Bug 421715 - canvas.2dcontext.putImageData(array[undefined]) causes a crash [@ JS_GetProperty]
Keywords: crash, testcase, verified1.8.1.15
Product: Core
Classification: Components
Component: Canvas: 2D
Version: Trunk
Platform: All All
Importance: P1 critical
Target Milestone: mozilla1.9beta5
Assigned To: :Gavin Sharp [email:]
: Milan Sreckovic [:milan]
Depends on: 473968
Reported: 2008-03-08 10:32 PST by Mihai Sucan [:msucan]
Modified: 2011-06-09 14:58 PDT
CC List: 4 users
Flags: in‑testsuite+

test case (486 bytes, text/html)
2008-03-08 10:34 PST, Mihai Sucan [:msucan]
no flags
throw for invalid objects (974 bytes, patch)
2008-03-09 03:40 PDT, :Gavin Sharp [email:]
vladimir: review+
dveditz: approval1.8.1.15+
vladimir: approval1.9+
some crashtests (3.00 KB, patch)
2008-03-09 06:02 PDT, :Gavin Sharp [email:]
vladimir: review+

Description Mihai Sucan [:msucan] 2008-03-08 10:32:17 PST
User-Agent:       Opera/9.26 (X11; Linux i686; U; fr)
Build Identifier: 2008030804

Firefox 3 build 2008030804 crashes if you have a canvas 2dcontext to which you want to putImageData() from an undefined array element. The weird part is, it doesn't crash if array[1] or array[0] is used. However, Firefox crashes if array[2] is used.

The crasher is reproducible in Firefox 2 as well.

Available crash report:

(the crash report includes a private URL, please don't make it public ;) )

Reproducible: Always

Steps to Reproduce:
1. Load the provided URL
2. Click the paragraph.
3. Crash.
Actual Results:  
Firefox crashes.

Expected Results:  
Firefox should not crash.
Comment 1 Mihai Sucan [:msucan] 2008-03-08 10:34:29 PST
Created attachment 308181
test case
Comment 2 Steve England [:stevee] 2008-03-08 10:46:20 PST
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008030806 Minefield/3.0b5pre ID:2008030806

Confirming, bp-8b72f9e8-ed3f-11dc-af24-001a4bd46e84

Signature	JS_GetProperty
UUID	8b72f9e8-ed3f-11dc-af24-001a4bd46e84
Time	2008-03-08 10:42:55-08:00
Uptime	0
Product	Firefox
Version	3.0b5pre
Build ID	2008030806
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	AuthenticAMD family 6 model 8 stepping 1
Crash Address	0x0

Frame  	Signature  	Source
0 	JS_GetProperty 	mozilla/js/src/jsapi.c:3464
1 	nsCanvasRenderingContext2D::PutImageData() 	mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:2556
2 	NS_InvokeByIndex_P 	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
3 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369
Comment 3 :Gavin Sharp [email:] 2008-03-09 03:40:18 PDT
Created attachment 308275
throw for invalid objects
Comment 4 :Gavin Sharp [email:] 2008-03-09 06:02:53 PDT
Created attachment 308286
some crashtests
Comment 5 :Gavin Sharp [email:] 2008-03-10 00:42:14 PDT
mozilla/content/canvas/crashtests/421715-1.html 	1.1
mozilla/content/canvas/crashtests/crashtests.list 	1.1
mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp 	1.122
mozilla/testing/crashtest/crashtests.list 	1.33
Comment 6 :Gavin Sharp [email:] 2008-05-04 10:10:57 PDT
Comment on attachment 308275
throw for invalid objects

Simple null check fix that's giving Phillip some trouble as he tests out canvas on the branch.
Comment 7 Daniel Veditz [:dveditz] 2008-05-05 11:10:36 PDT
Comment on attachment 308275
throw for invalid objects

approved for, a=dveditz for release-drivers
Comment 8 :Gavin Sharp [email:] 2008-05-05 12:17:37 PDT
Landed on the branch for Firefox
Comment 9 Hasham 2008-06-11 16:16:24 PDT
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20080611 BonEcho/

Verified for branch. Crashed on and didn't crash on latest Bon Echo using STR in comment 0.
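
The thread describes the fix only as "throw for invalid objects" and a "simple null check". The sketch below is an added example, not the patch from attachment 308275 and not Mozilla code: it models that behaviour in JavaScript with a stub context and a small regression check, and all function names in it are hypothetical.

```javascript
// Added example: models the argument check only; every name here is hypothetical.

function validateImageData(imageData) {
  // Reject undefined, null and primitives before any property lookup;
  // the crash reported here happened during a property read in putImageData.
  if (imageData === null || typeof imageData !== "object") {
    throw new TypeError("putImageData: argument is not an object");
  }
  const { width, height, data } = imageData;
  if (!Number.isInteger(width) || !Number.isInteger(height) || width <= 0 || height <= 0) {
    throw new TypeError("putImageData: width and height must be positive integers");
  }
  if (data === null || typeof data !== "object" || data.length !== width * height * 4) {
    throw new TypeError("putImageData: data must hold width * height * 4 values");
  }
  return { width, height, data };
}

// Stand-in for a 2D context so the check runs outside a browser.
function makeStubContext() {
  return {
    accepted: 0, // number of calls that passed validation
    putImageData(imageData, dx, dy) {
      validateImageData(imageData);
      this.accepted += 1;
    },
  };
}

// Feed invalid values to ctx.putImageData and return the labels of any
// that were accepted without an exception (empty array means all rejected).
function findAcceptedInvalidInputs(ctx) {
  const frames = [{ width: 1, height: 1, data: [0, 0, 0, 255] }]; // constructed sample
  const invalid = [
    ["undefined array element", frames[2]],
    ["null", null],
    ["number", 42],
    ["object without fields", {}],
    ["data too short", { width: 2, height: 2, data: [0, 0, 0, 255] }],
  ];
  const accepted = [];
  for (const [label, value] of invalid) {
    try {
      ctx.putImageData(value, 0, 0);
      accepted.push(label);
    } catch (e) { /* any exception counts as a clean rejection */ }
  }
  return accepted;
}
```

`findAcceptedInvalidInputs` takes any object with a `putImageData` method, so the same check can be pointed at a real canvas 2D context in a browser.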
