Closed Bug 1471714 Opened 6 years ago Closed 6 years ago

Crash in nsRegion::AddRect

Categories

(Core :: Graphics, defect)

61 Branch
defect
Not set
critical

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- affected
firefox62 --- affected
firefox63 --- affected

People

(Reporter: philipp, Unassigned)

References

Details

Crash Data

This bug was filed from the Socorro interface and is
report bp-986a3274-b754-4226-9dbd-f46890180626.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll nsRegion::AddRect gfx/src/nsRegion.h:2011
1 xul.dll mozilla::layers::HostLayer::RecomputeShadowVisibleRegionFromChildren gfx/layers/composite/LayerManagerComposite.cpp:1545
2 xul.dll mozilla::layers::ContainerLayer::DefaultComputeEffectiveTransforms gfx/layers/Layers.cpp:1270
3 xul.dll mozilla::layers::LayerManagerComposite::UpdateAndRender gfx/layers/composite/LayerManagerComposite.cpp:483
4 xul.dll mozilla::layers::LayerManagerComposite::EndTransaction gfx/layers/composite/LayerManagerComposite.cpp:464
5 xul.dll mozilla::layers::CompositorBridgeParent::CompositeToTarget gfx/layers/ipc/CompositorBridgeParent.cpp:1056
6 xul.dll mozilla::layers::CompositorVsyncScheduler::Composite gfx/layers/ipc/CompositorVsyncScheduler.cpp:243
7 xul.dll mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void  xpcom/threads/nsThreadUtils.h:1216
8 xul.dll MessageLoop::DoWork ipc/chromium/src/base/message_loop.cc:535
9 xul.dll base::MessagePumpForUI::DoRunLoop ipc/chromium/src/base/message_pump_win.cc:210

=============================================================

This is a cross-platform crash regressing in Firefox 61 - perhaps related to bug 1440753. It's fairly low volume though.
Bas: this is crashing in code you added in bug 1440753 -- please take a look.
Flags: needinfo?(bas)
Keywords: sec-high
Most of the other crashes from this signature seem to be completely different. There are a couple of other ACCESS_VIOLATION_WRITES, but they're in completely different places, so that looks like random corruption. Most crashes are other types.

This particular one (again, of which I can find only one) is basically doing this:

if (mMyArray.IsEmpty()) {
  mMyArray.AppendElement(NewObject());
}

The only potential write violation there I could see would be if 'this' was maybe corrupted? (i.e. the region object itself was wrong)

I can have a look at the minidump if that's interesting, but I can't see any way in which this particular code could be wrong.

If you have any idea how to move forward let me know and I'll happily pursue whatever line of investigation you suggest, but I think these are just random cases of corruption showing up, in an extremely hot function that was newly added in bug 1440753.
Flags: needinfo?(bas) → needinfo?(dveditz)
They might be crashing in different places because <this> is bogus, and depending on other values they take a different path before it's used. A handful of the crashes have AddRect called by nsRegion::Or() and in some cases Or sets *this to a passed-in region. Maybe that's coming in bogus? But you're right that it looks like it's the layers above that have lost track of their nsRegions and there could be multiple causes that just happen to get detected here.
Group: gfx-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(dveditz)
Resolution: --- → INCOMPLETE
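A small triage helper, added here as an example and not part of Mozilla's code or of this bug: it parses the Socorro "Top N frames" listing shown in comment 0 and buckets reports by the immediate caller of the crashing frame, which is the RecomputeShadowVisibleRegionFromChildren vs. nsRegion::Or split mentioned above. The function names, the `Frame` type and the second sample report (with its line number) are constructed for the example.

```python
"""Added triage helper (not Mozilla's code): parse Socorro "Top N frames"
listings and bucket reports by the immediate caller of the crashing frame."""
import re
from collections import Counter
from dataclasses import dataclass

# One frame per line: index, module, symbol (may contain spaces and template
# brackets), then the file:line token; header and separator lines do not match.
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)\s+(\S+):(\d+)$")


@dataclass(frozen=True)
class Frame:
    index: int
    module: str
    function: str
    source: str
    line: int


def parse_frames(text):
    """Return the Frame objects found in a Socorro frame listing, in order."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if m:
            frames.append(Frame(int(m[1]), m[2], m[3], m[4], int(m[5])))
    return frames


def caller_of_crash(frames):
    """Symbol of frame 1: the function that called the crashing frame."""
    return frames[1].function if len(frames) > 1 else None


def bucket_by_caller(reports):
    """Count raw reports by the caller of frame 0, to separate distinct paths."""
    return Counter(caller_of_crash(parse_frames(r)) for r in reports)


# Constructed sample A: frames from the stack in this bug (including the
# truncated template frame) behind the usual Socorro header and separator.
REPORT_A = """Top 10 frames of crashing thread:
0 xul.dll nsRegion::AddRect gfx/src/nsRegion.h:2011
1 xul.dll mozilla::layers::HostLayer::RecomputeShadowVisibleRegionFromChildren gfx/layers/composite/LayerManagerComposite.cpp:1545
7 xul.dll mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void  xpcom/threads/nsThreadUtils.h:1216
============================================================="""

# Constructed sample B: AddRect reached through nsRegion::Or (line number made up).
REPORT_B = """0 xul.dll nsRegion::AddRect gfx/src/nsRegion.h:2011
1 xul.dll nsRegion::Or gfx/src/nsRegion.h:999"""
```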