crash in mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)

RESOLVED FIXED in Firefox 54

Status


P3
critical
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: aaronmt, Assigned: aosmond)

Tracking

({crash})

54 Branch
mozilla55
All
Android
crash
Points:
---

Firefox Tracking Flags

(firefox52 unaffected, firefox-esr52 unaffected, firefox53 unaffected, firefox54 fixed, firefox55 fixed)

Details

(Whiteboard: gfx-noted, crash signature)

Attachments

(2 obsolete attachments)

(Reporter)

Description

4 years ago
This bug was filed from the Socorro interface and is report bp-fe12f0ff-8e05-4cdb-a391-5cb102140928.
=============================================================

Updated

3 years ago
Crash Signature: [@ mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)] → [@ mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)] [@ mozilla::image::DrawableFrameRef::DrawableFrameRef]
(Assignee)

Comment 1

2 years ago
This has resurfaced as a low volume crash in recent builds, related to bug 1331938.
Assignee: nobody → aosmond
Status: NEW → ASSIGNED
status-firefox53: --- → unaffected
status-firefox54: --- → affected
status-firefox55: --- → affected
Depends on: 1331938
Priority: -- → P3
Whiteboard: gfx-noted
Version: 35 Branch → 54 Branch
(Assignee)

Comment 2

2 years ago
Created attachment 8847579 [details] [diff] [review]
Hold imgFrame mutex when creating DrawableFrameRef, v1

When drawing an image on the main thread, imgFrame::Optimize can be called, triggering a release of mRawSurface. In the meantime, a decoder thread could be calling imgFrame::DrawableFrameRef which depends on mRawSurface -- if it changes in the middle of the transaction, we are in trouble.
Attachment #8847579 - Flags: review?(tnikkel)
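A simplified model of the check-then-use race described in Comment 2, added here as an illustration; it is not the patch attached to this bug and not Gecko code. `Frame`, `Surface`, `MakeRefUnlocked`, `MakeRefLocked` and `OptimizeOnOtherThread` are hypothetical names, and the bad interleaving is forced deterministically by running the release on a second thread between the check and the use.

```cpp
#include <memory>
#include <mutex>
#include <thread>

// Simplified model; Frame, Surface and the function names are hypothetical,
// not Gecko's real classes.
struct Surface { int stride = 4; };

struct Frame {
  std::mutex mMutex;
  std::shared_ptr<Surface> mRaw = std::make_shared<Surface>();

  // "Main thread" path: release the raw surface. try_lock is used only so the
  // demo can report contention instead of blocking; real code would wait.
  bool Optimize() {
    std::unique_lock<std::mutex> lock(mMutex, std::try_to_lock);
    if (!lock.owns_lock()) return false;
    mRaw.reset();
    return true;
  }
};

enum class RefResult { Mapped, NoRawSurface, NullDeref };

// Forces the bad interleaving deterministically: another thread calls
// Optimize() exactly between the check and the use.
static void OptimizeOnOtherThread(Frame& f) {
  std::thread([&f] { f.Optimize(); }).join();
}

// Before: check and use are not covered by the frame's mutex.
RefResult MakeRefUnlocked(Frame& f) {
  if (!f.mRaw) return RefResult::NoRawSurface;               // check
  OptimizeOnOtherThread(f);                                  // surface released here
  return f.mRaw ? RefResult::Mapped : RefResult::NullDeref;  // use
}

// After: the mutex is held across check and use, so Optimize() cannot run
// in the middle of the transaction.
RefResult MakeRefLocked(Frame& f) {
  std::lock_guard<std::mutex> lock(f.mMutex);
  if (!f.mRaw) return RefResult::NoRawSurface;
  OptimizeOnOtherThread(f);                                  // lock attempt fails
  return f.mRaw ? RefResult::Mapped : RefResult::NullDeref;
}
```

The `NullDeref` result marks the point where real code would dereference a pointer that was valid at the check; the model reports it instead of crashing.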
Comment hidden (mozreview-request)
(Assignee)

Updated

2 years ago
Attachment #8847579 - Attachment is obsolete: true
Attachment #8847579 - Flags: review?(tnikkel)

Comment 4

2 years ago
mozreview-review
Comment on attachment 8847699 [details]
Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef;

https://reviewboard.mozilla.org/r/120626/#review122900
Attachment #8847699 - Flags: review?(tnikkel) → review+

Comment 5

2 years ago
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5c8ae52e3fc7
Hold the mutex in imgFrame when creating a DrawableFrameRef. r=tnikkel

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/5c8ae52e3fc7
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox55: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Please request Aurora approval on this when you get a chance.
status-firefox52: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(aosmond)
(Assignee)

Comment 8

2 years ago
Comment on attachment 8847699 [details]
Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef;

Approval Request Comment
[Feature/Bug causing the regression]: bug 1331938
[User impact if declined]: Low volume browser crash due to null pointer dereference.
[Is this code covered by automated tests?]: Yes, the modified code is on a frequently executed path, although the bug only occurs in particular cases for thread timing.
[Has the fix been verified in Nightly?]: Yes, to the extent it has not caused any new problems. The crash being solved is low volume.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: No.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It is a very simple change, locking a mutex that should have been locked all along.
[String changes made/needed]: None.
Flags: needinfo?(aosmond)
Attachment #8847699 - Flags: approval-mozilla-aurora?
Comment on attachment 8847699 [details]
Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef;

Fix a crash. Aurora54+.
Attachment #8847699 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 10

2 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/14f30c91790a
status-firefox54: affected → fixed
(Assignee)

Updated

2 years ago
Attachment #8847699 - Attachment is obsolete: true