Closed Bug 933827 Opened 6 years ago Closed 3 years ago

IPC: crash [@mozilla::layers::ThebesLayerComposite::RenderLayer]

Categories

(Core :: DOM: Content Processes, defect, critical)

ARM
Gonk (Firefox OS)
defect
Not set
critical


RESOLVED WONTFIX

People

(Reporter: posidron, Assigned: gerard-majax)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(1 file)

Attached file fuzzing-session
Tested with an opt/non-debug build of https://github.com/posidron/mozilla-central/commit/26121cb
Assignee: nobody → lissyx+mozillians
(In reply to Christoph Diehl [:cdiehl] from comment #0)
> Created attachment 825983 [details]
> fuzzing-session
> 
> Tested with an opt/non-debug build of
> https://github.com/posidron/mozilla-central/commit/26121cb

I can't find the correct commit in upstream mozilla central :(
At gfx/layers/composite/ThebesLayerComposite.cpp:140 we have a call |mBuffer->SetPaintWillResample(MayResample());|

The crash being 
0x00000000 in ?? ()
(gdb) bt
#0  0x00000000 in ?? ()
#1  0xb5902ba2 in mozilla::layers::ThebesLayerComposite::RenderLayer (this=0xaf147800, aOffset=..., aClipRect=<optimized out>)
    at ../../../../mozilla-central/gfx/layers/composite/ThebesLayerComposite.cpp:140

This would suggest that mBuffer is NULL, but this is checked at the top of ThebesLayerComposite::RenderLayer.
Christoph, I have been assigned to work on Gfx/IPC hardening. Could you please teach me how to use the IPC fuzzing tools to reproduce the present crash, and/or other crashes already filed as blockers of bug 777067?
Flags: needinfo?(cdiehl)
https://github.com/posidron/faulty/ - I have to re-write some steps a bit differently, but in general they are still valid. You don't need to check out those patched GitHub repositories; use only the patches provided in bug 777067.

The faulty.diff patch gets applied to mozilla-central or other branches.
The faulty.sh.diff patch gets applied to the B2G root folder.
The default-gecko-config.diff patch gets applied to gonk-misc/ inside the B2G root folder.

A typical command would be:

./faulty.sh -p -w -o

This would fuzz pickle messages (-p) in the content process (-w) and enable logging in your ADB shell (-o).

You might want to control the probability of how many messages shall get fuzzed; otherwise you crash very fast early on.

./faulty.sh -p -w -o -b 1000

We have no blacklisting support yet, so you need to try out some probability numbers which fit best for you.

Let me know if you have further questions. :-)
Flags: needinfo?(cdiehl)
Component: IPC → DOM: Content Processes
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX