref crash in [@ mozilla::dom::BrowserParent::GetOwnerElement] from AppWindow::GetPrimaryRemoteTabSize()

It looks like host is actually just a static_cast of mPrimaryBrowserParent. Most of the other users of mPrimaryBrowserParent do a null check first, so maybe that's the issue.
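As an added illustration (not Firefox code and not from the bug's author), the model below mirrors the crashing chain AppWindow::GetPrimaryRemoteTabSize -> BrowserHost::GetOwnerElement -> BrowserParent::GetOwnerElement, with the unchecked static_cast pattern beside a variant that null-checks mPrimaryBrowserParent the way the other callers do. The RemoteTab base type, the member names and the Size/optional return are assumptions made for the example.

```cpp
// Added illustration (not Firefox code): a cut-down model of the call chain
// AppWindow::GetPrimaryRemoteTabSize -> BrowserHost::GetOwnerElement ->
// BrowserParent::GetOwnerElement, with a null-checked variant beside it.
#include <cstdint>
#include <optional>

struct Element {
  int32_t width;
  int32_t height;
};

// Stand-in for mozilla::dom::BrowserParent: points at the <browser> element
// that hosts the remote tab. Member names are assumptions.
struct BrowserParent {
  Element* mOwnerElement = nullptr;
  Element* GetOwnerElement() const { return mOwnerElement; }
};

// Assumed base type so that the static_cast in AppWindow has something to cast from.
struct RemoteTab {};

// Stand-in for mozilla::dom::BrowserHost: a thin wrapper forwarding to its parent.
// Forwarding through a null `this` is the deref that yields SIGSEGV / SEGV_MAPERR.
struct BrowserHost : RemoteTab {
  BrowserParent mParent;
  Element* GetOwnerElement() const { return mParent.GetOwnerElement(); }
};

struct Size {
  int32_t width;
  int32_t height;
};

struct AppWindow {
  // Nullable: a window may have no primary remote tab (not yet, or not any more).
  RemoteTab* mPrimaryBrowserParent = nullptr;

  // Pattern matching the crashing frame: cast without a null check, then deref.
  // Deliberately left uncalled below; it crashes when the member is null.
  Size GetPrimaryRemoteTabSizeUnchecked() const {
    BrowserHost* host = static_cast<BrowserHost*>(mPrimaryBrowserParent);
    Element* owner = host->GetOwnerElement();  // null host => SEGV_MAPERR near address 0
    return Size{owner->width, owner->height};
  }

  // Hardened variant: check the host and the owner element before touching them,
  // and let the caller (ForceRoundedDimensions in the real chain) skip sizing.
  std::optional<Size> GetPrimaryRemoteTabSize() const {
    BrowserHost* host = static_cast<BrowserHost*>(mPrimaryBrowserParent);
    if (!host) return std::nullopt;
    Element* owner = host->GetOwnerElement();
    if (!owner) return std::nullopt;
    return Size{owner->width, owner->height};
  }
};

// Scenario helpers so the behaviour can be checked without a debugger.
inline bool NullHostIsHandled() {
  AppWindow window;  // mPrimaryBrowserParent left null
  return !window.GetPrimaryRemoteTabSize().has_value();
}

inline bool NullOwnerIsHandled() {
  BrowserHost host;  // mParent.mOwnerElement left null
  AppWindow window;
  window.mPrimaryBrowserParent = &host;
  return !window.GetPrimaryRemoteTabSize().has_value();
}

inline int32_t WidthReported(int32_t width, int32_t height) {
  Element owner{width, height};  // constructed sample element
  BrowserHost host;
  host.mParent.mOwnerElement = &owner;
  AppWindow window;
  window.mPrimaryBrowserParent = &host;
  return window.GetPrimaryRemoteTabSize()->width;
}
```

The checked variant covers both places the comment above is unsure about: a null host (mPrimaryBrowserParent unset) and a host whose owner element is null; either one makes the function report "no size" instead of faulting.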

There is a bit of an increase in volume under this signature in the beta and nightly branches. The entirety of this increase is due to users with faulty Intel Raptor Lake systems, so you can disregard it for the purpose of assessing the bug's severity and user impact.
