Bug 1451302 (Closed)
Crash in mozilla::layers::ComputeVisibleRegionForChildren
Opened 6 years ago, closed 2 years ago
Categories: Core :: Graphics: Layers, defect, P2
People: Reporter: philipp, Unassigned
Details: 5 keywords, Whiteboard: [gfx-noted]
This bug was filed from the Socorro interface and is report bp-9dd21178-bb36-48d0-b03e-332520180314.

=============================================================
Top 10 frames of crashing thread:
0 xul.dll mozilla::layers::ComputeVisibleRegionForChildren gfx/layers/composite/LayerManagerComposite.cpp:1524
1 xul.dll mozilla::layers::ComputeVisibleRegionForChildren gfx/layers/composite/LayerManagerComposite.cpp:1529
2 xul.dll mozilla::layers::RefLayerMLGPU::GetShadowVisibleRegion gfx/layers/mlgpu/ContainerLayerMLGPU.cpp:261
3 xul.dll mozilla::layers::ContainerLayer::DefaultComputeEffectiveTransforms gfx/layers/Layers.cpp:1245
4 xul.dll mozilla::layers::LayerManagerComposite::UpdateAndRender gfx/layers/composite/LayerManagerComposite.cpp:482
5 xul.dll mozilla::layers::LayerManagerComposite::EndTransaction gfx/layers/composite/LayerManagerComposite.cpp:463
6 xul.dll mozilla::layers::CompositorBridgeParent::CompositeToTarget gfx/layers/ipc/CompositorBridgeParent.cpp:1049
7 xul.dll mozilla::layers::CompositorVsyncScheduler::Composite gfx/layers/ipc/CompositorVsyncScheduler.cpp:280
8 xul.dll mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void xpcom/threads/nsThreadUtils.h:1193
9 xul.dll MessageLoop::DoWork ipc/chromium/src/base/message_loop.cc:535
=============================================================

Crashes with this signature are starting to show up across platforms since Firefox 57 with fairly low volume, perhaps related to bug 1381753.
Updated•6 years ago
Flags: needinfo?(matt.woodrow)
Comment 1•6 years ago
Milan, could you assign somebody to investigate this sec-high bug? Thx!
Flags: needinfo?(milan)
Bas, Nical, UAF in LayerManagerComposite, perhaps related to advanced layers?
Flags: needinfo?(nical.bugzilla)
Flags: needinfo?(milan)
Flags: needinfo?(bas)
Perhaps related to bug 1451297? Probably a stretch.
Comment 4•6 years ago
(In reply to Milan Sreckovic [:milan] from comment #3)
> Perhaps related to bug 1451297? Probably a stretch.

Nical would know better, but since this is an actual UAF of a layer, and ImageBridge is the only place I know of where we handle layers off the main thread, it seems reasonable to expect ImageBridge to be related somehow.
Flags: needinfo?(bas)
Updated•6 years ago
status-firefox61: --- → affected
status-firefox62: --- → affected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → affected
Updated•6 years ago
Whiteboard: [gfx-noted]
Comment 5•6 years ago
Is this stalled? Any new ideas?
Comment 6•6 years ago
Adding Jessie (new graphics engineering manager) to all sec-crit and sec-high graphics bugs
Updated•6 years ago
Assignee: nobody → mikokm
Updated•6 years ago
Assignee: mikokm → nobody
Comment 7•6 years ago
> Nical would know better, but since this is an actual UAF of a layer, and ImageBridge is the only place I know of where we handle layers off the main thread. It seems reasonable to expect ImageBridge to be related somehow.
On the parent process the image bridge lives on the compositor thread. In fact I don't know of anything that touches layers off the compositor thread. I had a quick look at the shutdown code in case something might accidentally trigger some destruction code from the main thread but I didn't see anything obvious there.
It might not be thread related but rather something about deinitializing a container layer that is still referred to by a ref layer. Looking at the other reports it doesn't seem to be specific to advanced layers.
Flags: needinfo?(nical.bugzilla)
Updated•5 years ago
status-firefox65: --- → fix-optional
status-firefox66: --- → fix-optional
Comment 8•4 years ago
Removing employee no longer with company from CC list of private bugs.
Comment 9•2 years ago
Redirect a needinfo that is pending on an inactive user to the triage owner.
:bhood, since the bug has high priority and high severity, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(matt.woodrow) → needinfo?(bhood)
Comment 10•2 years ago
Nical, I'm tagging you on this since you've been involved previously: Can we verify that this is still an issue with current code?
Flags: needinfo?(bhood) → needinfo?(nical.bugzilla)
Comment 11•2 years ago
Looks like all of the crash reports are pre-webrender versions of firefox.
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(nical.bugzilla)
Resolution: --- → FIXED
Comment 12•2 years ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled
Updated•2 years ago
Resolution: FIXED → WORKSFORME
Updated•10 months ago
Group: gfx-core-security