Closed
Bug 1443674
Opened 7 years ago
Closed 3 years ago
Crash [@ MakeContextCurrent] in transferToImageBitmap
Categories
(Core :: Graphics: CanvasWebGL, defect, P5)
RESOLVED
INVALID
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [gfx-noted])
Attachments
(1 file)
233 bytes,
text/html
Testcase found while fuzzing esr-52 rev d61516b059c1.
==16802==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x7f812e7d7875 bp 0x7fffd0e122b0 sp 0x7fffd0e121c0 T0)
#0 0x7f812e7d7874 in MakeContextCurrent /home/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1913:5
#1 0x7f812e7d7874 in mozilla::WebGLContext::ClearScreen() /home/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1473
#2 0x7f812e783f4f in mozilla::dom::OffscreenCanvas::TransferToImageBitmap() /home/worker/workspace/build/src/dom/canvas/OffscreenCanvas.cpp:231:5
#3 0x7f812d2e258c in mozilla::dom::OffscreenCanvasBinding::transferToImageBitmap(JSContext*, JS::Handle<JSObject*>, mozilla::dom::OffscreenCanvas*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/OffscreenCanvasBinding.cpp:201:57
#4 0x7f812e61ffe9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
#5 0x7f81349aee65 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#6 0x7f81349aee65 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#7 0x7f813498f26f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#8 0x7f813498f26f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#9 0x7f813497442d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#10 0x7f81349b1352 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:686:15
#11 0x7f81349b1beb in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:718:12
#12 0x7f81344931c4 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4439:19
#13 0x7f8134493f1b in Evaluate /home/worker/workspace/build/src/js/src/jsapi.cpp:4466:12
#14 0x7f8134493f1b in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4524
#15 0x7f812cc11580 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:207:12
#16 0x7f812cc12699 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:274:10
#17 0x7f812cca91d1 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:2193:14
#18 0x7f812cca60de in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1979:10
#19 0x7f812cc8d435 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1712:10
#20 0x7f812cc89da1 in nsScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/base/nsScriptElement.cpp:149:10
#21 0x7f812bcfa7d3 in AttemptToExecute /home/worker/workspace/build/src/dom/base/nsIScriptElement.h:222:18
#22 0x7f812bcfa7d3 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
#23 0x7f812bcf8f55 in nsHtml5TreeOpExecutor::RunFlushLoop() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:489:7
#24 0x7f812bcfdbcb in nsHtml5ExecutorFlusher::Run() /home/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
#25 0x7f8129e8dcab in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#26 0x7f8129f0fdec in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#27 0x7f812acc8d54 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:124:5
#28 0x7f812ac3a8b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#29 0x7f812ac3a8b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#30 0x7f812ac3a8b8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#31 0x7f81302db75f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#32 0x7f81324f8b77 in XRE_RunAppShell /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:866:12
#33 0x7f812ac3a8b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#34 0x7f812ac3a8b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#35 0x7f812ac3a8b8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#36 0x7f81324f8182 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:698:7
#37 0x4dfbab in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
#38 0x4dfbab in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:392
#39 0x7f814605282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#40 0x41ba88 in _start (/home/forb1dden/builds/esr-asan/firefox+0x41ba88)
Flags: in-testsuite?
Comment 1•7 years ago
Looks like we could do better.
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)
Whiteboard: [gfx-noted]
Updated•7 years ago
Assignee: jgilbert → nobody
Comment 2•7 years ago
OffscreenCanvas is not yet supported.
Updated•7 years ago
Summary: Crash [@ MakeContextCurrent] → Crash [@ MakeContextCurrent] in transferToImageBitmap
Comment 3•7 years ago
Please confirm that this fuzzer will stop reporting (currently unsupported) OffscreenCanvas bugs as criticals.
Flags: needinfo?(jkratzer)
Comment 5•3 years ago
This code was removed so this shouldn't be a problem anymore. We do need to fix TransferToImageBitmap to maybe clear the canvas based on the spec, but after a discussion offline with kgilbert, we're not exactly sure what to do here at the moment.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID