Closed Bug 421715 Opened 16 years ago Closed 16 years ago

canvas.2dcontext.putImageData(array[undefined]) causes a crash [@ JS_GetProperty]

Categories

(Core :: Graphics: Canvas2D, defect, P1)

Product:
Core
Component:
Graphics: Canvas2D
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9beta5

People

(Reporter: msucan, Assigned: Gavin)

References

(
URL
)

Details

(Keywords: crash, testcase, verified1.8.1.15)

Crash Data

Attachments

(3 files)

test case
486 bytes, text/html
Details
throw for invalid objects
974 bytes, patch
vlad
: review+
dveditz
: approval1.8.1.15+
vlad
: approval1.9+
Details | Diff | Splinter Review
some crashtests
3.00 KB, patch
vlad
: review+
Details | Diff | Splinter Review 
User-Agent:       Opera/9.26 (X11; Linux i686; U; fr)
Build Identifier: 2008030804

Firefox 3 build 2008030804 crashes if you have a canvas 2dcontext to which you want to putImageData() from an undefined array element. The weird part is, it doesn't crash if array[1] or array[0] is used. However, Firefox crashes if array[2] is used.

The crasher is reproducible in Firefox 2 as well.

Available crash report:

http://crash-stats.mozilla.com/report/index/ea8388b5-ed3b-11dc-be10-001a4bd43ef6

(the crash report includes a private URL, please don't make it public ;) )

Reproducible: Always

Steps to Reproduce:
1. Load the provided URL
2. Click the paragraph.
3. Crash.
Actual Results:  
Firefox crashes.

Expected Results:  
Firefox should not crash.
Attached file test case 
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-firefox3?
Keywords: crash, 
          
            testcase
Summary: canvas.2dcontext.putImageData(array[undefined]) causes a crash → canvas.2dcontext.putImageData(array[undefined]) causes a crash [@ JS_GetProperty]
Version: unspecified → Trunk

    
  
Version: Trunk → unspecified

    
    

    
  
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b5pre) Gecko/2008030806 Minefield/3.0b5pre ID:2008030806

Confirming, bp-8b72f9e8-ed3f-11dc-af24-001a4bd46e84

Signature	JS_GetProperty
UUID	8b72f9e8-ed3f-11dc-af24-001a4bd46e84
Time	2008-03-08 10:42:55-08:00
Uptime	0
Product	Firefox
Version	3.0b5pre
Build ID	2008030806
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	AuthenticAMD family 6 model 8 stepping 1
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
Comments	

Frame  	Signature  	Source
0 	JS_GetProperty 	mozilla/js/src/jsapi.c:3464
1 	nsCanvasRenderingContext2D::PutImageData() 	mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp:2556
2 	NS_InvokeByIndex_P 	mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
3 	XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) 	mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:2369
Version: unspecified → Trunk
Flags: blocking-firefox3?
Product: Firefox → Core
QA Contact: general → general
Flags: blocking1.9?
Component: General → Layout: Canvas
QA Contact: general → layout.canvas

    
    

    
  


  
Assignee: nobody → gavin.sharp
Status: NEW → ASSIGNED

        Attachment #308275 -
        Flags: review?(vladimir)
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9beta5

        Attachment #308286 -
        Flags: review? → review?(vladimir)

        Attachment #308275 -
        Flags: review?(vladimir)

        Attachment #308275 -
        Flags: review+

        Attachment #308275 -
        Flags: approval1.9+

    
    

    
  
mozilla/content/canvas/crashtests/421715-1.html 	1.1
mozilla/content/canvas/crashtests/crashtests.list 	1.1
mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp 	1.122
mozilla/testing/crashtest/crashtests.list 	1.33
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Keywords: checkin-needed
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 308275 [details] [diff] [review]
throw for invalid objects

Simple null check fix that's giving Phillip some trouble as he tests out canvas on the branch.

        Attachment #308275 -
        Flags: approval1.8.1.15?

    
    

    
  
Comment on attachment 308275 [details] [diff] [review]
throw for invalid objects

approved for 1.8.1.15, a=dveditz for release-drivers

        Attachment #308275 -
        Flags: approval1.8.1.15? → approval1.8.1.15+

    
    

    
  
Landed on the branch for Firefox 2.0.0.15.
mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp 	1.22.2.33
Flags: blocking1.9?
Keywords: fixed1.8.1.15

    
    

    
  
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/20080611 BonEcho/2.0.0.15pre

Verified for branch. Crashed on 1.8.1.14 and didn't crash on latest Bon Echo using STR in comment 0.
Keywords: fixed1.8.1.15verified1.8.1.15
Depends on: 473968
Crash Signature: [@ JS_GetProperty]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: