Closed Bug 968204 Opened 10 years ago Closed 10 years ago

Faulty: ABORT: "Incompatibe surface type" in CanvasLayerComposite::Initialize under LayerTransactionParent::RecvUpdate, TColorLayerAttributes case

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30

People

(Reporter: bjacob, Assigned: bjacob)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Faulty session
37.15 KB, text/plain
Details
Attached file Faulty session 
Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067

This seems like we're trying to reinterpret a CanvasLayer as... a ColorLayer?

Indeed we have:

  enum LayerType {
    TYPE_CANVAS,
    TYPE_COLOR,
    TYPE_CONTAINER,
    TYPE_IMAGE,
    TYPE_READBACK,
    TYPE_REF,
    TYPE_SHADOW,
    TYPE_THEBES
  };

So for Faulty to cause a CanvasLayer to be reinterpreted as a ColorLayer, all it would have to do would be to change a 0 into a 1, which it did a few times in time session.
Classification: PLayerTransaction, wrong layer type, hard
Depends on: PReinterpretCast
Fixed by the landing of PLayerTransaction type checks before casting layers, bug 968833.
Assignee: nobody → bjacob
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: