Closed Bug 1074192 Opened 6 years ago Closed 4 years ago

crash in mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)

Categories

(Core :: ImageLib, defect, P3)

54 Branch
All
Android
defect

RESOLVED FIXED
mozilla55
Tracking Status
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: aaronmt, Assigned: aosmond)

Details

(Keywords: crash, Whiteboard: gfx-noted)

Attachments

(2 obsolete files)

This bug was filed from the Socorro interface and is report bp-fe12f0ff-8e05-4cdb-a391-5cb102140928.
=============================================================
Crash Signature: [@ mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)] → [@ mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)] [@ mozilla::image::DrawableFrameRef::DrawableFrameRef]
This has resurfaced as a low volume crash in recent builds, related to bug 1331938.
Assignee: nobody → aosmond
Status: NEW → ASSIGNED
Depends on: 1331938
Priority: -- → P3
Whiteboard: gfx-noted
Version: 35 Branch → 54 Branch
When drawing an image on the main thread, imgFrame::Optimize can be called, triggering a release of mRawSurface. In the meantime, a decoder thread could be calling imgFrame::DrawableFrameRef which depends on mRawSurface -- if it changes in the middle of the transaction, we are in trouble.
Attachment #8847579 - Flags: review?(tnikkel)
Attachment #8847579 - Attachment is obsolete: true
Attachment #8847579 - Flags: review?(tnikkel)
Comment on attachment 8847699 [details]
Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef;

https://reviewboard.mozilla.org/r/120626/#review122900
Attachment #8847699 - Flags: review?(tnikkel) → review+
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5c8ae52e3fc7
Hold the mutex in imgFrame when creating a DrawableFrameRef. r=tnikkel
https://hg.mozilla.org/mozilla-central/rev/5c8ae52e3fc7
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Please request Aurora approval on this when you get a chance.
Flags: needinfo?(aosmond)
Comment on attachment 8847699 [details]
Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef;

Approval Request Comment
[Feature/Bug causing the regression]: bug 1331938
[User impact if declined]: Low volume browser crash due to null pointer dereference.
[Is this code covered by automated tests?]: Yes, the modified code is on a frequently executed path, although the bug only occurs in particular cases for thread timing.
[Has the fix been verified in Nightly?]: Yes, to the extent it has not caused any new problems. The crash being solved is low volume.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: No.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It is a very simple change, locking a mutex that should have been locked all along.
[String changes made/needed]: None.
Flags: needinfo?(aosmond)
Attachment #8847699 - Flags: approval-mozilla-aurora?
Comment on attachment 8847699 [details]
Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef;

Fix a crash. Aurora54+.
Attachment #8847699 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #8847699 - Attachment is obsolete: true
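The race described in this bug (one thread releasing the raw surface while another builds a drawable reference from it) and the "hold the mutex when creating the reference" fix, as an added C++ model that is not Gecko's code. `Frame`, `DrawableRef`, `Optimize` and `CountInvalidRefs` are hypothetical stand-ins for the real classes.

```cpp
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Simplified model; every name here is hypothetical, not Gecko's imgFrame API.
struct Surface { std::vector<unsigned char> pixels; };

class Frame {
 public:
  Frame() : raw_(std::make_shared<Surface>()) { raw_->pixels.assign(64, 0xff); }

  // Drawing path: build the optimized copy, then release the raw surface.
  void Optimize() {
    std::lock_guard<std::mutex> lock(mutex_);
    if (!raw_) return;
    optimized_ = std::make_shared<Surface>(*raw_);
    raw_.reset();
  }

 private:
  friend class DrawableRef;
  std::mutex mutex_;
  std::shared_ptr<Surface> raw_, optimized_;
};

class DrawableRef {
 public:
  // The check of raw_ and the copy of the pointer both happen under the
  // frame's mutex, so Optimize() cannot release raw_ between the two steps.
  // Without the lock, this read would race with raw_.reset() on another thread.
  explicit DrawableRef(Frame& f) {
    std::lock_guard<std::mutex> lock(f.mutex_);
    surface_ = f.raw_ ? f.raw_ : f.optimized_;
  }
  bool Valid() const { return surface_ && surface_->pixels.size() == 64; }

 private:
  std::shared_ptr<Surface> surface_;  // keeps the chosen surface alive
};

// Races Optimize() against reference creation; returns how many refs were unusable.
int CountInvalidRefs(int rounds) {
  int invalid = 0;
  for (int i = 0; i < rounds; ++i) {
    Frame frame;
    std::thread optimizer([&] { frame.Optimize(); });
    for (int j = 0; j < 100; ++j) invalid += DrawableRef(frame).Valid() ? 0 : 1;
    optimizer.join();
  }
  return invalid;
}
```

Building the model with ThreadSanitizer (`-fsanitize=thread`) after deleting the lock in the `DrawableRef` constructor reports the unsynchronized access to `raw_`.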