Closed Bug 1819957 (opened 2 years ago, closed 2 years ago)

heap-use-after-free in [@ mozilla::nsDisplayText::CreateWebRenderCommands]

Categories: Core :: Layout: Text and Fonts, defect

Tracking: VERIFIED FIXED, 112 Branch

Tracking Status
firefox-esr102 --- unaffected
firefox110 --- unaffected
firefox111 --- unaffected
firefox112 --- fixed

People: Reporter: tsmith, Assigned: jfkthame

References: Blocks 1 open bug, Regression

Details: 6 keywords, Whiteboard: [bugmon:bisected,confirmed][post-critsmash-triage][adv-main112+r]

Attachments: 2 files

Attached file testcase.html

Found while fuzzing m-c 20230302-da5d9cb0388f (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

==628171==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600026e7e8 at pc 0x7fa4808ead3e bp 0x7ffec55a8310 sp 0x7ffec55a8308
READ of size 4 at 0x60600026e7e8 thread T0 (Isolated Web Co)
    #0 0x7fa4808ead3d in IsZero /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleConstsInlines.h:536:51
    #1 0x7fa4808ead3d in ToAppUnits /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleConstsInlines.h:553:7
    #2 0x7fa4808ead3d in mozilla::nsDisplayText::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*)::$_9::operator()(mozilla::Span<mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA, mozilla::StylePercentage>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength> const, 18446744073709551615ul>) const /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7545:44
    #3 0x7fa4808ea3b7 in mozilla::nsDisplayText::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7563:5
    #4 0x7fa47942c32a in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1829:41
    #5 0x7fa47942a248 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2095:7
    #6 0x7fa4808ce215 in mozilla::nsDisplayWrapList::CreateWebRenderCommandsNewClipListOption(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4633:30
    #7 0x7fa4808d3a8f in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4976:12
    #8 0x7fa4808d3a8f in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5272:22
    #9 0x7fa47942c32a in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1829:41
    #10 0x7fa47942a248 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2095:7
    #11 0x7fa479427fac in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1750:5
    #12 0x7fa479447e10 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:362:30
    #13 0x7fa4808b1d9c in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2299:18
    #14 0x7fa48021ede3 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3413:9
    #15 0x7fa48012ae74 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6430:5
    #16 0x7fa47f97981d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:433:18
    #17 0x7fa47f978fbb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:368:22
    #18 0x7fa47f97aeda in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:941:5
    #19 0x7fa48009e9c8 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2824:11
    #20 0x7fa4800ab606 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
    #21 0x7fa4800ab606 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
    #22 0x7fa4800ab36e in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
    #23 0x7fa4800ab0f5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
    #24 0x7fa4800aa38f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
    #25 0x7fa4800a95c2 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
    #26 0x7fa4800a8dbb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
    #27 0x7fa4800a8958 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9
    #28 0x7fa47eaf493c in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:66:15
    #29 0x7fa47f00e943 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:228:78
    #30 0x7fa47ede61cc in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8784:32
    #31 0x7fa47840c4a9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
    #32 0x7fa4784094bd in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
    #33 0x7fa47840a08e in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
    #34 0x7fa47840b2be in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
    #35 0x7fa476bc24c9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
    #36 0x7fa476bb885c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
    #37 0x7fa476bb5ad8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
    #38 0x7fa476bb6200 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
    #39 0x7fa476bc89d4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:191:37
    #40 0x7fa476bc89d4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
    #41 0x7fa476bed29e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
    #42 0x7fa476bf7814 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #43 0x7fa4784140a3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #44 0x7fa478292427 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #45 0x7fa478292427 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #46 0x7fa478292427 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #47 0x7fa47fa70499 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #48 0x7fa484ab81c8 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
    #49 0x7fa478292427 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #50 0x7fa478292427 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #51 0x7fa478292427 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #52 0x7fa484ab795f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671:34
    #53 0x561c2212b824 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #54 0x561c2212bce7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
    #55 0x7fa499999d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #56 0x7fa499999e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #57 0x561c2206a2a8 in _start (/home/user/workspace/browsers/m-c-20230302045723-fuzzing-asan-opt/firefox+0x1122a8) (BuildId: 440630ac0957dd6673e935192733e5664639b1e8)

0x60600026e7e8 is located 40 bytes inside of 56-byte region [0x60600026e7c0,0x60600026e7f8)
freed by thread T0 (Isolated Web Co) here:
    #0 0x561c220ee9d2 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7fa480084d4c in mozilla::StyleArcSlice<mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA, mozilla::StylePercentage>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength>>::Release() /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleConstsInlines.h:250:3
    #2 0x7fa48005c67d in ~StyleArcSlice /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleConstsInlines.h:255:3
    #3 0x7fa48005c67d in nsStyleText::~nsStyleText() /builds/worker/checkouts/gecko/layout/style/nsStyleStruct.cpp:3004:60
    #4 0x7fa48ce9390d in style::gecko_properties::_$LT$impl$u20$core..ops..drop..Drop$u20$for$u20$style..gecko_bindings..structs..root..mozilla..GeckoText$GT$::drop::h8123c0ede33b62b3 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-77fdb6f473e4e76e/out/gecko_properties.rs:18469:13
    #5 0x7fa48ce9390d in core::ptr::drop_in_place$LT$style..gecko_bindings..structs..root..mozilla..GeckoText$GT$::h1d2ff8a74efc03a4 /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #6 0x7fa48ce9390d in core::ptr::drop_in_place$LT$servo_arc..ArcInner$LT$style..gecko_bindings..structs..root..mozilla..GeckoText$GT$$GT$::h26860692b70085b8 /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #7 0x7fa48ce9390d in core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$servo_arc..ArcInner$LT$style..gecko_bindings..structs..root..mozilla..GeckoText$GT$$GT$$GT$::h50d404b69f1faccc /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #8 0x7fa48ce9390d in servo_arc::Arc$LT$T$GT$::drop_slow::h0c70ff57df0451d9 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:365:42
    #9 0x7fa48ce9bb73 in _$LT$servo_arc..Arc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::he4348a2f073e5d12 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:551:13
    #10 0x7fa48ce9bb73 in core::ptr::drop_in_place$LT$servo_arc..Arc$LT$style..gecko_bindings..structs..root..mozilla..GeckoText$GT$$GT$::h7dd2486dd2e69d2c /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #11 0x7fa48ce9bb73 in _$LT$servo_arc..RawOffsetArc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h472294d059fa0ff6 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:1133:11
    #12 0x7fa48ce9bb73 in core::ptr::drop_in_place$LT$servo_arc..RawOffsetArc$LT$style..gecko_bindings..structs..root..mozilla..GeckoText$GT$$GT$::h4a8eb122b089a8f9 /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #13 0x7fa48ce9bb73 in core::ptr::drop_in_place$LT$style..gecko_bindings..structs..root..ServoComputedData$GT$::hfffc58f404c0e171 /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #14 0x7fa48ce9bb73 in core::ptr::drop_in_place$LT$style..gecko_bindings..structs..root..mozilla..ComputedStyle$GT$::h50a1d3b7ac15b45f /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #15 0x7fa48ce9bb73 in core::ptr::drop_in_place$LT$style..gecko_properties..ComputedValues$GT$::h01208978686fc2e8 /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #16 0x7fa48ce9bb73 in core::ptr::drop_in_place$LT$servo_arc..ArcInner$LT$style..gecko_properties..ComputedValues$GT$$GT$::h9055747d4b0c5018 /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #17 0x7fa48ce9bb73 in core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$servo_arc..ArcInner$LT$style..gecko_properties..ComputedValues$GT$$GT$$GT$::heab918397c2a403e /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #18 0x7fa48ce9bb73 in servo_arc::Arc$LT$T$GT$::drop_slow::he1b22ce09e7451d9 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:365:42
    #19 0x7fa48d56bfda in _$LT$servo_arc..Arc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::h991358f73c373249 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:551:13
    #20 0x7fa48d56bfda in core::ptr::drop_in_place$LT$servo_arc..Arc$LT$style..gecko_properties..ComputedValues$GT$$GT$::h10fd95316d1983e1 /builds/worker/fetches/rust/library/core/src/ptr/mod.rs:490:1
    #21 0x7fa48d56bfda in style::gecko::arc_types::Servo_ComputedStyle_Release::_$u7b$$u7b$closure$u7d$$u7d$::h06c4d314b0141ca3 /builds/worker/checkouts/gecko/servo/components/style/gecko/arc_types.rs:133:50
    #22 0x7fa48d56bfda in servo_arc::ArcBorrow$LT$T$GT$::with_arc::h4043d0b5ead559a5 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:1292:22
    #23 0x7fa48d56bfda in Servo_ComputedStyle_Release /builds/worker/checkouts/gecko/servo/components/style/gecko/arc_types.rs:132:5
    #24 0x7fa48057e9e7 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/ServoBindingTypes.h:155:1
    #25 0x7fa48057e9e7 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
    #26 0x7fa48057e9e7 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
    #27 0x7fa48057e9e7 in ~nsTextPaintStyle /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:408:7
    #28 0x7fa48057e9e7 in nsTextFrame::GetSelectionTextShadow(mozilla::SelectionType, mozilla::Span<mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA, mozilla::StylePercentage>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength> const, 18446744073709551615ul>*, nsTextPaintStyle*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:6239:5
    #29 0x7fa4808ea386 in mozilla::nsDisplayText::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7562:8
    #30 0x7fa47942c32a in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1829:41
    #31 0x7fa47942a248 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2095:7
    #32 0x7fa4808ce215 in mozilla::nsDisplayWrapList::CreateWebRenderCommandsNewClipListOption(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4633:30
    #33 0x7fa4808d3a8f in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4976:12
    #34 0x7fa4808d3a8f in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5272:22
    #35 0x7fa47942c32a in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1829:41
    #36 0x7fa47942a248 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2095:7
    #37 0x7fa479427fac in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1750:5
    #38 0x7fa479447e10 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:362:30
    #39 0x7fa4808b1d9c in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2299:18
    #40 0x7fa48021ede3 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3413:9
    #41 0x7fa48012ae74 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6430:5
    #42 0x7fa47f97981d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:433:18
    #43 0x7fa47f978fbb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:368:22
    #44 0x7fa47f97aeda in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:941:5
    #45 0x7fa48009e9c8 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2824:11
    #46 0x7fa4800ab606 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
    #47 0x7fa4800ab606 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
    #48 0x7fa4800ab36e in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:367:5
    #49 0x7fa4800ab0f5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:911:5
    #50 0x7fa4800aa38f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:825:5
    #51 0x7fa4800a95c2 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:5
    #52 0x7fa4800a8dbb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:592:14
    #53 0x7fa4800a8958 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:549:9

previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x561c220eec7e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7fa48dd0078c in alloc::alloc::alloc::hfd4840f40062c30e /builds/worker/fetches/rust/library/alloc/src/alloc.rs:95:14
    #2 0x7fa48dd0078c in alloc::alloc::Global::alloc_impl::hfe0f7428b77cab4e /builds/worker/fetches/rust/library/alloc/src/alloc.rs:177:73
    #3 0x7fa48dd0078c in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::allocate::h331bbcc371f94af5 /builds/worker/fetches/rust/library/alloc/src/alloc.rs:237:9
    #4 0x7fa48dd0078c in alloc::raw_vec::RawVec$LT$T$C$A$GT$::allocate_in::h85a69f0b2b2d63db /builds/worker/fetches/rust/library/alloc/src/raw_vec.rs:185:45
    #5 0x7fa48dd0078c in alloc::raw_vec::RawVec$LT$T$C$A$GT$::with_capacity_in::hf629e606d45283eb /builds/worker/fetches/rust/library/alloc/src/raw_vec.rs:131:9
    #6 0x7fa48dd0078c in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::h31963f8af170f6d9 /builds/worker/fetches/rust/library/alloc/src/vec/mod.rs:673:20
    #7 0x7fa48dd0078c in alloc::vec::Vec$LT$T$GT$::with_capacity::h0555d9ee698e23b2 /builds/worker/fetches/rust/library/alloc/src/vec/mod.rs:483:9
    #8 0x7fa48dd0078c in servo_arc::Arc$LT$servo_arc..HeaderSlice$LT$H$C$$u5b$T$u5d$$GT$$GT$::allocate_buffer::h1c29c474f4f03881 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:845:23
    #9 0x7fa48dd0078c in servo_arc::Arc$LT$servo_arc..HeaderSlice$LT$H$C$$u5b$T$u5d$$GT$$GT$::from_header_and_iter::_$u7b$$u7b$closure$u7d$$u7d$::h17ea2867bc1f7b9e /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:826:25
    #10 0x7fa48dd0078c in servo_arc::Arc$LT$servo_arc..HeaderSlice$LT$H$C$$u5b$T$u5d$$GT$$GT$::from_header_and_iter_alloc::hc9fbbf36e4574133 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:744:26
    #11 0x7fa48dd0078c in servo_arc::Arc$LT$servo_arc..HeaderSlice$LT$H$C$$u5b$T$u5d$$GT$$GT$::from_header_and_iter::h8a98ee49c017aed3 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:820:9
    #12 0x7fa48dd0078c in servo_arc::ThinArc$LT$H$C$T$GT$::from_header_and_iter::h0b5f38ed008e40a6 /builds/worker/checkouts/gecko/servo/components/servo_arc/lib.rs:947:24
    #13 0x7fa48dd0078c in style_traits::arc_slice::ArcSlice$LT$T$GT$::from_iter::h5e6567e017879915 /builds/worker/checkouts/gecko/servo/components/style_traits/arc_slice.rs:103:18
    #14 0x7fa48dd0078c in _$LT$style..properties..longhands..text_shadow..SpecifiedValue$u20$as$u20$style..values..computed..ToComputedValue$GT$::to_computed_value::h24f6bafb1110fa95 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-77fdb6f473e4e76e/out/longhands/inherited_text.rs:1878:38
    #15 0x7fa48dd02094 in style::properties::longhands::text_shadow::cascade_property::he231d7d03de4e5e0 /builds/worker/workspace/obj-build/x86_64-unknown-linux-gnu/release/build/style-77fdb6f473e4e76e/out/longhands/inherited_text.rs:1923:32
    #16 0x7fa48c6be31c in style::properties::cascade::Cascade::apply_declaration::h13d339d25b2e1314 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:613:9
    #17 0x7fa48c6be31c in style::properties::cascade::Cascade::apply_properties::h5808022f262dc357 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:718:13
    #18 0x7fa48c6bba0d in style::properties::cascade::apply_declarations::h59ca640e5f2c78d2 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:372:5
    #19 0x7fa48c6bba0d in style::properties::cascade::cascade_rules::ha8830d621789ae71 /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:197:5
    #20 0x7fa48c74ef9a in style::properties::cascade::cascade::ha6f77b20d556b22d /builds/worker/checkouts/gecko/servo/components/style/properties/cascade.rs:73:5
    #21 0x7fa48c74ef9a in style::stylist::Stylist::cascade_style_and_visited::hf06e496dd439a39d /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1089:9
    #22 0x7fa48ca065c7 in style::stylist::Stylist::compute_pseudo_element_style_with_inputs::h646f9c788f0bb9d0 /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:1026:9
    #23 0x7fa48ca065c7 in style::stylist::Stylist::lazily_compute_pseudo_element_style::h92dcfa2e0d38bf6e /builds/worker/checkouts/gecko/servo/components/style/stylist.rs:988:14
    #24 0x7fa48ca065c7 in geckoservo::glue::get_pseudo_style::hfe6bddf9c79f108b /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:4235:13
    #25 0x7fa48c9fd493 in Servo_ResolvePseudoStyle /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:4025:17
    #26 0x7fa47fff423d in mozilla::ServoStyleSet::ResolvePseudoElementStyle(mozilla::dom::Element const&, mozilla::PseudoStyleType, mozilla::ComputedStyle*, mozilla::ServoStyleSet::IsProbe) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:480:13
    #27 0x7fa480453fe8 in ProbePseudoElementStyle /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleSet.h:221:12
    #28 0x7fa480453fe8 in nsIFrame::ComputeSelectionStyle(short) const /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:2442:34
    #29 0x7fa48056cc76 in nsTextPaintStyle::InitSelectionColorsAndShadow() /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:4288:19
    #30 0x7fa48056fd81 in nsTextPaintStyle::GetSelectionShadow(mozilla::Span<mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA, mozilla::StylePercentage>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength> const, 18446744073709551615ul>*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:4458:8
    #31 0x7fa48057e9bb in nsTextFrame::GetSelectionTextShadow(mozilla::SelectionType, mozilla::Span<mozilla::StyleGenericSimpleShadow<mozilla::StyleGenericColor<mozilla::StyleRGBA, mozilla::StylePercentage>, mozilla::StyleCSSPixelLength, mozilla::StyleCSSPixelLength> const, 18446744073709551615ul>*, nsTextPaintStyle*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:6239:28
    #32 0x7fa4808ea386 in mozilla::nsDisplayText::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:7562:8
    #33 0x7fa47942c32a in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1829:41
    #34 0x7fa47942a248 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2095:7
    #35 0x7fa4808ce215 in mozilla::nsDisplayWrapList::CreateWebRenderCommandsNewClipListOption(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*, bool) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:4633:30
    #36 0x7fa4808d3a8f in CreateWebRenderCommands /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4976:12
    #37 0x7fa4808d3a8f in mozilla::nsDisplayOwnLayer::CreateWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::layers::RenderRootStateManager*, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:5272:22
    #38 0x7fa47942c32a in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommands(mozilla::nsDisplayItem*, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::layers::StackingContextHelper const&, mozilla::nsDisplayListBuilder*) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1829:41
    #39 0x7fa47942a248 in mozilla::layers::WebRenderCommandBuilder::CreateWebRenderCommandsFromDisplayList(mozilla::nsDisplayList*, mozilla::nsDisplayItem*, mozilla::nsDisplayListBuilder*, mozilla::layers::StackingContextHelper const&, mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, bool) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:2095:7
    #40 0x7fa479427fac in mozilla::layers::WebRenderCommandBuilder::BuildWebRenderCommands(mozilla::wr::DisplayListBuilder&, mozilla::wr::IpcResourceUpdateQueue&, mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, mozilla::layers::WebRenderScrollData&, WrFiltersHolder&&) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderCommandBuilder.cpp:1750:5
    #41 0x7fa479447e10 in mozilla::layers::WebRenderLayerManager::EndTransactionWithoutLayer(mozilla::nsDisplayList*, mozilla::nsDisplayListBuilder*, WrFiltersHolder&&, mozilla::layers::WebRenderBackgroundData*, double) /builds/worker/checkouts/gecko/gfx/layers/wr/WebRenderLayerManager.cpp:362:30
    #42 0x7fa4808b1d9c in mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2299:18
    #43 0x7fa48021ede3 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3413:9
    #44 0x7fa48012ae74 in mozilla::PresShell::PaintInternal(nsView*, mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6430:5
    #45 0x7fa47f97981d in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:433:18
    #46 0x7fa47f978fbb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:368:22
    #47 0x7fa47f97aeda in nsViewManager::ProcessPendingUpdates() /builds/worker/checkouts/gecko/view/nsViewManager.cpp:941:5
    #48 0x7fa48009e9c8 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2824:11
    #49 0x7fa4800ab606 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:373:13
    #50 0x7fa4800ab606 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver>>&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
Flags: in-testsuite?

This seems at least S2-level, given use-after-free.

Could you generate a pernosco trace? Thanks!

Flags: needinfo?(twsmith)

Bugmon should be able to do this one.

Keywords: pernosco-wanted

Verified bug as reproducible on mozilla-central 20230302212231-ba36dea109e7.
The bug appears to have been introduced in the following build range:

Start: 8aca58bfd700721a1d20f1de5b04eecbb64fb3e2 (20230301225323)
End: d8665c8f9ec9d37957a7a5b8c5f69bfb27e81d9d (20230301130851)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=8aca58bfd700721a1d20f1de5b04eecbb64fb3e2&tochange=d8665c8f9ec9d37957a7a5b8c5f69bfb27e81d9d

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Whiteboard: [bugmon:bisected,confirmed]

A pernosco session for this bug can be found here.

Flags: needinfo?(twsmith)
Keywords: sec-high

Looks like this was regressed by bug 1818654

Flags: needinfo?(jfkthame)

Oh, I see ... we mustn't use a temporary nsTextPaintStyle within GetSelectionTextShadow, because it needs to outlive the pointers to the shadow(s) being returned in the Span<>. So we'll need the nsTextPaintStyle to be instantiated by the nsDisplayText caller.

Flags: needinfo?(jfkthame)

This lets us instantiate it on the stack in nsDisplayText::Paint.

Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Regressed by: 1818654
Severity: -- → S2
Component: CSS Parsing and Computation → Layout: Text and Fonts
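
The lifetime problem diagnosed above, reduced to a stand-alone sketch (added here as an illustration; it is not Gecko code or the landed patch). `Shadow`, `ShadowSpan`, `PaintStyle` and the function names are hypothetical stand-ins for the Gecko types named in the bug, and the `sLive` counter exists only so the difference can be checked without dereferencing freed memory.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-ins for the types named in the bug; this is not Gecko code.
struct Shadow { int blur; };

// Non-owning view: a pointer and a length, nothing that keeps the data alive.
struct ShadowSpan { const Shadow* data; std::size_t size; };

// Plays the role of nsTextPaintStyle: owns the storage the span points into.
class PaintStyle {
 public:
  static int sLive;  // number of PaintStyle objects currently alive
  PaintStyle() : mShadows{Shadow{2}, Shadow{5}} { ++sLive; }
  ~PaintStyle() { --sLive; }
  ShadowSpan SelectionShadows() const { return {mShadows.data(), mShadows.size()}; }
 private:
  std::vector<Shadow> mShadows;
};
int PaintStyle::sLive = 0;

// Diagnosed pattern: the owner is local to the getter, so the span dangles on return.
ShadowSpan GetShadowsTemporaryOwner() {
  PaintStyle style;
  return style.SelectionShadows();
}

// Fixed pattern: the caller instantiates the owner, which outlives the span.
ShadowSpan GetShadowsCallerOwned(const PaintStyle& style) {
  return style.SelectionShadows();
}

// Caller in the role of nsDisplayText: owner on the stack, span used in its scope.
int TotalBlurCallerOwned() {
  PaintStyle style;
  ShadowSpan shadows = GetShadowsCallerOwned(style);
  int total = 0;
  for (std::size_t i = 0; i < shadows.size; ++i) total += shadows.data[i].blur;
  return total;
}

// Counts owners still alive behind the returned span, without dereferencing it.
int LiveOwnersAfterTemporaryGetter() {
  ShadowSpan dangling = GetShadowsTemporaryOwner();
  (void)dangling;  // reading dangling.data[i] here would be the use-after-free
  return PaintStyle::sLive;
}

int main() { return TotalBlurCallerOwned() == 7 ? 0 : 1; }
```

Built with `-fsanitize=address`, a read through the span returned by `GetShadowsTemporaryOwner()` produces the same class of heap-use-after-free report as the one at the top of this bug.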

Set release status flags based on info from the regressing bug 1818654

Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
Flags: qe-verify-
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][post-critsmash-triage]

Verified bug as fixed on rev mozilla-central 20230306094520-a324d94d25a4.

Status: RESOLVED → VERIFIED
See Also: → 1820514
Duplicate of this bug: 1820514

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::StyleCSSPixelLength::IsZero]
Whiteboard: [bugmon:bisected,confirmed][post-critsmash-triage] → [bugmon:bisected,confirmed][post-critsmash-triage][adv-main112+r]
Group: core-security-release
Keywords: bugmon