Closed Bug 1074192 Opened 11 years ago Closed 8 years ago

crash in mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)

Categories

(Core :: Graphics: ImageLib, defect, P3)

Product:
Core
Component:
Graphics: ImageLib
Version:
54 Branch
Platform:
All
Android
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: aaronmt, Assigned: aosmond)

References

Details

(Keywords: crash, Whiteboard: gfx-noted)

Crash Data

Attachments

(2 obsolete files)

This bug was filed from the Socorro interface and is report bp-fe12f0ff-8e05-4cdb-a391-5cb102140928. =============================================================
Crash Signature: [@ mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)] → [@ mozilla::image::DrawableFrameRef::DrawableFrameRef(mozilla::image::imgFrame*)] [@ mozilla::image::DrawableFrameRef::DrawableFrameRef]
This has resurfaced as a low volume crash in recent builds, related to bug 1331938.
Assignee: nobody → aosmond
Status: NEW → ASSIGNED
status-firefox53: --- → unaffected
status-firefox54: --- → affected
status-firefox55: --- → affected
Depends on: 1331938
Priority: -- → P3
Whiteboard: gfx-noted
Version: 35 Branch → 54 Branch
When drawing an image on the main thread, imgFrame::Optimize can be called trigging a release of mRawSurface. In the meantime, a decoder thread could be calling imgFrame::DrawableFrameRef which depends on mRawSurface -- if it changes in the middle of the transaction, we are in trouble.
Attachment #8847579 - Flags: review?(tnikkel)
Attachment #8847579 - Attachment is obsolete: true
Attachment #8847579 - Flags: review?(tnikkel)
Comment on attachment 8847699 [details] Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef; https://reviewboard.mozilla.org/r/120626/#review122900
Attachment #8847699 - Flags: review?(tnikkel) → review+
Pushed by aosmond@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/5c8ae52e3fc7 Hold the mutex in imgFrame when creating a DrawableFrameRef. r=tnikkel
https://hg.mozilla.org/mozilla-central/rev/5c8ae52e3fc7
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox55: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Please request Aurora approval on this when you get a chance.
status-firefox52: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(aosmond)
Comment on attachment 8847699 [details] Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef; Approval Request Comment [Feature/Bug causing the regression]: bug 1331938 [User impact if declined]: Low volume browser crash due to null pointer dereference. [Is this code covered by automated tests?]: Yes, the modified code is on a frequently executed path, although the bug only occurs in particular cases for thread timing. [Has the fix been verified in Nightly?]: Yes, to the extent it has not caused any new problems. The crash being solved is low volume. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: No. [Is the change risky?]: No. [Why is the change risky/not risky?]: It is a very simple change, locking a mutex that should have been locked all along. [String changes made/needed]: None.
Flags: needinfo?(aosmond)
Attachment #8847699 - Flags: approval-mozilla-aurora?
Comment on attachment 8847699 [details] Bug 1074192 - Hold the mutex in imgFrame when creating a DrawableFrameRef; Fix a crash. Aurora54+.
Attachment #8847699 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #8847699 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: