Closed Bug 1295078 Opened 6 years ago Closed 6 years ago

crash in mozilla::detail::RefCounted<T>::Release while PopClip in D2D

Component: Core :: Graphics: Layers (defect)
Platform: Unspecified / Windows NT
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 1291190
Reporter: jesup; Assigned: nical

+++ This bug was initially created as a clone of Bug #1245870 +++

This bug was filed from the Socorro interface and is report bp-bcddf6f7-ff8b-4aed-90b4-807ee2160204.
=============================================================

#1 topcrash for aurora 46. Comments and urls reflect problems with gradle.org. 

Crashing thread: 

1 	xul.dll 	RefPtr<mozilla::gfx::PathRecording>::~RefPtr<mozilla::gfx::PathRecording>() 	mfbt/RefPtr.h
2 	xul.dll 	mozilla::gfx::DrawTargetD2D1::PopClip() 	gfx/2d/DrawTargetD2D1.cpp
3 	xul.dll 	mozilla::gfx::DrawTargetDual::PopClip() 	gfx/2d/DrawTargetDual.h
4 	xul.dll 	gfxContext::~gfxContext() 	gfx/thebes/gfxContext.cpp
5 	xul.dll 	RefPtr<gfxContext>::assign_with_AddRef(gfxContext*) 	mfbt/RefPtr.h

...

I'd reopened the bug and marked it s-s.  Per bas (below), it's a different bug, though with a similar stack.  My original comment:

---------------------

Still a serious crasher in 50.
https://crash-stats.mozilla.com/report/index/5488e38f-488c-41e3-91b1-f52042160813
Also: this is an e5e5 crash, which means it's a UAF, and a sec issue

frames 1 and 2:
mozilla::gfx::DrawTargetD2D1::PopClip() 	gfx/2d/DrawTargetD2D1.cpp:760
mozilla::dom::CanvasRenderingContext2D::ReturnTarget()


--------

And Bas's reply:


This is a different bug, it would probably be a good idea to file it separately, I will begin investigation though.
Nical, this is fairly serious, I investigated the minidump for this crash and this suggests CanvasRenderingContext2D::ReturnTarget() can be called with a dangling mTarget pointer. I suspect this is a regression from your canvas work.
Assignee: nobody → nical.bugzilla
Flags: needinfo?(nical.bugzilla)
(In reply to Bas Schouten (:bas.schouten) from comment #1)
> Nical, this is fairly serious, I investigated the minidump for this crash
> and this suggests CanvasRenderingContext2D::ReturnTarget() can be called
> with a dangling mTarget pointer. I suspect this is a regression from your
> canvas work.

This is a duplicate of bug 1291190. I disabled PersistentBufferProviderShared on windows in central and aurora because of it, and people have already verified that the issue stopped reproducing now that the pref is off. I'm still investigating this and I'll figure it out before re-enabling the pref.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(nical.bugzilla)
Resolution: --- → DUPLICATE
Group: core-security
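The failure mode the thread describes, as an added illustration that is not Mozilla code: a context keeps a raw mTarget pointer to a draw target that is ref-counted and owned elsewhere, the owner drops its reference, and the next PopClip through the stale pointer lands on freed memory filled with the 0xe5 poison byte (the "e5e5" signature the reporter points to). The slab allocator, Slab, PoisonAlloc, PoisonFree, IsLive, FirstWord, DrawTarget, RefPtr, RawContext, StrongContext, DanglingScenario and StrongRefScenario are all hypothetical stand-ins written for this example; the hardened variant shows the fix shape of holding a strong reference for as long as the target is used.

```cpp
// Added example, not Mozilla code. Every type and function here is a
// hypothetical stand-in that models the dangling-mTarget bug from the report.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// Tiny slab allocator that never returns freed blocks to the system and fills
// them with 0xe5, mimicking the free poisoning behind "e5e5" crash addresses.
// Because the storage stays owned by this program, reading a freed slab is
// observable here instead of undefined behaviour.
struct Slab { alignas(16) uint8_t bytes[64]; bool live = false; };
static Slab gSlabs[4];

static void* PoisonAlloc(size_t n) {
  for (Slab& s : gSlabs)
    if (!s.live && n <= sizeof(s.bytes)) { s.live = true; return s.bytes; }
  return nullptr;
}
static void PoisonFree(void* p) {
  for (Slab& s : gSlabs)
    if (p == s.bytes) { std::memset(s.bytes, 0xe5, sizeof(s.bytes)); s.live = false; }
}
static bool IsLive(const void* p) {
  for (const Slab& s : gSlabs) if (p == s.bytes) return s.live;
  return false;
}
// First 16-bit word at p: what a faulting load through a stale pointer sees.
static uint16_t FirstWord(const void* p) {
  uint16_t w; std::memcpy(&w, p, sizeof(w)); return w;
}

// Intrusive ref counting in the AddRef/Release shape of mozilla::RefCounted.
struct DrawTarget {
  uint16_t mClipDepth = 0;  // first field, so a dangling read lands on it
  int mRefCnt = 0;
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) { this->~DrawTarget(); PoisonFree(this); } }
  void PushClip() { ++mClipDepth; }
  void PopClip() { --mClipDepth; }
  static DrawTarget* Create() {
    return new (PoisonAlloc(sizeof(DrawTarget))) DrawTarget();
  }
};

template <class T> class RefPtr {
  T* mPtr = nullptr;
 public:
  RefPtr() = default;
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr(const RefPtr&) = delete;
  RefPtr& operator=(const RefPtr&) = delete;
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
  void reset() { if (mPtr) mPtr->Release(); mPtr = nullptr; }
};

// Buggy shape: the context borrows a raw pointer to a target owned by a
// separate provider, so nothing keeps the target alive for the later PopClip.
struct RawContext { DrawTarget* mTarget = nullptr; };

// Returns the word PopClip would read through mTarget after the provider
// released the target: the poison pattern 0xe5e5, not a clip depth.
static uint16_t DanglingScenario(bool* stillLive) {
  RawContext ctx;
  {
    RefPtr<DrawTarget> provider(DrawTarget::Create());  // sole owner
    ctx.mTarget = provider.get();                       // borrowed, no AddRef
    ctx.mTarget->PushClip();                            // depth 1
  }  // provider destroyed: refcount hits 0, object freed and poisoned
  *stillLive = IsLive(ctx.mTarget);                     // false
  return FirstWord(ctx.mTarget);                        // 0xe5e5
}

// Hardened shape: ReturnTarget() runs only while the context still holds a
// strong reference, so the target cannot be freed underneath the PopClip.
struct StrongContext {
  RefPtr<DrawTarget> mTarget;
  explicit StrongContext(DrawTarget* t) : mTarget(t) {}
  uint16_t ReturnTarget() {
    mTarget->PopClip();                       // object guaranteed live here
    uint16_t depth = mTarget->mClipDepth;
    mTarget.reset();                          // last reference: freed only now
    return depth;
  }
};

static uint16_t StrongRefScenario(bool* liveAfterProvider, bool* liveAfterReturn) {
  DrawTarget* raw = nullptr;
  StrongContext* ctx = nullptr;
  {
    RefPtr<DrawTarget> provider(DrawTarget::Create());
    raw = provider.get();
    ctx = new StrongContext(raw);             // AddRef: refcount 2
    raw->PushClip();
  }  // provider gone: refcount 1, object still live
  *liveAfterProvider = IsLive(raw);           // true
  uint16_t depth = ctx->ReturnTarget();       // PopClip on a live target -> 0
  *liveAfterReturn = IsLive(raw);             // false, released after last use
  delete ctx;
  return depth;
}

int main() {
  bool live = true;
  std::printf("raw pointer read after free: 0x%04x (live=%d)\n", DanglingScenario(&live), live);
  bool a = false, b = true;
  std::printf("strong ref clip depth: %u (live before=%d, after=%d)\n", StrongRefScenario(&a, &b), a, b);
  return 0;
}
```

The hardened variant is the point for a defender: a ref-counted object reached through a raw pointer is only safe while some other holder provably outlives every use, and a dangling read that shows 0xe5e5 in a crash report is the signature that this invariant was broken rather than a random memory fault.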