Closed Bug 676918 Opened 13 years ago Closed 13 years ago

[ANGLE] crash from CanvasLayerD3D9::UpdateSurface [@ gl::Context::readPixels(int, int, int, int, unsigned int, unsigned int, void*) ]

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8
Tracking Flags:
Tracking Status
firefox7 - wontfix
firefox8 + fixed
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: bjacob, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [sg:high?][qa?]) 

I got this following the STR from bug 675634, having locked my screen as suggested in bug 675634 comment 7. The crash occured some time after unlocking. Instead of getting bug 675634, I got this new one.

Crash link:
https://crash-stats.mozilla.com/report/index/bp-b97104c7-6074-4ff8-b13f-f33742110805

Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffc2782607

0 	libGLESv2.dll 	gl::Context::readPixels 	gfx/angle/src/libglesv2/Context.cpp:2128
1 	libGLESv2.dll 	glReadPixels 	gfx/angle/src/libglesv2/libGLESv2.cpp:3956
2 	xul.dll 	mozilla::gl::GLContext::ReadPixelsIntoImageSurface 	gfx/thebes/GLContext.cpp:1223
3 	xul.dll 	mozilla::layers::CanvasLayerD3D9::UpdateSurface 	gfx/layers/d3d9/CanvasLayerD3D9.cpp:131
4 	xul.dll 	mozilla::layers::CanvasLayerD3D9::RenderLayer 	gfx/layers/d3d9/CanvasLayerD3D9.cpp:211

The crash line is:
http://hg.mozilla.org/releases/mozilla-beta/file/f327eb465d32/gfx/angle/src/libGLESv2/Context.cpp#l2128


  2109     IDirect3DSurface9 *systemSurface;
  2110     HRESULT result = device->CreateOffscreenPlainSurface(desc.Width, desc.Height, desc.Format, D3DPOOL_SYSTEMMEM, &systemSurface, NULL);
  2111 
  2112     if (result == D3DERR_OUTOFVIDEOMEMORY || result == E_OUTOFMEMORY)
  2113     {
  2114         return error(GL_OUT_OF_MEMORY);
  2115     }
  2116 
  2117     ASSERT(SUCCEEDED(result));
  2118 
  2119     if (desc.MultiSampleType != D3DMULTISAMPLE_NONE)
  2120     {
  2121         UNIMPLEMENTED();   // FIXME: Requires resolve using StretchRect into non-multisampled render target
  2122     }
  2123 
  2124     result = device->GetRenderTargetData(renderTarget, systemSurface);
  2125 
  2126     if (FAILED(result))
  2127     {
  2128         systemSurface->Release();    ////// <--- CRASH HERE


So maybe we need to check that CreateOffscreenPlainSurface succeeded?
Checks improved in ANGLE r719.
Not sure of the severity here, potentially reading data off other pages/tabs you have open?
Keywords: crash
See Also: → http://code.google.com/p/angleproject/issues/detail?id=194
Whiteboard: [sg:high?]
Maybe, yes. Though for that you would have to trigger this bug without crashing. Will import ANGLE r719.
Imported ANGLE r719:

http://hg.mozilla.org/mozilla-central/rev/ddf7263c56d7
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
status-firefox10: --- → fixed
status-firefox7: --- → wontfix
status-firefox8: --- → fixed
status-firefox9: --- → fixed
tracking-firefox10: --- → +
tracking-firefox7: --- → -
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Target Milestone: --- → mozilla8
How widespread/reproducible is this crash? Is there something QA can do to verify the fix?
Whiteboard: [sg:high?] → [sg:high?][qa?]
Group: core-security
You need to log in before you can comment on or make changes to this bug.