Closed Bug 676918 Opened 14 years ago Closed 14 years ago

[ANGLE] crash from CanvasLayerD3D9::UpdateSurface [@ gl::Context::readPixels(int, int, int, int, unsigned int, unsigned int, void*) ]

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8
Tracking Flags:
Tracking Status
firefox7 - wontfix
firefox8 + fixed
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: bjacob, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [sg:high?][qa?])

I got this following the STR from bug 675634, having locked my screen as suggested in bug 675634 comment 7. The crash occured some time after unlocking. Instead of getting bug 675634, I got this new one. Crash link: https://crash-stats.mozilla.com/report/index/bp-b97104c7-6074-4ff8-b13f-f33742110805 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0xffffffffc2782607 0 libGLESv2.dll gl::Context::readPixels gfx/angle/src/libglesv2/Context.cpp:2128 1 libGLESv2.dll glReadPixels gfx/angle/src/libglesv2/libGLESv2.cpp:3956 2 xul.dll mozilla::gl::GLContext::ReadPixelsIntoImageSurface gfx/thebes/GLContext.cpp:1223 3 xul.dll mozilla::layers::CanvasLayerD3D9::UpdateSurface gfx/layers/d3d9/CanvasLayerD3D9.cpp:131 4 xul.dll mozilla::layers::CanvasLayerD3D9::RenderLayer gfx/layers/d3d9/CanvasLayerD3D9.cpp:211 The crash line is: http://hg.mozilla.org/releases/mozilla-beta/file/f327eb465d32/gfx/angle/src/libGLESv2/Context.cpp#l2128 2109 IDirect3DSurface9 *systemSurface; 2110 HRESULT result = device->CreateOffscreenPlainSurface(desc.Width, desc.Height, desc.Format, D3DPOOL_SYSTEMMEM, &systemSurface, NULL); 2111 2112 if (result == D3DERR_OUTOFVIDEOMEMORY || result == E_OUTOFMEMORY) 2113 { 2114 return error(GL_OUT_OF_MEMORY); 2115 } 2116 2117 ASSERT(SUCCEEDED(result)); 2118 2119 if (desc.MultiSampleType != D3DMULTISAMPLE_NONE) 2120 { 2121 UNIMPLEMENTED(); // FIXME: Requires resolve using StretchRect into non-multisampled render target 2122 } 2123 2124 result = device->GetRenderTargetData(renderTarget, systemSurface); 2125 2126 if (FAILED(result)) 2127 { 2128 systemSurface->Release(); ////// <--- CRASH HERE So maybe we need to check that CreateOffscreenPlainSurface succeeded?
Checks improved in ANGLE r719.
Not sure of the severity here, potentially reading data off other pages/tabs you have open?
Keywords: crash
See Also: → http://code.google.com/p/angleproject/issues/detail?id=194
Whiteboard: [sg:high?]
Maybe, yes. Though for that you would have to trigger this bug without crashing. Will import ANGLE r719.
Imported ANGLE r719: http://hg.mozilla.org/mozilla-central/rev/ddf7263c56d7
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
status-firefox10: --- → fixed
status-firefox7: --- → wontfix
status-firefox8: --- → fixed
status-firefox9: --- → fixed
tracking-firefox10: --- → +
tracking-firefox7: --- → -
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Target Milestone: --- → mozilla8
How widespread/reproducible is this crash? Is there something QA can do to verify the fix?
Whiteboard: [sg:high?] → [sg:high?][qa?]
Group: core-security
You need to log in before you can comment on or make changes to this bug.