Closed Bug 992999 Opened 11 years ago Closed 8 years ago

No repainting with testcase from bug 988878 and crash [@ mozilla::layers::ContentHostIncremental::TextureUpdateRequest::~TextureUpdateRequest] when closing page

Categories

(Core :: Graphics: Layers, defect)

x86
macOS
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

Bug 988878 is fixed now in the latest Nightly build on Mac OS X 10.9.2, but when I load that page, it causes Firefox to not repaint anything, so when I switch from one tab to the tab with that page loaded, the previous tab is still shown.
Closing the page causes my Nightly build to crash, so I'm going to mark this security sensitive for now.
https://crash-stats.mozilla.com/report/index/3526a7a4-3e22-4d7f-853f-342c32140407
0 XUL mozilla::layers::ContentHostIncremental::TextureUpdateRequest::~TextureUpdateRequest() gfx/layers/composite/ContentHost.h
1 XUL nsTArray_Impl<nsAutoPtr<mozilla::layers::ContentHostIncremental::Request>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() obj-firefox/x86_64/dist/include/nsAutoPtr.h
2 XUL mozilla::layers::ContentHostIncremental::~ContentHostIncremental() obj-firefox/x86_64/dist/include/nsISelectionPrivate.h
3 XUL mozilla::layers::ContentHostIncremental::~ContentHostIncremental() gfx/layers/composite/ContentHost.cpp
4 XUL mozilla::layers::CompositableParent::~CompositableParent() obj-firefox/x86_64/dist/include/mozilla/RefPtr.h
5 XUL mozilla::layers::CompositableParent::~CompositableParent() gfx/layers/composite/CompositableHost.cpp
6 XUL mozilla::layers::LayerTransactionParent::DeallocPCompositableParent(mozilla::layers::PCompositableParent*) gfx/layers/ipc/LayerTransactionParent.cpp
7 XUL mozilla::layers::PCompositableParent::OnMessageReceived(IPC::Message const&) obj-firefox/x86_64/ipc/ipdl/PCompositableParent.cpp
8 XUL mozilla::layers::PCompositorParent::OnMessageReceived(IPC::Message const&) obj-firefox/x86_64/ipc/ipdl/PCompositorParent.cpp
9 XUL mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp
10 XUL mozilla::ipc::MessageChannel::OnMaybeDequeueOne() ipc/glue/MessageChannel.cpp
Blocks: 988878
Group: core-security
Summary: No repainting with testcase from bug 988878 → No repainting with testcase from bug 988878 and crash [@ mozilla::layers::ContentHostIncremental::TextureUpdateRequest::~TextureUpdateRequest] when closing page
Crash Signature: [@ mozilla::layers::ContentHostIncremental::TextureUpdateRequest::~TextureUpdateRequest()]
Keywords: crash, reproducible
Component: Graphics → Graphics: Layers
The crash is a null-deref. It doesn't seem like we need to keep this hidden for security, but maybe we should because bug 988878 is.
Keywords: sec-other
Severity: normal → critical
Group: core-security → gfx-core-security
Crash Signature: [@ mozilla::layers::ContentHostIncremental::TextureUpdateRequest::~TextureUpdateRequest()] → [@ mozilla::layers::ContentHostIncremental::TextureUpdateRequest::~TextureUpdateRequest()] [@ mozilla::layers::ContentHostIncremental::TextureUpdateRequest::~TextureUpdateRequest]
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Group: gfx-core-security