Closed
Bug 933827
Opened 11 years ago
Closed 8 years ago
IPC: crash [@mozilla::layers::ThebesLayerComposite::RenderLayer]
Categories
(Core :: DOM: Content Processes, defect)
Tracking
RESOLVED
WONTFIX
People
(Reporter: posidron, Assigned: gerard-majax)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Attachments
(1 file)
attachment 825983: fuzzing-session (deleted), text/plain
Tested with an opt/non-debug build of https://github.com/posidron/mozilla-central/commit/26121cb
Updated•11 years ago
Assignee: nobody → lissyx+mozillians
Comment 1•11 years ago
(In reply to Christoph Diehl [:cdiehl] from comment #0)
> Created attachment 825983 [details]
> fuzzing-session
>
> Tested with an opt/non-debug build of
> https://github.com/posidron/mozilla-central/commit/26121cb
I can't find the correct commit in upstream mozilla central :(
Comment 2•11 years ago
At gfx/layers/composite/ThebesLayerComposite.cpp:140 we have a call |mBuffer->SetPaintWillResample(MayResample());|
The crash being
0x00000000 in ?? ()
(gdb) bt
#0 0x00000000 in ?? ()
#1 0xb5902ba2 in mozilla::layers::ThebesLayerComposite::RenderLayer (this=0xaf147800, aOffset=..., aClipRect=<optimized out>)
at ../../../../mozilla-central/gfx/layers/composite/ThebesLayerComposite.cpp:140
This would suggest that mBuffer is NULL, but this is checked at the top of ThebesLayerComposite::RenderLayer.
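An added triage illustration, not part of this bug and not Mozilla code: the backtrace above has frame #0 at address 0x00000000 while frame #1 sits inside RenderLayer with a non-null `this`. A crash with the program counter at zero means control flow itself went to address zero (an indirect call through a null vtable slot, a null function-pointer member, or a clobbered vtable pointer), which is a different signature from a null object dereference, where the faulting instruction is still inside a function and the frame's `this` (or another pointer argument) is zero. The script below parses gdb backtraces of the shape pasted here and reports which of the two patterns a crash matches, plus the call site that made the indirect call. Both sample backtraces are constructed for the example; the second one uses made-up function names (`Foo::Bar`, `Caller::Run`) and assumes gdb's usual `#N 0xADDR in func (args) at file:line` layout.

```python
import re

# Constructed sample backtrace in the shape of the one in comment 2:
# the program counter is zero and the caller frame has a live `this`.
SAMPLE_PC_ZERO = """\
#0  0x00000000 in ?? ()
#1  0xb5902ba2 in mozilla::layers::ThebesLayerComposite::RenderLayer (this=0xaf147800, aOffset=..., aClipRect=<optimized out>)
    at ../../../../mozilla-central/gfx/layers/composite/ThebesLayerComposite.cpp:140
"""

# Constructed sample of the other pattern: the fault happens inside a method
# whose `this` is itself null (a data read near address zero).
# Foo::Bar and Caller::Run are hypothetical names.
SAMPLE_NULL_THIS = """\
#0  0xb5900123 in Foo::Bar (this=0x0, aValue=1) at foo.cpp:42
#1  0xb5900456 in Caller::Run (this=0xaf100000) at caller.cpp:10
"""

# gdb frame line: "#N  0xADDR in func (args)"; the "0xADDR in" part is optional.
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x(?P<pc>[0-9a-fA-F]+)\s+in\s+)?"
    r"(?P<func>\S+)\s*\((?P<args>.*)\)")
# "name=value" pairs; "..." and "<optimized out>" are gdb's own placeholders.
ARG_RE = re.compile(r"(\w+)=(<optimized out>|\.\.\.|[^,]+)")
LOC_RE = re.compile(r"\bat\s+(\S+):(\d+)")


def split_frames(bt):
    """Join gdb's continuation lines ('    at file:line') onto their frame line."""
    chunks = []
    for line in bt.splitlines():
        if line.lstrip().startswith("#"):
            chunks.append(line.strip())
        elif chunks and line.strip():
            chunks[-1] += " " + line.strip()
    return chunks


def parse_frames(bt):
    """Return one dict per frame: number, pc, function, args, file, line."""
    frames = []
    for chunk in split_frames(bt):
        m = FRAME_RE.match(chunk)
        if not m:
            continue
        loc = LOC_RE.search(chunk)
        frames.append({
            "num": int(m.group("num")),
            "pc": int(m.group("pc"), 16) if m.group("pc") else None,
            "func": m.group("func"),
            "args": dict(ARG_RE.findall(m.group("args"))),
            "file": loc.group(1) if loc else None,
            "line": int(loc.group(2)) if loc else None,
        })
    return frames


def is_null(value):
    return value is not None and value.startswith("0x") and int(value, 16) == 0


def triage(bt):
    """Classify the crash: control flow went to 0, or a method ran on a null object."""
    frames = parse_frames(bt)
    if not frames:
        return {"kind": "unparsed"}
    top = frames[0]
    if top["pc"] == 0:
        caller = frames[1] if len(frames) > 1 else None
        site = (f"{caller['file']}:{caller['line']}"
                if caller and caller["file"] else "unknown")
        caller_this = caller["args"].get("this") if caller else None
        return {
            "kind": "call-through-null",
            "call_site": site,
            "caller_this": caller_this,
            # A live caller object means the indirect call itself targeted 0
            # (null vtable slot, null function-pointer member or clobbered
            # vtable pointer), not a dereference of a null object.
            "null_object": is_null(caller_this),
        }
    if is_null(top["args"].get("this")):
        return {"kind": "null-this-deref", "func": top["func"],
                "call_site": f"{top['file']}:{top['line']}" if top["file"] else "unknown"}
    return {"kind": "other", "func": top["func"]}


if __name__ == "__main__":
    for name, bt in (("pc-zero", SAMPLE_PC_ZERO), ("null-this", SAMPLE_NULL_THIS)):
        print(name, triage(bt))
```

The `this` values gdb prints come from registers or stack slots that an optimised build may have reused, so the classification is a triage hint rather than proof; the definitive check is the disassembly at the reported call site, which shows which register held the zero target and where it was loaded from.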
Comment 3•11 years ago
Christoph, I have been assigned to work on Gfx/IPC hardening. Could you please teach me how to use the IPC fuzzing tools to reproduce the present crash, and/or other crashes already filed as blockers of bug 777067?
Updated•11 years ago
Flags: needinfo?(cdiehl)
Comment 4•11 years ago
https://github.com/posidron/faulty/ - I have to re-write some steps a bit differently, but in general they are still valid. You don't need to check out those patched GitHub repositories; use only the patches provided in bug 777067.
The faulty.diff patch gets applied to mozilla-central or other branches.
The faulty.sh.diff patch gets applied to the B2G root folder.
The default-gecko-config.diff patch gets applied to gonk-misc/ inside the B2G root folder.
A typical command would be:
./faulty.sh -p -w -o
This would fuzz pickle messages (-p) in the content process (-w) and enables logging in your ADB shell (-o).
You might want to control the probability of how many messages get fuzzed; otherwise you crash very early on.
./faulty.sh -p -w -o -b 1000
We have no blacklisting support yet, so you need to try out some probability numbers that fit best for you.
Let me know if you have further questions. :-)
Flags: needinfo?(cdiehl)
Comment 5•11 years ago
Many thanks!
Updated•10 years ago
Component: IPC → DOM: Content Processes
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX