Closed Bug 1214571 Opened 10 years ago Closed 10 years ago

Firefox Nightly 44.0a1 (2015-10-12) crashes in mozilla::dom::HTMLCanvasElement

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
44 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox43 --- unaffected
firefox44 + verified

People

(Reporter: Virtual, Assigned: mtseng)

References

Details

(7 keywords, Whiteboard: [b2g-adv-main2.5-])

Crash Data

Attachments

(2 files)

testcase
659 bytes, text/html
Details
Only create mContextObserver once.
1.70 KB, patch
baku
: review+
Details | Diff | Splinter Review
Crashes happens mostly when you close the Firefox, but it can also happens when you swap the tab to another one. [Tracking Requested - why for this release]: Regression Regression window (mozilla-central) Good: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-10-11-03-02-29-mozilla-central/ Bad: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-10-12-03-06-12-mozilla-central/ Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b68eab795f9de072bee12821b0f09422e5aa0da9&tochange=0b69d304f861d0038fb78f1d52b0f5d13ef7c6fe Crashlog reports [@ mozilla::dom::HTMLCanvasElement::OnVisibilityChange() ]: https://crash-stats.mozilla.com/report/index/d75adabe-5159-4d82-8aa9-df02d2151012 https://crash-stats.mozilla.com/report/index/ff9a1d5c-0db5-4d5f-a381-9c3c32151012 https://crash-stats.mozilla.com/report/index/22f8f058-1081-477a-8451-78bdd2151013 https://crash-stats.mozilla.com/report/index/db80e051-041b-4475-9b06-c9ef42151013 https://crash-stats.mozilla.com/report/index/10390cd6-af7e-4103-b506-7b1272151013 https://crash-stats.mozilla.com/report/index/2c865c8a-7ca1-40d1-b1d4-1f2282151013 Crashlog reports [@ mozilla::dom::HTMLCanvasElementObserver::UnregisterVisibilityChangeEvent() ]; https://crash-stats.mozilla.com/report/index/33b2cfea-1f4b-4cf0-a51a-fccee2151012 https://crash-stats.mozilla.com/report/index/b7983fe3-5458-4b26-b2d0-2c8b02151012 https://crash-stats.mozilla.com/report/index/f8ca6fc4-a371-49bc-bad7-d90dd2151013
Group: dom-core-security
Based on the crash stats, we have somehow missed to call HTMLCanvasElementObserver::Destroy() since HTMLCanvasElementObserver::HandleEvent calls OnVisibilityChange() on using a deleted mElement, if I read the stacks right. Raw pointer as a member variable bites again. HTMLCanvasElementObserver has HTMLCanvasElement* mElement;
Blocks: 709490
Summary: Firefox Nightly 44.0a1 (2015-10-13) crashes in mozilla::dom::HTMLCanvasElement → Firefox Nightly 44.0a1 (2015-10-12) crashes in mozilla::dom::HTMLCanvasElement
Btw, looks like it is possible that we create several HTMLCanvasElementObserver objects, but call Destroy on only one of them.
I also want to mention that I have these option set as "false" in about:config: -webgl.angle.try-d3d11 -webgl.can-lose-context-in-foreground -webgl.enable-debug-renderer-info -webgl.restore-context-when-visible and these to "true: -webgl.disable-angle -webgl.disable-extensions -webgl.disable-fail-if-major-performance-caveat -webgl.disabled to disable completely WebGL per security reasons and per not using it.
(In reply to Olli Pettay [:smaug] from comment #2) > Btw, looks like it is possible that we create several > HTMLCanvasElementObserver objects, but call > Destroy on only one of them. HTMLCanvasElementObserver calls Destroy in its DTOR. But yes, we should check if we already have an existing mContextObserver.
(In reply to Olli Pettay [:smaug] from comment #1) > Raw pointer as a member variable bites again. > HTMLCanvasElementObserver has HTMLCanvasElement* mElement; Sigh. :( I should land my analysis soon...
Attached file testcase β€”
Not 100% reliable testcase, since it depends on CC/GC scheduling, but seems to crash locally usually in HTMLCanvasElement::OnVisibilityChange() But hopefully it helps figuring out the right patch for this. c.getContext("webgl", { get stencil() { throw "hahaa"; } }); creates an HTMLCanvasElementObserver which c.getContext("webgl", { stencil: false }); then overrides.
Sorry for crashing nightly. Here is patch to prevent create too much mContextObserver.
Attachment #8674021 - Flags: review?(bugs)
Attachment #8674021 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/7828bf225ef2
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox44: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Verified as FIXED with (2015-10-17) build. Thank you very much. \o/
Status: RESOLVED → VERIFIED
status-firefox44: fixedverified
Crash Signature: [@ mozilla::dom::HTMLCanvasElement::OnVisibilityChange() ] [@ mozilla::dom::HTMLCanvasElementObserver::UnregisterVisibilityChangeEvent() ] → [@ mozilla::dom::HTMLCanvasElement::OnVisibilityChange() ] [@ mozilla::dom::HTMLCanvasElement::OnVisibilityChange ] [@ mozilla::dom::HTMLCanvasElementObserver::UnregisterVisibilityChangeEvent() ]
Keywords: topcrash, topcrash-win
Group: dom-core-security → core-security-release
Can someone suggest a security rating for this issue?
Flags: sec-bounty?
See the change after https://bugzilla.mozilla.org/show_bug.cgi?id=1214571#c1 sec-critical because of accessing a deleted object.
Group: core-security-release
Flags: sec-bounty? → sec-bounty+
Whiteboard: [b2g-adv-main2.5-]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: