Closed
Bug 931331
Opened 11 years ago
Closed 10 years ago
Skia: Double free with fillText on huge canvas
Categories
(Core :: Graphics, defect)
People
(Reporter: jruderman, Assigned: gw280)
Details
(5 keywords)
Attachments
(2 files)
With:
  user_pref("layers.use-deprecated-textures", true);
  user_pref("gfx.canvas.azure.backends", "skia");
the testcase causes a double-free.
Nightly: bp-7e72bff0-3a71-4293-8474-55edf2131026
Reporter
Comment 1•11 years ago
Comment 2•11 years ago
Not a default configuration, so not a priority, but let's try to get ahead of it.
Assignee: nobody → gwright
Comment 3•11 years ago
Is this pref'd on for any releases or platforms?
Comment 4•11 years ago
This preference is on by default on Android and B2G. The crash, the stack and the bug are in OS X-specific code. So, you're right, let's verify that this is not a problem on Android or B2G. Can we do ASAN builds for those platforms?
Keywords: qawanted
Comment 5•11 years ago
I don't think we can make Android ASAN builds (or B2G).
Comment 6•11 years ago
Can't reproduce on Android Fennec 25.0. Still working to test on B2G. Neither of which are ASan builds, of course.
Comment 7•11 years ago
The original crash didn't look like an ASan build, pretty sure they don't report to socorro. mwobensmith did not crash on Android (non-asan) but has not yet tried b2g. Are we planning on using Skia on Mac in the future? If not and this ends up only being a problem on Mac with non-default prefs and nowhere else then we can lower the severity. Even though we are crashing deep in the OS it's during a release in Firefox, and it's possible we've abused the OS object in some way.
Keywords: regressionwindow-wanted
Comment 8•11 years ago
We are planning on using Skia on the Mac, though not with "deprecated textures". So that we don't lose this one, let's keep the severity high for a bit longer?
Comment 9•11 years ago
Critsmash triage is making this a sec-high because it isn't on everywhere yet.
Updated•11 years ago
Group: gfx-core-security
Comment 10•10 years ago
George, is Skia still disabled for OSX? Is this something somebody should look at in the near term?
Flags: needinfo?(gwright)
Comment 11•10 years ago
Skia is still non-default. Bug 932958 would make the switch. On the roadmap, but not scheduled yet.
Blocks: 932958
Flags: needinfo?(gwright)
Assignee
Comment 12•10 years ago
Yes, we'd like to be able to turn it on. When I'm back from travelling I will look at whether this is still reproducible with the current version of Skia in-tree.
Comment 13•10 years ago
George, I guess you are not planning to turn it on for 29. Right?
status-firefox30: --- → affected
status-firefox31: --- → affected
tracking-firefox30: --- → +
tracking-firefox31: --- → +
Flags: needinfo?(gwright)
Comment 14•10 years ago
No, we're not going to make this the default in 29, or 30 or 31, for that matter.
Comment 15•10 years ago
OK. Thanks. So, updating the tracking flags + status accordingly. Please set the tracking flag back on the release in which Skia is going to be enabled for Mac OS X (and obviously, if that bug is not yet fixed).
Updated•10 years ago
Flags: needinfo?(gwright)
Comment 16•10 years ago
(In reply to Sylvestre Ledru [:sylvestre] from comment #15)
> OK. Thanks. So, updating the tracking flags + status accordingly.
> Please set the tracking flag back on the release in which Skia is going to
> be enabled for Mac OS X (and obviously, if that bug is not yet fixed).
Why explicitly minus this for releases? Disabled or not, it is a high rated security issue and we should take a fix if it is available.
Comment 17•10 years ago
That meant, to me, that we won't block the release of 29 because of this bug. But I will be happy to uplift any patch.
Comment 18•10 years ago
A minus on tracking is an explicit decision to *not* take a patch on a release.
Comment 19•10 years ago
No, it is not ;) We accept uplift requests even if they are not tracked.
Comment 20•10 years ago
Actually it is, based on six years of experience. We always will accept requests but an explicit minus means we've turned it away. Perhaps you're new here?
Comment 21•10 years ago
(That was meant with a smiley but, seriously, don't minus things unless you're explicitly rejecting them.)
Comment 22•10 years ago
(In reply to Al Billings [:abillings] from comment #20)
> Actually it is, based on six years of experience. We always will accept
> requests but an explicit minus means we've turned it away. Perhaps you're
> new here?
It's not Al, we take uplift nominations all the time on bugs that are not tracked. We can discuss this further off-bug if you like.
Updated•10 years ago
status-firefox32: --- → disabled
status-firefox33: --- → disabled
Comment 23•10 years ago
Ignoring the deprecated textures part, and using Steven Michaud's ASAN build from 2014/06/23 (http://people.mozilla.org/~stmichaud/bmo/firefox-asan-howto.txt), no crash on this test case on 10.9. We do have a newer Skia than when this first showed up. Jesse, do you still see this in 33?
Flags: needinfo?(jruderman)
Reporter
Comment 24•10 years ago
WFM on trunk
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jruderman)
Resolution: --- → WORKSFORME
Updated•10 years ago
Group: gfx-core-security
We don't use deprecated textures on Mac, do we? Do those even exist anymore?
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Keywords: regressionwindow-wanted
Updated•8 years ago
Group: core-security-release