Closed Bug 805948 Opened 12 years ago Closed 12 years ago

b2g crash on 'browser pairs' from marketplace

Categories

(Firefox OS Graveyard :: General, defect, P2)

x86
macOS
defect

Tracking

(blocking-basecamp:+, firefox18 fixed, firefox19 fixed)

RESOLVED FIXED
blocking-basecamp +
Tracking Status
firefox18 --- fixed
firefox19 --- fixed

People

(Reporter: mgoodwin, Assigned: mattwoodrow)


Details

(Keywords: crash, csectype-dos)

Attachments

(1 file)

Issue: Phone crash and reboot on playing 'browser pairs' from marketplace
STR:
1) Log in to marketplace
2) Install 'browser pairs'
3) Start 'browser pairs'
4) Start a game
5) Attempt to turn a card
6) Observe crash
Mark - Is this a reproducible crash?
blocking-basecamp: --- → ?
Keywords: crash
P3 basecamp nomination.
Priority: -- → P3
Why is this a sec bug also? I don't understand why this is a security bug.
(In reply to Jason Smith [:jsmith] from comment #1)
> Mark - Is this a reproducible crash?
Yes, consistently reproducible on Nexus S and Otoro.
(In reply to Jason Smith [:jsmith] from comment #3)
> Why is this a sec bug also? I don't understand why this is a security bug.
Ah, I'd assumed that reproducible DoS would be security - correct me if wrong :)
Backtrace is as follows:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 294.316]
nsDisplayTransform::GetResultingTransformMatrixInternal (aFrame=0x0, aOrigin=..., aAppUnitsPerPixel=60, aBoundsOverride=0x47fa34e0, aTransformOverride=0x47921ec0, aToMozOrigin=0x47fa34b0, aToPerspectiveOrigin=0x47fa34c8, aChildPerspective=0x47fa34f0, aOutAncestor=0x0) at /Users/mgoodwin/b2g/B2G/gecko/layout/base/nsDisplayList.cpp:3661
3661 aAppUnitsPerPixel);
(gdb) bt
#0 nsDisplayTransform::GetResultingTransformMatrixInternal (aFrame=0x0, aOrigin=..., aAppUnitsPerPixel=60, aBoundsOverride=0x47fa34e0, aTransformOverride=0x47921ec0, aToMozOrigin=0x47fa34b0, aToPerspectiveOrigin=0x47fa34c8, aChildPerspective=0x47fa34f0, aOutAncestor=0x0) at /Users/mgoodwin/b2g/B2G/gecko/layout/base/nsDisplayList.cpp:3661
#1 0x40821994 in nsDisplayTransform::GetResultingTransformMatrix (aFrame=0x0, aOrigin=..., aAppUnitsPerPixel=15.4888382, aBoundsOverride=0x47fa34e0, aTransformOverride=0x47921ec0, aToMozOrigin=0x47fa34b0, aToPerspectiveOrigin=0x47fa34c8, aChildPerspective=0x47fa34f0, aOutAncestor=0x0) at /Users/mgoodwin/b2g/B2G/gecko/layout/base/nsDisplayList.cpp:3566
#2 0x40f65b36 in SampleValue (aLayer=0x4f7efc90, aPoint=...) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:657
#3 SampleAnimations (aLayer=0x4f7efc90, aPoint=...) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:718
#4 0x40f65da6 in SampleAnimations (aLayer=0x4f55bc90, aPoint=...) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:739
#5 0x40f65da6 in SampleAnimations (aLayer=0x509b7c90, aPoint=...) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:739
#6 0x40f65da6 in SampleAnimations (aLayer=0x509b7490, aPoint=...) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:739
#7 0x40f65da6 in SampleAnimations (aLayer=0x4f7eb490, aPoint=...) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:739
#8 0x40f65da6 in SampleAnimations (aLayer=0x47998c90, aPoint=...) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:739
#9 0x40f65e1c in mozilla::layers::CompositorParent::TransformShadowTree (this=0x439df850, aCurrentFrame=...) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:791
#10 0x40f663a0 in mozilla::layers::CompositorParent::Composite (this=0x439df850) at /Users/mgoodwin/b2g/B2G/gecko/gfx/layers/ipc/CompositorParent.cpp:519
#11 0x40de45b2 in DispatchToMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)()> ( this=<value optimized out>) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/tuple.h:383
#12 RunnableMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)(), Tuple0>::Run ( this=<value optimized out>) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/task.h:307
#13 0x40f0a720 in MessageLoop::RunTask (this=0x4695adf0, task=0x0) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:333
#14 0x40f0b576 in MessageLoop::DeferOrRunPendingTask (this=0x46959eb8, pending_task=<value optimized out>) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:341
#15 0x40f0c154 in MessageLoop::DoWork (this=0x4695adf0) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:441
#16 0x40f0c3d4 in base::MessagePumpDefault::Run (this=0x4590b2e0, delegate=0x4695adf0) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/message_pump_default.cc:23
#17 0x40f0a6d0 in MessageLoop::RunInternal (this=0x4ccfc) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:215
#18 0x40f0a786 in MessageLoop::RunHandler (this=0x4695adf0) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:208
#19 MessageLoop::Run (this=0x4695adf0) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:182
#20 0x40f12ae4 in base::Thread::ThreadMain (this=0x4590a400) at /Users/mgoodwin/b2g/B2G/gecko/ipc/chromium/src/base/thread.cc:156
What's the crashing line of code? What's the value of the pointer we're crashing trying to read? I strongly suspect this isn't ss but it might affect FF.
Switching this to a P2 basecamp nomination.
Priority: P3 → P2
Matt, dump this bug back to me or someone else if you're overloaded.
Assignee: nobody → matt.woodrow
CC'ing dzbarsky since this is coming from OMTA.
blocking-basecamp: ? → +
Mark: Would it be possible to reproduce this again and find the answers to the questions in comment 6 please? I don't have a debug b2g build handy.
(In reply to Matt Woodrow (:mattwoodrow) from comment #10)
> Mark: Would it be possible to reproduce this again and find the answers to
> the questions in comment 6 please?
>
> I don't have a debug b2g build handy.
Yeah, I'll give it a go.
I got it:
(gdb) frame 0
#0 nsDisplayTransform::GetResultingTransformMatrixInternal (aFrame=0x0, aOrigin=..., aAppUnitsPerPixel=60, aBoundsOverride=0x47b19360, aTransformOverride=0x4db48660, aToMozOrigin=0x47b19330, aToPerspectiveOrigin=0x47b19348, aChildPerspective=0x47b19370, aOutAncestor=0x0) at /Users/mgoodwin/b2g/B2G/gecko/layout/base/nsDisplayList.cpp:3661
3661 aAppUnitsPerPixel);
(gdb) list
3656
3657 if (nsLayoutUtils::Are3DTransformsEnabled() && perspectiveCoord > 0.0) {
3658 gfx3DMatrix perspective;
3659 perspective._34 =
3660 -1.0 / NSAppUnitsToFloatPixels(parentDisp->mChildPerspective.GetCoordValue(),
3661 aAppUnitsPerPixel);
3662 /* At the point when perspective is applied, we have been translated to the transform origin.
3663 * The translation to the perspective origin is the difference between these values.
3664 */
3665 gfxPoint3D toPerspectiveOrigin = aFrame ? GetDeltaToMozPerspectiveOrigin(aFrame, aAppUnitsPerPixel) : *aToPerspectiveOrigin;
(gdb) p aAppUnitsPerPixel
$7 = 60
(gdb) p parentDisp
$6 = (const nsStyleDisplay *) 0x0
So we're trying to get mChildPerspective on a null parentDisp in line 3660.
Group: core-security
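As an added illustration (not Gecko's code and not the attached patch), the shape of the null dereference above in a reduced C++ form: on the compositor path the caller passes aFrame=0x0 and hands the values it sampled on the main thread through the override pointers, so the perspective read must fall back to aChildPerspective the same way line 3665 already falls back to *aToPerspectiveOrigin. The struct and function names below are stand-ins, not Gecko's definitions.

```cpp
#include <cassert>
#include <cstddef>

// Stand-ins for the Gecko types involved (constructed for this example).
struct nsStyleDisplay { float mChildPerspective; };     // child perspective, in app units
struct nsIFrame { const nsStyleDisplay* parentDisp; };  // parent's display style, may be null

static float AppUnitsToPixels(float aAppUnits, float aAppUnitsPerPixel) {
  return aAppUnits / aAppUnitsPerPixel;
}

// Buggy shape of line 3660: always reads through parentDisp, which is null
// whenever aFrame is null (the OMTA case). Returns false where the real code
// would fault, so the failure mode is observable in a test.
bool PerspectiveBuggy(const nsIFrame* aFrame, float aAppUnitsPerPixel,
                      const float* aChildPerspective, float* aOut) {
  (void)aChildPerspective;  // override is ignored: this is the defect
  const nsStyleDisplay* parentDisp = aFrame ? aFrame->parentDisp : nullptr;
  if (!parentDisp) return false;  // real code: SIGSEGV on parentDisp->mChildPerspective
  *aOut = -1.0f / AppUnitsToPixels(parentDisp->mChildPerspective, aAppUnitsPerPixel);
  return true;
}

// Fixed shape: take the value from the frame when there is one, otherwise from
// the override the compositor supplied, and skip perspective if neither exists.
bool PerspectiveFixed(const nsIFrame* aFrame, float aAppUnitsPerPixel,
                      const float* aChildPerspective, float* aOut) {
  float perspectiveCoord;
  if (aFrame && aFrame->parentDisp) {
    perspectiveCoord = aFrame->parentDisp->mChildPerspective;
  } else if (aChildPerspective) {
    perspectiveCoord = *aChildPerspective;
  } else {
    return false;  // nothing to sample from; no perspective applied
  }
  if (perspectiveCoord <= 0.0f) return false;  // mirrors the `perspectiveCoord > 0.0` guard
  *aOut = -1.0f / AppUnitsToPixels(perspectiveCoord, aAppUnitsPerPixel);
  return true;
}
```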
Guess we weren't offloading animations with perspective previously?
Attachment #679012 - Flags: review?(jones.chris.g)
Comment on attachment 679012 [details] [diff] [review]
Use the right perspective value
Apparently not! Maybe move |aAppUnitsPerPixel| onto the same line?
Attachment #679012 - Flags: review?(jones.chris.g) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED