Closed Bug 1551745 Opened 1 year ago Closed 1 year ago

Assertion failure: initialBytes + nbytes > initialBytes, at src/js/src/gc/Scheduling.h:680

Categories

(Core :: JavaScript: GC, defect, P1)

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: tsmith, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

Attached file testcase.html

Assertion failure: initialBytes + nbytes > initialBytes, at src/js/src/gc/Scheduling.h:680

#0 js::gc::MemoryTracker::addMemory(js::gc::Cell*, unsigned long, js::MemoryUse) src/js/src/gc/Scheduling.h:678:5
#1 JS::AddAssociatedMemory(JSObject*, unsigned long, JS::MemoryUse) src/js/src/jsapi.cpp:1165:9
#2 mozilla::dom::CanvasRenderingContext2D::ClearTarget(int, int) src/dom/canvas/CanvasRenderingContext2D.cpp:1502:7
#3 mozilla::dom::CanvasRenderingContext2D::SetDimensions(int, int) src/dom/canvas/CanvasRenderingContext2D.cpp:1475:3
#4 mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) src/dom/canvas/CanvasRenderingContextHelper.cpp:216:24
#5 mozilla::dom::HTMLCanvasElement::AfterMaybeChangeAttr(int, nsAtom*, bool) src/dom/html/HTMLCanvasElement.cpp:461:5
#6 mozilla::dom::HTMLCanvasElement::AfterSetAttr(int, nsAtom*, nsAttrValue const*, nsAttrValue const*, nsIPrincipal*, bool) src/dom/html/HTMLCanvasElement.cpp:440:3
#7 mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, mozilla::dom::Document*, mozAutoDocUpdate const&) src/dom/base/Element.cpp:2541:10
#8 mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/dom/base/Element.cpp:2405:10
#9 mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) src/dom/base/Element.cpp:1408:12
#10 mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/ElementBinding.cpp:1490:9
#11 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3165:13
#12 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:443:13
#13 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:535:12
#14 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:590:10
#15 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3082:16
#16 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
#17 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
#18 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:590:10
#19 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
#20 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2655:10
#21 mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#22 void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#23 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1038:43
#24 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1239:17
#25 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:349:17
#26 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:551:16
#27 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1047:11
#28 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1104:7
#29 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6646:20
#30 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6446:7
#31 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#32 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1313:3
#33 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:872:14
#34 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:710:9
#35 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:598:5
#36 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#37 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
#38 imgRequestProxy::RemoveFromLoadGroup() src/image/imgRequestProxy.cpp:404:15
#39 imgRequestProxy::OnLoadComplete(bool) src/image/imgRequestProxy.cpp:1032:7
#40 void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) src/image/ProgressTracker.cpp:260:9
#41 void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:329:5
#42 mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::$_1::operator()(mozilla::image::ObserverTable const*) const src/image/ProgressTracker.cpp:348:5
#43 decltype(fp(static_cast<mozilla::image::ObserverTable const*>(std::nullptr_t))) mozilla::image::CopyOnWrite<mozilla::image::ObserverTable>::Read<mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::$_1>(mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::$_1) const src/image/CopyOnWrite.h:155:12
#44 mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:347:14
#45 mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) src/image/RasterImage.cpp:1614:28
#46 mozilla::image::RasterImage::NotifyForLoadEvent(unsigned int) src/image/RasterImage.cpp:938:3
#47 mozilla::image::RasterImage::OnImageDataComplete(nsIRequest*, nsISupports*, nsresult, bool) src/image/RasterImage.cpp:921:3
#48 imgRequest::OnStopRequest(nsIRequest*, nsresult) src/image/imgRequest.cpp:787:16
#49 nsJARChannel::OnStopRequest(nsIRequest*, nsresult) src/modules/libjar/nsJARChannel.cpp:1026:16
#50 non-virtual thunk to nsJARChannel::OnStopRequest(nsIRequest*, nsresult) src/modules/libjar/nsJARChannel.cpp
#51 nsInputStreamPump::OnStateStop() src/netwerk/base/nsInputStreamPump.cpp:655:16
#52 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp:403:21
#53 non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp
#54 nsInputStreamReadyEvent::Run() src/xpcom/io/nsStreamUtils.cpp:91:20
#55 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1175:14
#56 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#57 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#58 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#59 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#60 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#61 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#62 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#63 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#64 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#65 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#66 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#67 main src/browser/app/nsBrowserApp.cpp:263:18
Flags: in-testsuite?
Assignee: nobody → jcoppeard
Priority: -- → P1

The patch changes the calculation for the allocation size associated with a canvas rendering context to return zero when the width or height is greater than allowed (this will result in an error when creating the target later on) and also if the size calculation overflows (which shouldn't normally happen given the previous check).
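As an added illustration of the checked size calculation described in the comment above (example code written for this page, not Mozilla's patch or the Gecko canvas code): the unchecked product shows how a 32-bit size computation can wrap to 0, which is one way an invariant of the form `initialBytes + nbytes > initialBytes` can fail, and the checked version returns 0 for out-of-range dimensions or an overflowing product so the caller can skip the tracker. The maximum dimension of 32767, the 4 bytes per pixel, and the `MemoryTracker` stand-in are assumptions for the example, not values or types taken from the bug.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumption for this example: a maximum canvas dimension. This is a
// placeholder, not the value of Mozilla's gfx pref.
constexpr int32_t kMaxCanvasSize = 32767;
// Assumption: 4 bytes per pixel (RGBA).
constexpr uint64_t kBytesPerPixel = 4;

// Stand-in for a GC memory tracker with the invariant from the assertion
// message above: adding nbytes must strictly increase the running total.
// Returns false instead of asserting so the condition can be exercised.
struct MemoryTracker {
  uint64_t bytes = 0;

  bool addMemory(uint64_t nbytes) {
    uint64_t initialBytes = bytes;
    if (!(initialBytes + nbytes > initialBytes)) {
      return false;  // nbytes == 0, or the addition wrapped around
    }
    bytes = initialBytes + nbytes;
    return true;
  }
};

// Unchecked calculation in 32-bit unsigned arithmetic, which wraps modulo
// 2^32: a 32768 x 32768 canvas is exactly 2^32 bytes and wraps to 0, the
// value that trips the tracker invariant.
uint32_t naiveCanvasBytes(uint32_t width, uint32_t height) {
  return width * height * static_cast<uint32_t>(kBytesPerPixel);
}

// a * b with overflow detection; returns true and stores the product on success.
bool checkedMul(uint64_t a, uint64_t b, uint64_t* out) {
  if (a != 0 && b > std::numeric_limits<uint64_t>::max() / a) {
    return false;
  }
  *out = a * b;
  return true;
}

// Checked calculation in the shape the comment above describes: 0 when a
// dimension is out of range or the product overflows. Callers are expected
// to skip the tracker entirely when the result is 0.
uint64_t checkedCanvasBytes(int32_t width, int32_t height) {
  if (width <= 0 || height <= 0) {
    return 0;
  }
  if (width > kMaxCanvasSize || height > kMaxCanvasSize) {
    return 0;
  }
  uint64_t pixels = 0;
  uint64_t bytes = 0;
  if (!checkedMul(static_cast<uint64_t>(width), static_cast<uint64_t>(height), &pixels)) {
    return 0;
  }
  if (!checkedMul(pixels, kBytesPerPixel, &bytes)) {
    return 0;
  }
  return bytes;
}

// Registers a canvas with the tracker only when the checked size is non-zero.
// Returns true if memory was recorded.
bool trackCanvas(MemoryTracker& tracker, int32_t width, int32_t height) {
  uint64_t nbytes = checkedCanvasBytes(width, height);
  if (nbytes == 0) {
    return false;  // nothing to associate; avoids the nbytes == 0 failure
  }
  return tracker.addMemory(nbytes);
}

int main() {
  MemoryTracker tracker;
  printf("naive 32768x32768 -> %u bytes (wrapped)\n",
         static_cast<unsigned>(naiveCanvasBytes(32768, 32768)));
  printf("tracker accepts wrapped size: %s\n",
         tracker.addMemory(naiveCanvasBytes(32768, 32768)) ? "yes" : "no");
  printf("checked 32768x32768 -> %llu bytes\n",
         static_cast<unsigned long long>(checkedCanvasBytes(32768, 32768)));
  printf("checked 300x150 -> %llu bytes\n",
         static_cast<unsigned long long>(checkedCanvasBytes(300, 150)));
  printf("tracked 300x150: %s, total %llu\n",
         trackCanvas(tracker, 300, 150) ? "yes" : "no",
         static_cast<unsigned long long>(tracker.bytes));
  return 0;
}
```

The range check comes first on purpose: once both dimensions are bounded, the 64-bit product cannot overflow, so the `checkedMul` calls only matter if the bound is raised or removed later, which matches the comment's remark that the overflow branch "shouldn't normally happen given the previous check".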

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a0464187dbfa
Check max size and fix overflow calculating canvas allocation size r=smaug

The call to gfxPrefs::MaxCanvasSize() is causing a rooting hazard as below. I'm pretty sure this is a false positive but I'm going to remove this part of the code and leave the overflow check while I figure this out. This should still fix the original problem.

Function '_ZN7mozilla3dom32CanvasRenderingContext2D_BindingL9_finalizeEPN2js6FreeOpEP8JSObject$CanvasRenderingContext2DBinding.cpp:void mozilla::dom::CanvasRenderingContext2D_Binding::_finalize(js::FreeOp*, JSObject*)' has unrooted 'obj' of type 'JSObject*' live across GC call '_ZN7mozilla3dom26BindingJSObjectMallocBytesEPNS0_24CanvasRenderingContext2DE$uint64 mozilla::dom::BindingJSObjectMallocBytes(mozilla::dom::CanvasRenderingContext2D*)' at obj-analyzed/dom/bindings/CanvasRenderingContext2DBinding.cpp:7151
    CanvasRenderingContext2DBinding.cpp:7147: Call(1,2, self := UnwrapPossiblyNotInitializedDOMObject(obj*))
    CanvasRenderingContext2DBinding.cpp:7148: Assume(2,3, !null(self*), true)
    CanvasRenderingContext2DBinding.cpp:7149: Call(3,4, __temp_1 := UndefinedValue())
    CanvasRenderingContext2DBinding.cpp:7149: Call(4,5, SetReservedSlot(obj*,0,__temp_1))
    CanvasRenderingContext2DBinding.cpp:7150: Assume(5,7, !null(self*), false)
    CanvasRenderingContext2DBinding.cpp:7150: Assign(7,8, __temp_2 := 0)
    CanvasRenderingContext2DBinding.cpp:7150: Call(8,9, ClearWrapper(self*,__temp_2*,obj*))
    CanvasRenderingContext2DBinding.cpp:7151: Call(9,10, mallocBytes := BindingJSObjectMallocBytes(self*)) [[GC call]]
    CanvasRenderingContext2DBinding.cpp:7151: Assume(10,11, (mallocBytes* != 0), true)
    CanvasRenderingContext2DBinding.cpp:7152: Call(11,12, RemoveAssociatedMemory(obj*,mallocBytes*,1))
GC Function: _ZN7mozilla3dom26BindingJSObjectMallocBytesEPNS0_24CanvasRenderingContext2DE$uint64 mozilla::dom::BindingJSObjectMallocBytes(mozilla::dom::CanvasRenderingContext2D*)
    int32 gfxPrefs::MaxCanvasSize()
    gfxPrefs* gfxPrefs::GetSingleton()
    gfxPrefs* gfxPrefs::CreateAndInitializeSingleton()
    void gfxPrefs::Init()
    void gfxPrefs::SetGfxLoggingLevelChangeCallback((void)(mozilla::gfx::GfxPrefValue*)*)
    void gfxPrefs::Pref::SetChangeCallback((void)(mozilla::gfx::GfxPrefValue*)*)
    void gfxPrefs::Pref::FireChangeCallback()
    gfxPrefs::Pref.mChangeCallback
    unresolved gfxPrefs::Pref.mChangeCallback


Function '_ZN7mozilla3dom24CanvasRenderingContext2D11ClearTargetEii$void mozilla::dom::CanvasRenderingContext2D::ClearTarget(int32, int32)' has unrooted 'wrapper' of type 'JSObject*' live across GC call '_ZN7mozilla3dom26BindingJSObjectMallocBytesEPNS0_24CanvasRenderingContext2DE$uint64 mozilla::dom::BindingJSObjectMallocBytes(mozilla::dom::CanvasRenderingContext2D*)' at dom/canvas/CanvasRenderingContext2D.cpp:1494
    CanvasRenderingContext2D.cpp:1492: Call(6,7, wrapper := this*.field:1.GetWrapperMaybeDead())
    CanvasRenderingContext2D.cpp:1493: Assume(7,8, !null(wrapper*), true)
    CanvasRenderingContext2D.cpp:1494: Call(8,9, __temp_1 := BindingJSObjectMallocBytes(this*)) [[GC call]]
    CanvasRenderingContext2D.cpp:1494: Call(9,10, RemoveAssociatedMemory(wrapper*,__temp_1*,1))
GC Function: _ZN7mozilla3dom26BindingJSObjectMallocBytesEPNS0_24CanvasRenderingContext2DE$uint64 mozilla::dom::BindingJSObjectMallocBytes(mozilla::dom::CanvasRenderingContext2D*)
    int32 gfxPrefs::MaxCanvasSize()
    gfxPrefs* gfxPrefs::GetSingleton()
    gfxPrefs* gfxPrefs::CreateAndInitializeSingleton()
    void gfxPrefs::Init()
    void gfxPrefs::SetGfxLoggingLevelChangeCallback((void)(mozilla::gfx::GfxPrefValue*)*)
    void gfxPrefs::Pref::SetChangeCallback((void)(mozilla::gfx::GfxPrefValue*)*)
    void gfxPrefs::Pref::FireChangeCallback()
    gfxPrefs::Pref.mChangeCallback
    unresolved gfxPrefs::Pref.mChangeCallback
Keywords: leave-open
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1be11bf256ee
Remove false positive rooting hazard calculating allocation size until there's a fix r=me
Keywords: leave-open
See Also: → 1552137
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite? → in-testsuite+