Closed Bug 1334647 Opened 3 years ago Closed 3 years ago

Canvas 2D crash: Assertion failure: [GFX1]: Unexpected invalid target in a Canvas2d [@mozilla::dom::CanvasRenderingContext2D::DrawImage]

Categories

(Core :: Canvas: 2D, defect, P3, critical)

x86_64
macOS

Tracking

RESOLVED FIXED
mozilla54
Tracking Status
firefox52 --- fixed
firefox53 --- fixed
firefox54 --- fixed

People

(Reporter: posidron, Assigned: lsalzman)

Details

(Keywords: crash, regression, testcase, Whiteboard: [gfx-noted])

Attachments

(3 files)

Attached file testcase
Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/54cecb685bca


#0 0x1121c1c9a in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2643c9a)
#1 0x1121c1a7d in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2643a7d)
#2 0x1156b8372 in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5b3a372)
#3 0x1144a724e in mozilla::dom::CanvasRenderingContext2DBinding::drawImage(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x492924e)
#4 0x115591bb9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5a13bb9)
#5 0x11bdefb4f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc271b4f)
#6 0x11bdd3e28 in Interpret(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc255e28)
#7 0x11bdb7887 in js::RunScript(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc239887)
#8 0x11bdf3e8b in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc275e8b)
#9 0x11bdf4c6a in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc276c6a)
#10 0x11c9ffd64 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xce81d64)
#11 0x11ca00bd2 in Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xce82bd2)
#12 0x113324fbf in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x37a6fbf)
#13 0x1133268b5 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x37a88b5)
#14 0x1133c8dd7 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x384add7)
#15 0x1133c4d74 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3846d74)
#16 0x1133a53b2 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x38273b2)
#17 0x1133a1055 in nsScriptElement::MaybeProcessScript() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3823055)
#18 0x11217d5ca in nsHtml5TreeOpExecutor::RunScript(nsIContent*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x25ff5ca)
#19 0x11217b2d9 in nsHtml5TreeOpExecutor::RunFlushLoop() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x25fd2d9)
#20 0x11218249e in nsHtml5ExecutorFlusher::Run() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x260449e)
#21 0x10fe74540 in nsThread::ProcessNextEvent(bool, bool*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2f6540)
#22 0x10fe6c810 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2ee810)
#23 0x1178e7d0f in nsBaseAppShell::NativeEventCallback() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7d69d0f)
#24 0x1179f7bb4 in nsAppShell::ProcessGeckoEvents(void*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7e79bb4)
#25 0x7fffcd058980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7980)
#26 0x7fffcd039a7c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88a7c)
#27 0x7fffcd038f75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87f75)
#28 0x7fffcd038973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
#29 0x7fffcc5c4acb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30acb)
#30 0x7fffcc5c4808 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30808)
#31 0x7fffcc5c4735 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30735)
#32 0x7fffcab6aae3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x46ae3)
#33 0x7fffcb2e521e in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c121e)
#34 0x1179f610c in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7e7810c)
#35 0x7fffcab5f464 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3b464)
#36 0x1179f9017 in nsAppShell::Run() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7e7b017)
#37 0x11a067628 in XRE_RunAppShell() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xa4e9628)
#38 0x110e54fba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x12d6fba)
#39 0x110d8c207 in MessageLoop::RunInternal() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x120e207)
#40 0x110d8becc in MessageLoop::Run() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x120decc)
#41 0x11a0668f0 in XRE_InitChildProcess(int, char**, XREChildData const*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xa4e88f0)
#42 0x1058a7675 in content_process_main(mozilla::Bootstrap*, int, char**) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container+0x100002675)
#43 0x1058a7945 in main (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container+0x100002945)
#44 0x1058a6343 in start (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container+0x100001343)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2643c9a) in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)

Command: /srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container -appdir /srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/Resources/browser -profile /var/folders/ph/3q0jpmfd0j55k72jc86s9x0c0000gn/T/tmpln0ag4eh 62860 org.mozilla.machname.2072582403 tab

==63012==ABORTING
Blocks: 1313884
Has Regression Range: --- → yes
Has STR: --- → yes
Keywords: regression
Priority: -- → P3
Whiteboard: [gfx-noted]
The critical error in bug 1313884, while intentions might have been good, was probably not carefully considered. It lacks consistency with what we do everywhere else when a canvas operation is done on an invalid canvas, that is to just throw a JS error. It is easily possible to create such invalid canvases, so it is probably not a good idea to leave the critical error in there at all.
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Attachment #8831294 - Flags: review?(rhunt)
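The change argued for in the comment above, as an added sketch that is not the bug's patch and not Gecko code: the same invalid-target check is shown once as a process-fatal critical error and once as an error handed back to the calling script. `Canvas2D`, `ErrorResult`, `gFatalHandler`, both `DrawImage*` variants and the thrown message are hypothetical stand-ins, and how a target becomes invalid is left out of the model.

```cpp
// Simplified model, not Gecko code: every type and function name here is hypothetical.
#include <cstdlib>
#include <functional>
#include <string>

// Fatal diagnostic hook. Defaults to aborting the process, as a debug build would.
static std::function<void(const std::string&)> gFatalHandler =
    [](const std::string&) { std::abort(); };

// Stand-in for a binding-layer error slot: when set, the script sees an exception.
struct ErrorResult {
  bool failed = false;
  std::string message;
  void Throw(const std::string& m) { failed = true; message = m; }
};
struct Canvas2D {
  bool targetValid;   // false models a canvas with no usable draw target
  int drawCalls = 0;  // draws that actually reached the target
  explicit Canvas2D(bool valid) : targetValid(valid) {}
  // Before: an invalid target raises a critical error, fatal to the process.
  void DrawImageCritical(const Canvas2D& src, ErrorResult&) {
    if (!targetValid || !src.targetValid)
      return gFatalHandler("Unexpected invalid target in a Canvas2d");
    ++drawCalls;
  }
  // After: the same condition becomes an error the calling script can catch.
  void DrawImageThrowing(const Canvas2D& src, ErrorResult& rv) {
    if (!targetValid || !src.targetValid)
      return rv.Throw("canvas draw target is invalid");  // constructed message
    ++drawCalls;
  }
};

// Draws onto an invalid canvas with the fatal hook swapped for a counter;
// returns how many fatal diagnostics fired.
static int FatalCountFor(bool useThrowing, ErrorResult& rv) {
  int fatals = 0;
  auto saved = gFatalHandler;
  gFatalHandler = [&fatals](const std::string&) { ++fatals; };
  Canvas2D src(true), dst(false);
  if (useThrowing) dst.DrawImageThrowing(src, rv);
  else dst.DrawImageCritical(src, rv);
  gFatalHandler = saved;
  return fatals;
}

int main() {
  ErrorResult rv;
  return (FatalCountFor(true, rv) == 0 && rv.failed) ? 0 : 1;
}
```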
Comment on attachment 8831294 [details] [diff] [review]
make canvas.drawImage trigger a JS error rather than a critical error on an invalid target

You're right, that's better. It was intended as a diagnostic crash and should have been backed out after bug 1318283 was resolved.
Attachment #8831294 - Flags: review?(rhunt) → review+
Pushed by lsalzman@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a991ec4c6d06
make canvas.drawImage trigger a JS error rather than a critical error on an invalid target. r=rhunt
IIUC, 53 is also affected but not 52.
ni'ing myself for uplift once this lands on central.

It also seems this affects 52, as that was when the first patch landed from bug 1313884.
Flags: needinfo?(lsalzman)
https://hg.mozilla.org/mozilla-central/rev/a991ec4c6d06
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Can we land a test for this as well?
Flags: in-testsuite?
Comment on attachment 8831294 [details] [diff] [review]
make canvas.drawImage trigger a JS error rather than a critical error on an invalid target

Approval Request Comment
[Feature/Bug causing the regression]: bug 1313884
[User impact if declined]: Using canvas.drawImage in JS may trigger critical errors.
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: aurora (53), beta (52)
[Is the change risky?]: no
[Why is the change risky/not risky?]: Turns a critical error into a JS error.
[String changes made/needed]: None
Flags: needinfo?(lsalzman)
Attachment #8831294 - Flags: approval-mozilla-beta?
Attachment #8831294 - Flags: approval-mozilla-aurora?
Just makes testcase into a crashtest.
Attachment #8831779 - Flags: review?(rhunt)
Attachment #8831779 - Flags: review?(rhunt) → review+
Comment on attachment 8831294 [details] [diff] [review]
make canvas.drawImage trigger a JS error rather than a critical error on an invalid target

make a canvas error non-fatal, aurora53+, beta52+
Attachment #8831294 - Flags: approval-mozilla-beta?
Attachment #8831294 - Flags: approval-mozilla-beta+
Attachment #8831294 - Flags: approval-mozilla-aurora?
Attachment #8831294 - Flags: approval-mozilla-aurora+