Open
Bug 1404059
Opened 7 years ago
Updated 2 years ago
Assertion failure: aPrincipal, at /builds/worker/workspace/build/src/dom/canvas/ImageBitmap.cpp:320
Categories
(Core :: Graphics: Canvas2D, defect, P2)
Tracking
()
NEW
Release | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox55 | --- | unaffected |
firefox56 | --- | wontfix |
firefox57 | --- | wontfix |
firefox58 | --- | wontfix |
firefox59 | --- | ? |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [gfx-noted])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 76a26ef7c493. Please note, testcase needs to be served by a local webserver in order to reproduce the assertion.
Flags: in-testsuite?
Do we have the rest of the stack? To me, this looks like a bad assert - only one of the three callers checks for a valid principal, but it'd be good to see where it's coming from.
Assignee: nobody → milan
status-firefox55:
--- → wontfix
status-firefox56:
--- → fix-optional
status-firefox57:
--- → fix-optional
status-firefox58:
--- → fix-optional
Flags: needinfo?(jkratzer)
Priority: -- → P2
Whiteboard: [gfx-noted]
Reporter
Comment 2•7 years ago
Flags: needinfo?(jkratzer)
Updated•7 years ago
Flags: needinfo?(milan)
Comment 3•7 years ago
INFO: Last good revision: 5cac74206e4e96e652289c80f2499827c0907162
INFO: First bad revision: a1e773337202d436865cbdd1fa375277efada840
INFO: Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5cac74206e4e96e652289c80f2499827c0907162&tochange=a1e773337202d436865cbdd1fa375277efada840

Note that newer builds sometimes seem to require a reload before hitting the assert. Seems similarish to bug 1391211?
Blocks: 1375940
Has Regression Range: --- → yes
status-firefox-esr52:
--- → unaffected
Version: unspecified → 56 Branch
Nika, thoughts given the regression range in comment 3?
Flags: needinfo?(milan) → needinfo?(nika)
Comment 5•7 years ago
(In reply to Milan Sreckovic [:milan] from comment #4)
> Nika, thoughts given the regression range in comment 3?

My change which is being pointed at here likely isn't causing a new problem - it's just a new way to trigger an existing problem. After my change, window.open() more reliably (it has done so in the past, just less often) spins a nested event loop during its call.

What this suggests is that spinning the nested event loop in that fuzz sample somehow causes the ImageData to enter an invalid state where it doesn't have a principal, which causes a crash. I haven't looked deeply into what might be the root cause of this invalid state or the crash as I don't know the code very well.
Flags: needinfo?(nika)
Updated•6 years ago
Keywords: intermittent-failure
Comment 7•6 years ago
https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals
status-firefox59:
--- → ?
Updated•6 years ago
Assignee: milaninbugzilla → nobody
Updated•6 years ago
Keywords: regression
Updated•2 years ago
Severity: normal → S3