Crash in [@ nsWrapperCache::GetWrapperMaybeDead] from CanvasRenderingContext2D_Binding::getTransform
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox126 | --- | fixed |
| firefox127 | --- | fixed |
| firefox128 | --- | fixed |
People
(Reporter: aryx, Assigned: aosmond)
References
(Regression)
Details
(Keywords: crash, regression, topcrash)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
dmeehan
:
approval-mozilla-release+
|
Details | Review |
This is a rather frequent Mobile crash since Fenix 125. The crashstacks are corrupted. The same signature had been reported in the past in bug 1838496, bug 1816975 and bug 1515463.
Crash report: https://crash-stats.mozilla.org/report/index/b7763e9e-ed42-4722-8ef2-28e690240516
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames:
0 libxul.so nsWrapperCache::GetWrapperMaybeDead() const dom/base/nsWrapperCache.h:137
0 libxul.so nsWrapperCache::GetWrapperPreserveColor() const dom/base/nsWrapperCacheInlines.h:15
0 libxul.so nsWrapperCache::GetWrapper() const dom/base/nsWrapperCacheInlines.h:28
1 libxul.so mozilla::dom::binding_detail::DoGetOrCreateDOMReflector<mozilla::dom::DOMMatr... dom/bindings/BindingUtils.h:1159
1 libxul.so mozilla::dom::GetOrCreateDOMReflector<mozilla::dom::DOMMatrix>(JSContext*, mo... dom/bindings/BindingUtils.h:1237
1 libxul.so mozilla::dom::GetOrCreateDOMReflectorHelper<RefPtr<mozilla::dom::DOMMatrix>, ... dom/bindings/BindingUtils.h:1843
2 libxul.so mozilla::dom::GetOrCreateDOMReflector<RefPtr<mozilla::dom::DOMMatrix> >(JSCon... dom/bindings/BindingUtils.h:1861
2 libxul.so mozilla::dom::CanvasRenderingContext2D_Binding::getTransform(JSContext*, JS::... dom/bindings/CanvasRenderingContext2DBinding.cpp:8696
3 libxul.so mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::Nor... dom/bindings/BindingUtils.cpp:3269
4 ? @0x0000007238be4980
|
||
Comment 1•1 year ago
|
||
The bug is linked to a topcrash signature, which matches the following criteria:
- Top 10 AArch64 and ARM crashes on nightly
- Top 10 AArch64 and ARM crashes on beta
- Top 10 AArch64 and ARM crashes on release
For more information, please visit BugBot documentation.
|
||
Comment 2•1 year ago
|
||
This doesn't look good.
Peter, do you mind to take look? Or redirect this to someone?
|
||
Comment 3•1 year ago
|
||
These all have CanvasRenderingContext2D_Binding::getTransform in the proto stack.
|
||
Comment 4•1 year ago
|
||
Bug 1887729 added code in CanvasRenderingContext2D::EnsureTarget that returns false without throwing an error: https://searchfox.org/mozilla-central/rev/c84d3db8d7d6503b1208a0378db640095e106355/dom/canvas/CanvasRenderingContext2D.cpp#1522-1528 (if mIsContextLost is true and mAllowContextRestore is true). This is problematic because CanvasRenderingContext2D::GetTransform then returns a nullptr without an error being thrown (https://searchfox.org/mozilla-central/rev/c84d3db8d7d6503b1208a0378db640095e106355/dom/canvas/CanvasRenderingContext2D.cpp#2209-2211). CanvasRenderingContext2D.getTransform is not marked as returning a nullable DOMMatrix (https://searchfox.org/mozilla-central/rev/c84d3db8d7d6503b1208a0378db640095e106355/dom/webidl/CanvasRenderingContext2D.webidl#168) and then the binding code crashes because it doesn't expect the null.
I don't know what the right fix is, and also haven't checked whether other callers of CanvasRenderingContext2D::EnsureTarget might have similar issues.
|
|
||
Updated•1 year ago
|
|
|
||
Comment 5•1 year ago
|
||
As expected, this is also on desktop, in lower volume: bp-f692402d-2bbf-4eb8-aff4-be26b0240520
|
Assignee | |
Comment 6•1 year ago
|
||
When we lose the context for a 2D canvas, we need to silently fail any
canvas calls until the context is recovered. Unfortunately that meant we
returned a nullptr in CanvasRenderingContext2D::GetTransform which is
unsupported by the WebIDL. For now, let's just return an identity
transform as a placeholder for these situations.
|
||
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 7•1 year ago
|
||
Comment on attachment 9403649 [details]
Bug 1897201 - Return identity transform while recovering from context loss with canvas.
Beta/Release Uplift Approval Request
- User impact if declined: Content process crash when calling CanvasRenderingContext2D::GetTransform after a GPU process crash and before it has recovered
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): We are already silently failing most canvas calls during context loss. The caller isn't supposed to call anything during this time, and after it is restored, the state is reset to default anyways. Change is well contained.
- String changes made/needed:
- Is Android affected?: Yes
|
||
Comment 9•1 year ago
|
||
| bugherder | ||
|
||
Comment 10•1 year ago
|
||
Comment on attachment 9403649 [details]
Bug 1897201 - Return identity transform while recovering from context loss with canvas.
Approved for 127 beta 6, thanks.
|
||
Comment 11•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
||
Comment 12•1 year ago
|
||
Comment on attachment 9403649 [details]
Bug 1897201 - Return identity transform while recovering from context loss with canvas.
Approved for 126.0.1
|
|
||
Comment 13•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
Description
•