Closed
Bug 1183363
Opened 9 years ago
Closed 9 years ago
Canvas isPointInPath crash
Categories
(Core :: Graphics: Canvas2D, defect)
Core
Graphics: Canvas2D
Tracking
()
RESOLVED
FIXED
mozilla42
People
(Reporter: jruderman, Assigned: lsalzman)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker:CanvasRenderingContext2D])
Crash Data
Attachments
(5 files)
308 bytes,
text/html
|
Details | |
134.34 KB,
text/plain
|
Details | |
343 bytes,
text/html
|
Details | |
1.80 KB,
patch
|
bas.schouten
:
review+
ritu
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
1.15 KB,
patch
|
bas.schouten
:
review+
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•9 years ago
|
||
Reporter | ||
Comment 2•9 years ago
|
||
Reporter | ||
Comment 3•9 years ago
|
||
In both cases, mTarget is null and something tries to call a GetTransform on it.
Reporter | ||
Updated•9 years ago
|
Whiteboard: [fuzzblocker:CanvasRenderingContext2D]
Reporter | ||
Comment 4•9 years ago
|
||
I'm seeing similar problems with lots of signatures, so this effectively prevents me from fuzzing canvas.
Flags: needinfo?(jgilbert)
Comment 5•9 years ago
|
||
Canvas2D, so over to :jrmuizel.
Flags: needinfo?(jgilbert) → needinfo?(jmuizelaar)
Assignee | ||
Comment 6•9 years ago
|
||
I tracked this to a regression caused by the part 3 patch from Bas in bug 1167235.
CanvasRenderingContext2D::ReturnTarget() gets called, nulling out mTarget, so when mTarget->GetTransform() is called, mTarget is null. Prior to said patch, mTarget would have still been around by now. But it looks like the transform can be picked up from elsewhere instead of the draw target in this case. There are a few little other possible crashes nearby.
I'll work up a fixed for this soon.
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Updated•9 years ago
|
Flags: needinfo?(jmuizelaar)
Assignee | ||
Comment 7•9 years ago
|
||
This patch makes sure that EnsureWritablePath and EnsureUserSpacePath always call EnsureTarget so that any downstream users of mTarget will always have a valid mTarget to work with.
Attachment #8633296 -
Flags: review?(bas)
Updated•9 years ago
|
Attachment #8633296 -
Flags: review?(bas) → review+
Assignee | ||
Comment 8•9 years ago
|
||
Keywords: checkin-needed
Assignee | ||
Comment 9•9 years ago
|
||
Comment on attachment 8633296 [details] [diff] [review]
make EnsureWritablePath and EnsureUserSpacePath always imply EnsureTarget
Approval Request Comment
[Feature/regressing bug #]: bug 1167235 - Persist buffer provider requires that the draw target between transactions, so code that previously relied on the existence of a draw target could possibly now manipulate a null draw target.
[User impact if declined]: JS Canvas2D code can be used to crash Firefox.
[Describe test coverage new/current, TreeHerder]: mochitest
[Risks and why]: There should be little risk of regression here as concerns stability. It's possible that certain operations like IsPointInPath might slightly regress in performance due to needing to now acquire a draw target first, but in discussion this was deemed acceptable to keep the code saner/easier to understand/safer.
[String/UUID change made/needed]: None
Attachment #8633296 -
Flags: approval-mozilla-aurora?
Comment 10•9 years ago
|
||
Can we land the testcase as a crashtest too?
Flags: needinfo?(lsalzman)
Flags: in-testsuite?
Comment 11•9 years ago
|
||
Keywords: checkin-needed
Comment 12•9 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Assignee | ||
Comment 13•9 years ago
|
||
This just the testcases into a single crashtest for tracking both.
Flags: needinfo?(lsalzman)
Attachment #8634359 -
Flags: review?(bas)
Updated•9 years ago
|
Attachment #8634359 -
Flags: review?(bas) → review+
Assignee | ||
Updated•9 years ago
|
Keywords: checkin-needed
Comment 14•9 years ago
|
||
Keywords: checkin-needed
Updated•9 years ago
|
Flags: in-testsuite? → in-testsuite+
Comment 15•9 years ago
|
||
status-firefox41:
--- → affected
Comment on attachment 8633296 [details] [diff] [review]
make EnsureWritablePath and EnsureUserSpacePath always imply EnsureTarget
This has an associated crashtest and the try push looks clean. Let's uplift to Aurora.
Attachment #8633296 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 17•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•