Crash in [@ IPCError-browser | RecvSetCursor Invalid custom cursor data] when cursor is changed to a custom cursor
Categories
(Core :: DOM: Copy & Paste and Drag & Drop, defect)
Tracking
Release | Tracking | Status
---|---|---
firefox-esr91 | --- | unaffected
firefox-esr102 | --- | unaffected
firefox104 | --- | unaffected
firefox105 | --- | unaffected
firefox106 | blocking | fixed
People
(Reporter: Fanolian+BMO, Assigned: evilpie, NeedInfo)
References
(Regression)
Details
(6 keywords)
Crash Data
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Build ID: 20220826214835
Steps to reproduce
- Use a new profile, leave all settings as default.
- Visit a page with an embedded Google Map, e.g. https://developers.google.com/maps/documentation/embed/embedding-map#place_mode or https://cloud.marketing.hktvmall.com/storelocationen
- Move cursor into the section of the embedded Google Maps
Actual result
Tab crashes. A crash report summary is attached below.
Expected result
No crashes.
Additional notes
There are no crashes when I visit the regular Google Maps site https://www.google.com/maps/.
Regression
Last good Nightly: 2022-08-25
First bad Nightly: 2022-08-26
pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=58735c4baea39ac2be1ebf546e9180795009720e&tochange=be22852de7df3dee3c68fac2f7b110864df559c9
Bisecting autoland builds:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a9c593b5a54ab52a22ad2733bc09055122c40d90&tochange=be22852de7df3dee3c68fac2f7b110864df559c9
This is regressed by bug 1781129.
Crash report: https://crash-stats.mozilla.org/report/index/58c4354b-687a-4aac-97fd-1174d0220827
Reason: EXCEPTION_BREAKPOINT
Top 10 frames of crashing thread:
0 xul.dll MOZ_Z_inflate_fast modules/zlib/src/inffast.c:158
1 xul.dll MOZ_Z_inflate modules/zlib/src/inflate.c:1064
2 xul.dll js::DecompressStringChunk js/src/vm/Compression.cpp:251
3 xul.dll js::ScriptSource::chunkUnits<mozilla::Utf8Unit> js/src/vm/JSScript.cpp:1037
4 xul.dll js::ScriptSource::units<mozilla::Utf8Unit> js/src/vm/JSScript.cpp:1142
5 xul.dll js::ScriptSource::PinnedUnits<mozilla::Utf8Unit>::PinnedUnits js/src/vm/JSScript.cpp:1211
6 xul.dll js::frontend::DelazifyCanonicalScriptedFunction js/src/frontend/BytecodeCompiler.cpp:1349
7 xul.dll JSFunction::delazifyLazilyInterpretedFunction js/src/vm/JSFunction.cpp:1410
8 xul.dll JSFunction::getOrCreateScript js/src/vm/JSFunction.h:452
9 xul.dll JSFunction::delazifyLazilyInterpretedFunction js/src/vm/JSFunction.cpp:1397
[Tracking Requested - why for this release]:
Embedded Google Maps is very common and the crash is extremely easy to trigger.
Comment 2 • 2 years ago
Set release status flags based on info from the regressing bug 1781129
A tab will crash if the cursor is changed to a custom cursor.
Sample sites:
https://custom-cursor.com/en/collection/sanrio/momousa. Move cursor into the "Hover me" area.
https://codepen.io/simonbusborg/pen/WoEqyN. Move cursor into the bottom panel.
New STR:
- Open attached testcase.
- Hover on the text.
Result:
Crash.
Comment 5 • 2 years ago
This issue makes Gmail crash.
Comment 6 • 2 years ago (Assignee)
This just converts the comparison to what we had before. aHeight * aStride must be exactly equal to Size().
Comment 7 • 2 years ago (Assignee)
The bug was introduced by changing != to >= here: https://hg.mozilla.org/mozilla-central/rev/8ab38c9b4f25ed4437804b708cb3be993c522400#l5.30.
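To make the direction of the regressed comparison concrete, the following is an added, simplified C++ model of the size validation described in comments 6 and 7. It is not Firefox's RecvSetCursor code: the struct and function names (CustomCursorData, CursorSizeOkRegressed, CursorSizeOkFixed, ValidateCustomCursor, Verdict) are invented for this example, the sample cursor data is constructed, and the overflow-checked multiplication and the stride-versus-width check are assumptions about what such a validator should do rather than anything this bug states.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Hypothetical stand-in for the custom-cursor payload carried by the
// SetCursor IPC message (names invented for this example).
struct CustomCursorData {
  std::vector<uint8_t> bytes;  // pixel buffer sent by the content process
  uint32_t width = 0;
  uint32_t height = 0;
  uint32_t stride = 0;         // bytes per row
  uint32_t bytesPerPixel = 0;
};

// Overflow-checked 32-bit multiply; returns false if the product does not fit.
// Assumption: a real validator computes the expected size with a checked multiply.
static bool CheckedMul32(uint32_t a, uint32_t b, uint32_t* out) {
  const uint64_t p = static_cast<uint64_t>(a) * static_cast<uint64_t>(b);
  if (p > std::numeric_limits<uint32_t>::max()) return false;
  *out = static_cast<uint32_t>(p);
  return true;
}

// Regressed comparison ("!=" changed to ">="): the data is rejected when
// height * stride >= Size(). An exactly sized buffer, which is what a
// well-behaved sender always produces, therefore fails validation.
bool CursorSizeOkRegressed(const CustomCursorData& d) {
  uint32_t expected = 0;
  if (!CheckedMul32(d.height, d.stride, &expected)) return false;
  if (static_cast<size_t>(expected) >= d.bytes.size()) return false;
  return true;
}

// Fixed comparison: height * stride must be exactly Size().
bool CursorSizeOkFixed(const CustomCursorData& d) {
  uint32_t expected = 0;
  if (!CheckedMul32(d.height, d.stride, &expected)) return false;
  if (static_cast<size_t>(expected) != d.bytes.size()) return false;
  return true;
}

enum class Verdict { Accept, RejectInvalidData };

// Parent-side validation. A rejection corresponds to the "Invalid custom
// cursor data" IPC failure in the bug title; in Firefox an IPC failure
// tears down the sending content process, which is the tab crash seen here.
Verdict ValidateCustomCursor(const CustomCursorData& d, bool useRegressedCheck) {
  uint32_t minStride = 0;
  if (!CheckedMul32(d.width, d.bytesPerPixel, &minStride) || d.stride < minStride) {
    return Verdict::RejectInvalidData;  // rows too short for the claimed width
  }
  const bool sizeOk =
      useRegressedCheck ? CursorSizeOkRegressed(d) : CursorSizeOkFixed(d);
  return sizeOk ? Verdict::Accept : Verdict::RejectInvalidData;
}

// Constructed sample: a 32x32 BGRA cursor with a tightly packed stride.
CustomCursorData MakeSampleCursor() {
  CustomCursorData d;
  d.width = 32;
  d.height = 32;
  d.bytesPerPixel = 4;
  d.stride = d.width * d.bytesPerPixel;
  d.bytes.assign(static_cast<size_t>(d.height) * d.stride, 0);
  return d;
}

// Constructed malformed sample: buffer one byte shorter than height * stride.
CustomCursorData MakeTruncatedCursor() {
  CustomCursorData d = MakeSampleCursor();
  d.bytes.pop_back();
  return d;
}

// Constructed malformed sample: height * stride overflows uint32_t.
CustomCursorData MakeOverflowingCursor() {
  CustomCursorData d = MakeSampleCursor();
  d.height = 0x10000;
  d.stride = 0x10000;
  return d;
}
```

With the regressed predicate the only buffers that pass are those strictly larger than height * stride, so the correctly sized sample cursor is rejected while a truncated one is rejected as well; that is why every custom cursor, not just malformed ones, crashed the tab. The fixed predicate accepts the exact size and rejects both the truncated buffer and the overflowing dimensions.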
Comment 8 • 2 years ago
Nightly updates stopped. Tom, unless you can get your patch reviewed and landed in the next nightly, we are going to back out the regressor.
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/cc0ca35ee959 Revert RecvSetCursor to use the correct size comparison.
Comment 10 • 2 years ago (Assignee)
I landed the patch as-is. It's really just a revert.
Comment 11 • 2 years ago
Viewing a twitch.tv clip seems to cause the crash as well
Comment 12 • 2 years ago
Just curious how this bug got past the initial developer testing! This affects a widely used app (gmail).
Comment 13 • 2 years ago
bugherder
Comment 14 • 2 years ago
bugherder
Comment 16 • 2 years ago (Assignee)
Can we add a test for this?
Comment 17 • 2 years ago
Verified all reported scenarios.
Issue no longer reproducible on 106.0b5 Firefox.