Closed Bug 1787584 Opened 2 years ago Closed 2 years ago

Crash in [@ IPCError-browser | RecvSetCursor Invalid custom cursor data] when cursor is changed to a custom cursor

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

Product:
Core
Component:
DOM: Copy & Paste and Drag & Drop
Version:
Firefox 106
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
106 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- unaffected
firefox105 --- unaffected
firefox106 blocking fixed

People

(Reporter: Fanolian+BMO, Assigned: evilpie, NeedInfo)

References

(Regression,
URL
)

Details

(6 keywords)

Crash Data

Attachments

(2 files)

testcase for bug 1787584 custom cursor.html
313 bytes, text/html
Details
Bug 1787584 - Revert RecvSetCursor to use the correct size comparison. r?nika,#ipc-reviewers
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Build ID: 20220826214835

Steps to reproduce

  1. Use a new profile, leave all settings as default.
  2. Visit a page with an embedded Google Maps. E.g. https://developers.google.com/maps/documentation/embed/embedding-map#place_mode or https://cloud.marketing.hktvmall.com/storelocationen
  3. Move cursor into the section of the embedded Google Maps

Actual result

Tab crashes. A crash report summary is attached below.

Expected result

No crashes.

Additional notes

There is no crashes when I visit the regular Google Maps site https://www.google.com/maps/.

Regression

Last good Nightly: 2022-08-25
First bad Nightly: 2022-08-26
pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=58735c4baea39ac2be1ebf546e9180795009720e&tochange=be22852de7df3dee3c68fac2f7b110864df559c9

Bisecting autoland builds:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a9c593b5a54ab52a22ad2733bc09055122c40d90&tochange=be22852de7df3dee3c68fac2f7b110864df559c9

This is regressed by bug 1781129.

Crash report: https://crash-stats.mozilla.org/report/index/58c4354b-687a-4aac-97fd-1174d0220827

Reason: EXCEPTION_BREAKPOINT

Top 10 frames of crashing thread:

0 xul.dll MOZ_Z_inflate_fast modules/zlib/src/inffast.c:158
1 xul.dll MOZ_Z_inflate modules/zlib/src/inflate.c:1064
2 xul.dll js::DecompressStringChunk js/src/vm/Compression.cpp:251
3 xul.dll js::ScriptSource::chunkUnits<mozilla::Utf8Unit> js/src/vm/JSScript.cpp:1037
4 xul.dll js::ScriptSource::units<mozilla::Utf8Unit> js/src/vm/JSScript.cpp:1142
5 xul.dll js::ScriptSource::PinnedUnits<mozilla::Utf8Unit>::PinnedUnits js/src/vm/JSScript.cpp:1211
6 xul.dll js::frontend::DelazifyCanonicalScriptedFunction js/src/frontend/BytecodeCompiler.cpp:1349
7 xul.dll JSFunction::delazifyLazilyInterpretedFunction js/src/vm/JSFunction.cpp:1410
8 xul.dll JSFunction::getOrCreateScript js/src/vm/JSFunction.h:452
9 xul.dll JSFunction::delazifyLazilyInterpretedFunction js/src/vm/JSFunction.cpp:1397
Flags: needinfo?(nika)

[Tracking Requested - why for this release]:
Embedded Google Maps is very common and the crash is extremely easy to trigger.

Has STR: --- → yes
tracking-firefox106: --- → ?
Keywords: crash, nightly-community, regression, reproducible
Regressed by: 1781129

Set release status flags based on info from the regressing bug 1781129

status-firefox104: --- → unaffected
status-firefox105: --- → unaffected
status-firefox106: --- → affected
status-firefox-esr102: --- → unaffected
status-firefox-esr91: --- → unaffected

A tab will crash if the cursor is changed to a custom cursor.

Sample sites:
https://custom-cursor.com/en/collection/sanrio/momousa. Move cursor into the "Hover me" area.
https://codepen.io/simonbusborg/pen/WoEqyN. Move cursor into the bottom panel.

Summary: Crash in [@ IPCError-browser | RecvSetCursor Invalid custom cursor data] when moving cursor into an embedded Google Maps → Crash in [@ IPCError-browser | RecvSetCursor Invalid custom cursor data] when cursor is changed to a custom cursor
Status: UNCONFIRMED → NEW
Ever confirmed: true

New STR:

  1. Open attached testcase.
  2. Hover on the text.

Result:
Crash.

Keywords: testcase

This issue makes Gmail crashed.

This just converts the comparison to what we had before. aHeight * aStride must be exactly equal to Size().

Assignee: nobody → evilpies
Status: NEW → ASSIGNED

The bug was introduced by changing != to >= here: https://hg.mozilla.org/mozilla-central/rev/8ab38c9b4f25ed4437804b708cb3be993c522400#l5.30.

Nightly updates stopped. Tom, unless you can get your patch reviewed and landed in the next nightly, we are going to back out the regressor.

Flags: needinfo?(evilpies)
Pushed by evilpies@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/cc0ca35ee959
Revert RecvSetCursor to use the correct size comparison.

I landed the patch as-is. It's really just a revert.

Flags: needinfo?(evilpies)
Flags: needinfo?(nika)

Viewing a twitch.tv clip seems to cause the crash as well

Just curious how this bug got past the initial developer testing! This affects a widely used app (gmail).

https://hg.mozilla.org/mozilla-central/rev/cc0ca35ee959

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox106: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

Can we add a test for this?

Flags: needinfo?(evilpies)

Can we add a test for this?
301

Flags: needinfo?(evilpies) → needinfo?(nika)
Flags: qe-verify+

Verified all reported scenarios.
Issue no longer reproducible on 106.0b5 Firefox.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: