Closed Bug 1257717 Opened 8 years ago Closed 8 years ago

Crash [@ mozilla::gfx::GetBitmapForSurface] with ctx2d.createPattern, after WebGL context loss

Categories

(Core :: Graphics: Canvas2D, defect)

critical

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: jruderman, Assigned: lsalzman)

Details

(Keywords: crash, testcase, Whiteboard: [gfx-noted])

Attachments

(3 files)

Attached file testcase
This testcase needs:
  user_pref("webgl.lose-context-on-memory-pressure", true);
and:
  https://github.com/MozillaSecurity/funfuzz/tree/master/dom/extension

For instructions on setting up the DOMFuzz extension, see https://bug1257090.bmoattachments.org/attachment.cgi?id=8731058
Attached file stack
Whiteboard: [gfx-noted]
We're createPattern'ing with a canvas source that fails to snapshot.

The spec, as far as createPattern goes, says: "If the image is a canvas with no data, throws an InvalidStateError exception."

That is also the only real choice of errors it seems to give us to throw here, but it fits. Rather than letting a null snapshot leak into the code and cause problems downwind, as it is doing, it seems saner to take advantage of this and throw an error.

Also, I made our Skia GetBitmapForSurface a bit more error-proof by checking for a null surface, in case any other code wants to pull the same stunt.
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Attachment #8735524 - Flags: review?(jmuizelaar)
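
A simplified, self-contained C++ model of the two checks described in the comment above, added here as an illustration; it is not the patch or Gecko code. The types (`Canvas`, `SourceSurface`, `Bitmap`, `Pattern`, `Error`) are hypothetical stand-ins, and only the function names echo the ones named in this bug.

```cpp
// Model of the fix: reject a null snapshot at the API boundary, and make
// the downstream sink tolerate null as defense in depth.
// All types are stand-ins (assumptions), not Gecko's real classes.
#include <memory>
#include <utility>

struct SourceSurface { int width; int height; };
struct Bitmap { int width = 0; int height = 0; bool valid = false; };
enum class Error { None, InvalidState };  // models NS_ERROR_DOM_INVALID_STATE_ERR

struct Canvas {
  bool contextLost = false;
  // Models GetSurfaceSnapshot(): a lost context has nothing to snapshot.
  std::shared_ptr<SourceSurface> GetSurfaceSnapshot() const {
    if (contextLost) return nullptr;
    return std::make_shared<SourceSurface>(SourceSurface{64, 64});
  }
};

// Sink hardening: return an empty, invalid bitmap instead of
// dereferencing a null surface.
Bitmap GetBitmapForSurface(const SourceSurface* surf) {
  Bitmap bmp;
  if (!surf) return bmp;
  bmp.width = surf->width;
  bmp.height = surf->height;
  bmp.valid = true;
  return bmp;
}

struct Pattern { std::shared_ptr<SourceSurface> surface; };

// Boundary check: fail at the entry point so a null snapshot never
// becomes part of a Pattern that later drawing code would consume.
std::unique_ptr<Pattern> CreatePattern(const Canvas& src, Error& err) {
  err = Error::None;
  std::shared_ptr<SourceSurface> snap = src.GetSurfaceSnapshot();
  if (!snap) {
    err = Error::InvalidState;
    return nullptr;  // early return: nothing below sees the null
  }
  return std::unique_ptr<Pattern>(new Pattern{std::move(snap)});
}
```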
Comment on attachment 8735524 [details] [diff] [review]
throw InvalidStateError when CreatePattern fails to snapshot source

Review of attachment 8735524 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/canvas/CanvasRenderingContext2D.cpp
@@ +2085,5 @@
>      if (srcCanvas) {
>        // This might not be an Azure canvas!
>        RefPtr<SourceSurface> srcSurf = srcCanvas->GetSurfaceSnapshot();
> +      if (!srcSurf) {
> +        aError.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
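
Review bot: In the `if (!srcSurf)` branch after `srcCanvas->GetSurfaceSnapshot()`, check that the `aError.Throw(...)` call is followed by an immediate `return nullptr;` as in the `imgBitmap` hunk; the quoted lines stop at the throw, and without the return the null `srcSurf` would still reach the code below.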

Since we rarely expect this to occur, I think it would be good to JS_ReportWarning(cx...) here so that people are more likely to understand what's going on when this happens.

@@ +2111,5 @@
>      EnsureTarget();
>      RefPtr<SourceSurface> srcSurf = imgBitmap.PrepareForDrawTarget(mTarget);
> +    if (!srcSurf) {
> +      aError.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
> +      return nullptr;
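
Review bot: The `if (!srcSurf)` check after `imgBitmap.PrepareForDrawTarget(mTarget)` throws the same `NS_ERROR_DOM_INVALID_STATE_ERR` as the canvas path without saying why; a one-line comment explaining that a null result means the source could not be prepared for this target would document the choice, since the spec wording cited in this bug speaks only of a canvas with no data.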

Same here.
Attachment #8735524 - Flags: review?(jmuizelaar) → review+
https://hg.mozilla.org/mozilla-central/rev/9a7955d81761
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48