Closed Bug 933822 Opened 12 years ago Closed 6 years ago

IPC: crash with PLayerTransaction::Msg_PCompositableConstructor [@mozilla::layers::CompositableHost::Create]

Categories

(Core :: IPC, defect)

Product:
Core
Component:
IPC
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(1 file)

fuzzing-session
52.72 KB, text/plain
Details
Attached file fuzzing-session
Tested with an opt/non-debug build of https://github.com/posidron/mozilla-central/commit/26121cb
There's multiple issues in this one ; I/Gecko ( 1155): IPDL protocol error: Error deserializing 'data' (SerializedStructuredCloneBuffer) member of 'ClonedMessageData' I/Gecko ( 1155): IPDL protocol error: Error deserializing 'ClonedMessageData' I/Gecko ( 1155): I/Gecko ( 1155): ###!!! [Parent][DispatchSyncMessage] Error: Value error: message was deserialized, but contained an illegal value Then : I/Gecko ( 1155): IPDL protocol error: unknown union type I/Gecko ( 1155): IPDL protocol error: Error deserializing 'value' (JSVariant) member of 'CpowEntry' I/Gecko ( 1155): IPDL protocol error: Error deserializing 'CpowEntry[i]' I/Gecko ( 1155): IPDL protocol error: Error deserializing 'InfallibleTArray' I/Gecko ( 1155): I/Gecko ( 1155): ###!!! [Parent][DispatchSyncMessage] Error: Value error: message was deserialized, but contained an illegal value And then we see a bunch of JS errors: System JS : ERROR (null):0 - Permission denied to access property 'toString' System JS : ERROR (null):0 - Permission denied to access property 'message' System JS : ERROR (null):0 - uncaught exception: unknown (can't convert to string) JavaScript error: app://system.gaiamobile.org/js/storage.js, line 36: NS_ERROR_UNEXPECTED: XXX FIXME : Got a mozContentEvent: accessibility-screenreader JavaScript error: app://system.gaiamobile.org/js/attention_screen.js, line 329: app is undefined JavaScript error: app://system.gaiamobile.org/js/window_manager.js, line 1347: runningApps[displayedApp] is undefined System JS : ERROR (null):0 - Permission denied to access property 'toString' System JS : ERROR (null):0 - Permission denied to access property 'message' System JS : ERROR (null):0 - uncaught exception: unknown (can't convert to string) JavaScript error: app://system.gaiamobile.org/js/airplane_mode.js, line 65: NS_ERROR_UNEXPECTED: But then the system crashes inside gfx/layers/composite/CompositableHost.cpp ; Is there a link between both ?

This is fuzzing of an ancient B2G build, crashing in layers, so I'm going to mark this as incomplete.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: