Bug 421715 - canvas.2dcontext.putImageData(array[undefined]) causes a crash [@ JS_GetProperty]
Status: RESOLVED FIXED
Keywords: crash, testcase, verified1.8.1.15
Product: Core
Classification: Components
Component: Canvas: 2D
Version: Trunk
Platform: All All
Importance: P1 critical
Target Milestone: mozilla1.9beta5
Assigned To: :Gavin Sharp [email: gavin@gavinsharp.com]
URL: http://www.robodesign.ro/coding/0040/
Depends on: 473968
Reported: 2008-03-08 10:32 PST by Mihai Sucan [:msucan]
Modified: 2011-06-09 14:58 PDT
gavin.sharp: in‑testsuite+


Attachments
test case (486 bytes, text/html)
2008-03-08 10:34 PST, Mihai Sucan [:msucan]
no flags
throw for invalid objects (974 bytes, patch)
2008-03-09 03:40 PDT, :Gavin Sharp [email: gavin@gavinsharp.com]
vladimir: review+
dveditz: approval1.8.1.15+
vladimir: approval1.9+
some crashtests (3.00 KB, patch)
2008-03-09 06:02 PDT, :Gavin Sharp [email: gavin@gavinsharp.com]
vladimir: review+

Description Mihai Sucan [:msucan] 2008-03-08 10:32:17 PST
User-Agent:       Opera/9.26 (X11; Linux i686; U; fr)
Build Identifier: 2008030804

Firefox 3 build 2008030804 crashes if you have a canvas 2dcontext to which you want to putImageData() from an undefined array element. The weird part is, it doesn't crash if array[1] or array[0] is used. However, Firefox crashes if array[2] is used.

The crasher is reproducible in Firefox 2 as well.

Available crash report:

http://crash-stats.mozilla.com/report/index/ea8388b5-ed3b-11dc-be10-001a4bd43ef6

(the crash report includes a private URL, please don't make it public ;) )

Reproducible: Always

Steps to Reproduce:
1. Load the provided URL
2. Click the paragraph.
3. Crash.
Actual Results:  
Firefox crashes.

Expected Results:  
Firefox should not crash.
Comment 1 Mihai Sucan [:msucan] 2008-03-08 10:34:29 PST
Created attachment 308181
test case
Comment 2 Steve England [:stevee] 2008-03-08 10:46:20 PST
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008030806 Minefield/3.0b5pre ID:2008030806

Confirming, bp-8b72f9e8-ed3f-11dc-af24-001a4bd46e84

Signature	JS_GetProperty
UUID	8b72f9e8-ed3f-11dc-af24-001a4bd46e84
Time	2008-03-08 10:42:55-08:00
Uptime	0
Product	Firefox
Version	3.0b5pre
Build ID	2008030806
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	AuthenticAMD family 6 model 8 stepping 1
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
Comments	

Frame  	Signature  	Source
0 	JS_GetProperty 	mozilla/js/src/jsapi.c:3464
1 	nsCanvasRenderingContext2D::PutImageData() 	mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:2556
2 	NS_InvokeByIndex_P 	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
3 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369
Comment 3 :Gavin Sharp [email: gavin@gavinsharp.com] 2008-03-09 03:40:18 PDT
Created attachment 308275
throw for invalid objects
Comment 4 :Gavin Sharp [email: gavin@gavinsharp.com] 2008-03-09 06:02:53 PDT
Created attachment 308286
some crashtests
Comment 5 :Gavin Sharp [email: gavin@gavinsharp.com] 2008-03-10 00:42:14 PDT
mozilla/content/canvas/crashtests/421715-1.html 	1.1
mozilla/content/canvas/crashtests/crashtests.list 	1.1
mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp 	1.122
mozilla/testing/crashtest/crashtests.list 	1.33
Comment 6 :Gavin Sharp [email: gavin@gavinsharp.com] 2008-05-04 10:10:57 PDT
Comment on attachment 308275
throw for invalid objects

Simple null check fix that's giving Phillip some trouble as he tests out canvas on the branch.
Comment 7 Daniel Veditz [:dveditz] 2008-05-05 11:10:36 PDT
Comment on attachment 308275
throw for invalid objects

approved for 1.8.1.15, a=dveditz for release-drivers
Comment 8 :Gavin Sharp [email: gavin@gavinsharp.com] 2008-05-05 12:17:37 PDT
Landed on the branch for Firefox 2.0.0.15.
mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp 	1.22.2.33
Comment 9 Hasham 2008-06-11 16:16:24 PDT
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/20080611 BonEcho/2.0.0.15pre

Verified for branch. Crashed on 1.8.1.14 and didn't crash on latest Bon Echo using STR in comment 0.
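
A crashtest-style check for the behaviour the patch title describes ("throw for invalid objects"), as an added example that is not part of the bug thread or of the Mozilla patches: it passes invalid first arguments to putImageData() and lists the ones that were not rejected with an exception. The candidate values other than the undefined array element, both stand-in contexts and all function names are assumptions constructed here.

```javascript
// Invalid first arguments for putImageData(). `[][2]` mirrors the report:
// reading a missing array element yields undefined.
const INVALID_IMAGE_DATA = [
  ["missing array element", [][2]],
  ["null", null],
  ["number", 42],
  ["string", "pixels"],
  ["empty object", {}],
  ["short data array", { width: 2, height: 2, data: [0, 0, 0, 0] }],
];

// Calls ctx.putImageData(value, 0, 0) for every candidate and returns the
// labels of the candidates that were NOT rejected with an exception.
function findAcceptedInvalidArgs(ctx, candidates = INVALID_IMAGE_DATA) {
  const accepted = [];
  for (const [label, value] of candidates) {
    try {
      ctx.putImageData(value, 0, 0);
      accepted.push(label); // no exception: the argument was not validated
    } catch (e) {
      // Rejected with an exception, the outcome the fix is named for.
    }
  }
  return accepted;
}

// Constructed stand-in that validates before touching the argument
// (assumption: models "throw for invalid objects"; not Gecko code).
const validatingCtx = {
  putImageData(img) {
    if (img === null || typeof img !== "object") {
      throw new TypeError("image data is not an object");
    }
    const { width, height, data } = img;
    if (!Number.isInteger(width) || !Number.isInteger(height) ||
        width <= 0 || height <= 0) {
      throw new TypeError("image data has invalid dimensions");
    }
    if (!data || data.length !== width * height * 4) {
      throw new TypeError("image data has the wrong length");
    }
  },
};

// Constructed stand-in that reads properties without validating anything.
const trustingCtx = {
  putImageData(img) {
    return img.width * img.height;
  },
};
```

In a browser, pass `canvas.getContext("2d")` as `ctx`; an empty result means every invalid argument was rejected with an exception.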
