Closed Bug 1430215 Opened 4 years ago Closed 4 years ago

Permanent false-positive /2dcontext/imagebitmap/createImageBitmap-invalid-args.html | application crashed [@ mozilla::dom::CheckSecurityForHTMLElements] after Assertion failure: aPrincipal

Categories

(Core :: Canvas: 2D, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla61
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- fixed
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: baku)

References

Details

(Keywords: crash, intermittent-failure, Whiteboard: [stockwell fixed:product])

Crash Data

Attachments

(1 file)

Filed by: ncsoregi [at] mozilla.com

https://treeherder.mozilla.org/logviewer.html#?job_id=155952306&repo=autoland

https://queue.taskcluster.net/v1/task/SFxEil3CRSqagl_xc-kHFg/runs/1/artifacts/public/logs/live_backing.log

15:40:57     INFO - mozcrash Saved app info as Z:\task_1515771146\build\blobber_upload_dir\cd5add5d-f91d-4f47-8750-f211496fe8ec.extra
3757
15:40:57     INFO - PROCESS-CRASH | /2dcontext/imagebitmap/createImageBitmap-invalid-args.html | application crashed [@ mozilla::dom::CheckSecurityForHTMLElements]
3758
15:40:57     INFO - Crash dump filename: c:\users\genericworker\appdata\local\temp\tmplhtlbv.mozrunner\minidumps\cd5add5d-f91d-4f47-8750-f211496fe8ec.dmp
Duplicate of this bug: 1430238
Summary: Intermittent /2dcontext/imagebitmap/createImageBitmap-invalid-args.html | application crashed [@ mozilla::dom::CheckSecurityForHTMLElements] after Assertion failure: aPrincipal → Permanent false-positive /2dcontext/imagebitmap/createImageBitmap-invalid-args.html | application crashed [@ mozilla::dom::CheckSecurityForHTMLElements] after Assertion failure: aPrincipal
Over the last 7 days there are 31 failures present on this bug. These happen on: Linux, Linux x64, linux64-ccov, linux64-qr, OS X 10.10, Windows 7, windows10-64
Here is the most recent log example: https://treeherder.mozilla.org/logviewer.html#?repo=mozilla-inbound&job_id=170630731&lineNumber=3099

18:56:46     INFO - PID 3008 | Assertion failure: aPrincipal, at z:/build/build/src/dom/canvas/ImageBitmap.cpp:438
Flags: needinfo?(james)
Component: web-platform-tests → Canvas: 2D
Flags: needinfo?(james)
Product: Testing → Core
Version: Version 3 → unspecified
:milan, can you take a look at this and triage it on your end?
Flags: needinfo?(milan)
Joel, do we have a run with a symbolicated stack?
Flags: needinfo?(milan) → needinfo?(jmaher)
here is a stack for the assertion from linux64-qr:
https://treeherder.mozilla.org/logviewer.html#?job_id=171049868&repo=autoland&lineNumber=1489

task 2018-03-29T15:51:30.756Z] 15:51:30     INFO - PID 1043 | Assertion failure: aPrincipal, at /builds/worker/workspace/build/src/dom/canvas/ImageBitmap.cpp:438
[task 2018-03-29T15:51:31.007Z] 15:51:31     INFO - PID 1043 | #01: mozilla::dom::ImageBitmap::CreateInternal(nsIGlobalObject*, mozilla::dom::HTMLImageElement&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::ErrorResult&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.015Z] 15:51:31     INFO - PID 1043 | #02: mozilla::dom::ImageBitmap::Create(nsIGlobalObject*, mozilla::dom::HTMLImageElementOrHTMLVideoElementOrHTMLCanvasElementOrBlobOrImageDataOrCanvasRenderingContext2DOrImageBitmapOrArrayBufferViewOrArrayBuffer const&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::ErrorResult&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.019Z] 15:51:31     INFO - PID 1043 | #03: nsGlobalWindowInner::CreateImageBitmap(JSContext*, mozilla::dom::HTMLImageElementOrHTMLVideoElementOrHTMLCanvasElementOrBlobOrImageDataOrCanvasRenderingContext2DOrImageBitmapOrArrayBufferViewOrArrayBuffer const&, mozilla::ErrorResult&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.027Z] 15:51:31     INFO - PID 1043 | #04: mozilla::dom::WindowBinding::createImageBitmap(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) [clone .isra.1118] (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.031Z] 15:51:31     INFO - PID 1043 | #05: mozilla::dom::WindowBinding::createImageBitmap_promiseWrapper(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.039Z] 15:51:31     INFO - PID 1043 | #06: mozilla::dom::WindowBinding::genericPromiseReturningMethod(JSContext*, unsigned int, JS::Value*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.040Z] 15:51:31     INFO - PID 1043 | #07: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.049Z] 15:51:31     INFO - PID 1043 | #08: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.050Z] 15:51:31     INFO - PID 1043 | #09: InternalCall(JSContext*, js::AnyInvokeArgs const&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.059Z] 15:51:31     INFO - PID 1043 | #10: Interpret(JSContext*, js::RunState&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.063Z] 15:51:31     INFO - PID 1043 | #11: js::RunScript(JSContext*, js::RunState&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.066Z] 15:51:31     INFO - PID 1043 | #12: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.067Z] 15:51:31     INFO - PID 1043 | #13: InternalCall(JSContext*, js::AnyInvokeArgs const&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.075Z] 15:51:31     INFO - PID 1043 | #14: js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.077Z] 15:51:31     INFO - PID 1043 | #15: PromiseReactionJob(JSContext*, unsigned int, JS::Value*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.078Z] 15:51:31     INFO - PID 1043 | #16: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.078Z] 15:51:31     INFO - PID 1043 | #17: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.079Z] 15:51:31     INFO - PID 1043 | #18: InternalCall(JSContext*, js::AnyInvokeArgs const&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.079Z] 15:51:31     INFO - PID 1043 | #19: js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.087Z] 15:51:31     INFO - PID 1043 | #20: JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.095Z] 15:51:31     INFO - PID 1043 | #21: mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.096Z] 15:51:31     INFO - PID 1043 | #22: mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.104Z] 15:51:31     INFO - PID 1043 | #23: mozilla::dom::PromiseJobCallback::Call(char const*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.108Z] 15:51:31     INFO - PID 1043 | #24: mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.113Z] 15:51:31     INFO - PID 1043 | #25: mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint() [clone .part.281] (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.121Z] 15:51:31     INFO - PID 1043 | #26: mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.123Z] 15:51:31     INFO - PID 1043 | #27: mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.132Z] 15:51:31     INFO - PID 1043 | #28: mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.136Z] 15:51:31     INFO - PID 1043 | #29: mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.145Z] 15:51:31     INFO - PID 1043 | #30: mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.147Z] 15:51:31     INFO - PID 1043 | #31: mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.155Z] 15:51:31     INFO - PID 1043 | #32: nsINode::DispatchEvent(nsIDOMEvent*, bool*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.157Z] 15:51:31     INFO - PID 1043 | #33: mozilla::AsyncEventDispatcher::Run() (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.166Z] 15:51:31     INFO - PID 1043 | #34: mozilla::SchedulerGroup::Runnable::Run() (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.167Z] 15:51:31     INFO - PID 1043 | #35: nsThread::ProcessNextEvent(bool, bool*) [clone .part.207] (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.172Z] 15:51:31     INFO - PID 1043 | #36: NS_ProcessNextEvent(nsIThread*, bool) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.177Z] 15:51:31     INFO - PID 1043 | #37: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.181Z] 15:51:31     INFO - PID 1043 | #38: MessageLoop::RunInternal() (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.189Z] 15:51:31     INFO - PID 1043 | #39: MessageLoop::Run() (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.192Z] 15:51:31     INFO - PID 1043 | #40: nsBaseAppShell::Run() (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.196Z] 15:51:31     INFO - PID 1043 | #41: XRE_RunAppShell() (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.204Z] 15:51:31     INFO - PID 1043 | #42: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.205Z] 15:51:31     INFO - PID 1043 | #43: MessageLoop::RunInternal() (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.206Z] 15:51:31     INFO - PID 1043 | #44: MessageLoop::Run() (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.207Z] 15:51:31     INFO - PID 1043 | #45: XRE_InitChildProcess(int, char**, XREChildData const*) (/builds/worker/workspace/build/application/firefox/libxul.so)
[task 2018-03-29T15:51:31.305Z] 15:51:31     INFO - PID 1043 | #46: content_process_main(mozilla::Bootstrap*, int, char**) (/builds/worker/workspace/build/application/firefox/firefox)
[task 2018-03-29T15:51:31.305Z] 15:51:31     INFO - PID 1043 | #47: main (/builds/worker/workspace/build/application/firefox/firefox)
[task 2018-03-29T15:51:31.786Z] 15:51:31     INFO - mozcrash Downloading symbols from: https://queue.taskcluster.net/v1/task/SMQZdxk0TdaXJmmc2dF5Nw/artifacts/public/build/target.crashreporter-symbols.zip
[task 2018-03-29T15:51:35.223Z] 15:51:35     INFO - PID 1043 | #48: __libc_start_main (/build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:325)
[task 2018-03-29T15:51:35.223Z] 15:51:35     INFO - PID 1043 | #49: _start (/builds/worker/workspace/build/application/firefox/firefox)



and not far after that in the log is the crash and stack:
[task 2018-03-29T15:51:46.373Z] 15:51:46     INFO - PROCESS-CRASH | /2dcontext/imagebitmap/createImageBitmap-invalid-args.html | application crashed [@ mozilla::dom::CheckSecurityForHTMLElements]
[task 2018-03-29T15:51:46.373Z] 15:51:46     INFO - Crash dump filename: /tmp/tmpaNEOMS.mozrunner/minidumps/43ec8ee0-231d-fad6-90e8-7f27cd34556e.dmp
[task 2018-03-29T15:51:46.373Z] 15:51:46     INFO - Operating system: Linux
[task 2018-03-29T15:51:46.373Z] 15:51:46     INFO -                   0.0.0 Linux 4.4.0-1014-aws #14taskcluster-Ubuntu SMP Mon Feb 19 11:31:26 UTC 2018 x86_64
[task 2018-03-29T15:51:46.373Z] 15:51:46     INFO - CPU: amd64
[task 2018-03-29T15:51:46.374Z] 15:51:46     INFO -      family 6 model 62 stepping 4
[task 2018-03-29T15:51:46.374Z] 15:51:46     INFO -      4 CPUs
[task 2018-03-29T15:51:46.374Z] 15:51:46     INFO - 
[task 2018-03-29T15:51:46.374Z] 15:51:46     INFO - GPU: UNKNOWN
[task 2018-03-29T15:51:46.375Z] 15:51:46     INFO - 
[task 2018-03-29T15:51:46.375Z] 15:51:46     INFO - Crash reason:  SIGSEGV
[task 2018-03-29T15:51:46.376Z] 15:51:46     INFO - Crash address: 0x0
[task 2018-03-29T15:51:46.376Z] 15:51:46     INFO - Process uptime: not available
[task 2018-03-29T15:51:46.376Z] 15:51:46     INFO - 
[task 2018-03-29T15:51:46.376Z] 15:51:46     INFO - Thread 0 (crashed)
[task 2018-03-29T15:51:46.377Z] 15:51:46     INFO -  0  libxul.so!mozilla::dom::CheckSecurityForHTMLElements [ImageBitmap.cpp:fe50594b0cb66d0dc735eac3c8e633759c3610a3 : 438 + 0x18]
[task 2018-03-29T15:51:46.377Z] 15:51:46     INFO -     rax = 0x0000000000000000   rdx = 0x0000000000000000
[task 2018-03-29T15:51:46.377Z] 15:51:46     INFO -     rcx = 0x00007fb9487782dd   rbx = 0x00007ffcca68a290
[task 2018-03-29T15:51:46.378Z] 15:51:46     INFO -     rsi = 0x00007fb948a47770   rdi = 0x00007fb948a46540
[task 2018-03-29T15:51:46.378Z] 15:51:46     INFO -     rbp = 0x00007ffcca68a230   rsp = 0x00007ffcca68a220
[task 2018-03-29T15:51:46.378Z] 15:51:46     INFO -      r8 = 0x00007fb948a47770    r9 = 0x00007fb949d28740
[task 2018-03-29T15:51:46.379Z] 15:51:46     INFO -     r10 = 0x000000000000004c   r11 = 0x0000000000000000
[task 2018-03-29T15:51:46.379Z] 15:51:46     INFO -     r12 = 0x00007ffcca68a4c0   r13 = 0x00007ffcca68a358
[task 2018-03-29T15:51:46.379Z] 15:51:46     INFO -     r14 = 0x00007ffcca68a288   r15 = 0x00007fb9317d7b40
[task 2018-03-29T15:51:46.379Z] 15:51:46     INFO -     rip = 0x00007fb9385e2b1f
[task 2018-03-29T15:51:46.379Z] 15:51:46     INFO -     Found by: given as instruction pointer in context
[task 2018-03-29T15:51:46.380Z] 15:51:46     INFO -  1  libxul.so!mozilla::dom::ImageBitmap::CreateInternal [ImageBitmap.cpp:fe50594b0cb66d0dc735eac3c8e633759c3610a3 : 462 + 0x11]
[task 2018-03-29T15:51:46.380Z] 15:51:46     INFO -     rbx = 0x00007ffcca68a290   rbp = 0x00007ffcca68a300
[task 2018-03-29T15:51:46.380Z] 15:51:46     INFO -     rsp = 0x00007ffcca68a240   r12 = 0x00007ffcca68a4c0
[task 2018-03-29T15:51:46.381Z] 15:51:46     INFO -     r13 = 0x00007ffcca68a358   r14 = 0x00007ffcca68a288
[task 2018-03-29T15:51:46.381Z] 15:51:46     INFO -     r15 = 0x00007fb9317d7b40   rip = 0x00007fb9385f8c3c
[task 2018-03-29T15:51:46.381Z] 15:51:46     INFO -     Found by: call frame info
[task 2018-03-29T15:51:46.381Z] 15:51:46     INFO -  2  libxul.so!mozilla::dom::ImageBitmap::Create [ImageBitmap.cpp:fe50594b0cb66d0dc735eac3c8e633759c3610a3 : 1432 + 0x15]
[task 2018-03-29T15:51:46.382Z] 15:51:46     INFO -     rbx = 0x00007ffcca68a358   rbp = 0x00007ffcca68a390
[task 2018-03-29T15:51:46.382Z] 15:51:46     INFO -     rsp = 0x00007ffcca68a310   r12 = 0x00007fb92e0874d8
[task 2018-03-29T15:51:46.382Z] 15:51:46     INFO -     r13 = 0x00007ffcca68a4c0   r14 = 0x00007ffcca68a520
[task 2018-03-29T15:51:46.382Z] 15:51:46     INFO -     r15 = 0x00007ffcca68a480   rip = 0x00007fb9386066ff
[task 2018-03-29T15:51:46.382Z] 15:51:46     INFO -     Found by: call frame info
[task 2018-03-29T15:51:46.383Z] 15:51:46     INFO -  3  libxul.so!nsGlobalWindowInner::CreateImageBitmap [nsGlobalWindowInner.cpp:fe50594b0cb66d0dc735eac3c8e633759c3610a3 : 8086 + 0x19]
[task 2018-03-29T15:51:46.383Z] 15:51:46     INFO -     rbx = 0x00007ffcca68a480   rbp = 0x00007ffcca68a3f0
[task 2018-03-29T15:51:46.383Z] 15:51:46     INFO -     rsp = 0x00007ffcca68a3a0   r12 = 0x00007ffcca68a3b0
[task 2018-03-29T15:51:46.383Z] 15:51:46     INFO -     r13 = 0x00007fb92e087400   r14 = 0x00007ffcca68a520
[task 2018-03-29T15:51:46.384Z] 15:51:46     INFO -     r15 = 0x00007ffcca68a468   rip = 0x00007fb937d715ba
[task 2018-03-29T15:51:46.384Z] 15:51:46     INFO -     Found by: call frame info
[task 2018-03-29T15:51:46.384Z] 15:51:46     INFO -  4  libxul.so!mozilla::dom::WindowBinding::createImageBitmap [WindowBinding.cpp: : 15737 + 0x1c]
[task 2018-03-29T15:51:46.384Z] 15:51:46     INFO -     rbx = 0x00007ffcca68a750   rbp = 0x00007ffcca68a6e0
[task 2018-03-29T15:51:46.384Z] 15:51:46     INFO -     rsp = 0x00007ffcca68a400   r12 = 0x00007ffcca68a520
[task 2018-03-29T15:51:46.385Z] 15:51:46     INFO -     r13 = 0x00007ffcca68a4c0   r14 = 0x00007ffcca68a480
[task 2018-03-29T15:51:46.385Z] 15:51:46     INFO -     r15 = 0x00007ffcca68a468   rip = 0x00007fb938325fcf
[task 2018-03-29T15:51:46.385Z] 15:51:46     INFO -     Found by: call frame info
[task 2018-03-29T15:51:46.386Z] 15:51:46     INFO -  5  libxul.so!mozilla::dom::WindowBinding::createImageBitmap_promiseWrapper [WindowBinding.cpp: : 15868 + 0x5]
[task 2018-03-29T15:51:46.386Z] 15:51:46     INFO -     rbx = 0x00007fb931824000   rbp = 0x00007ffcca68a700
[task 2018-03-29T15:51:46.386Z] 15:51:46     INFO -     rsp = 0x00007ffcca68a6f0   r12 = 0x00007ffcca68a750
[task 2018-03-29T15:51:46.386Z] 15:51:46     INFO -     r13 = 0x00007ffcca68a740   r14 = 0x00007ffcca68a760
[task 2018-03-29T15:51:46.386Z] 15:51:46     INFO -     r15 = 0x00007ffcca68a750 
[task 2018-03-29T15:51:46.387Z] 15:51:46     INFO -     Found by: call frame info
Flags: needinfo?(jmaher)
Duplicate of this bug: 1440544
Milan, can you please have a look at comment 17? Thanks
Flags: needinfo?(milan)
:aosmond, could nsLayoutUtils::SurfaceFromElement call in GetSurfaceFromElement in ImageBitmap.cpp return a "bad" result because we don't have a first frame anymore, as we discarded it?  We ask with SFE_WANT_FIRST_FRAME_IF_IMAGE flag, and then assert (indirectly) that we succeeded.  Is that a bad assumption now?  Or am I way off in the wrong direction?
Flags: needinfo?(milan) → needinfo?(aosmond)
The main problem I see here is that there is no error propagation.
I'm able to reproduce the crash, and this happens because GetWidth/GetHeight fail here:

https://searchfox.org/mozilla-central/rev/59a9a86553e9bfd9277202748ff791fd9bc0713b/layout/base/nsLayoutUtils.cpp#7748-7752

At that point mPrincipal is not set. This triggers the crash here:

https://searchfox.org/mozilla-central/rev/59a9a86553e9bfd9277202748ff791fd9bc0713b/dom/canvas/ImageBitmap.cpp#439

because of this:

https://searchfox.org/mozilla-central/rev/59a9a86553e9bfd9277202748ff791fd9bc0713b/dom/canvas/ImageBitmap.cpp#463

I suspect that the correct fix would be to change nsLayoutUtils::SurfaceFromElement to be:

static bool nsLayoutUtils::SurfaceFromElement(...., SurfaceFromElementResult& aResult);

The method should return bool (or nsresult) if something is wrong.
Attached patch image.patchSplinter Review
A temporary fix is to touch dom/canvas and introduce a check on mPrincipal to be not null.
Assignee: nobody → amarchesini
Attachment #8969282 - Flags: review?(aosmond)
Attachment #8969282 - Flags: review?(aosmond) → review+
Flags: needinfo?(aosmond)
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8bcaeaf2a5a0
Check on the principal in mozilla::dom::CheckSecurityForHTMLElements in case SurfaceFromElement returns an incomplete result, r=aosmond
Pushed by archaeopteryx@coole-files.de:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6728b103d41d
Check on the principal in mozilla::dom::CheckSecurityForHTMLElements in case SurfaceFromElement returns an incomplete result: Update test expectations. r=none CLOSED TREE
https://hg.mozilla.org/mozilla-central/rev/8bcaeaf2a5a0
https://hg.mozilla.org/mozilla-central/rev/6728b103d41d
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Late for a Beta uplift, but I'd like to keep this on the radar for ESR60 uplift next cycle to help cut down on the noise there for the next year.
Whiteboard: [stockwell needswork:owner] → [stockwell fixed:product]
Comment on attachment 8969282 [details] [diff] [review]
image.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: a crash can occur.
Fix Landed on Version: 61
Risk to taking this patch (and alternatives if risky): low. It's just an assertion converted in a if stmt.
String or UUID changes made by this patch:  none
Attachment #8969282 - Flags: approval-mozilla-esr60?
Comment on attachment 8969282 [details] [diff] [review]
image.patch

Reduces noise in ESR60 CI runs for the next year. Approved for ESR60.
Attachment #8969282 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
You need to log in before you can comment on or make changes to this bug.