Closed Bug 1334647 Opened 8 years ago Closed 8 years ago

Canvas 2D crash: Assertion failure: [GFX1]: Unexpected invalid target in a Canvas2d [@mozilla::dom::CanvasRenderingContext2D::DrawImage]

Categories

(Core :: Graphics: Canvas2D, defect, P3)

Product:
Core
Component:
Graphics: Canvas2D
Platform:
x86_64
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox52 --- fixed
firefox53 --- fixed
firefox54 --- fixed

People

(Reporter: posidron, Assigned: lsalzman)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [gfx-noted])

Attachments

(3 files)

testcase
478 bytes, text/html
Details
make canvas.drawImage trigger a JS error rather than a critical error on an invalid target
1.16 KB, patch
rhunt
: review+
jcristau
: approval-mozilla-aurora+
jcristau
: approval-mozilla-beta+
Details | Diff | Splinter Review
add crashtest for bug 1334647
1.42 KB, patch
rhunt
: review+
Details | Diff | Splinter Review
Attached file testcase
Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/54cecb685bca #0 0x1121c1c9a in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2643c9a) #1 0x1121c1a7d in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::Flush() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2643a7d) #2 0x1156b8372 in mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmap const&, double, double, double, double, double, double, double, double, unsigned char, mozilla::ErrorResult&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5b3a372) #3 0x1144a724e in mozilla::dom::CanvasRenderingContext2DBinding::drawImage(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x492924e) #4 0x115591bb9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5a13bb9) #5 0x11bdefb4f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc271b4f) #6 0x11bdd3e28 in Interpret(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc255e28) #7 0x11bdb7887 in js::RunScript(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc239887) #8 0x11bdf3e8b in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc275e8b) #9 0x11bdf4c6a in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc276c6a) #10 0x11c9ffd64 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xce81d64) #11 0x11ca00bd2 in Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xce82bd2) #12 0x113324fbf in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x37a6fbf) #13 0x1133268b5 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x37a88b5) #14 0x1133c8dd7 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x384add7) #15 0x1133c4d74 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3846d74) #16 0x1133a53b2 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x38273b2) #17 0x1133a1055 in nsScriptElement::MaybeProcessScript() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3823055) #18 0x11217d5ca in nsHtml5TreeOpExecutor::RunScript(nsIContent*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x25ff5ca) #19 0x11217b2d9 in nsHtml5TreeOpExecutor::RunFlushLoop() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x25fd2d9) #20 0x11218249e in nsHtml5ExecutorFlusher::Run() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x260449e) #21 0x10fe74540 in nsThread::ProcessNextEvent(bool, bool*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2f6540) #22 0x10fe6c810 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2ee810) #23 0x1178e7d0f in nsBaseAppShell::NativeEventCallback() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7d69d0f) #24 0x1179f7bb4 in nsAppShell::ProcessGeckoEvents(void*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7e79bb4) #25 0x7fffcd058980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7980) #26 0x7fffcd039a7c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88a7c) #27 0x7fffcd038f75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87f75) #28 0x7fffcd038973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973) #29 0x7fffcc5c4acb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30acb) #30 0x7fffcc5c4808 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30808) #31 0x7fffcc5c4735 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30735) #32 0x7fffcab6aae3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x46ae3) #33 0x7fffcb2e521e in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c121e) #34 0x1179f610c in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7e7810c) #35 0x7fffcab5f464 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3b464) #36 0x1179f9017 in nsAppShell::Run() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7e7b017) #37 0x11a067628 in XRE_RunAppShell() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xa4e9628) #38 0x110e54fba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x12d6fba) #39 0x110d8c207 in MessageLoop::RunInternal() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x120e207) #40 0x110d8becc in MessageLoop::Run() (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x120decc) #41 0x11a0668f0 in XRE_InitChildProcess(int, char**, XREChildData const*) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xa4e88f0) #42 0x1058a7675 in content_process_main(mozilla::Bootstrap*, int, char**) (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container+0x100002675) #43 0x1058a7945 in main (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container+0x100002945) #44 0x1058a6343 in start (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container+0x100001343) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2643c9a) in mozilla::gfx::Log<1, mozilla::gfx::CriticalLogger>::WriteLog(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) Command: /srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container -appdir /srv/mozilla/mozilla-inbound/ff-x86_64-apple-darwin16.3.0-asan-debug/dist/NightlyDebug.app/Contents/Resources/browser -profile /var/folders/ph/3q0jpmfd0j55k72jc86s9x0c0000gn/T/tmpln0ag4eh 62860 org.mozilla.machname.2072582403 tab ==63012==ABORTING
Blocks: 1313884
Has Regression Range: --- → yes
Has STR: --- → yes
Keywords: regression
Priority: -- → P3
Whiteboard: [gfx-noted]
The critical error in bug 1313884, while intentions might have been good, was probably not carefully considered. It lacks consistency with what we do everywhere else when a canvas operation is done on an invalid canvas, that is to just throw a JS error. It is easily possible to create such invalid canvases, so it is probably not a good idea to leave the critical error in there at all.
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Attachment #8831294 - Flags: review?(rhunt)
Comment on attachment 8831294 [details] [diff] [review] make canvas.drawImage trigger a JS error rather than a critical error on an invalid target You're right that's better. It was intended as a diagnostic crash and should have been backed out after bug 1318283 was resolved.
Attachment #8831294 - Flags: review?(rhunt) → review+
Pushed by lsalzman@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/a991ec4c6d06 make canvas.drawImage trigger a JS error rather than a critical error on an invalid target. r=rhunt
IIUC, 53 is also affected but not 52.
status-firefox52: --- → unaffected
status-firefox53: --- → affected
ni'ing myself for uplift once this lands on central. It also seems this affects 52, as that was when the first patch landed from bug 1313884.
status-firefox52: unaffectedaffected
Flags: needinfo?(lsalzman)
https://hg.mozilla.org/mozilla-central/rev/a991ec4c6d06
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox54: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Can we land a test for this as well?
Flags: in-testsuite?
Comment on attachment 8831294 [details] [diff] [review] make canvas.drawImage trigger a JS error rather than a critical error on an invalid target Approval Request Comment [Feature/Bug causing the regression]: bug 1313884 [User impact if declined]: Using canvas.drawImage in JS may trigger critical errors. [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: yes [Needs manual test from QE? If yes, steps to reproduce]: no [List of other uplifts needed for the feature/fix]: aurora (53), beta (52) [Is the change risky?]: no [Why is the change risky/not risky?]: Turns a critical error into a JS error. [String changes made/needed]: None
Flags: needinfo?(lsalzman)
Attachment #8831294 - Flags: approval-mozilla-beta?
Attachment #8831294 - Flags: approval-mozilla-aurora?
Just makes testcase into a crashtest.
Attachment #8831779 - Flags: review?(rhunt)
Attachment #8831779 - Flags: review?(rhunt) → review+
Comment on attachment 8831294 [details] [diff] [review] make canvas.drawImage trigger a JS error rather than a critical error on an invalid target make a canvas error non-fatal, aurora53+, beta52+
Attachment #8831294 - Flags: approval-mozilla-beta?
Attachment #8831294 - Flags: approval-mozilla-beta+
Attachment #8831294 - Flags: approval-mozilla-aurora?
Attachment #8831294 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: