canvas.2dcontext.putImageData(array[undefined]) causes a crash [@ JS_GetProperty]

RESOLVED FIXED in mozilla1.9beta5

Status

Core
Canvas: 2D
P1
critical
RESOLVED FIXED
10 years ago
6 years ago

People

(Reporter: msucan, Assigned: Gavin)

Tracking

({crash, testcase, verified1.8.1.15})

Trunk
mozilla1.9beta5
Bug Flags:
in-testsuite +

Attachments

(3 attachments)

(Reporter)

Description

10 years ago
User-Agent:       Opera/9.26 (X11; Linux i686; U; fr)
Build Identifier: 2008030804

Firefox 3 build 2008030804 crashes if you have a canvas 2dcontext to which you want to putImageData() from an undefined array element. The weird part is, it doesn't crash if array[1] or array[0] is used. However, Firefox crashes if array[2] is used.

The crasher is reproducible in Firefox 2 as well.

Available crash report:

http://crash-stats.mozilla.com/report/index/ea8388b5-ed3b-11dc-be10-001a4bd43ef6

(the crash report includes a private URL, please don't make it public ;) )

Reproducible: Always

Steps to Reproduce:
1. Load the provided URL
2. Click the paragraph.
3. Crash.
Actual Results:  
Firefox crashes.

Expected Results:  
Firefox should not crash.
(Reporter)

Comment 1

10 years ago
Created attachment 308181 [details]
test case

Updated

10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-firefox3?
Keywords: crash, testcase
Summary: canvas.2dcontext.putImageData(array[undefined]) causes a crash → canvas.2dcontext.putImageData(array[undefined]) causes a crash [@ JS_GetProperty]
Version: unspecified → Trunk

Updated

10 years ago
Version: Trunk → unspecified

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008030806 Minefield/3.0b5pre ID:2008030806

Confirming, bp-8b72f9e8-ed3f-11dc-af24-001a4bd46e84

Signature	JS_GetProperty
UUID	8b72f9e8-ed3f-11dc-af24-001a4bd46e84
Time	2008-03-08 10:42:55-08:00
Uptime	0
Product	Firefox
Version	3.0b5pre
Build ID	2008030806
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	AuthenticAMD family 6 model 8 stepping 1
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
Comments	

Frame  	Signature  	Source
0 	JS_GetProperty 	mozilla/js/src/jsapi.c:3464
1 	nsCanvasRenderingContext2D::PutImageData() 	mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:2556
2 	NS_InvokeByIndex_P 	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
3 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369

Version: unspecified → Trunk

Updated

10 years ago
Component: General → General
Flags: blocking-firefox3?
Product: Firefox → Core
QA Contact: general → general

Updated

10 years ago
Flags: blocking1.9?
Component: General → Layout: Canvas
QA Contact: general → layout.canvas

Created attachment 308275 [details] [diff] [review]
throw for invalid objects
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED
Attachment #308275 - Flags: review?(vladimir)
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9beta5

Created attachment 308286 [details] [diff] [review]
some crashtests
Attachment #308286 - Flags: review?

Attachment #308286 - Flags: review? → review?(vladimir)

Attachment #308275 - Flags: review?(vladimir)
Attachment #308275 - Flags: review+
Attachment #308275 - Flags: approval1.9+
Attachment #308286 - Flags: review?(vladimir) → review+

Keywords: checkin-needed

mozilla/content/canvas/crashtests/421715-1.html 	1.1
mozilla/content/canvas/crashtests/crashtests.list 	1.1
mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp 	1.122
mozilla/testing/crashtest/crashtests.list 	1.33
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Flags: in-testsuite+
Keywords: checkin-needed
Resolution: --- → FIXED

Comment on attachment 308275 [details] [diff] [review]
throw for invalid objects

Simple null check fix that's giving Phillip some trouble as he tests out canvas on the branch.
Attachment #308275 - Flags: approval1.8.1.15?

Comment on attachment 308275 [details] [diff] [review]
throw for invalid objects

approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #308275 - Flags: approval1.8.1.15? → approval1.8.1.15+

Landed on the branch for Firefox 2.0.0.15.
mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp 	1.22.2.33
Flags: blocking1.9?
Keywords: fixed1.8.1.15

Comment 9

9 years ago
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/20080611 BonEcho/2.0.0.15pre

Verified for branch. Crashed on 1.8.1.14 and didn't crash on latest Bon Echo using STR in comment 0.
Keywords: fixed1.8.1.15 → verified1.8.1.15
Depends on: 473968
Crash Signature: [@ JS_GetProperty]
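
The patch in this bug is titled "throw for invalid objects" and is described in the approval request as a simple null check. The JavaScript below is an added example, not the Mozilla patch or the attached test case: it applies the same validate-before-dereference rule to the argument of putImageData at the script level. The names checkImageData, guardedPutImageData and makeRecordingContext, the width/height/data shape checks and the sample input are assumptions made for illustration.

```javascript
// Added example: validate the ImageData-like argument before any property is read.
// checkImageData and guardedPutImageData are hypothetical names, not Mozilla APIs.
function checkImageData(img) {
  // Indexing past the end of an array yields undefined; typeof null is "object",
  // so both cases have to be rejected explicitly.
  if (img === null || typeof img !== "object") {
    throw new TypeError("putImageData: argument is not an object");
  }
  const { width, height, data } = img;
  if (!Number.isInteger(width) || !Number.isInteger(height) || width <= 0 || height <= 0) {
    throw new TypeError("putImageData: width and height must be positive integers");
  }
  if (data === null || typeof data !== "object" || typeof data.length !== "number") {
    throw new TypeError("putImageData: data is not array-like");
  }
  if (data.length !== width * height * 4) {
    throw new RangeError("putImageData: data length does not match width * height * 4");
  }
  return img;
}

function guardedPutImageData(ctx, img, dx, dy) {
  if (!Number.isFinite(dx) || !Number.isFinite(dy)) {
    throw new TypeError("putImageData: dx and dy must be finite numbers");
  }
  ctx.putImageData(checkImageData(img), dx, dy);
}

// Constructed stand-in for a 2D context so the example runs outside a browser.
function makeRecordingContext() {
  const calls = [];
  return { calls, putImageData: (img, dx, dy) => calls.push({ img, dx, dy }) };
}

// Constructed input: a two-element array, so frames[2] is undefined.
function demo() {
  const px = { width: 1, height: 1, data: [0, 0, 0, 255] };
  const frames = [px, px];
  const ctx = makeRecordingContext();
  const outcomes = [0, 1, 2].map((i) => {
    try { guardedPutImageData(ctx, frames[i], 0, 0); return "drawn"; }
    catch (e) { return e.name; }
  });
  return { outcomes, drawn: ctx.calls.length };
}
```
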