Crash: double-free [@xcb_render_create_picture]

RESOLVED FIXED in Firefox 49

Status

Product: Core
Component: Graphics: Layers
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 2 years ago
Modified: a year ago

People

(Reporter: posidron, Assigned: acomminos)

Tracking

Version: Trunk
Target Milestone: mozilla50
Hardware: x86_64
OS: Mac OS X
Keywords: crash, csectype-other, sec-critical, testcase
Points: ---

Firefox Tracking Flags

(firefox49 fixed, firefox-esr45 unaffected, firefox50 unaffected, firefox51 unaffected)

Details

(Whiteboard: [adv-main49+])

Attachments

(2 attachments)

(Reporter)

Description

2 years ago
The following testcase crashes on en-us.linux-x86_64-asan.tar.bz2 revision 1d26ac38f26ded12a7ca0fb56a67db5eef8f2c20

See attachment.

Backtrace:

==14239==ERROR: AddressSanitizer: attempting double-free on 0x603000f08e90 in thread T0:
    #0 0x4b27ce in realloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3
    #1 0x7f57c579d017 in xcb_render_create_picture (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x14017)

0x603000f08e90 is located 0 bytes inside of 24-byte region [0x603000f08e90,0x603000f08ea8)
freed by thread T40 (Compositor) here:
    #0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f57c57f34ac  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6a4ac)

previously allocated by thread T40 (Compositor) here:
    #0 0x4b27ce in realloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3
    #1 0x7f57c579d017 in xcb_render_create_picture (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x14017)

Thread T40 (Compositor) created by T0 here:
    #0 0x49a839 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7f57b2ab4a1b in CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137:14
    #2 0x7f57b2ab4a1b in Create /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #3 0x7f57b2ab4a1b in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/thread.cc:98
    #4 0x7f57b41fc5b8 in CreateCompositorThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/CompositorThread.cpp:105:8
    #5 0x7f57b41fc5b8 in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/CompositorThread.cpp:53
    #6 0x7f57b41fc70a in mozilla::layers::CompositorThreadHolder::Start() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/CompositorThread.cpp:121:33
    #7 0x7f57b430e002 in InitLayersIPC /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:882:9
    #8 0x7f57b430e002 in gfxPlatform::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:680
    #9 0x7f57b430b7a2 in gfxPlatform::GetPlatform() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:515:9
    #10 0x7f57b8b5562d in CreateVsyncRefreshTimer /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsRefreshDriver.cpp:861:5
    #11 0x7f57b8b5562d in nsRefreshDriver::ChooseTimer() const /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsRefreshDriver.cpp:996
    #12 0x7f57b8b5861a in nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1213:34
    #13 0x7f57b8e31c26 in PresShell::ScheduleViewManagerFlush(nsIPresShell::PaintType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsPresShell.cpp:3663:5
    #14 0x7f57b8fa535c in nsIFrame::SchedulePaint(nsIFrame::PaintType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/generic/nsFrame.cpp:5710:3
    #15 0x7f57b8fa3c75 in InvalidateFrameInternal(nsIFrame*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/generic/nsFrame.cpp:5500:5
    #16 0x7f57b8f32f18 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/generic/nsFrame.cpp:5513:3
    #17 0x7f57b8c7fac7 in InvalidateCanvasIfNeeded /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:8508:3
    #18 0x7f57b8c7fac7 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:7656
    #19 0x7f57b8e1cd67 in PresShell::Initialize(int, int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsPresShell.cpp:1726:7
    #20 0x7f57b496d841 in nsContentSink::StartLayout(bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/base/nsContentSink.cpp:1210:19
    #21 0x7f57b3d09736 in nsHtml5TreeOpExecutor::StartLayout() /builds/slave/m-in-l64-asan-0000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:612:3
    #22 0x7f57b3d15e8e in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/parser/html/nsHtml5TreeOperation.cpp:990:7
    #23 0x7f57b3d07087 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-in-l64-asan-0000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:448:21
    #24 0x7f57b3d0bb1b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
    #25 0x7f57b1d57ec6 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:1068:7
    #26 0x7f57b1dd626c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #27 0x7f57b2b228af in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:100:21
    #28 0x7f57b2a970e8 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #29 0x7f57b2a970e8 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #30 0x7f57b2a970e8 in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #31 0x7f57b84dd88f in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #32 0x7f57ba40e321 in nsAppStartup::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:284:19
    #33 0x7f57ba55b873 in XREMain::XRE_mainRun() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4213:10
    #34 0x7f57ba55ce13 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4332:8
    #35 0x7f57ba55dcea in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4423:16
    #36 0x4dfb47 in do_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:251:10
    #37 0x4dfb47 in main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:387
    #38 0x7f57cb407ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: double-free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3 in realloc
(Reporter)

Comment 1

2 years ago
Created attachment 8775725 [details]
Testcase
(Reporter)

Updated

2 years ago
Severity: normal → critical
(Reporter)

Comment 2

2 years ago
A different variant, which occurred 911 times in the last few days in the same function:

==6568==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa24ae0927f bp 0x603000cdb070 sp 0x7fa21b4416e0 T40)
    #0 0x7fa24ae0927e in xcb_render_create_picture (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x1427e)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x1427e) in xcb_render_create_picture
Thread T40 (Compositor) created by T0 here:
    #0 0x49a839 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7fa238144ebb in CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137:14
    #2 0x7fa238144ebb in Create /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #3 0x7fa238144ebb in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/thread.cc:98
    #4 0x7fa23989b1b8 in CreateCompositorThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/CompositorThread.cpp:105:8
    #5 0x7fa23989b1b8 in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/CompositorThread.cpp:53
    #6 0x7fa23989b30a in mozilla::layers::CompositorThreadHolder::Start() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/layers/ipc/CompositorThread.cpp:121:33
    #7 0x7fa2399acae2 in InitLayersIPC /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:888:9
    #8 0x7fa2399acae2 in gfxPlatform::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:684
    #9 0x7fa2399aa282 in gfxPlatform::GetPlatform() /builds/slave/m-in-l64-asan-0000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:517:9
    #10 0x7fa23e22348d in CreateVsyncRefreshTimer /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsRefreshDriver.cpp:861:5
    #11 0x7fa23e22348d in nsRefreshDriver::ChooseTimer() const /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsRefreshDriver.cpp:996
    #12 0x7fa23e226497 in nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1213:34
    #13 0x7fa23e4ff956 in PresShell::ScheduleViewManagerFlush(nsIPresShell::PaintType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsPresShell.cpp:3663:5
    #14 0x7fa23e672859 in nsIFrame::SchedulePaint(nsIFrame::PaintType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/generic/nsFrame.cpp:5698:3
    #15 0x7fa23e671155 in InvalidateFrameInternal(nsIFrame*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/generic/nsFrame.cpp:5488:5
    #16 0x7fa23e600828 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/generic/nsFrame.cpp:5501:3
    #17 0x7fa23e34db47 in InvalidateCanvasIfNeeded /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:8508:3
    #18 0x7fa23e34db47 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:7656
    #19 0x7fa23e4ea808 in PresShell::Initialize(int, int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/layout/base/nsPresShell.cpp:1726:7
    #20 0x7fa23a00b01f in nsContentSink::StartLayout(bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/base/nsContentSink.cpp:1210:19
    #21 0x7fa2393a8666 in nsHtml5TreeOpExecutor::StartLayout() /builds/slave/m-in-l64-asan-0000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:612:3
    #22 0x7fa2393b4e1e in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/parser/html/nsHtml5TreeOperation.cpp:990:7
    #23 0x7fa2393a5fb7 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-in-l64-asan-0000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:448:21
    #24 0x7fa2393aaaab in nsHtml5ExecutorFlusher::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
    #25 0x7fa2373e8696 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:1073:7
    #26 0x7fa237466a3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #27 0x7fa2381b2cbf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:100:21
    #28 0x7fa238127588 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #29 0x7fa238127588 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #30 0x7fa238127588 in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #31 0x7fa23db99aaf in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #32 0x7fa23fad82d1 in nsAppStartup::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:284:19
    #33 0x7fa23fc25db3 in XREMain::XRE_mainRun() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4390:10
    #34 0x7fa23fc27353 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4513:8
    #35 0x7fa23fc2822a in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4608:16
    #36 0x4dfb47 in do_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:251:10
    #37 0x4dfb47 in main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:387
    #38 0x7fa250a73ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
Severity: critical → normal
(Reporter)

Updated

2 years ago
Severity: normal → critical
Group: core-security → gfx-core-security
status-firefox50: --- → affected
status-firefox51: --- → affected
Milan, can someone on your team take a look since this is sec-critical? Thanks.
status-firefox49: --- → ?
status-firefox-esr45: --- → ?
Flags: needinfo?(milan)
Flags: needinfo?(milan)
Lee, Andrew, thoughts? Do we expect a system cairo call here?
Flags: needinfo?(lsalzman)
Flags: needinfo?(andrew)
(Assignee)

Comment 5

2 years ago
There shouldn't be any, no. Even if XRender is enabled, we don't let system cairo create any kind of Xlib cairo surfaces.

It's worth noting that the revision used does use native cairo if X11 SHM is unavailable as a fallback, but only with image surfaces. This was replaced by my WindowSurface patches in 50. It's unlikely to be responsible for this XCB XRender call though.

http://hg.mozilla.org/mozilla-central/file/1d26ac38f26ded12a7ca0fb56a67db5eef8f2c20/widget/gtk/nsWindow.cpp

A stack of the offending thread would be most helpful here; I'd guess that GDK is making the call.
Flags: needinfo?(andrew)
Christoph, see comment 5 ask.
Flags: needinfo?(cdiehl)
(Reporter)

Comment 7

2 years ago
That's all the information I am able to provide.
However, I do get a lot of null-ptr crashes with those stack signatures:

911 crashes
        "xcb_render_create_picture", 
        "__interceptor_pthread_create", 
        "CreateThread", 
        "Create", 
        "base::Thread::StartWithOptions", 
        "CreateCompositorThread", 
        "mozilla::layers::CompositorThreadHolder::CompositorThreadHolder", 
        "mozilla::layers::CompositorThreadHolder::Start"

720 crashes
        "/lib/x86_64-linux-gnu/libc.so.6+0x152105", 
        "xcb_render_create_picture"

15
        "/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x69c63", 
        "__interceptor_pthread_create", 
        "CreateThread", 
        "Create", 
        "base::Thread::StartWithOptions", 
        "CreateCompositorThread", 
        "mozilla::layers::CompositorThreadHolder::CompositorThreadHolder", 
        "mozilla::layers::CompositorThreadHolder::Start"
Flags: needinfo?(cdiehl)
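The counts in comment 7 come from bucketing many ASan reports by their stack signature. As an added example (not the reporter's tooling and not part of the original bug), the following Python script parses reports in the shape quoted on this bug and groups them by error kind plus the top frames of the primary stack. Frame normalisation (symbol name when symbolised, otherwise module+offset) and the bucketing depth are this example's own choices; the sample reports are constructed for the example, partly copied from the traces above and partly invented.

```python
import re
from collections import Counter

# Constructed sample reports in the format of the ASan output quoted on this bug.
# The first two are taken from the bug's traces; the rest are invented variants
# (PIDs, addresses and offsets are made up) to give the bucketer something to group.
SAMPLE_REPORTS = [
    """==14239==ERROR: AddressSanitizer: attempting double-free on 0x603000f08e90 in thread T0:
    #0 0x4b27ce in realloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3
    #1 0x7f57c579d017 in xcb_render_create_picture (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x14017)

0x603000f08e90 is located 0 bytes inside of 24-byte region [0x603000f08e90,0x603000f08ea8)
freed by thread T40 (Compositor) here:
    #0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f57c57f34ac  (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6a4ac)
""",
    """==6568==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa24ae0927f bp 0x603000cdb070 sp 0x7fa21b4416e0 T40)
    #0 0x7fa24ae0927e in xcb_render_create_picture (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x1427e)

AddressSanitizer can not provide additional info.
""",
    """==6601==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa24ae0927f bp 0x603000cdb070 sp 0x7fa21b4416e0 T40)
    #0 0x7fa24ae0927e in xcb_render_create_picture (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x1427e)
""",
    """==7012==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f00deadbeef bp 0x000000000000 sp 0x7f00cafe0000 T40)
    #0 0x7f00deadbeee  (/lib/x86_64-linux-gnu/libc.so.6+0x152105)
    #1 0x7f00aabbccdd in xcb_render_create_picture (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x1427e)
""",
]

# "==PID==ERROR: AddressSanitizer: <kind> ..." ("attempting double-free", "SEGV", ...)
ERROR_RE = re.compile(r'^==\d+==ERROR: AddressSanitizer: (?:attempting )?([A-Za-z-]+)')
# A SEGV whose faulting address is all zeros is a null-pointer dereference.
NULL_RE = re.compile(r'SEGV on unknown address 0x0+\b')
# "#N 0xADDR in symbol path" or "#N 0xADDR (module+0xoff)"; either part may be absent.
FRAME_RE = re.compile(r'^\s*#\d+\s+0x[0-9a-fA-F]+\s+(?:in\s+(\S+))?\s*(?:\(([^)]+)\))?')


def parse_report(text):
    """Extract error kind, null-deref flag and normalised frames of the primary stack."""
    kind = None
    null_deref = False
    frames = []
    for line in text.splitlines():
        if kind is None:
            m = ERROR_RE.match(line)
            if m:
                kind = m.group(1)
                null_deref = bool(NULL_RE.search(line))
            continue
        m = FRAME_RE.match(line)
        if not m:
            break  # first non-frame line (blank, "freed by ...", ...) ends the primary stack
        # Prefer the symbol name; fall back to module+offset for unsymbolised frames.
        frames.append(m.group(1) or m.group(2) or line.strip())
    if kind is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return {"kind": kind, "null_deref": null_deref, "frames": frames}


def signature(report, depth=3):
    """Bucket key: error kind plus the top `depth` normalised frames."""
    return (report["kind"],) + tuple(report["frames"][:depth])


def bucket_reports(texts, depth=3):
    """Count reports per signature, in the style of the lists in comment 7."""
    counts = Counter()
    for text in texts:
        counts[signature(parse_report(text), depth)] += 1
    return counts


def null_deref_count(texts):
    """How many of the reports are plain null-pointer dereferences."""
    return sum(1 for text in texts if parse_report(text)["null_deref"])


if __name__ == "__main__":
    for sig, n in bucket_reports(SAMPLE_REPORTS).most_common():
        print(f"{n} crashes")
        for frame in sig[1:]:
            print(f'        "{frame}",')
        print(f"        (kind: {sig[0]})")
    print(f"null-pointer dereferences: {null_deref_count(SAMPLE_REPORTS)}")
```

Keying on the primary stack only keeps the double-free and the null-deref variants in separate buckets even though both land in xcb_render_create_picture; raising `depth` splits buckets further, lowering it merges more crashes into one signature.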
(Reporter)

Comment 8

2 years ago
Stupid question but is it possible that 'xvfb-run' can influence such behavior?
Andrew, can you dig deeper into this? At least to get to the point where we may know if it's us or GTK (Lee mentioned it could be) and get us to something actionable.
Assignee: nobody → andrew
Flags: needinfo?(lsalzman) → needinfo?(andrew)
(Assignee)

Comment 10

2 years ago
Sure, I'll take a look. I suspect it's a drawing call made by GTK as well.

Christoph, can you provide me with your GTK version? In addition, it would be helpful if you could check the status of the GTK_CSD environment variable; if GTK is drawing client side decorations, it *will* make calls to XRender.
Flags: needinfo?(andrew)
(Assignee)

Updated

2 years ago
Flags: needinfo?(cdiehl)
(Reporter)

Comment 11

2 years ago
$ dpkg -s libgtk-3-0 | grep '^Version' | cut -d' ' -f2-
3.10.8-0ubuntu1.6

GTK_CSD is empty. It's a headless system at EC2.
Flags: needinfo?(cdiehl)
(Reporter)

Comment 12

2 years ago
$ dpkg -l libgtk* | grep -e '^i' | grep -e 'libgtk-*[0-9]'
ii  libgtk-3-0:amd64                     3.10.8-0ubuntu1.6                          amd64        GTK+ graphical user interface library
ii  libgtk-3-0-dbg:amd64                 3.10.8-0ubuntu1.6                          amd64        GTK+ libraries and debugging symbols
ii  libgtk-3-bin                         3.10.8-0ubuntu1.6                          amd64        programs for the GTK+ graphical user interface library
ii  libgtk-3-common                      3.10.8-0ubuntu1.6                          all          common files for the GTK+ graphical user interface library
ii  libgtk2.0-0:amd64                    2.24.23-0ubuntu1.1                         amd64        GTK+ graphical user interface library
ii  libgtk2.0-common                     2.24.23-0ubuntu1.1                         all          common files for the GTK+ graphical user interface library
ii  libgtk2.0-dev                        2.24.23-0ubuntu1.1                         amd64        development files for the GTK+ library
(Assignee)

Comment 13

2 years ago
Thanks for the info. This is almost certainly a result of gdk_cairo_create being called to instantiate a cairo context for a GdkWindow on the compositor thread. We've had issues with the function not being thread-safe in the past, as GDK expects it to be called only from the main thread in the "draw" handler (bug 1285561). Cairo reference counting is atomic, but we can still race and perform a double-free when the main thread calls cairo_surface_finish (as GDK occasionally does).

The "good" news is that this path won't happen for most users; we only fall back to cairo blitting when we don't have MIT-SHM available, or if we fail to paint to the window with SHM. MIT-SHM is a widely available X extension and many applications explicitly require it.

The patch in bug 1285561 that solves this is rather large; it could potentially be uplifted, though. Alternatively, we could throw in our XRender drawing path instead when we don't have SHM, as we did prior to the addition of the gdk_cairo_create fallback.

What do you think, Milan?
Flags: needinfo?(milan)
Despite the situation not being common, I'm worried about the mention of EC2 in comment 11, so I'm not sure we can ignore this problem on that front.

The fix is on 50, so the question is whether we need to fix this bug before November when 50 releases. The patch in bug 1285561 is not small, but it has been on 50 since the middle of July, and no regressions are currently linked to it.

As a first pass, I'd like to see the alternative patch (XRender path when SHM is not there), which we would uplift all the way if necessary.
Flags: needinfo?(milan)
(Assignee)

Updated

2 years ago
status-firefox49: ? → affected
status-firefox50: affected → unaffected
status-firefox51: affected → unaffected
We are coming up on the beta 7 build tomorrow, so we could still take a patch if you manage to cherry pick a fix that applies to 49.
(Assignee)

Comment 16

2 years ago
Created attachment 8784534 [details] [diff] [review]
Remove cairo image surface fallback due to threading issues.

Here's a patch removing the image surface fallback case, reverting to XRender.
Attachment #8784534 - Flags: review?(lsalzman)
Attachment #8784534 - Flags: review?(lsalzman) → review+
(Assignee)

Comment 17

2 years ago
Comment on attachment 8784534 [details] [diff] [review]
Remove cairo image surface fallback due to threading issues.

Approval Request Comment
[Feature/regressing bug #]: 1015218
[User impact if declined]: Possibility for threading issues depending on the user's GTK version.
[Describe test coverage new/current, TreeHerder]: N/A
[Risks and why]: It's possible that our XRender backend may have regressed; it's unlikely, and the majority of users won't even fall back to this path.
[String/UUID change made/needed]: N/A
Attachment #8784534 - Flags: approval-mozilla-beta?
Comment on attachment 8784534 [details] [diff] [review]
Remove cairo image surface fallback due to threading issues.

Fix for a sec-critical crash, let's uplift for beta 7.
Attachment #8784534 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(Assignee)

Updated

2 years ago
Keywords: checkin-needed
https://hg.mozilla.org/releases/mozilla-beta/rev/fe99dea1a20d

This needs to land on esr45 too, yes?
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox49: affected → fixed
tracking-firefox-esr45: --- → ?
Flags: needinfo?(andrew)
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
(Assignee)

Comment 20

2 years ago
Nope, it's unaffected according to https://hg.mozilla.org/releases/mozilla-esr45/file/tip/widget/gtk/nsWindow.cpp.
Flags: needinfo?(andrew)
Ah great, thanks!
status-firefox-esr45: ? → unaffected
tracking-firefox-esr45: ? → ---
Group: gfx-core-security → core-security-release
Whiteboard: [adv-main49+]
Group: core-security-release