1425443 - Crash in mozilla::layers::CompositorVsyncScheduler::DispatchVREvents

Status: RESOLVED DUPLICATE of bug 1420940

(Core :: Graphics, defect)

Description

[Randell Jesup [:jesup] (needinfo me)]

This bug was filed from the Socorro interface and is
report bp-13c18af4-2aaa-4864-8062-a52cd0171211.
=============================================================

Top frames of crashing thread:

0 xul.dll mozilla::layers::CompositorVsyncScheduler::DispatchVREvents gfx/layers/ipc/CompositorVsyncScheduler.cpp:365
1 xul.dll mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void  xpcom/threads/nsThreadUtils.h:1192
2 xul.dll MessageLoop::DoWork ipc/chromium/src/base/message_loop.cc:535

=============================================================

UAF in 59 - I'd guess either the object itself is gone (perhaps the runnable didn't hold a ref to it somehow(!?), or that the display is slightly off and it's actually the Monitor that was freed; or (less likely) that the ::Get() call is UAFing.

There are a handful of crashes before 11/22, but with slightly different signatures - perhaps the code changed then and the crash switched from wildptr to a UAF read (the monitor appears to have been introduced there).  The single 57.0 crash was a wildptr EXEC, which isn't good.  Assuming it's a regression for now, but might just be a change of symptom/frequency.

Comment 1

[Randell Jesup [:jesup] (needinfo me)]

daoshengmu@gmail.com seems to have made most of the changes here recently - thoughts?

Comment 2

[Daosheng Mu[:daoshengmu]]

I think it has been resolved at https://bugzilla.mozilla.org/show_bug.cgi?id=1420940#c10.

Thanks!

Comment 4

[Liz Henry (:lizzard) (relman/hg->git project)]

Fixed in 59 in the duplicate.