Closed Bug 1478040 Opened 6 years ago Closed 6 years ago

Crash in static struct webrender::tiling::Frame webrender::frame_builder::FrameBuilder::build

Categories

(Core :: Graphics: WebRender, defect, P3)

Product:
Core
Component:
Graphics: WebRender
Platform:
x86_64
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox63 --- affected

People

(Reporter: jan, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, nightly-community)

Crash Data

Nvidia, GK208B [GeForce GT 710]

This bug was filed from the Socorro interface and is
report bp-9ba062ac-f7dd-4ff5-9bd5-449fc0180724.
> index out of bounds: the len is 107 but the index is 16565899579919558117
=============================================================

Top 10 frames of crashing thread:

0 xul.dll static void std::panicking::rust_panic_with_hook src/libstd/panicking.rs:521
1 xul.dll static void std::panicking::continue_panic_fmt src/libstd/panicking.rs:426
2 xul.dll static void std::panicking::rust_begin_panic src/libstd/panicking.rs:337
3 xul.dll static void core::panicking::panic_fmt src/libcore/panicking.rs:92
4 xul.dll static void core::panicking::panic_bounds_check src/libcore/panicking.rs:60
5 xul.dll static struct webrender::tiling::Frame webrender::frame_builder::FrameBuilder::build gfx/webrender/src/frame_builder.rs:333
6 xul.dll static struct webrender::internal_types::RenderedDocument webrender::render_backend::Document::render gfx/webrender/src/render_backend.rs:283
7 xul.dll static void webrender::render_backend::RenderBackend::update_document gfx/webrender/src/render_backend.rs:1112
8 xul.dll static bool webrender::render_backend::RenderBackend::process_api_msg gfx/webrender/src/render_backend.rs:988
9 xul.dll static void webrender::render_backend::RenderBackend::run gfx/webrender/src/render_backend.rs:798

=============================================================
dec 16565899579919558117 = hex 0xe5e5e5e5e5e5e5e5

So this is similar to bug 1460087, but with a different decimal number.

(Kartikaya Gupta (email:kats@mozilla.com) from bug 1424126 comment 2)
> However, the value `3857049061` is 0xE5E5E5E5 which is jemalloc fills in for freed memory. so this is really a use-after-free instance which is bad news.
> Hopefully it doesn't come back.
See Also: → 1478047
Priority: -- → P3
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.