Open Bug 1404059 Opened 7 years ago Updated 2 years ago

Assertion failure: aPrincipal, at /builds/worker/workspace/build/src/dom/canvas/ImageBitmap.cpp:320

Categories

(Core :: Graphics: Canvas2D, defect, P2)

56 Branch
defect

Tracking

Tracking Status
firefox-esr52 --- unaffected
firefox55 --- unaffected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- ?

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [gfx-noted])

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 76a26ef7c493.  Please note, testcase needs to be served by a local webserver in order to reproduce the assertion.
Flags: in-testsuite?
Do we have the rest of the stack?
To me, this looks like a bad assert - only one of the three callers checks for a valid principal, but it'd be good to see where it's coming from.
Assignee: nobody → milan
Flags: needinfo?(jkratzer)
Priority: -- → P2
Whiteboard: [gfx-noted]
Attached file Minidump stack trace
Flags: needinfo?(jkratzer)
Flags: needinfo?(milan)
INFO: Last good revision: 5cac74206e4e96e652289c80f2499827c0907162
INFO: First bad revision: a1e773337202d436865cbdd1fa375277efada840
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5cac74206e4e96e652289c80f2499827c0907162&tochange=a1e773337202d436865cbdd1fa375277efada840

Note that newer builds sometimes seem to require a reload before hitting the assert. Seems similarish to bug 1391211?
Blocks: 1375940
Has Regression Range: --- → yes
Version: unspecified → 56 Branch
Nika, thoughts given the regression range in comment 3?
Flags: needinfo?(milan) → needinfo?(nika)
(In reply to Milan Sreckovic [:milan] from comment #4)
> Nika, thoughts given the regression range in comment 3?

My change which is being pointed at here likely isn't causing a new problem - it's just a new way to trigger an existing problem. After my change, window.open() more reliably (it has done so in the past, just less often) spins a nested event loop during its call. 

What this suggests is that spinning the nested event loop in that fuzz sample somehow causes the ImageData to enter an invalid state where it doesn't have a principal, which causes a crash. I haven't looked deeply into what might be the root cause of this invalid state or the crash as I don't know the code very well.
Flags: needinfo?(nika)
Assignee: milaninbugzilla → nobody
Severity: normal → S3
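Added illustration (not code from this bug or from Gecko; the types and function names below are made up for the example): a minimal C++ model of the failure mode described in comment 2 (a principal validated by only one caller, then asserted on in a shared helper) and comment 5 (a nested event loop running during the call lets the source lose its principal before the helper uses it). It contrasts a check-once pattern, where a callout between the check and the use turns a null principal into an assertion failure, with a pattern that holds a strong reference across the callout and re-validates afterwards, reporting the changed state as an ordinary error.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>

// Hypothetical stand-ins for a principal and the image source a bitmap is
// created from. They are not Gecko's types; the names are invented here.
struct Principal {
    std::string origin;
};

struct ImageSource {
    std::shared_ptr<Principal> principal;
    // Simulates the source being torn down while script runs.
    void Clear() { principal.reset(); }
};

// Stand-in for a call that spins a nested event loop (as window.open() can):
// arbitrary script may run inside it and mutate or tear down the source.
using NestedLoop = std::function<void()>;

enum class Outcome {
    Created,            // creation proceeded with a valid principal
    RejectedUpFront,    // missing principal reported as an ordinary error
    InvariantViolated   // null principal reached a helper that asserts on it
};

// Pattern 1: validate once, then call out. The helper that consumes the
// principal afterwards would assert if the callout cleared it.
Outcome CreateBitmapCheckOnce(ImageSource& src, const NestedLoop& spin) {
    if (!src.principal) {
        return Outcome::RejectedUpFront;
    }
    spin();  // reentrant callout: src may no longer be what was validated
    // Modelled assertion: the downstream helper's null-principal check.
    return src.principal ? Outcome::Created : Outcome::InvariantViolated;
}

// Pattern 2: keep a strong reference across the callout and re-validate the
// source afterwards, so a changed state becomes a clean error, not an assert.
Outcome CreateBitmapRecheck(ImageSource& src, const NestedLoop& spin) {
    std::shared_ptr<Principal> held = src.principal;  // survives Clear()
    if (!held) {
        return Outcome::RejectedUpFront;
    }
    spin();
    if (!src.principal) {
        // The source changed underneath us; reject rather than trust stale state.
        return Outcome::RejectedUpFront;
    }
    return Outcome::Created;
}

// Runs one creation function against a constructed source, optionally tearing
// the source down inside the nested loop, and reports the outcome.
Outcome RunScenario(bool tearDownDuringCallout,
                    Outcome (*create)(ImageSource&, const NestedLoop&)) {
    // Constructed sample origin; any value would do.
    ImageSource src{std::make_shared<Principal>(Principal{"https://example.test"})};
    NestedLoop spin = [&src, tearDownDuringCallout]() {
        if (tearDownDuringCallout) {
            src.Clear();
        }
    };
    return create(src, spin);
}

static const char* Name(Outcome o) {
    switch (o) {
        case Outcome::Created: return "Created";
        case Outcome::RejectedUpFront: return "RejectedUpFront";
        default: return "InvariantViolated";
    }
}

int main() {
    std::printf("check-once, no reentrancy: %s\n", Name(RunScenario(false, CreateBitmapCheckOnce)));
    std::printf("check-once, torn down:     %s\n", Name(RunScenario(true, CreateBitmapCheckOnce)));
    std::printf("recheck, torn down:        %s\n", Name(RunScenario(true, CreateBitmapRecheck)));
    return 0;
}
```

The point of the second pattern is that validation has to sit after the last reentrant callout, not before it, and that every caller (not just one of three) gets the same clean-error path instead of relying on a helper's assertion.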