Closed
Bug 1716622
Opened 3 years ago
Closed 3 years ago
Assertion failure: length <= (2147483647) (Bindings must have checked ArrayBuffer{View} length), at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:138
Categories
(Core :: DOM: Bindings (WebIDL), defect)
Core
DOM: Bindings (WebIDL)
Tracking
()
RESOLVED
FIXED
92 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | fixed |
| firefox91 | --- | wontfix |
| firefox92 | --- | fixed |
People
(Reporter: jkratzer, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(2 files, 1 obsolete file)
|
180 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
Testcase found while fuzzing mozilla-central rev 4bf424b6f46a (built with --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 4bf424b6f46a --debug --fuzzing -n mc-debug
$ python -m grizzly.replay ./mc-debug/firefox ./testcase.html
Assertion failure: length <= (2147483647) (Bindings must have checked ArrayBuffer{View} length), at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:138
#0 0x7f72d0987606 in mozilla::dom::TypedArray_base<unsigned char, &(js::UnwrapUint8ClampedArray(JSObject*)), &(js::GetUint8ClampedArrayLengthAndData(JSObject*, unsigned long*, bool*, unsigned char**))>::ComputeState() const /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:137:5
#1 0x7f72d0a64293 in mozilla::webgl::FromImageData(unsigned int, mozilla::avec3<unsigned int>, mozilla::dom::ImageData const&, mozilla::dom::TypedArray<unsigned char, &(js::UnwrapUint8ClampedArray(JSObject*)), &(JS_GetUint8ClampedArrayData(JSObject*, bool*, JS::AutoRequireNoGC const&)), &(js::GetUint8ClampedArrayLengthAndData(JSObject*, unsigned long*, bool*, unsigned char**)), &(JS_NewUint8ClampedArray(JSContext*, unsigned long))>*) /builds/worker/checkouts/gecko/dom/canvas/WebGLTextureUpload.cpp:81:14
#2 0x7f72d09b1bc9 in operator() /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:3962:19
#3 0x7f72d09b1bc9 in mozilla::ClientWebGLContext::TexImage(unsigned char, unsigned int, int, unsigned int, mozilla::avec3<int> const&, mozilla::avec3<int> const&, int, mozilla::webgl::PackingInfo const&, mozilla::TexImageSource const&) const /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.cpp:3914:15
#4 0x7f72d022c0c7 in TexSubImage2D<mozilla::dom::ImageData> /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.h:1521:5
#5 0x7f72d022c0c7 in void mozilla::ClientWebGLContext::TexSubImage2D<mozilla::dom::ImageData>(unsigned int, int, int, int, unsigned int, unsigned int, mozilla::dom::ImageData const&, mozilla::ErrorResult&) const /builds/worker/checkouts/gecko/dom/canvas/ClientWebGLContext.h:1712:5
#6 0x7f72d02a7732 in mozilla::dom::WebGLRenderingContext_Binding::texSubImage2D(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WebGLRenderingContextBinding.cpp:14156:32
#7 0x7f72d08e15d7 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3298:13
#8 0x7f72d3a64820 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#9 0x7f72d3a63f82 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#10 0x7f72d3a657a9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:571:10
#11 0x7f72d3a5a5d9 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:575:10
#12 0x7f72d3a5a5d9 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3244:16
#13 0x7f72d3a52545 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:13
#14 0x7f72d3a63f9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:543:13
#15 0x7f72d3a657a9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:571:10
#16 0x7f72d3a659e1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#17 0x7f72d3ff8e7b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2785:10
#18 0x7f72d053cd4e in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
#19 0x7f72d0c9c496 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#20 0x7f72d0c9c1ea in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1108:43
#21 0x7f72d0c9ce88 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
#22 0x7f72d0c921c5 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
#23 0x7f72d0c921c5 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
#24 0x7f72d0c916df in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
#25 0x7f72d0c94304 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1116:11
#26 0x7f72d0c96f46 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#27 0x7f72cf6b2245 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1331:17
#28 0x7f72cf3c76da in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4316:28
#29 0x7f72cf3c7566 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4286:10
#30 0x7f72cf5314c7 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7678:3
#31 0x7f72cf5a1716 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1150:12
#32 0x7f72cf5a1716 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1156:12
#33 0x7f72cf5a1716 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1203:13
#34 0x7f72cd8bd6a2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
#35 0x7f72cd8e84ee in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:479:16
#36 0x7f72cd8c6209 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:782:26
#37 0x7f72cd8c5078 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:15
#38 0x7f72cd8c52f3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:402:36
#39 0x7f72cd8ebce6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
#40 0x7f72cd8ebce6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#41 0x7f72cd8d7c5f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1162:16
#42 0x7f72cd8de89a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#43 0x7f72ce1db736 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#44 0x7f72ce143487 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#45 0x7f72ce1433a2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#46 0x7f72ce1433a2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#47 0x7f72d1f8b088 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#48 0x7f72d392e5f3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
#49 0x7f72ce1dc62a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#50 0x7f72ce143487 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#51 0x7f72ce1433a2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#52 0x7f72ce1433a2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#53 0x7f72d392e20e in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
#54 0x5642ca2a8c56 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#55 0x5642ca2a8c56 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313:18
#56 0x7f72e45aa0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
|
||
Comment 1•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210708154614-ab46ef66acce.
The bug appears to have been introduced in the following build range:
Start: 1e9779538e9493590ddc45f16bb852ac79325bf8 (20210412154438)
End: 64b1938f0ed6fc36f8e82160d7bb968c5dec7d72 (20210412161323)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1e9779538e9493590ddc45f16bb852ac79325bf8&tochange=64b1938f0ed6fc36f8e82160d7bb968c5dec7d72
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
Reporter | |
Comment 2•3 years ago
|
||
I've attached a simpler testcase that triggers the same assertion.
#0 0x7fac84b77c46 in mozilla::dom::TypedArray_base<unsigned char, &(js::UnwrapUint8ClampedArray(JSObject*)), &(js::GetUint8ClampedArrayLengthAndData(JSObject*, unsigned long*, bool*, unsigned char**))>::ComputeState() const /builds/worker/workspace/obj-build/dist/include/mozilla/dom/TypedArray.h:137:5
#1 0x7fac84bc1ace in mozilla::dom::ImageBitmap::CreateInternal(nsIGlobalObject*, mozilla::dom::ImageData&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/ImageBitmap.cpp:867:9
#2 0x7fac84bc323f in mozilla::dom::ImageBitmap::Create(nsIGlobalObject*, mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmapOrBlobOrCanvasRenderingContext2DOrImageData const&, mozilla::Maybe<mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/ImageBitmap.cpp:1250:9
#3 0x7fac83620f97 in nsGlobalWindowInner::CreateImageBitmap(mozilla::dom::HTMLImageElementOrSVGImageElementOrHTMLCanvasElementOrHTMLVideoElementOrImageBitmapOrBlobOrCanvasRenderingContext2DOrImageData const&, int, int, int, int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7431:10
#4 0x7fac8453003e in createImageBitmap /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:19314:64
#5 0x7fac8453003e in mozilla::dom::Window_Binding::createImageBitmap_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:19341:13
#6 0x7fac84ad421c in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3297:13
#7 0x7fac87c73d30 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#8 0x7fac87c73492 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#9 0x7fac87c74cb9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:571:10
#10 0x7fac87c69a99 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:575:10
#11 0x7fac87c69a99 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3226:16
#12 0x7fac87c618c5 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:13
#13 0x7fac87c734af in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:543:13
#14 0x7fac87c74cb9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:571:10
#15 0x7fac87c74ef1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#16 0x7fac87d7832b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2785:10
#17 0x7fac8472dc6e in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
#18 0x7fac84e8f456 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#19 0x7fac84e8f1aa in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1109:43
#20 0x7fac84e8fe48 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1306:17
#21 0x7fac84e85175 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
#22 0x7fac84e85175 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
#23 0x7fac84e8468f in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
#24 0x7fac84e872b4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1082:11
#25 0x7fac864ff743 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1087:7
#26 0x7fac87614c05 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6285:20
#27 0x7fac876146ff in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5675:7
#28 0x7fac8761557f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#29 0x7fac82d242fc in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1362:3
#30 0x7fac82d238ca in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:968:14
#31 0x7fac82d21cd7 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:787:9
#32 0x7fac82d22ebf in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:670:5
#33 0x7fac87634e18 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13444:23
#34 0x7fac81c285aa in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22
#35 0x7fac81c29a23 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
#36 0x7fac8372d6ed in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11341:18
#37 0x7fac8370a950 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11271:9
#38 0x7fac8371c946 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7779:3
#39 0x7fac8378c786 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#40 0x7fac8378c786 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#41 0x7fac8378c786 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#42 0x7fac81a6d882 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
#43 0x7fac81a9877e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
#44 0x7fac81a763f9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
#45 0x7fac81a75268 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
#46 0x7fac81a754e3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
#47 0x7fac81a9bf76 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
#48 0x7fac81a9bf76 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:532:5
#49 0x7fac81a8809f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152:16
#50 0x7fac81a8eb2a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466:10
#51 0x7fac823a59b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#52 0x7fac822ff517 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#53 0x7fac822ff432 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#54 0x7fac822ff432 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#55 0x7fac86189f48 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#56 0x7fac87b3d993 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
#57 0x7fac823a68aa in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#58 0x7fac822ff517 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#59 0x7fac822ff432 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#60 0x7fac822ff432 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#61 0x7fac87b3d5ae in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
#62 0x557f853e0c56 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#63 0x557f853e0c56 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#64 0x7fac984870b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
|
|
Reporter | |
Updated•3 years ago
|
Attachment #9227239 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 3•3 years ago
|
||
:jandem, since you introduced this assertion in bug 1688616, can you take a look?
Flags: needinfo?(jdemooij)
|
|
Reporter | |
Updated•3 years ago
|
Component: Canvas: WebGL → DOM: Bindings (WebIDL)
|
Assignee | |
Updated•3 years ago
|
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
|
||
Updated•3 years ago
|
Crash Signature: [@ mozilla::dom::ImageBitmap::CreateInternal ]
|
|
||
Updated•3 years ago
|
Crash Signature: [@ mozilla::dom::ImageBitmap::CreateInternal ] → [@ mozilla::dom::ImageBitmap::CreateInternal ]
[@ mozilla::webgl::FromImageData ]
|
||
Updated•3 years ago
|
Crash Signature: [@ mozilla::dom::ImageBitmap::CreateInternal ]
[@ mozilla::webgl::FromImageData ] → [@ mozilla::dom::ImageBitmap::CreateInternal ]
[@ mozilla::webgl::FromImageData ]
[@ mozilla::dom::CanvasRenderingContext2D::PutImageData_explicit]
|
|
Assignee | |
Comment 5•3 years ago
|
||
After we enabled support for large ArrayBuffers on 64-bit platforms, we could
also create larger ImageData objects. WebIDL bindings check for large ArrayBuffer{View}s
but not when they're wrapped in an ImageData.
It seems safest to limit ImageData arrays to the old 2 GB for now until we need larger
buffers.
|
|
Assignee | |
Updated•3 years ago
|
Crash Signature: [@ mozilla::dom::ImageBitmap::CreateInternal ]
[@ mozilla::webgl::FromImageData ]
[@ mozilla::dom::CanvasRenderingContext2D::PutImageData_explicit] → [@ mozilla::dom::ImageBitmap::CreateInternal ]
[@ mozilla::webgl::FromImageData ]
[@ mozilla::dom::CanvasRenderingContext2D::PutImageData_explicit]
Flags: needinfo?(jdemooij)
|
|
||
Comment 6•3 years ago
|
||
:jandem, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/be5ed2078ae1
Limit ImageData typed array to 2 GB. r=edgar
|
||
Comment 8•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox92:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch
|
|
||
Comment 9•3 years ago
|
||
Bugmon Analysis
Unable to reproduce bug 1716622 using build mozilla-central 20210615134418-4bf424b6f46a. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Comment 10•3 years ago
|
||
Is there a user-facing impact here which would justify uplift consideration for ESR?
status-firefox-esr78:
--- → unaffected
status-firefox-esr91:
--- → affected
Flags: needinfo?(jdemooij)
Flags: in-testsuite?
Flags: in-testsuite+
|
|
Assignee | |
Comment 11•3 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #10)
Is there a user-facing impact here which would justify uplift consideration for ESR?
It's a safe fix, I'll request uplift.
|
|
Assignee | |
Comment 12•3 years ago
|
||
Comment on attachment 9234386 [details]
Bug 1716622 - Limit ImageData typed array to 2 GB. r?edgar!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Fixes crashes when trying to use large ImageData objects.
- User impact if declined: (safe) crashes
- Fix Landed on Version: 92
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It just limits some values to what they were before large TypedArrays were supported.
- String or UUID changes made by this patch: N/A
Attachment #9234386 -
Flags: approval-mozilla-esr91?
|
|
||
Comment 13•3 years ago
|
||
Comment on attachment 9234386 [details]
Bug 1716622 - Limit ImageData typed array to 2 GB. r?edgar!
Approved for 91.1esr.
Attachment #9234386 -
Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
|
|
||
Comment 14•3 years ago
|
||
| bugherder uplift | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•