Closed Bug 1217191 Opened 9 years ago Closed 9 years ago

crash in mozilla::dom::HTMLCanvasElement::OnVisibilityChange

Categories

(Core :: Graphics: Canvas2D, defect)

Product:
Core
Component:
Graphics: Canvas2D
Version:
44 Branch
Platform:
Unspecified
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1214571
Tracking Flags:
Tracking Status
firefox43 --- unaffected
firefox44 - affected

People

(Reporter: u279076, Unassigned)

References

Details

(Keywords: crash, regression, topcrash-win)

Crash Data

[Tracking Requested - why for this release]: topcrash regression

This bug was filed from the Socorro interface and is 
report bp-8d2fb4ad-6e0b-4bcf-8d12-720722151017.
=============================================================
0 	xul.dll 	mozilla::dom::HTMLCanvasElement::OnVisibilityChange() 	dom/html/HTMLCanvasElement.cpp
1 	xul.dll 	mozilla::dom::HTMLCanvasElementObserver::HandleEvent(nsIDOMEvent*) 	dom/html/HTMLCanvasElement.cpp
2 	xul.dll 	mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) 	dom/events/EventListenerManager.cpp
3 	xul.dll 	mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) 	dom/events/EventDispatcher.cpp
4 	xul.dll 	mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) 	dom/events/EventDispatcher.cpp
5 	xul.dll 	mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) 	dom/events/EventDispatcher.cpp
6 	xul.dll 	mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) 	dom/events/EventDispatcher.cpp
7 	xul.dll 	nsINode::DispatchEvent(nsIDOMEvent*, bool*) 	dom/base/nsINode.cpp
8 	xul.dll 	nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*, bool) 	dom/base/nsContentUtils.cpp
9 	xul.dll 	nsDocument::UpdateVisibilityState() 	dom/base/nsDocument.cpp
10 	xul.dll 	nsDocument::OnPageHide(bool, mozilla::dom::EventTarget*) 	dom/base/nsDocument.cpp
11 	xul.dll 	nsDocumentViewer::PageHide(bool) 	layout/base/nsDocumentViewer.cpp
12 	xul.dll 	nsDocShell::FirePageHideNotification(bool) 	docshell/base/nsDocShell.cpp
13 	xul.dll 	nsDocShell::CreateContentViewer(nsACString_internal const&, nsIRequest*, nsIStreamListener**) 	docshell/base/nsDocShell.cpp
14 	xul.dll 	nsDSURIContentListener::DoContent(nsACString_internal const&, bool, nsIRequest*, nsIStreamListener**, bool*) 	docshell/base/nsDSURIContentListener.cpp
15 	xul.dll 	nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) 	uriloader/base/nsURILoader.cpp
16 	xul.dll 	nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) 	uriloader/base/nsURILoader.cpp
17 	xul.dll 	nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) 	uriloader/base/nsURILoader.cpp
18 	xul.dll 	mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) 	netwerk/protocol/http/HttpChannelChild.cpp
19 	xul.dll 	mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&) 	netwerk/protocol/http/HttpChannelChild.cpp
20 	xul.dll 	mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&) 	netwerk/protocol/http/HttpChannelChild.cpp
21 	xul.dll 	mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) 	obj-firefox/ipc/ipdl/PHttpChannelChild.cpp
22 	xul.dll 	mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) 	obj-firefox/ipc/ipdl/PContentChild.cpp
23 	xul.dll 	mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
24 	xul.dll 	mozilla::ipc::MessageChannel::DispatchMessageW(IPC::Message const&) 	ipc/glue/MessageChannel.cpp
25 	xul.dll 	mozilla::ipc::MessageChannel::OnMaybeDequeueOne() 	ipc/glue/MessageChannel.cpp
26 	xul.dll 	RunnableMethod<mozilla::ipc::MessageChannel, void ( mozilla::ipc::MessageChannel::*)(void), Tuple0>::Run() 	ipc/chromium/src/base/task.h
27 	xul.dll 	MessageLoop::DoWork() 	ipc/chromium/src/base/message_loop.cc
28 	xul.dll 	mozilla::ipc::DoWorkRunnable::Run() 	ipc/glue/MessagePump.cpp
29 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
30 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
31 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
32 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
33 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
34 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp
35 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
36 	xul.dll 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
37 	xul.dll 	mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
38 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
39 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
40 	xul.dll 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
41 	plugin-container.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
42 	plugin-container.exe 	__tmainCRTStartup 	f:/dd/vctools/crt/crtw32/startup/crt0.c:255
43 	kernel32.dll 	BaseThreadInitThunk 	
44 	ntdll.dll 	RtlUserThreadStart 	
45 	kernel32.dll 	BasepReportFault 	
46 	kernel32.dll 	BasepReportFault 	
=============================================================
More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Adom%3A%3AHTMLCanvasElement%3A%3AOnVisibilityChange

This is a new crash starting with Firefox 44.0a1 20151012030612 and currently ranks #8 with 1.59% of all Nightly crashes.  

Most of these report a memory address of 0x5a5a5a5e or 0xffffffffffffffff.
96.9% report on Windows (XP through 10) vs 3.1% on Linux
21.5% report as HIGH exploitibility vs 78.5% as LOW exploitibility

Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b68eab795f9de072bee12821b0f09422e5aa0da9&tochange=0b69d304f861d0038fb78f1d52b0f5d13ef7c6fe
Based on the pushlog I'm guessing this was caused by bug 709490, Morris?
Blocks: 709490
Group: core-security
Flags: needinfo?(mtseng)
Group: core-security → dom-core-security
This should be fixed in bug 1214571.
Flags: needinfo?(mtseng)
(In reply to Morris Tseng [:mtseng] from comment #2)
> This should be fixed in bug 1214571.

Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security
No need to track this as it's a dup and bug 1214571 is tracked for FF44.
tracking-firefox44: ?-
You need to log in before you can comment on or make changes to this bug.