Bug 1295078 (Closed)
Opened 8 years ago, closed 8 years ago
crash in mozilla::detail::RefCounted<T>::Release while PopClip in D2D
Categories: Core :: Graphics: Layers, defect
Status: RESOLVED DUPLICATE of bug 1291190
People: Reporter: jesup, Assigned: nical
+++ This bug was initially created as a clone of Bug #1245870 +++
This bug was filed from the Socorro interface and is report bp-bcddf6f7-ff8b-4aed-90b4-807ee2160204.
=============================================================
#1 topcrash for aurora 46. Comments and URLs reflect problems with gradle.org.
Crashing thread:
1 xul.dll RefPtr<mozilla::gfx::PathRecording>::~RefPtr<mozilla::gfx::PathRecording>() mfbt/RefPtr.h
2 xul.dll mozilla::gfx::DrawTargetD2D1::PopClip() gfx/2d/DrawTargetD2D1.cpp
3 xul.dll mozilla::gfx::DrawTargetDual::PopClip() gfx/2d/DrawTargetDual.h
4 xul.dll gfxContext::~gfxContext() gfx/thebes/gfxContext.cpp
5 xul.dll RefPtr<gfxContext>::assign_with_AddRef(gfxContext*) mfbt/RefPtr.h
...
I'd reopened the bug and marked it s-s. Per bas (below), it's a different bug, though with a similar stack. My original comment:
---------------------
Still a serious crasher in 50.
https://crash-stats.mozilla.com/report/index/5488e38f-488c-41e3-91b1-f52042160813
Also: this is an e5e5 crash, which means it's a UAF, and a sec issue
frames 1 and 2:
mozilla::gfx::DrawTargetD2D1::PopClip() gfx/2d/DrawTargetD2D1.cpp:760
mozilla::dom::CanvasRenderingContext2D::ReturnTarget()
--------
And Bas's reply:
This is a different bug, it would probably be a good idea to file it separately, I will begin investigation though.
Comment 1 • Bas Schouten (:bas.schouten) • 8 years ago
Nical, this is fairly serious, I investigated the minidump for this crash and this suggests CanvasRenderingContext2D::ReturnTarget() can be called with a dangling mTarget pointer. I suspect this is a regression from your canvas work.
Assignee: nobody → nical.bugzilla
Flags: needinfo?(nical.bugzilla)
Comment 2 • nical (Assignee) • 8 years ago
(In reply to Bas Schouten (:bas.schouten) from comment #1)
> Nical, this is fairly serious, I investigated the minidump for this crash
> and this suggests CanvasRenderingContext2D::ReturnTarget() can be called
> with a dangling mTarget pointer. I suspect this is a regression from your
> canvas work.
This is a duplicate of bug 1291190. I disabled PersistentBufferProviderShared on Windows in central and aurora because of it, and people have already verified that the issue stopped reproducing now that the pref is off. I'm still investigating this and I'll figure it out before re-enabling the pref.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(nical.bugzilla)
Resolution: --- → DUPLICATE
Updated • 6 years ago
Group: core-security