Closed
Bug 1245870
Opened 8 years ago
Closed 8 years ago
crash in mozilla::detail::RefCounted<T>::Release while PopClip in D2D
Categories
(Core :: Graphics: Layers, defect)
Tracking
()
RESOLVED
FIXED
mozilla47
People
(Reporter: lizzard, Assigned: bas.schouten)
Details
(Keywords: crash, topcrash)
Crash Data
Attachments
(1 file)
58 bytes, text/x-review-board-request | jrmuizel: review+, lizzard: approval-mozilla-aurora+
This bug was filed from the Socorro interface and is report bp-bcddf6f7-ff8b-4aed-90b4-807ee2160204.
=============================================================
#1 topcrash for aurora 46. Comments and urls reflect problems with gradle.org.

Crashing thread:
1 xul.dll RefPtr<mozilla::gfx::PathRecording>::~RefPtr<mozilla::gfx::PathRecording>() mfbt/RefPtr.h
2 xul.dll mozilla::gfx::DrawTargetD2D1::PopClip() gfx/2d/DrawTargetD2D1.cpp
3 xul.dll mozilla::gfx::DrawTargetDual::PopClip() gfx/2d/DrawTargetDual.h
4 xul.dll gfxContext::~gfxContext() gfx/thebes/gfxContext.cpp
5 xul.dll RefPtr<gfxContext>::assign_with_AddRef(gfxContext*) mfbt/RefPtr.h
6 xul.dll mozilla::layers::ClientPaintedLayer::PaintThebes() gfx/layers/client/ClientPaintedLayer.cpp
7 xul.dll mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) gfx/layers/client/ClientPaintedLayer.cpp
8 xul.dll mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h
9 xul.dll mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp
10 xul.dll mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp
Comment 1 • 8 years ago (Reporter)
The crash signature seems to be spiking for 47, while it exists in very low volume for earlier versions.
status-firefox46: --- → affected
status-firefox47: --- → affected
tracking-firefox46: --- → +
tracking-firefox47: --- → +
Comment 2 • 8 years ago
Bas, I expect you caused this one.
Assignee: nobody → bas
Flags: needinfo?(bas)
Summary: crash in mozilla::detail::RefCounted<T>::Release → crash in mozilla::detail::RefCounted<T>::Release while PopClip in D2D
Comment 3 • 8 years ago (Assignee)
Hrm, the page seems to load just fine for me, seeing if I can reproduce this somehow. I'm not sure how PathRecording got involved here.. that should only be used for printing.
Flags: needinfo?(bas)
Comment 4 • 8 years ago (Assignee)
Ugh, that's just a red herring, optimized merging RefPtr destructors, never mind that bit.
Comment 5 • 8 years ago (Assignee)
Review commit: https://reviewboard.mozilla.org/r/33701/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/33701/
Attachment #8716045 - Flags: review?(jmuizelaar)
Comment 6 • 8 years ago
Comment on attachment 8716045 [details]
MozReview Request: Bug 1245870: When concluding there is nothing to draw inside the clip be sure to balance the Save() since it won't be balanced in PopGroupForlayer. r=jrmuizel
https://reviewboard.mozilla.org/r/33701/#review30395
Attachment #8716045 - Flags: review?(jmuizelaar) → review+
Comment 8 • 8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/afd7858792c9
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Comment 9 • 8 years ago (Assignee)
Comment on attachment 8716045 [details]
MozReview Request: Bug 1245870: When concluding there is nothing to draw inside the clip be sure to balance the Save() since it won't be balanced in PopGroupForlayer. r=jrmuizel

Approval Request Comment
[Feature/regressing bug #]: Native push/poplayer
[User impact if declined]: Crash when layers heuristics go a certain way
[Describe test coverage new/current, TreeHerder]: Several days nightly coverage
[Risks and why]: Low, causes balance in previously unbalanced save/restore
[String/UUID change made/needed]: None
Attachment #8716045 - Flags: approval-mozilla-aurora?
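The imbalance described in the commit message above, reduced to a toy model (an added example, not the Mozilla patch or code from this bug). ToyContext, PushGroup, PopGroup and UnbalancedStates are hypothetical names, and the model assumes the pop side only restores when a group was actually started.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical model of a drawing context with a save/restore state stack.
class ToyContext {
public:
    void Save() { mStates.push_back(mClipCount); }
    void Restore() {
        if (mStates.empty()) return;      // refuse to underflow the stack
        mClipCount = mStates.back();      // drop clips pushed since Save()
        mStates.pop_back();
    }
    void PushClip() { ++mClipCount; }
    std::size_t SavedStates() const { return mStates.size(); }
    bool mGroupActive = false;
private:
    int mClipCount = 0;
    std::vector<int> mStates;
};

// Push side: saves state, applies the clip, then may find nothing to draw.
void PushGroup(ToyContext& ctx, bool nothingToDraw, bool balanceOnEarlyExit) {
    ctx.Save();
    ctx.PushClip();
    if (nothingToDraw) {
        if (balanceOnEarlyExit) ctx.Restore();  // the balancing step
        return;                                 // no group was started
    }
    ctx.mGroupActive = true;
}

// Pop side: only restores when a group was actually started.
void PopGroup(ToyContext& ctx) {
    if (!ctx.mGroupActive) return;
    ctx.mGroupActive = false;
    ctx.Restore();
}

// Runs one push/pop pair and reports how many saved states were left behind.
std::size_t UnbalancedStates(bool nothingToDraw, bool balanceOnEarlyExit) {
    ToyContext ctx;
    PushGroup(ctx, nothingToDraw, balanceOnEarlyExit);
    PopGroup(ctx);
    return ctx.SavedStates();
}

int main() {
    // One leftover state on the unbalanced early exit, none once it is balanced.
    return (UnbalancedStates(true, false) == 1 && UnbalancedStates(true, true) == 0) ? 0 : 1;
}
```

A depth check of this kind at the end of a paint, compared against the depth at its start, is a cheap debug assertion for catching early-return paths that skip a Restore().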
Comment 10 • 8 years ago (Reporter)
Comment on attachment 8716045 [details]
MozReview Request: Bug 1245870: When concluding there is nothing to draw inside the clip be sure to balance the Save() since it won't be balanced in PopGroupForlayer. r=jrmuizel

Fix for top crash, please uplift to aurora
Attachment #8716045 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 11 • 8 years ago (Assignee)
https://hg.mozilla.org/releases/mozilla-aurora/rev/6a9b6a1e2454
Comment 12 • 8 years ago
(In reply to Bas Schouten (:bas.schouten) from comment #11)
> https://hg.mozilla.org/releases/mozilla-aurora/rev/6a9b6a1e2454
setting flags
Updated • 8 years ago
Group: core-security
Status: RESOLVED → REOPENED
status-firefox48: --- → ?
status-firefox49: --- → affected
status-firefox50: --- → affected
Flags: needinfo?(bas)
Keywords: csectype-uaf, sec-critical
Resolution: FIXED → ---
Updated • 8 years ago (Assignee)
Flags: needinfo?(bas)
Updated • 8 years ago
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
status-firefox48: ? → ---
status-firefox49: affected → ---
status-firefox50: affected → ---
Keywords: csectype-uaf, sec-critical
Resolution: --- → FIXED