Closed Bug 355869 Opened 13 years ago Closed 13 years ago
Invalid read in nsCanvasRenderingContext2D::ContextState::ContextState
In SeaMonkey, tab tooltips are drawn using canvas. With linux seamonkey trunk CVS from 20061006, if I mouse over a tab to trigger the tooltip, I get an Invalid read of size 4 in nsCanvasRenderingContext2D::ContextState::ContextState. This might be a bug in nsTArray instead (that, or it's perhaps abusing the API). It seems to be using memory nsTArray dumped in a call to nsTArray::EnsureCapacity (via realloc). I'll attach the full valgrind log.
All this is happening from a single call to ctx.save() on line 269 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/xpfe/global/resources/content/bindings/tabbrowser.xml&rev=1.165&mark=269,231#208
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp&rev=1.70&mark=1102#1099 mStyleStack.AppendElement(CurrentState()); is effectively mStyleStack.AppendElement(mStyleStack[mSaveCount]); so it seems to evaluate mStyleStack[mSaveCount] lazily or some such thing. If I change it to ContextState state = CurrentState(); mStyleStack.AppendElement(state); the invalid read goes away. So this seems like a compiler bug.
I think it's not a compiler bug. That might be the right fix - AppendElement might reallocate the internal buffer, which invalidates pointers (and references) to elements in the array, leading to an invalid memory read; so the data needs to be copied beforehand.
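The reallocation hazard described in the two comments above, as an added example that is not code from the bug or from the Mozilla tree: a toy growable array with the nsTArray surface the bug used (AppendElement(const T&) and operator[]), a ContextState stand-in with assumed fields, and the save() call written both as it was before the patch and as the "use a copy" fix. The class and field names (ToyArray, StyleStackOwner, kPoison) are this example's own. A real realloc() frees the old block, which is what valgrind reported; to make the stale read observable without undefined behaviour, this toy scribbles the old block with a sentinel and keeps it alive until the destructor runs, so the buggy call visibly copies the sentinel instead of the intended state.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// Stand-in for nsCanvasRenderingContext2D::ContextState (fields assumed;
// the real struct holds more). A plain value type so copies are observable.
struct ContextState {
    double globalAlpha;
    uint32_t lineWidth;
};

// Sentinel written over storage after it has been "reallocated" away.
static const ContextState kPoison = { -1.0, 0xDEADBEEFu };

// Toy array with the nsTArray surface used in the bug. Growing moves the
// storage, which invalidates references into the old buffer.
class ToyArray {
public:
    ToyArray() : mData(nullptr), mLength(0), mCapacity(0) {}
    ~ToyArray() {
        delete[] mData;
        for (size_t i = 0; i < mQuarantine.size(); ++i) delete[] mQuarantine[i];
    }
    ToyArray(const ToyArray&) = delete;
    ToyArray& operator=(const ToyArray&) = delete;

    size_t Length() const { return mLength; }
    ContextState& operator[](size_t i) { return mData[i]; }

    // Check a caller can use before appending: does `item` live inside
    // this array's current storage (and so become dangling on growth)?
    bool Aliases(const ContextState& item) const {
        std::less<const ContextState*> lt;
        return mData && !lt(&item, mData) && lt(&item, mData + mLength);
    }

    // Same ordering as the hazard in the bug: the buffer may move inside
    // EnsureCapacity, and `item` is only dereferenced afterwards.
    void AppendElement(const ContextState& item) {
        EnsureCapacity(mLength + 1);
        mData[mLength++] = item;   // stale read if `item` aliased old mData
    }

private:
    void EnsureCapacity(size_t needed) {
        if (needed <= mCapacity) return;
        size_t newCap = mCapacity ? mCapacity * 2 : 1;
        ContextState* fresh = new ContextState[newCap]();
        for (size_t i = 0; i < mLength; ++i) fresh[i] = mData[i];
        if (mData) {
            // realloc() would free the old block here. Scribble it and park
            // it instead, so the stale read stays defined and visible.
            for (size_t i = 0; i < mCapacity; ++i) mData[i] = kPoison;
            mQuarantine.push_back(mData);
        }
        mData = fresh;
        mCapacity = newCap;
    }

    ContextState* mData;
    size_t mLength;
    size_t mCapacity;
    std::vector<ContextState*> mQuarantine;
};

// Minimal model of the canvas context's style stack and save count.
struct StyleStackOwner {
    ToyArray mStyleStack;
    size_t mSaveCount;
    explicit StyleStackOwner(const ContextState& initial) : mSaveCount(0) {
        mStyleStack.AppendElement(initial);   // first append: nothing to alias
    }
    ContextState& CurrentState() { return mStyleStack[mSaveCount]; }

    // The call before the patch: the argument is a reference into
    // mStyleStack itself, so AppendElement reads the moved-away storage.
    void SaveBuggy() {
        mStyleStack.AppendElement(CurrentState());
        mSaveCount++;
    }
    // The patched call ("use a copy"): copy first, then append.
    void SaveFixed() {
        ContextState state = CurrentState();
        mStyleStack.AppendElement(state);
        mSaveCount++;
    }
};

// lineWidth found on top of the stack after one save(), for either call style.
static uint32_t TopLineWidthAfterSave(bool useFix) {
    const ContextState initial = { 1.0, 7 };
    StyleStackOwner ctx(initial);
    if (useFix) ctx.SaveFixed(); else ctx.SaveBuggy();
    return ctx.CurrentState().lineWidth;
}

// True: the pre-patch argument really does point into the array being grown.
static bool SaveArgumentAliasesStack() {
    const ContextState initial = { 1.0, 7 };
    StyleStackOwner ctx(initial);
    return ctx.mStyleStack.Aliases(ctx.CurrentState());
}

int main() {
    std::printf("buggy save copied lineWidth 0x%x, fixed save copied %u\n",
                TopLineWidthAfterSave(false), TopLineWidthAfterSave(true));
    return 0;
}
```

The buggy path lands the sentinel (0xDEADBEEF) on the stack because the reference was taken before growth and read after it; the fixed path lands 7. Under a real allocator the same read touches freed memory, which is the valgrind report in comment 0 and a potential crash once the block is reused.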
Comment on attachment 241599 [details] [diff] [review] use a copy r=me, thanks for catching this!
Attachment #241599 - Flags: review?(vladimir) → review+
Attachment #241599 - Flags: superreview?(roc) → superreview+
landed on trunk
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 241599 [details] [diff] [review] use a copy This is low risk and avoids reading freed memory (potential crash). Probably missed the boat for 1.8.1, so requesting 1.8.1.1.
Attachment #241599 - Flags: approval1.8.1.1?
Comment on attachment 241599 [details] [diff] [review] use a copy approved for 1.8 branch, a=dveditz for drivers
Attachment #241599 - Flags: approval1.8.1.1? → approval1.8.1.1+
WFM: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:188.8.131.52pre) Gecko/20061201 BonEcho/184.108.40.206pre
Status: RESOLVED → VERIFIED