Closed Bug 525990 Opened 15 years ago Closed 14 years ago

Null deref crash in [@ _moz_cairo_surface_flush - gfxASurface::Flush - nsGLPbufferCGL::ThebesSurface]

Categories

(Core :: Graphics: CanvasWebGL, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED INVALID
Tracking Status
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: halb.halb, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos null-deref])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_1; en-us) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a1pre) Gecko/20091101 Minefield/3.7a1pre

Null dereference crash in WebGL stuff, affects 3.7 and not 3.5.  
Related to canvas with large width.

Reproducible: Always

Steps to Reproduce:
Use recent Firefox 3.7 (this doesn't affect 3.5).

Set webgl.enabled_for_all_sites = true in about:config

Open attached html file
Actual Results:  
Crash.

Process:         firefox-bin [47053]
Path:            /Volumes/data_apps/obj-x86_64-apple-darwin10.0.0/dist/MinefieldDebug.app/Contents/MacOS/firefox-bin
Identifier:      org.mozilla.firefox
Version:         3.7a1pre (3.7a1pre)
Code Type:       X86-64 (Native)
Parent Process:  launchd [200]

Date/Time:       2009-11-02 13:06:50.235 -0800
OS Version:      Mac OS X 10.6.1 (10B504)
Report Version:  6

Interval Since Last Report:          1886 sec
Crashes Since Last Report:           2
Per-App Interval Since Last Report:  610 sec
Per-App Crashes Since Last Report:   2
Anonymous UUID:                      3D956540-F69B-4457-B4A4-761A72189954

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000014
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   libthebes.dylib               	0x000000011506b328 _moz_cairo_surface_flush + 16
1   libthebes.dylib               	0x00000001150029b1 gfxASurface::Flush() + 25 (gfxASurface.cpp:262)
2   libgklayout.dylib             	0x0000000115630c8e nsGLPbufferCGL::ThebesSurface() + 418 (nsGLPbufferCGL.cpp:246)
3   libgklayout.dylib             	0x000000011561da20 mozilla::WebGLContext::Render(gfxContext*, gfxPattern::GraphicsFilter) + 168 (WebGLContext.cpp:253)
4   libgklayout.dylib             	0x0000000115690b00 nsHTMLCanvasElement::RenderContexts(gfxContext*, gfxPattern::GraphicsFilter) + 86 (nsHTMLCanvasElement.cpp:488)
5   libgklayout.dylib             	0x0000000115326e52 nsHTMLCanvasFrame::PaintCanvas(nsIRenderingContext&, nsRect const&, nsPoint) + 432 (nsHTMLCanvasFrame.cpp:257)
6   libgklayout.dylib             	0x00000001153276c9 nsDisplayItemCanvas::Paint(nsDisplayListBuilder*, nsIRenderingContext*) + 75 (nsHTMLCanvasFrame.cpp:74)
7   libgklayout.dylib             	0x0000000115265596 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*) const + 112 (nsDisplayList.cpp:407)
8   libgklayout.dylib             	0x00000001152655db nsDisplayWrapList::Paint(nsDisplayListBuilder*, nsIRenderingContext*) + 41 (nsDisplayList.cpp:925)
9   libgklayout.dylib             	0x000000011526574c nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*) + 90 (nsDisplayList.cpp:1121)
10  libgklayout.dylib             	0x0000000115265596 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*) const + 112 (nsDisplayList.cpp:407)
...
Looks like the same bug/cause as bug 525984.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
I don't think this is a duplicate.  It still crashes with a patch in place for 525984.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Ah.  mQuartzSurface needs nsnull treatment, and needs error checking to make sure it's valid when ThebesSurface() is called.
Keywords: crash
Summary: Null deref crash in _moz_cairo_surface_flush / nsGLPbufferCGL::ThebesSurface() → Null deref crash in [@ _moz_cairo_surface_flush - gfxASurface::Flush - nsGLPbufferCGL::ThebesSurface]
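The null check the comment above asks for, as an added illustration rather than Gecko's own nsGLPbufferCGL code: a constructed pbuffer whose surface creation fails for an oversized canvas leaves mQuartzSurface null, and both the accessor and its caller treat that as a failed render instead of dereferencing it. MockSurface, MockPbuffer, kMaxDim, RenderFrame and the two scenario functions are assumed names.

```cpp
#include <memory>

// Hypothetical stand-ins for the cairo/Thebes surface and the pbuffer wrapper;
// all names here are constructed for this example, not Gecko's own.
struct MockSurface {
    bool flushed = false;
    void Flush() { flushed = true; }
};

// Resize() fails for an oversized width (the report's "canvas with large
// width") and leaves the surface pointer null, the state the accessor must
// tolerate.
class MockPbuffer {
public:
    static constexpr int kMaxDim = 4096;  // constructed limit for the example
    bool Resize(int width, int height) {
        if (width <= 0 || height <= 0 || width > kMaxDim || height > kMaxDim) {
            mQuartzSurface.reset();  // failure path: nothing backs this pbuffer
            return false;
        }
        mQuartzSurface = std::make_unique<MockSurface>();
        return true;
    }

    // Hardened accessor. The crashing pattern was the unchecked form
    // `mQuartzSurface->Flush();`, which through a null pointer reads a small
    // offset from address zero (the report's KERN_INVALID_ADDRESS at 0x14).
    MockSurface* ThebesSurface() {
        if (!mQuartzSurface) return nullptr;  // report failure, never deref
        mQuartzSurface->Flush();
        return mQuartzSurface.get();
    }

private:
    std::unique_ptr<MockSurface> mQuartzSurface;
};

// Caller-side check, as the Render() step would need: skip painting from a
// null surface instead of crashing.
bool RenderFrame(MockPbuffer& pb) {
    MockSurface* s = pb.ThebesSurface();
    return s != nullptr && s->flushed;
}
// Constructed scenarios: oversized resize fails safely; normal resize renders.
bool OversizedResizeIsSafe() {
    MockPbuffer pb;
    return !pb.Resize(100000, 16) && pb.ThebesSurface() == nullptr && !RenderFrame(pb);
}
bool NormalResizeRenders() { MockPbuffer pb; return pb.Resize(256, 256) && RenderFrame(pb); }
```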
nsGLPbufferCGL::ThebesSurface() exists on the 1.9.2 branch but not WebGLContext. Is there some way other than WebGL to get to the buggy code, or was that NPOTB on 1.9.2?

Definitely not in FF 3.5 (1.9.1-branch).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase
Whiteboard: [sg:dos null-deref]
Component: Canvas: 2D → Canvas: WebGL
nsGLPbufferCGL is gone
Status: NEW → RESOLVED
Closed: 15 years ago → 14 years ago
Resolution: --- → INVALID
Crash Signature: [@ _moz_cairo_surface_flush - gfxASurface::Flush - nsGLPbufferCGL::ThebesSurface]