Crash in [@ nsCOMPtr<T>::get | nsCOMPtr<T>::operator nsIContent* | nsIFrame::GetContent]
Categories
(Core :: DOM: UI Events & Focus Handling, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox123 | --- | unaffected |
| firefox124 | --- | unaffected |
| firefox125 | + | verified |
People
(Reporter: RyanVM, Assigned: masayuki)
References
(Regression)
Details
(Keywords: crash, regression, topcrash)
Crash Data
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/b8e9f873-965c-4a2a-9b9d-a6b500240314
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so nsCOMPtr<nsIContent>::get const xpcom/base/nsCOMPtr.h:751
0 libxul.so nsCOMPtr<nsIContent>::operator nsIContent* const& xpcom/base/nsCOMPtr.h:759
0 libxul.so nsIFrame::GetContent const layout/generic/nsIFrame.h:788
0 libxul.so AutoPointerEventTargetUpdater::AutoPointerEventTargetUpdater layout/base/PresShell.cpp:585
0 libxul.so mozilla::PresShell::EventHandler::HandleEventWithTarget layout/base/PresShell.cpp:8341
1 libxul.so mozilla::PresShell::HandleEventWithTarget layout/base/PresShell.h:674
2 libxul.so mozilla::PointerEventHandler::DispatchPointerFromMouseOrTouch dom/events/PointerEventHandler.cpp:701
3 libxul.so mozilla::PresShell::EventHandler::DispatchPrecedingPointerEvent layout/base/PresShell.cpp:7459
4 libxul.so mozilla::PresShell::EventHandler::HandleEventUsingCoordinates layout/base/PresShell.cpp:7258
5 libxul.so mozilla::PresShell::HandleEvent layout/base/PresShell.cpp:7020
|
Assignee | |
Updated•7 months ago
|
|
||
Comment 1•7 months ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on nightly
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 2•7 months ago
|
||
The crash occurs when PointerEventHandler::DispatchPointerFromMouseOrTouch
dispatches a pointer event for eTouchStart. In this case, aFrame of
the constructor of AutoPointerEventTargetUpdater is set to the primary frame
of the event target content [1][2] and the event target may have no frame
because touch targets are considered by TouchManager before dispatching
ePointerDown [3][4][5]. Therefore, we should make it take event target
content for the case of no event target frame.
I tried to reproduce the crash with removing the target or making the target
display:contents at first pointerdown or touchstart of multi-touch, but
I couldn't reproduce the crash. Therefore, this patch does not contain new
tests.
- https://searchfox.org/mozilla-central/rev/109bb25545f0d2df31954dc0a9afbf30d900b6bb/dom/events/PointerEventHandler.cpp#694,701
- https://searchfox.org/mozilla-central/rev/109bb25545f0d2df31954dc0a9afbf30d900b6bb/layout/base/PresShell.cpp#8319,8341
- https://searchfox.org/mozilla-central/rev/109bb25545f0d2df31954dc0a9afbf30d900b6bb/layout/base/TouchManager.cpp#115
- https://searchfox.org/mozilla-central/rev/109bb25545f0d2df31954dc0a9afbf30d900b6bb/layout/base/PresShell.cpp#7400
- https://searchfox.org/mozilla-central/rev/109bb25545f0d2df31954dc0a9afbf30d900b6bb/layout/base/PresShell.cpp#7198
|
Reporter | |
Updated•7 months ago
|
Description
•