Closed Bug 1135066 Opened 5 years ago Closed 5 years ago

SEGV in mozilla::layers::BufferTextureClient::AllocateForSurface

Categories

(Core :: Graphics: Layers, defect)

All
macOS
defect
Not set

Tracking

RESOLVED FIXED
mozilla39
Tracking Status
firefox37 --- wontfix
firefox38 --- fixed
firefox39 --- fixed
firefox-esr31 --- wontfix
firefox-esr38 --- fixed
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- unaffected

People

(Reporter: milan, Assigned: milan)

References

Details

(Keywords: sec-moderate, Whiteboard: [adv-main38+][post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

+++ This bug was initially created as a clone of Bug #1095925 +++

The test case from bug 1095925 crashes OS X with a different signature.
Assignee: nobody → milan
Whiteboard: [adv-main36+]
Note: This does not crash on Windows.
Attachment #8567107 - Flags: review?(jmuizelaar)
Attachment #8567107 - Flags: review?(jmuizelaar) → review?(mstange)
Doesn't this mean we'll hit the MOZ_ASSERT(mCGContext) further down? We're only trying to create a CG DrawTarget because our existing one is something else, so if we continue with the old value of dt then borrowing a CGContext from that won't work, BorrowedCGContext::BorrowCGContextFromDrawTarget will return null.
Yeah, you're right; we get out the other end in the release build, but there are asserts that fire in debug.
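The control flow the review comment describes, reduced to a stand-alone model (this is an added example, not Gecko code; `DrawTarget`, `Backend`, `CreateDrawTarget`, `BorrowCGContextFromDrawTarget` and the two `Allocate*` functions are hypothetical stand-ins). The unchecked variant keeps the old, non-CG target when creating the CG one fails, so the borrow yields null and a release build would dereference it; the checked variant returns an error as soon as the factory fails.

```cpp
// Added example, not the patch from this bug. Names are hypothetical.
#include <cstdio>
#include <memory>

enum class Backend { Skia, CoreGraphics };

struct CGContext { int pixels = 0; };

struct DrawTarget {
  Backend backend;
  CGContext cg;   // only meaningful for CoreGraphics-backed targets
  explicit DrawTarget(Backend b) : backend(b) {}
};

// Factory that can fail, returning nullptr (the CreateDrawTarget case).
std::unique_ptr<DrawTarget> CreateDrawTarget(Backend b, bool simulateFailure) {
  if (simulateFailure) return nullptr;
  return std::make_unique<DrawTarget>(b);
}

// A CGContext can only be borrowed from a CoreGraphics-backed target;
// for anything else the borrow returns null.
CGContext* BorrowCGContextFromDrawTarget(DrawTarget* dt) {
  if (!dt || dt->backend != Backend::CoreGraphics) return nullptr;
  return &dt->cg;
}

enum class Result { Ok, NullDeref, Failed };

// "Before": fall through with the old target when creation fails.
// Result::NullDeref stands in for the crash that ctx->pixels++ would be.
Result AllocateUnchecked(DrawTarget* existing, bool failCreate) {
  DrawTarget* dt = existing;
  std::unique_ptr<DrawTarget> cgTarget;
  if (dt->backend != Backend::CoreGraphics) {
    cgTarget = CreateDrawTarget(Backend::CoreGraphics, failCreate);
    if (cgTarget) dt = cgTarget.get();   // on failure dt silently stays non-CG
  }
  CGContext* ctx = BorrowCGContextFromDrawTarget(dt);
  if (!ctx) return Result::NullDeref;    // release build: null dereference here
  ctx->pixels++;
  return Result::Ok;
}

// "After": treat a failed CreateDrawTarget as a failed allocation.
Result AllocateChecked(DrawTarget* existing, bool failCreate) {
  DrawTarget* dt = existing;
  std::unique_ptr<DrawTarget> cgTarget;
  if (dt->backend != Backend::CoreGraphics) {
    cgTarget = CreateDrawTarget(Backend::CoreGraphics, failCreate);
    if (!cgTarget) return Result::Failed;   // the check the patch adds
    dt = cgTarget.get();
  }
  CGContext* ctx = BorrowCGContextFromDrawTarget(dt);
  if (!ctx) return Result::Failed;          // defensive; cannot happen above
  ctx->pixels++;
  return Result::Ok;
}

int main() {
  DrawTarget skia(Backend::Skia);
  std::printf("unchecked, create fails: %d\n", static_cast<int>(AllocateUnchecked(&skia, true)));
  std::printf("checked,   create fails: %d\n", static_cast<int>(AllocateChecked(&skia, true)));
  return 0;
}
```

The point of the model is the second branch: a factory that can return null must make its caller fail, not fall back to a pointer of the wrong kind that a later borrow cannot use.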
Attachment #8567107 - Attachment is obsolete: true
Attachment #8567107 - Flags: review?(mstange)
Attachment #8573492 - Flags: review?(mstange) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/e4a81270915c

Based on bug 1095925, I assume this is also wontfix for esr31. I assume we want this on Aurora/Beta however?
Flags: needinfo?(milan)
Flags: in-testsuite?
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/e4a81270915c
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Comment on attachment 8573492 [details] [diff] [review]
Catch failed CreateDrawTarget. r=mstange

Let me know if you think this is critical enough for beta uplift, otherwise I think we're good with just Aurora, and mostly because it will become ESR.

Approval Request Comment
[Feature/regressing bug #]:
[User impact if declined]: OS X sec-moderate in 38 (eventually ESR)
[Describe test coverage new/current, TreeHerder]: None; will check if we can create an automated test for this but not land it until this fix releases.
[Risks and why]: Low. Avoid dereferencing null pointer.
[String/UUID change made/needed]: n/a
Flags: needinfo?(milan)
Attachment #8573492 - Flags: approval-mozilla-aurora?
Don't know about the timing for landing this - I imagine only after this fix is in the release?
Attachment #8574879 - Flags: review?(mstange)
Comment on attachment 8573492 [details] [diff] [review]
Catch failed CreateDrawTarget. r=mstange

I wouldn't mind this on beta just for completeness if the patch applies cleanly.
Attachment #8573492 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #8574879 - Flags: review?(mstange) → review+
Comment on attachment 8573492 [details] [diff] [review]
Catch failed CreateDrawTarget. r=mstange

Per comment 10.
Attachment #8573492 - Flags: approval-mozilla-beta?
Leave NI on me to remember to land the test once the fix is in all the trains.
Flags: needinfo?(milan)
Comment on attachment 8573492 [details] [diff] [review]
Catch failed CreateDrawTarget. r=mstange

While this is a straightforward patch, I don't think "completeness" is enough justification to take the change in Beta at this point. Let's let this ride the 38 train.
Attachment #8573492 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Flags: needinfo?(milan)
Flags: needinfo?(milan)
Whiteboard: [adv-main38+]
Flags: needinfo?(milan)
Group: core-security → core-security-release
Whiteboard: [adv-main38+] → [adv-main38+][post-critsmash-triage]
Group: core-security-release