Closed Bug 1245870 Opened 10 years ago Closed 9 years ago

crash in mozilla::detail::RefCounted<T>::Release while PopClip in D2D

Categories

(Core :: Graphics: Layers, defect)

Product:
Core
Component:
Graphics: Layers
Platform:
Unspecified
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox46 + fixed
firefox47 + fixed

People

(Reporter: lizzard, Assigned: bas.schouten)

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(1 file)

MozReview Request: Bug 1245870: When concluding there is nothing to draw inside the clip be sure to balance the Save() since it won't be balanced in PopGroupForlayer. r=jrmuizel
58 bytes, text/x-review-board-request
jrmuizel
: review+
lizzard
: approval-mozilla-aurora+
Details
This bug was filed from the Socorro interface and is report bp-bcddf6f7-ff8b-4aed-90b4-807ee2160204. ============================================================= #1 topcrash for aurora 46. Comments and urls reflect problems with gradle.org. Crashing thread: 1 xul.dll RefPtr<mozilla::gfx::PathRecording>::~RefPtr<mozilla::gfx::PathRecording>() mfbt/RefPtr.h 2 xul.dll mozilla::gfx::DrawTargetD2D1::PopClip() gfx/2d/DrawTargetD2D1.cpp 3 xul.dll mozilla::gfx::DrawTargetDual::PopClip() gfx/2d/DrawTargetDual.h 4 xul.dll gfxContext::~gfxContext() gfx/thebes/gfxContext.cpp 5 xul.dll RefPtr<gfxContext>::assign_with_AddRef(gfxContext*) mfbt/RefPtr.h 6 xul.dll mozilla::layers::ClientPaintedLayer::PaintThebes() gfx/layers/client/ClientPaintedLayer.cpp 7 xul.dll mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) gfx/layers/client/ClientPaintedLayer.cpp 8 xul.dll mozilla::layers::ClientContainerLayer::RenderLayer() gfx/layers/client/ClientContainerLayer.h 9 xul.dll mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp 10 xul.dll mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) gfx/layers/client/ClientLayerManager.cpp
The crash signature seems to be spiking for 47, while it exists in very low volume for earlier versions.
status-firefox46: --- → affected
status-firefox47: --- → affected
tracking-firefox46: --- → +
tracking-firefox47: --- → +
Bas, I expect you caused this one.
Assignee: nobody → bas
Flags: needinfo?(bas)
Summary: crash in mozilla::detail::RefCounted<T>::Release → crash in mozilla::detail::RefCounted<T>::Release while PopClip in D2D
Hrm, the page seems to load just fine for me, seeing if I can reproduce this somehow. I'm not sure how PathRecording got involved here.. that should only be used for printing.
Flags: needinfo?(bas)
Ugh, that's just a red herring, optimized merging RefPtr destructors, never mind that bit.
Comment on attachment 8716045 [details] MozReview Request: Bug 1245870: When concluding there is nothing to draw inside the clip be sure to balance the Save() since it won't be balanced in PopGroupForlayer. r=jrmuizel https://reviewboard.mozilla.org/r/33701/#review30395
Attachment #8716045 - Flags: review?(jmuizelaar) → review+
https://hg.mozilla.org/mozilla-central/rev/afd7858792c9
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox47: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Comment on attachment 8716045 [details] MozReview Request: Bug 1245870: When concluding there is nothing to draw inside the clip be sure to balance the Save() since it won't be balanced in PopGroupForlayer. r=jrmuizel Approval Request Comment [Feature/regressing bug #]: Native push/poplayer [User impact if declined]: Crash when layers heuristics go a certain way [Describe test coverage new/current, TreeHerder]: Several days nightly coverage [Risks and why]: Low, causes balance in previously unbalanced save/restore [String/UUID change made/needed]: None
Attachment #8716045 - Flags: approval-mozilla-aurora?
Comment on attachment 8716045 [details] MozReview Request: Bug 1245870: When concluding there is nothing to draw inside the clip be sure to balance the Save() since it won't be balanced in PopGroupForlayer. r=jrmuizel Fix for top crash, please uplift to aurora
Attachment #8716045 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Bas Schouten (:bas.schouten) from comment #11) > https://hg.mozilla.org/releases/mozilla-aurora/rev/6a9b6a1e2454 setting flags
status-firefox46: affectedfixed
Group: core-security
Status: RESOLVED → REOPENED
status-firefox46: fixed?
status-firefox47: fixed?
status-firefox48: --- → ?
status-firefox49: --- → affected
status-firefox50: --- → affected
Flags: needinfo?(bas)
Keywords: csectype-uaf, sec-critical
Resolution: FIXED → ---
Flags: needinfo?(bas)
Status: REOPENED → RESOLVED
Closed: 10 years ago9 years ago
status-firefox46: ?fixed
status-firefox47: ?fixed
status-firefox48: ? → ---
status-firefox49: affected → ---
status-firefox50: affected → ---
Keywords: csectype-uaf, sec-critical
Resolution: --- → FIXED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: