Open Bug 1872660 Opened 2 years ago Updated 1 year ago

Codepen demo with large modified values will crash

Categories

(Core :: Web Painting, enhancement)

Product:
Core
Component:
Web Painting
Type:
enhancement

Tracking

()

People

(Reporter: mayankleoboy1, Unassigned)

References

(
URL
)

Details

Crash Data

Go to https://codepen.io/meodai/pen/ExMVVZd?editors=1010
In the HTML pane, increase the range of the sliders for "hs" and "s" by 100x:

hs : 24->2400
s: 12->1200
Let the demo recompile
Increase "hs" to maximum
Start playing with the "s" slider - take it to maximum, or rapidly change it.. Just keep playing with it for some time.

AR: Crash
https://crash-stats.mozilla.org/report/index/6cc8e639-a6cf-40cb-ac1e-733f70240102
https://crash-stats.mozilla.org/report/index/76ff5940-c199-47e0-9add-5ccc50240102

This is an intentionally stress-inducing test. I dont expect the browser to handle this. The intention of filing this bug is if there is anything obvious or security related that needs to be fixed.

Crash Signature: @ nsCSSPropertyIDSet::AssertInSetRange ] [@ mozilla::ipc::PortLink::SendMessage | IPC_Message_Name=PWebRenderBridge::Msg_SetDisplayList ]
Crash Signature: @ nsCSSPropertyIDSet::AssertInSetRange ] [@ mozilla::ipc::PortLink::SendMessage | IPC_Message_Name=PWebRenderBridge::Msg_SetDisplayList ] → [@ nsCSSPropertyIDSet::AssertInSetRange ] [@ mozilla::ipc::PortLink::SendMessage | IPC_Message_Name=PWebRenderBridge::Msg_SetDisplayList ]

The Msg_SetDisplayList crash is probably expected based on the description.

The nsCSSPropertyIDSet::AssertInSetRange crash is interesting and doesn't seem expected. Should probably look into that.

See Also: → 1881412
You need to log in before you can comment on or make changes to this bug.