Closed Bug 1421960 Opened 7 years ago Closed 6 years ago

Crash in mozilla::gl::GLContext::MakeCurrent

Product/Component: Core :: Graphics: CanvasWebGL (defect)
Version: 59 Branch
Hardware: Unspecified
OS: Android
Priority: Not set
Severity: critical

Status: RESOLVED DUPLICATE of bug 1421313
Tracking Status:
firefox-esr52 --- wontfix
firefox57 --- wontfix
firefox58 --- affected
firefox59 --- fixed

Reporter: calixte
Assignee: Unassigned
References: Blocks 1 open bug
Whiteboard: [clouseau][adv-main59-] (4 keywords)

This bug was filed from the Socorro interface and is
report bp-86974930-068b-4a34-af02-52d670171129.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so mozilla::gl::GLContext::MakeCurrent gfx/gl/GLContext.cpp:3047
1 libxul.so mozilla::gl::TexturePoolOGL::Fill gfx/layers/opengl/TexturePoolOGL.cpp:104
2 libxul.so mozilla::layers::CompositorOGL::BeginFrame gfx/layers/opengl/CompositorOGL.cpp:677
3 libxul.so mozilla::layers::LayerManagerComposite::Render gfx/layers/composite/LayerManagerComposite.cpp:917
4 libxul.so mozilla::layers::LayerManagerComposite::UpdateAndRender gfx/layers/composite/LayerManagerComposite.cpp:533
5 libxul.so mozilla::layers::LayerManagerComposite::EndTransaction gfx/layers/composite/LayerManagerComposite.cpp:463
6 libxul.so mozilla::layers::CompositorBridgeParent::CompositeToTarget gfx/layers/ipc/CompositorBridgeParent.cpp:1043
7 libxul.so mozilla::layers::CompositorVsyncScheduler::ResumeComposition gfx/layers/ipc/CompositorVsyncScheduler.cpp:388
8 libxul.so mozilla::layers::CompositorBridgeParent::ResumeComposition gfx/layers/ipc/CompositorBridgeParent.cpp:746
9 libxul.so mozilla::layers::UiCompositorControllerParent::RecvResumeAndResize gfx/layers/ipc/UiCompositorControllerParent.cpp:74

=============================================================

There are 26 crashes in nightly 59 with buildid 20171129111022.
In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1390386.

[1] https://hg.mozilla.org/mozilla-central/rev/b98d0d835d12
Flags: needinfo?(jgilbert)
The crash stack here looks very similar to the one seen in bug 1421313.
See Also: → 1421313
This is the #3 top crash in the 11-29 Android Nightly.
I think this is just bug 1421313, moved around.
The bug seems to be dereffing a dead GLContext in MakeCurrent. always-make-current just moved that to crashing on calling MakeCurrentImpl, now that MakeCurrent is non-virtual.
That's my quick read, at least.
Flags: needinfo?(jgilbert) → needinfo?(snorp)
(In reply to Jeff Gilbert [:jgilbert] from comment #3)
> I think this is just bug 1421313, moved around.
> The bug seems to be dereffing a dead GLContext in MakeCurrent.
> always-make-current just moved that to crashing on calling MakeCurrentImpl,
> now that MakeCurrent is non-virtual.
> That's my quick read, at least.

If that's true, then CompositorOGL::BeginFrame() is operating with a dead context and I don't see how that's possible. The context is destroyed in CompositorOGL::CleanupResources() and sets the context to null at that point, which we check for in TexturePoolOGL::Fill(). Presumably all of this is on the Compositor thread, but maybe it's not and we have a race?
Flags: needinfo?(snorp)
I've been getting a ton of crashes from this. It seems to be related to custom tabs. Here's a way to reproduce on my Pixel XL:

1. Have custom tabs enabled, Nightly as default browser.
2. Open Nightly, navigate to a page.
3. Open another app that will use custom tabs, such as Google's News & Weather.
4. Open an article, which loads in a custom tab.
5. Hit back, open another article.
6. Crash.

My workaround has been to disable custom tabs. Over the past few days I haven't seen any crashes.
Group: core-security → gfx-core-security
Jeff - this is a sec bug; what are our options here?
Flags: needinfo?(jgilbert)
(In reply to Randell Jesup [:jesup] from comment #7)
> Jeff - this is a sec bug; what are our options here?

We could uplift bug 1421313. I really don't think this is a good attack vector, though.
We should uplift to beta, but not further, imo.
Flags: needinfo?(jgilbert)
Looks like we're already trying to uplift it to Beta, but ran into a really weird CI crash.
I figured out the uplift problem. Let's dup this one to 1421313.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
See Also: → CVE-2018-5148
Whiteboard: [clouseau] → [clouseau][adv-main59-]
Group: gfx-core-security