Closed Bug 1764999 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::WebGLContext::LruPosition::reset]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1769739

Tracking Flags:

Tracking

Status

firefox-esr91

---

unaffected

firefox99

---

wontfix

firefox100

---

wontfix

firefox101

---

wontfix

firefox102

---

affected

People

(Reporter: aosmond, Assigned: aosmond)

References

Details

(Keywords: crash, csectype-race, sec-other, Whiteboard: [dupe bug 1769739?])

Crash Data

Andrew Osmond [:aosmond] (he/him)

Assignee

Description

•

3 years ago

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/777365fd-bb91-4ce6-82f1-9cc4b0220414

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll mozilla::WebGLContext::LruPosition::reset dom/canvas/WebGLContext.cpp:129
1 xul.dll mozilla::WebGLContext::BumpLru dom/canvas/WebGLContext.h:275
2 xul.dll mozilla::WebGLContext::PresentInto dom/canvas/WebGLContext.cpp:871
3 xul.dll mozilla::WebGLContext::Present dom/canvas/WebGLContext.cpp:982
4 xul.dll mozilla::HostWebGLContext::Present const dom/canvas/HostWebGLContext.h:173
5 xul.dll mozilla::ClientWebGLContext::Run<void  const dom/canvas/ClientWebGLContext.cpp:351
6 xul.dll mozilla::ClientWebGLContext::Present dom/canvas/ClientWebGLContext.cpp:407
7 xul.dll mozilla::ClientWebGLContext::PresentFrontBuffer dom/canvas/ClientWebGLContext.cpp:441
8 xul.dll mozilla::dom::OffscreenCanvasDisplayHelper::CommitFrameToCompositor dom/canvas/OffscreenCanvasDisplayHelper.cpp:115
9 xul.dll mozilla::dom::OffscreenCanvas::DequeueCommitToCompositor dom/canvas/OffscreenCanvas.cpp:219

We appear to be accessing a global without a mutex on multiple threads:

https://searchfox.org/mozilla-central/rev/d34f9713ae128a3138c2b70d8041a535f1049d19/dom/canvas/WebGLContext.cpp#119

Andrew Osmond [:aosmond] (he/him)

Assignee

Updated

•

3 years ago

status-firefox100: --- → affected

status-firefox101: --- → affected

status-firefox99: --- → affected

status-firefox-esr91: --- → unaffected

Andrew Osmond [:aosmond] (he/him)

Assignee

Comment 1

•

3 years ago

I think I dismissed this initially because I thought it would be accessed only in the parent process.

Andrew McCreight [:mccr8]

Updated

•

3 years ago

Group: gfx-core-security

Keywords: csectype-race

Andrew McCreight [:mccr8]

Updated

•

3 years ago

Updated

•

3 years ago

Keywords: sec-high

Ryan VanderMeulen [:RyanVM]

Updated

•

3 years ago

status-firefox100: affected → wontfix

status-firefox101: affected → wontfix

status-firefox102: --- → affected

status-firefox99: affected → wontfix

Andrew McCreight [:mccr8]

Updated

•

3 years ago

Depends on: 1769739

Keywords: sec-high → sec-other

Whiteboard: [dupe bug 1769739?]

Andrew Osmond [:aosmond] (he/him)

Assignee

Updated

•

3 years ago

Status: NEW → RESOLVED

Closed: 3 years ago

Resolution: --- → DUPLICATE

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Group: gfx-core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Crash in [@ mozilla::WebGLContext::LruPosition::reset]

Categories

(Core :: Graphics: CanvasWebGL, defect)

Tracking

()

People

(Reporter: aosmond, Assigned: aosmond)

References

Details

(Keywords: crash, csectype-race, sec-other, Whiteboard: [dupe bug 1769739?])

Crash Data

Security

(public)

User Story

Description

Updated

Comment 1

Updated

Updated

Updated

Updated

Updated

Updated

Updated