Closed
Bug 1421960
Opened 7 years ago
Closed 7 years ago
Crash in mozilla::gl::GLContext::MakeCurrent
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
RESOLVED
DUPLICATE
of bug 1421313
People
(Reporter: calixte, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [clouseau][adv-main59-])
Crash Data
This bug was filed from the Socorro interface and is report bp-86974930-068b-4a34-af02-52d670171129.
=============================================================
Top 10 frames of crashing thread:
0 libxul.so mozilla::gl::GLContext::MakeCurrent gfx/gl/GLContext.cpp:3047
1 libxul.so mozilla::gl::TexturePoolOGL::Fill gfx/layers/opengl/TexturePoolOGL.cpp:104
2 libxul.so mozilla::layers::CompositorOGL::BeginFrame gfx/layers/opengl/CompositorOGL.cpp:677
3 libxul.so mozilla::layers::LayerManagerComposite::Render gfx/layers/composite/LayerManagerComposite.cpp:917
4 libxul.so mozilla::layers::LayerManagerComposite::UpdateAndRender gfx/layers/composite/LayerManagerComposite.cpp:533
5 libxul.so mozilla::layers::LayerManagerComposite::EndTransaction gfx/layers/composite/LayerManagerComposite.cpp:463
6 libxul.so mozilla::layers::CompositorBridgeParent::CompositeToTarget gfx/layers/ipc/CompositorBridgeParent.cpp:1043
7 libxul.so mozilla::layers::CompositorVsyncScheduler::ResumeComposition gfx/layers/ipc/CompositorVsyncScheduler.cpp:388
8 libxul.so mozilla::layers::CompositorBridgeParent::ResumeComposition gfx/layers/ipc/CompositorBridgeParent.cpp:746
9 libxul.so mozilla::layers::UiCompositorControllerParent::RecvResumeAndResize gfx/layers/ipc/UiCompositorControllerParent.cpp:74
=============================================================
There are 26 crashes in nightly 59 with buildid 20171129111022.
In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1390386.
[1] https://hg.mozilla.org/mozilla-central/rev/b98d0d835d12
Flags: needinfo?(jgilbert)
Comment 1•7 years ago
The crash stack here looks very similar to the one seen in bug 1421313.
See Also: → 1421313
Comment 2•7 years ago
This is the #3 top crash in the 11-29 Android Nightly.
Comment 3•7 years ago
I think this is just bug 1421313, moved around.
The bug seems to be dereffing a dead GLContext in MakeCurrent. always-make-current just moved that to crashing on calling MakeCurrentImpl, now that MakeCurrent is non-virtual.
That's my quick read, at least.
Flags: needinfo?(jgilbert) → needinfo?(snorp)
(In reply to Jeff Gilbert [:jgilbert] from comment #3)
> I think this is just bug 1421313, moved around.
> The bug seems to be dereffing a dead GLContext in MakeCurrent.
> always-make-current just moved that to crashing on calling MakeCurrentImpl,
> now that MakeCurrent is non-virtual.
> That's my quick read, at least.
If that's true, then CompositorOGL::BeginFrame() is operating with a dead context and I don't see how that's possible. The context is destroyed in CompositorOGL::CleanupResources() and sets the context to null at that point, which we check for in TexturePoolOGL::Fill(). Presumably all of this is on the Compositor thread, but maybe it's not and we have a race?
Flags: needinfo?(snorp)
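The lifetime question raised in the two comments above (the owner nulls its own pointer on cleanup, the pool null-checks, yet the crash is a use-after-free) can be modelled in a few lines. This is an added example, not Mozilla code; the struct names mirror the stack frames but their bodies, the raw-cache field and the weak-handle fix are hypothetical, and the page does not say where the stale pointer actually lived.

```cpp
// Added example (not Mozilla code): a minimal model of why a null check on
// one owner's field does not protect a second, independently held copy.
#include <memory>

struct GLContext {
    bool MakeCurrent() { return true; }  // hypothetical stand-in for the real method
};

// Stale-pointer pattern: the compositor owns the context and nulls its own
// field on cleanup, but the pool keeps a raw copy that nobody clears, so the
// pool's null check still passes after the object is gone.
struct TexturePoolRaw {
    GLContext* mContext = nullptr;               // hypothetical raw cache
    bool Fill() { return mContext != nullptr; }  // check is against the stale copy
};

struct CompositorRaw {
    std::unique_ptr<GLContext> mContext = std::make_unique<GLContext>();
    TexturePoolRaw mPool;
    CompositorRaw() { mPool.mContext = mContext.get(); }
    void CleanupResources() { mContext.reset(); }  // pool copy now dangles
};

// Hardened pattern: the pool holds a weak handle tied to the context's real
// lifetime; once the owner releases it, lock() yields null and Fill bails out
// before touching the object.
struct TexturePoolWeak {
    std::weak_ptr<GLContext> mContext;
    bool Fill() {
        std::shared_ptr<GLContext> gl = mContext.lock();
        if (!gl) return false;  // context already destroyed
        return gl->MakeCurrent();
    }
};

struct CompositorWeak {
    std::shared_ptr<GLContext> mContext = std::make_shared<GLContext>();
    TexturePoolWeak mPool;
    CompositorWeak() { mPool.mContext = mContext; }
    void CleanupResources() { mContext.reset(); }
};

// Does the pool still believe it may use the context after cleanup?
bool RawPoolStillFills()  { CompositorRaw c;  c.CleanupResources(); return c.mPool.Fill(); }
bool WeakPoolStillFills() { CompositorWeak c; c.CleanupResources(); return c.mPool.Fill(); }
bool WeakPoolFillsBeforeCleanup() { CompositorWeak c; return c.mPool.Fill(); }
```

The weak handle only closes the stale-copy gap; if cleanup and Fill really run on different threads, as comment 4 wonders, the context's own methods still need their own synchronisation.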
I've been getting a ton of crashes from this. It seems to be related to custom tabs. Here's a way to reproduce on my Pixel XL:
1. Have custom tabs enabled, Nightly as default browser.
2. Open Nightly, navigate to a page.
3. Open another app that will use custom tabs, such as Google's News & Weather.
4. Open an article, which loads in a custom tab.
5. Hit back, open another article.
6. Crash.
My workaround has been to disable custom tabs. Over the past few days I haven't seen any crashes.
Comment 6•7 years ago
Crashes such as https://crash-stats.mozilla.com/report/index/bb50be9e-09a5-4336-8101-5c2e10171206 are UAFs -> sec-high
Group: core-security
Keywords: csectype-uaf, sec-high
Updated•7 years ago
Group: core-security → gfx-core-security
Comment 7•7 years ago
Jeff - this is a sec bug; what are our options here?
Flags: needinfo?(jgilbert)
Comment 8•7 years ago
(In reply to Randell Jesup [:jesup] from comment #7)
> Jeff - this is a sec bug; what are our options here?
We could uplift bug 1421313. I really don't think this is a good attack vector, though.
We should uplift to beta, but not further, imo.
Flags: needinfo?(jgilbert)
Updated•7 years ago
Comment 9•7 years ago
Looks like we're already trying to uplift it to Beta, but ran into a really weird CI crash.
I figured out the uplift problem. Let's dup this one to 1421313.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•7 years ago
See Also: → CVE-2018-5148
Updated•7 years ago
Whiteboard: [clouseau] → [clouseau][adv-main59-]
Updated•6 years ago
Group: gfx-core-security