Closed Bug 933822 Opened 6 years ago Closed 7 months ago

IPC: crash with PLayerTransaction::Msg_PCompositableConstructor [@mozilla::layers::CompositableHost::Create]

Categories

(Core :: IPC, defect, critical)

ARM
Gonk (Firefox OS)

RESOLVED INCOMPLETE

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(1 file)

Attached file fuzzing-session
Tested with an opt/non-debug build of https://github.com/posidron/mozilla-central/commit/26121cb
There are multiple issues in this one:

I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'data' (SerializedStructuredCloneBuffer) member of 'ClonedMessageData'
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'ClonedMessageData'
I/Gecko   ( 1155):
I/Gecko   ( 1155): ###!!! [Parent][DispatchSyncMessage] Error: Value error: message was deserialized, but contained an illegal value

Then:

I/Gecko   ( 1155): IPDL protocol error: unknown union type
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'value' (JSVariant) member of 'CpowEntry'
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'CpowEntry[i]'
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'InfallibleTArray'
I/Gecko   ( 1155):
I/Gecko   ( 1155): ###!!! [Parent][DispatchSyncMessage] Error: Value error: message was deserialized, but contained an illegal value

And then we see a bunch of JS errors:
System JS : ERROR (null):0 - Permission denied to access property 'toString'
System JS : ERROR (null):0 - Permission denied to access property 'message'
System JS : ERROR (null):0 - uncaught exception: unknown (can't convert to string)
JavaScript error: app://system.gaiamobile.org/js/storage.js, line 36: NS_ERROR_UNEXPECTED:
XXX FIXME : Got a mozContentEvent: accessibility-screenreader
JavaScript error: app://system.gaiamobile.org/js/attention_screen.js, line 329: app is undefined
JavaScript error: app://system.gaiamobile.org/js/window_manager.js, line 1347: runningApps[displayedApp] is undefined
System JS : ERROR (null):0 - Permission denied to access property 'toString'
System JS : ERROR (null):0 - Permission denied to access property 'message'
System JS : ERROR (null):0 - uncaught exception: unknown (can't convert to string)
JavaScript error: app://system.gaiamobile.org/js/airplane_mode.js, line 65: NS_ERROR_UNEXPECTED:


But then the system crashes inside gfx/layers/composite/CompositableHost.cpp. Is there a link between both?

This is fuzzing of an ancient B2G build, crashing in layers, so I'm going to mark this as incomplete.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → INCOMPLETE
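
A triage sketch for the two IPDL deserialization error chains in the reporter's log, grouping each run of errors with the parent-side dispatch error that follows it so that repeated rejections from a fuzzing session can be deduplicated. This is an added example, not part of the bug report or of Gecko; the function names and the choice of dedup key are assumptions, and the sample input is the log lines quoted in the report.

```python
import re

# Log lines copied from the report above (logcat tag and pid included).
SAMPLE_LOG = """\
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'data' (SerializedStructuredCloneBuffer) member of 'ClonedMessageData'
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'ClonedMessageData'
I/Gecko   ( 1155):
I/Gecko   ( 1155): ###!!! [Parent][DispatchSyncMessage] Error: Value error: message was deserialized, but contained an illegal value
I/Gecko   ( 1155): IPDL protocol error: unknown union type
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'value' (JSVariant) member of 'CpowEntry'
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'CpowEntry[i]'
I/Gecko   ( 1155): IPDL protocol error: Error deserializing 'InfallibleTArray'
I/Gecko   ( 1155):
I/Gecko   ( 1155): ###!!! [Parent][DispatchSyncMessage] Error: Value error: message was deserialized, but contained an illegal value
"""

PREFIX = re.compile(r"^I/Gecko\s+\(\s*\d+\):\s*(.*)$")
IPDL = re.compile(r"^IPDL protocol error: (.+)$")
NAMED = re.compile(r"^Error deserializing '([^']+)'")
FATAL = re.compile(r"^###!!! \[(\w+)\]\[(\w+)\] Error: (.+)$")

def parse_chains(log):
    """Group consecutive IPDL errors with the dispatch error that follows them."""
    chains, pending = [], []
    for line in log.splitlines():
        prefixed = PREFIX.match(line)
        if not prefixed:
            continue  # not a Gecko logcat line
        body = prefixed.group(1).strip()
        ipdl, fatal = IPDL.match(body), FATAL.match(body)
        if ipdl:
            pending.append(ipdl.group(1))
        elif fatal and pending:
            side, dispatcher, reason = fatal.groups()
            chains.append({"side": side, "dispatcher": dispatcher,
                           "reason": reason, "errors": pending})
            pending = []
    return chains

def signature(chain):
    """Dedup key: (first error logged, name in the last error logged)."""
    first, last = chain["errors"][0], chain["errors"][-1]
    named = NAMED.match(last)
    return (first, named.group(1) if named else last)

if __name__ == "__main__":
    for chain in parse_chains(SAMPLE_LOG):
        print(chain["side"], chain["dispatcher"], signature(chain))
```

The JS errors and the CompositableHost crash are not parsed here; the script only separates the two rejected messages so each can be compared against later sessions.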