Closed
Bug 971262
Opened 12 years ago
Closed 11 years ago
Faulty: Segfault in SurfaceDescriptor::type() under DeprecatedImageHostSingle::MakeDeprecatedTextureHost
Categories
(Core :: Graphics, defect)
RESOLVED
FIXED
mozilla30
People
(Reporter: bjacob, Assigned: bjacob)
References
(Blocks 1 open bug)
Details
(Keywords: sec-critical, Whiteboard: [qa-])
Attachments
(1 file)
13.06 KB,
text/plain
Found by Christoph Diehl's "Faulty" fuzzer, see bug 777067
Comment 1 (Assignee) • 12 years ago
Interesting bit in the log:
2:47.23 [Faulty] pickle field {int} of value: 9 changed to: 1
2:47.24 [Parent 19847] ###!!! ASSERTION: should be implemented or not used: 'Error', file /hack/mozilla-central/gfx/layers/composite/CompositableHost.h, line 138
this is
  virtual bool UpdateThebes(const ThebesBufferData& aData,
                            const nsIntRegion& aUpdated,
                            const nsIntRegion& aOldValidRegionBack,
                            nsIntRegion* aUpdatedRegionBack)
  {
    NS_ERROR("should be implemented or not used");
    return false;
  }
these 9 and 1 values here are defined in CompositorTypes.h:
enum CompositableType
{
  BUFFER_UNKNOWN,
  // the deprecated compositable types
  BUFFER_IMAGE_SINGLE,    // image/canvas with a single texture, single buffered
  BUFFER_IMAGE_BUFFERED,  // canvas, double buffered
  BUFFER_BRIDGE,          // image bridge protocol
  BUFFER_CONTENT,         // thebes layer interface, single buffering
  BUFFER_CONTENT_DIRECT,  // thebes layer interface, double buffering
  BUFFER_CONTENT_INC,     // thebes layer interface, only sends incremental
                          // updates to a texture on the compositor side.
  BUFFER_TILED,           // tiled thebes layer
  // the new compositable types
  COMPOSITABLE_IMAGE,           // image with single buffering
  COMPOSITABLE_CONTENT_SINGLE,  // thebes layer interface, single buffering
  COMPOSITABLE_CONTENT_DOUBLE,  // thebes layer interface, double buffering
  BUFFER_COUNT
};
So 9 is COMPOSITABLE_CONTENT_SINGLE, i.e. a ContentHost, and 1 is BUFFER_IMAGE_SINGLE, i.e. an ImageHost.
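Added example, not part of the bug report and not the fix that landed in bug 969549: a receiver-side check for the mismatch analysed in comment 1, where the mutated value 1 is in range but names an image host while a Thebes update expects a content host. `HostKind`, `Op`, `ClassifyWireType` and `MayDispatch` are hypothetical names, and the grouping of enum values into kinds is an assumption taken from the comments in the quoted enum.

```cpp
#include <cstdint>

// Values copied from the CompositorTypes.h excerpt quoted in comment 1.
enum CompositableType {
  BUFFER_UNKNOWN,
  BUFFER_IMAGE_SINGLE, BUFFER_IMAGE_BUFFERED, BUFFER_BRIDGE,
  BUFFER_CONTENT, BUFFER_CONTENT_DIRECT, BUFFER_CONTENT_INC, BUFFER_TILED,
  COMPOSITABLE_IMAGE, COMPOSITABLE_CONTENT_SINGLE, COMPOSITABLE_CONTENT_DOUBLE,
  BUFFER_COUNT
};

// Hypothetical names below; the grouping follows the enum's own comments.
enum class HostKind { Invalid, Image, Content, Tiled };
enum class Op { UpdateThebes, UpdateImage };

// Range-check the raw integer from the message before treating it as an enum.
HostKind ClassifyWireType(int32_t raw) {
  if (raw <= BUFFER_UNKNOWN || raw >= BUFFER_COUNT) {
    return HostKind::Invalid;
  }
  switch (static_cast<CompositableType>(raw)) {
    case BUFFER_IMAGE_SINGLE:
    case BUFFER_IMAGE_BUFFERED:
    case BUFFER_BRIDGE:
    case COMPOSITABLE_IMAGE:
      return HostKind::Image;
    case BUFFER_CONTENT:
    case BUFFER_CONTENT_DIRECT:
    case BUFFER_CONTENT_INC:
    case COMPOSITABLE_CONTENT_SINGLE:
    case COMPOSITABLE_CONTENT_DOUBLE:
      return HostKind::Content;
    case BUFFER_TILED:
      return HostKind::Tiled;
    default:
      return HostKind::Invalid;
  }
}

// An in-range value can still name the wrong kind of host (9 -> 1 in the log),
// so the receiver also checks that the operation fits the host kind and
// rejects the message instead of dispatching it.
bool MayDispatch(Op op, int32_t rawHostType) {
  const HostKind kind = ClassifyWireType(rawHostType);
  switch (op) {
    case Op::UpdateThebes: return kind == HostKind::Content;
    case Op::UpdateImage:  return kind == HostKind::Image;
  }
  return false;
}
```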
Comment 2 (Assignee) • 12 years ago
Based on that, I suspect that this is a manifestation of bug 969549.
Depends on: 969549
Updated • 12 years ago
Keywords: sec-critical
Updated • 11 years ago
status-firefox29: --- → disabled
Comment 3 (Assignee) • 11 years ago
Fixed by the landing of bug 969549.
Assignee: nobody → bjacob
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated • 11 years ago
status-firefox28: --- → disabled
Target Milestone: --- → mozilla30
Updated • 11 years ago
status-firefox-esr24: --- → unaffected
Comment 4 • 11 years ago
Marking [qa-] for desktop QA verification. FxOS QA may choose to verify at a later date.
Whiteboard: [qa-]
Updated • 10 years ago
Group: core-security