Closed
Bug 1135066
Opened 10 years ago
Closed 10 years ago
SEGV in mozilla::layers::BufferTextureClient::AllocateForSurface
Categories
(Core :: Graphics: Layers, defect)
Tracking
()
RESOLVED
FIXED
mozilla39
| Tracking | Status | |
|---|---|---|
| firefox37 | --- | wontfix |
| firefox38 | --- | fixed |
| firefox39 | --- | fixed |
| firefox-esr31 | --- | wontfix |
| firefox-esr38 | --- | fixed |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | unaffected |
| b2g-master | --- | unaffected |
People
(Reporter: milan, Assigned: milan)
References
Details
(Keywords: sec-moderate, Whiteboard: [adv-main38+][post-critsmash-triage])
Attachments
(2 files, 1 obsolete file)
|
2.20 KB,
patch
|
mstange
:
review+
abillings
:
approval-mozilla-aurora+
lmandel
:
approval-mozilla-beta-
|
Details | Diff | Splinter Review |
|
4.94 KB,
patch
|
mstange
:
review+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #1095925 +++
The test case from bug 1095925 crashes OS X with a different signature.
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → milan
Whiteboard: [adv-main36+]
|
|
Assignee | |
Comment 1•10 years ago
|
||
Note: This does not crash on Windows.
Attachment #8567107 -
Flags: review?(jmuizelaar)
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8567107 -
Flags: review?(jmuizelaar) → review?(mstange)
|
||
Comment 2•10 years ago
|
||
Doesn't this mean we'll hit the MOZ_ASSERT(mCGContext) further down? We're only trying to create a CG DrawTarget because our existing one is something else, so if we continue with the old value of dt then borrowing a CGContext from that won't work, BorrowedCGContext::BorrowCGContextFromDrawTarget will return null.
|
|
Assignee | |
Comment 3•10 years ago
|
||
Yeah, you're right; we get out the other end in the release build, but there are asserts that fire in debug.
|
|
Assignee | |
Updated•10 years ago
|
Attachment #8567107 -
Attachment is obsolete: true
Attachment #8567107 -
Flags: review?(mstange)
|
|
Assignee | |
Comment 4•10 years ago
|
||
Attachment #8573492 -
Flags: review?(mstange)
|
|
||
Updated•10 years ago
|
Attachment #8573492 -
Flags: review?(mstange) → review+
|
|
Assignee | |
Comment 5•10 years ago
|
||
|
|
Assignee | |
Updated•10 years ago
|
Keywords: checkin-needed
|
||
Comment 6•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e4a81270915c
Based on bug 1095925, I assume this is also wontfix for esr31. I assume we want this on Aurora/Beta however?
status-firefox37:
--- → affected
status-firefox38:
--- → affected
status-firefox39:
--- → fixed
status-firefox-esr31:
--- → wontfix
Flags: needinfo?(milan)
Flags: in-testsuite?
Keywords: checkin-needed
|
||
Comment 7•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
|
|
Assignee | |
Comment 8•10 years ago
|
||
Comment on attachment 8573492 [details] [diff] [review]
Catch failed CreateDrawTarget. r=mstange
Let me know if you think this is critical enough for beta uplift, otherwise I think we're good with just Aurora, and mostly because it will become ESR.
Approval Request Comment
[Feature/regressing bug #]:
[User impact if declined]: OS X sec-moderate in 38 (eventually ESR)
[Describe test coverage new/current, TreeHerder]: None; will check if we can create an automated test for this but not land it until this fix releases.
[Risks and why]: Low. Avoid dereferencing null pointer.
[String/UUID change made/needed]: n/a
Flags: needinfo?(milan)
Attachment #8573492 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 9•10 years ago
|
||
Don't know about the timing for landing this - I imagine only after this fix is in the release?
Attachment #8574879 -
Flags: review?(mstange)
|
||
Comment 10•10 years ago
|
||
Comment on attachment 8573492 [details] [diff] [review]
Catch failed CreateDrawTarget. r=mstange
I wouldn't mind this on beta just for completeness if the patch applies cleanly.
Attachment #8573492 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Updated•10 years ago
|
Attachment #8574879 -
Flags: review?(mstange) → review+
|
|
||
Comment 11•10 years ago
|
||
Comment on attachment 8573492 [details] [diff] [review]
Catch failed CreateDrawTarget. r=mstange
Per comment 10.
Attachment #8573492 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 12•10 years ago
|
||
For the automated test: https://treeherder.mozilla.org/#/jobs?repo=try&revision=75ac8b25170d
The test does fail before the fix: https://treeherder.mozilla.org/#/jobs?repo=try&revision=5e61d5ddd732
|
|
Assignee | |
Comment 13•10 years ago
|
||
Leave NI on me to remember to land the test once the fix is in all the trains.
Flags: needinfo?(milan)
|
|
||
Comment 14•10 years ago
|
||
|
|
||
Comment 15•10 years ago
|
||
Comment on attachment 8573492 [details] [diff] [review]
Catch failed CreateDrawTarget. r=mstange
While this is a straightforward patch, I don't think "completeness" is enough justification to take the change in Beta at this point. Let's let this ride the 38 train.
Attachment #8573492 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
|
|
||
Updated•10 years ago
|
|
|
Assignee | |
Updated•10 years ago
|
Flags: needinfo?(milan)
|
|
Assignee | |
Updated•10 years ago
|
Flags: needinfo?(milan)
|
|
||
Updated•10 years ago
|
Whiteboard: [adv-main38+]
|
|
||
Updated•10 years ago
|
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-master:
--- → unaffected
status-firefox-esr38:
--- → fixed
|
|
Assignee | |
Updated•10 years ago
|
Flags: needinfo?(milan)
|
||
Updated•10 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•10 years ago
|
Whiteboard: [adv-main38+] → [adv-main38+][post-critsmash-triage]
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•