Status: RESOLVED FIXED
Product: Core
Component: Canvas: 2D
Reporter: georgi (Unassigned)
Version: Trunk
Hardware: x86
OS: Linux
Keywords: crash
Bug Flags: wanted1.8.1.x -
Whiteboard: [sg:critical?] mem corruption, not 1.8-branch
Attachments: 1 attachment

canvas crash toDataURLAs

There is a strange canvas-related crash triggered by a large canvas and
canvas.toDataURLAs("image/png","")

Registers are definitely screwed. May be glib/Xorg related - glib asserts
badly.


(Gecko:4841): GLib-GObject-WARNING **: invalid uninstantiatable type `GEnum' in cast to `GtkWidget'

Program /opt/joro/firefox/mozilla/fb-opt-static/dist/bin/firefox-bin (pid = 4841) received signal 11.

(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb741d7b6 in nanosleep () from /lib/tls/libc.so.6
#2  0xb741d5df in sleep () from /lib/tls/libc.so.6
#3  0xb7f5c96b in ah_crap_handler (signum=11) at nsSigHandlers.cpp:133
#4  0xb7f74cc4 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:210
#5  <signal handler called>
#6  0xb768aa53 in g_type_check_instance_cast ()
   from /usr/lib/libgobject-2.0.so.0
#7  0xb769743c in ?? () from /usr/lib/libgobject-2.0.so.0
#8  0x00000010 in ?? ()
#9  0xb769ad58 in ?? () from /usr/lib/libgobject-2.0.so.0
#10 0x0804ea50 in ?? ()
#11 0x08104560 in ?? ()
#12 0x08060500 in ?? ()
#13 0x009cff34 in ?? ()
#14 0xb5f26e2c in ?? ()
   from /opt/joro/firefox/mozilla/fb-opt-static/dist/bin/components/libwidget_gtk2.so
#15 0x088a0170 in ?? ()
#16 0xb64ab80c in ns_if_addref<nsIDocShellTreeOwner*> ()
at /opt/joro/firefox/mozilla/docshell/base/nsDocShellLoadTypes.h:110
Previous frame inner to this frame (corrupt stack?)
(gdb) frame 6
#6  0xb768aa53 in g_type_check_instance_cast ()
   from /usr/lib/libgobject-2.0.so.0
(gdb) x/i $eip
0xb768aa53 <g_type_check_instance_cast+83>:     testb  $0x40,0x7(%esi)
(gdb) p/x $esi
$1 = 0xdadadad8
(gdb) x/4x *$esi
Cannot access memory at address 0xdadadad8
(gdb)
Created attachment 221308: crash with bad $esi
I don't get the scary glib warning and don't crash on today's trunk.

But reloading a larger canvas causes an X window error and exit.

I also get an error: toDataURLAs is not a function.

Not sure if this is the expected behaviour.


Component: General → JavaScript Engine
Product: Firefox → Core

Comment 3
Hard to tell where this should go... docshell?
Component: JavaScript Engine → Embedding: Docshell
Er.. why docshell.  It's a canvas issue, no?
Component: Embedding: Docshell → Layout: Canvas
QA Contact: general → layout.canvas
Georgi, this seems to just put my X server in 100% CPU for a while (I killed Mozilla after a minute or so).  Could you post the full stack maybe?  As an attachment, if it's long.
(In reply to comment #5)
> Georgi, this seems to just put my X server in 100% CPU for a while (I killed
> Mozilla after a minute or so).  Could you post the full stack maybe?  As an
> attachment, if it's long.
> 

I don't crash on today's trunk, so I can't give a stack from today (I believe that the stack in the description is full, though it may not be quite correct).

Today's behaviour is this: on loading the testcase I get an exception that toDataURLAs is not a function. On the third reload of the testcase Firefox exits with this message:

The program 'Gecko' received an X Window System error.
This probably reflects a bug in the program.
The error was 'RenderBadPicture (invalid Picture parameter)'.
  (Details: serial 25948 error_code 181 request_code 154 minor_code 7)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

I will try to minimize the canvas and do a valgrind run, though I suspect that valgrind and a canvas large enough will take a *long* time.



Oh, I see.  The stack is completely busted, eh?  :(
(In reply to comment #7)
> Oh, I see.  The stack is completely busted, eh?  :(
> 

Either somewhat busted, or gdb is confused.

I have a testcase that causes the X error the first time; trying to minimize it (it uses a lot of memory).
valgrind produces this:

--WEBSHELL 0x1f398b30 == 3
WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv)) failed: file /opt/joro/firefox/mozilla/content/html/content/src/nsHTMLCanvasElement.cpp, line 395
++WEBSHELL 0x226032a8 == 4
++DOMWINDOW == 9
++DOMWINDOW == 10
--DOMWINDOW == 9
--DOMWINDOW == 8
The program 'Gecko' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadDrawable (invalid Pixmap or Window parameter)'.
  (Details: serial 52286 error_code 9 request_code 154 minor_code 4)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
Note that I don't crash with this anymore and don't get the scary glib warning - it just exits with the X error.
The 2006-02-22 build on Windows crashes, the 2006-03-04 build does not.
I suspect this was fixed when cairo was turned on (bug 323923) on Windows.
Note that the testcase uses >600MB on current trunk builds on Windows, something I'm not really fond of (bug?).
(In reply to comment #11)
> Note that the testcase uses >600MB on current trunk builds on windows,
> something I'm not really fond of (bug?).
> 

There are a lot of ways to use >600MB of VM.

Does this crash on branches too?
Flags: blocking1.9a1?
(In reply to comment #13)
> Does this crash on branches too?

Doesn't crash for me on branches.
Doesn't crash for me on Linux branches.

I get the exception canvas.toDataURLAs is not a function.
Whiteboard: [sg:critical?] mem corruption, not 1.8-branch
Keywords: crash
This was fixed by bug 336331, which made toDataURLAs [noscript].
Group: security
Status: NEW → RESOLVED
Resolution: --- → FIXED
Flags: blocking1.9a1?
Flags: wanted1.8.1.x-