Closed Bug 1342694 Opened 7 years ago Closed 3 years ago

[OffscreenCanvas] Crash in mozilla::WebGLContext::FromDomElem when uploading canvas as WebGL texture

Categories

(Core :: Graphics: CanvasWebGL, defect, P5)

Product:
Core
Component:
Graphics: CanvasWebGL
Version:
54 Branch
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: ashley, Assigned: mtseng)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

Bug 1342694 - Get correct principal when using OffscreenCanvas.
59 bytes, text/x-review-board-request
Details 
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170225030208

Steps to reproduce:

1. Visit https://www.scirra.com/labs/bugs/offscreencanvas-texture/
2. Click 'Crash'


Actual results:

The page creates an OffscreenCanvas with a WebGL context. When you click the button it creates a temporary DOM canvas and tries to upload it to a WebGL texture via texImage2D(). The texImage2D call crashes the whole browser tab.


Expected results:

The call to texImage2D should succeed.
Severity: normal → critical
Component: Untriaged → Canvas: WebGL
Keywords: crash, testcase
Product: Firefox → Core
I tested the latest Nightly (32/64b, Win 7), I'm not able to crash with the testcase.
Still crashes for me with Nightly 54.0a1 (2017-02-27) (64-bit) on Windows 10. Although I had to flip the flag gfx.offscreencanvas.enabled to true this time for it to crash but I didn't have to previously - maybe the default was changed on that recently?
Indeed, it crashes with gfx.offscreencanvas.enabled=true.
https://crash-stats.mozilla.com/report/index/59a946f3-d1b1-4af8-8939-ce3632170227

Even 51 crashes or old versions.

NI? Morris who worked on implementation of OffscreenCanvas.
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozilla::WebGLContext::FromDomElem ]
Ever confirmed: true
Flags: needinfo?(mtseng)
Summary: [OffscreenCanvas] Crash uploading canvas as WebGL texture → [OffscreenCanvas] Crash in mozilla::WebGLContext::FromDomElem when uploading canvas as WebGL texture
I'll check this.
Assignee: nobody → mtseng
Flags: needinfo?(mtseng)
I can reproduce this.
Comment on attachment 8842297 [details]
Bug 1342694 - Get correct principal when using OffscreenCanvas.

https://reviewboard.mozilla.org/r/116164/#review118032

::: dom/canvas/WebGLTextureUpload.cpp:361
(Diff revision 1)
>          auto& srcPrincipal = sfer.mPrincipal;
> -        nsIPrincipal* dstPrincipal = GetCanvas()->NodePrincipal();
> +        nsIPrincipal* dstPrincipal;
> +        if (mOffscreenCanvas) {
> +          MOZ_ASSERT(NS_IsMainThread());
> +          nsCOMPtr<nsIGlobalObject> global = mOffscreenCanvas->GetParentObject();
> +          nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(global);

Why do we pull from the window, and not the offscreen canvas?
OffscreenCanvas doesn't have any principal info. But the OffscreenCanvas's parent object, which is window, has principal info. So I get the principal from the window instead of OffscreenCanvas.
Blocks: offscreen-canvas
Attachment #8842297 - Flags: review?(jgilbert)

OffscreenCanvas is P5 for now.

Severity: critical → minor
Priority: P3 → P5

I believe the code that caused this crash was deleted. I wrote a working implementation for WebRender in bug 1736177.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: