Closed Bug 578465 Opened 14 years ago Closed 14 years ago

crash in [@ nsHTMLCanvasElement::ToDataURLImpl] when running WebGL conformance suite

Categories

(Core :: Graphics: CanvasWebGL, defect)

All
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 578215

People

(Reporter: bjacob, Assigned: bjacob)

Details

(Keywords: crash, crashreportid)

Attachments

(1 file)

the problem is that at line 240 we do

   getter_AddRefs(imgStream)

and imgStream is null.

Backtrace + printing imgStream:

#0  0x000000381e0a6afd in nanosleep () at ../sysdeps/unix/syscall-template.S:82
#1  0x000000381e0a6970 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2  0x00007f6bdc649c90 in ah_crap_handler (signum=11) at /home/bjacob/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3  0x00007f6bdc64ea31 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fffd7cad530, context=0x7fffd7cad400) at nsProfileLock.cpp:221
#4  <signal handler called>
#5  0x00007f6bdcd84522 in nsHTMLCanvasElement::ToDataURLImpl (this=0x7f6bcc741ca0, aMimeType=..., aEncoderOptions=..., aDataURL=...)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:240
#6  0x00007f6bdcd84332 in nsHTMLCanvasElement::ToDataURL (this=0x7f6bcc741ca0, aType=..., aParams=..., optional_argc=0 '\000', aDataURL=...)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:205
#7  0x00007f6bdd5073c5 in nsIDOMHTMLCanvasElement_ToDataURL (cx=0x7f6bc8b41800, argc=0, vp=0x7f6bd02fe2a8) at dom_quickstubs.cpp:17501
#8  0x00007f6bdbbe9588 in js_Interpret (cx=0x7f6bc8b41800) at /home/bjacob/mozilla-central/js/src/jsops.cpp:2148
#9  0x00007f6bdbbfd0bc in js_Invoke (cx=0x7f6bc8b41800, args=..., flags=0) at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:664
#10 0x00007f6bdbbfd28f in js_InternalInvoke (cx=0x7f6bc8b41800, obj=0x7f6bc282d000, fval=140100801568128, flags=0, argc=1, argv=0x7f6bbe93e020, rval=0x7fffd7cae818)
    at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:694
#11 0x00007f6bdbb6481e in JS_CallFunctionValue (cx=0x7f6bc8b41800, obj=0x7f6bc282d000, fval=140100801568128, argc=1, argv=0x7f6bbe93e020, rval=0x7fffd7cae818)
    at /home/bjacob/mozilla-central/js/src/jsapi.cpp:4632
#12 0x00007f6bdcf235e6 in nsJSContext::CallEventHandler (this=0x7f6bcabef200, aTarget=0x7f6bbe917468, aScope=0x7f6bc282d000, aHandler=0x7f6bc2829d80, aargv=0x7f6bc1326850, arv=
    0x7fffd7cae9b0) at /home/bjacob/mozilla-central/dom/base/nsJSEnvironment.cpp:2204
#13 0x00007f6bdcfb209c in nsJSEventListener::HandleEvent (this=0x7f6bc4e85200, aEvent=0x7f6bc2721be0) at /home/bjacob/mozilla-central/dom/src/events/nsJSEventListener.cpp:228
#14 0x00007f6bdcd1b205 in nsEventListenerManager::HandleEventSubType (this=0x7f6bc21f9f50, aListenerStruct=0x7f6bc21f9f98, aListener=0x7f6bc4e85200, aDOMEvent=0x7f6bc2721be0, 
    aCurrentTarget=0x7f6bbe917488, aPhaseFlags=6, aPusher=0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventListenerManager.cpp:1094
#15 0x00007f6bdcd1b6c4 in nsEventListenerManager::HandleEventInternal (this=0x7f6bc21f9f50, aPresContext=0x7f6bbe916c00, aEvent=0x7fffd7caf1b0, aDOMEvent=0x7fffd7caf050, 
    aCurrentTarget=0x7f6bbe917488, aFlags=6, aEventStatus=0x7fffd7caf058, aPusher=0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventListenerManager.cpp:1190
#16 0x00007f6bdcd470ed in nsEventListenerManager::HandleEvent (this=0x7f6bc21f9f50, aPresContext=0x7f6bbe916c00, aEvent=0x7fffd7caf1b0, aDOMEvent=0x7fffd7caf050, aCurrentTarget=
    0x7f6bbe917488, aFlags=6, aEventStatus=0x7fffd7caf058, aPusher=0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventListenerManager.h:146
#17 0x00007f6bdcd4761d in nsEventTargetChainItem::HandleEvent (this=0x7f6bcf8bb3b8, aVisitor=..., aFlags=6, aMayHaveNewListenerManagers=0, aPusher=0x7fffd7caf080)
    at /home/bjacob/mozilla-central/content/events/src/nsEventDispatcher.cpp:212
#18 0x00007f6bdcd452a2 in nsEventTargetChainItem::HandleEventTargetChain (this=0x7f6bcf8bb1f8, aVisitor=..., aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=0, aPusher=
    0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventDispatcher.cpp:341
#19 0x00007f6bdcd46039 in nsEventDispatcher::Dispatch (aTarget=0x7f6bc8b41400, aPresContext=0x7f6bbe916c00, aEvent=0x7fffd7caf1b0, aDOMEvent=0x0, aEventStatus=0x7fffd7caf1fc, 
    aCallback=0x0, aTargets=0x0) at /home/bjacob/mozilla-central/content/events/src/nsEventDispatcher.cpp:628
#20 0x00007f6bdc8f6f18 in DocumentViewerImpl::LoadComplete (this=0x7f6bc10f9200, aStatus=0) at /home/bjacob/mozilla-central/layout/base/nsDocumentViewer.cpp:1037
#21 0x00007f6bdd568a70 in nsDocShell::EndPageLoad (this=0x7f6bc8b3f800, aProgress=0x7f6bc8b3f828, aChannel=0x7f6bbf42d2a0, aStatus=0)
    at /home/bjacob/mozilla-central/docshell/base/nsDocShell.cpp:5766
#22 0x00007f6bdd568453 in nsDocShell::OnStateChange (this=0x7f6bc8b3f800, aProgress=0x7f6bc8b3f828, aRequest=0x7f6bbf42d2a0, aStateFlags=131088, aStatus=0)
    at /home/bjacob/mozilla-central/docshell/base/nsDocShell.cpp:5647
#23 0x00007f6bdd5957d1 in nsDocLoader::FireOnStateChange (this=0x7f6bc8b3f800, aProgress=0x7f6bc8b3f828, aRequest=0x7f6bbf42d2a0, aStateFlags=131088, aStatus=0)
    at /home/bjacob/mozilla-central/uriloader/base/nsDocLoader.cpp:1321
#24 0x00007f6bdd5944fc in nsDocLoader::doStopDocumentLoad (this=0x7f6bc8b3f800, request=0x7f6bbf42d2a0, aStatus=0) at /home/bjacob/mozilla-central/uriloader/base/nsDocLoader.cpp:929
#25 0x00007f6bdd5940e5 in nsDocLoader::DocLoaderIsEmpty (this=0x7f6bc8b3f800, aFlushLayout=1) at /home/bjacob/mozilla-central/uriloader/base/nsDocLoader.cpp:805
#26 0x00007f6bdd593c12 in nsDocLoader::OnStopRequest (this=0x7f6bc8b3f800, aRequest=0x7f6bc5067ea0, aCtxt=0x0, aStatus=0)
    at /home/bjacob/mozilla-central/uriloader/base/nsDocLoader.cpp:700
#27 0x00007f6bdc696851 in nsLoadGroup::RemoveRequest (this=0x7f6bcab44df0, request=0x7f6bc5067ea0, ctxt=0x0, aStatus=0)
    at /home/bjacob/mozilla-central/netwerk/base/src/nsLoadGroup.cpp:680
#28 0x00007f6bdcc2f63b in nsDocument::DoUnblockOnload (this=0x7f6bbe809800) at /home/bjacob/mozilla-central/content/base/src/nsDocument.cpp:6945
#29 0x00007f6bdcc2f3fc in nsDocument::UnblockOnload (this=0x7f6bbe809800, aFireSync=1) at /home/bjacob/mozilla-central/content/base/src/nsDocument.cpp:6887
#30 0x00007f6bdcd44d11 in nsLoadBlockingPLDOMEvent::~nsLoadBlockingPLDOMEvent (this=0x7f6bcc151880, __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/content/events/src/nsPLDOMEvent.cpp:86
---Type <return> to continue, or q <return> to quit---
#31 0x00007f6bdcd44d64 in nsLoadBlockingPLDOMEvent::~nsLoadBlockingPLDOMEvent (this=0x7f6bcc151880, __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/content/events/src/nsPLDOMEvent.cpp:88
#32 0x00007f6bddb7b9fa in nsRunnable::Release (this=0x7f6bcc151880) at nsThreadUtils.cpp:55
#33 0x00007f6bdc64b8d6 in nsCOMPtr<nsIRunnable>::~nsCOMPtr (this=0x7fffd7cafce0, __in_chrg=<value optimized out>) at ../../dist/include/nsCOMPtr.h:533
#34 0x00007f6bddbef3c8 in nsThread::ProcessNextEvent (this=0x7f6bda138d70, mayWait=0, result=0x7fffd7cafd5c) at /home/bjacob/mozilla-central/xpcom/threads/nsThread.cpp:552
#35 0x00007f6bddb7bf7d in NS_ProcessNextEvent_P (thread=0x7f6bda138d70, mayWait=0) at nsThreadUtils.cpp:250
#36 0x00007f6bdda42ea6 in mozilla::ipc::MessagePump::Run (this=0x7f6bda1af800, aDelegate=0x7f6bda1d21c0) at /home/bjacob/mozilla-central/ipc/glue/MessagePump.cpp:118
#37 0x00007f6bddc5eb91 in MessageLoop::RunInternal (this=0x7f6bda1d21c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#38 0x00007f6bddc5eb16 in MessageLoop::RunHandler (this=0x7f6bda1d21c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:202
#39 0x00007f6bddc5eaa7 in MessageLoop::Run (this=0x7f6bda1d21c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:176
#40 0x00007f6bdd8e8889 in nsBaseAppShell::Run (this=0x7f6bd27d4a20) at /home/bjacob/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:175
#41 0x00007f6bdd645b01 in nsAppStartup::Run (this=0x7f6bd00ff330) at /home/bjacob/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:192
#42 0x00007f6bdc63bafd in XRE_main (argc=4, argv=0x7fffd7cb09c8, aAppData=0x7f6bda1250f0) at /home/bjacob/mozilla-central/toolkit/xre/nsAppRunner.cpp:3625
#43 0x0000000000401f4f in main (argc=4, argv=0x7fffd7cb09c8) at /home/bjacob/mozilla-central/browser/app/nsBrowserApp.cpp:158
(gdb) frame 5
#5  0x00007f6bdcd84522 in nsHTMLCanvasElement::ToDataURLImpl (this=0x7f6bcc741ca0, aMimeType=..., aEncoderOptions=..., aDataURL=...)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:240
240                                    getter_AddRefs(imgStream));
(gdb) print imgStream
$1 = {mRawPtr = 0x0}
Assignee: nobody → bjacob
ah no, that imgStream being null can't be the cause of this crash.... investigating
Severity: normal → critical
Keywords: crash
Summary: crash in nsHTMLCanvasElement.cpp when running WebGL conformance suite → crash in [@ nsHTMLCanvasElement::ToDataURLImpl] when running WebGL conformance suite
Thanks to Ehsan... context is null here.
This patch was basically written by Ehsan ;-)

It fixes the crash; the problem was that GetContext had a bug letting it return NS_OK even if the context pointer was null.
Attachment #457154 - Flags: review?(vladimir)
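
Added example (not part of the bug thread and not Mozilla's code): a simplified C++ model of the failure mode described above, where a getter reports success while leaving its out-parameter null, next to a getter with the repaired contract and a caller that checks the pointer as well as the status. `Status`, `Context`, `Canvas`, `GetContextBuggy`, `GetContextFixed` and `ToDataURL` are hypothetical names chosen for the illustration.

```cpp
#include <cstdio>
#include <string>

// Simplified stand-ins with hypothetical names; not Mozilla's types or code.
enum Status { OK, ERROR_FAILURE, ERROR_UNEXPECTED };

struct Context {
    std::string Encode() const { return "data:image/png;base64,"; }
};

struct Canvas {
    Context ctx;
    bool hasContext = false;  // false models a context that could not be created

    // Pattern described in the bug: success is reported while *out is null.
    Status GetContextBuggy(Context** out) {
        *out = hasContext ? &ctx : nullptr;
        return OK;
    }

    // Repaired contract: OK is returned only together with a non-null *out.
    Status GetContextFixed(Context** out) {
        *out = nullptr;
        if (!hasContext) return ERROR_FAILURE;
        *out = &ctx;
        return OK;
    }
};

// Caller that checks the pointer as well as the status code, so a getter with
// the buggy contract produces an error instead of a null dereference.
Status ToDataURL(Canvas& c, Status (Canvas::*get)(Context**), std::string& url) {
    Context* context = nullptr;
    Status rv = (c.*get)(&context);
    if (rv != OK) return rv;
    if (!context) return ERROR_UNEXPECTED;
    url = context->Encode();
    return OK;
}

int main() {
    Canvas c;  // constructed sample: a canvas with no usable context
    std::string url;
    std::printf("buggy getter: %d\n", (int)ToDataURL(c, &Canvas::GetContextBuggy, url));
    std::printf("fixed getter: %d\n", (int)ToDataURL(c, &Canvas::GetContextFixed, url));
    return 0;
}
```
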
Here are STR for what I think is the same crash (based on crash signature matching this bug)
 0. Enable pref webgl.enabled_for_all_sites & restart Firefox
 1. Load http://dev.miaumiau.cat/quickGraph/
 2. Right-click the 3D surface and choose "View Image" or "Save Image As"
 --> Immediate crash.
Crashes:
bp-77c0c96d-dc78-4a55-aa00-1ab332100713
bp-4531ba72-3a42-4449-9b3e-66e502100713
bp-5b99695e-ad4e-4cce-a2a6-e53a52100713
Hardware: x86_64 → All
Here, with a build that has this patch applied, it's not crashing (it's also not doing anything). Can you confirm this fixes it?
Comment on attachment 457154
Fix canvas GetContext()

>diff --git a/content/html/content/src/nsHTMLCanvasElement.cpp b/content/html/content/src/nsHTMLCanvasElement.cpp
>--- a/content/html/content/src/nsHTMLCanvasElement.cpp
>+++ b/content/html/content/src/nsHTMLCanvasElement.cpp
>@@ -344,23 +344,23 @@ nsHTMLCanvasElement::GetContextHelper(co
> 
>   return rv;
> }
> 
> NS_IMETHODIMP
> nsHTMLCanvasElement::GetContext(const nsAString& aContextId,
>                                 nsISupports **aContext)
> {
>-  nsresult rv;
>+  nsresult rv = NS_ERROR_FAILURE;
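
Review bot: at `nsresult rv = NS_ERROR_FAILURE;` the failure default only covers paths that never assign rv; nothing in the quoted lines makes a success return depend on *aContext being non-null, which is the condition the crash in this bug turned on. Consider an explicit check before returning, so that NS_OK is never paired with a null *aContext, and a one-line comment stating that contract for callers such as ToDataURLImpl.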

On second look, we don't seem to use rv in the outer block at all, so maybe move it to the GetContextHelper line?
(In reply to comment #5)
> Here, with a build that has this patch applied, it's not crashing (it's also
> not doing anything). Can you confirm this fixes it?

I just tested the patch from comment 6 -- it fixes the crash, but we still don't get the expected result ('view image' or 'save image as'). Instead, I get no visible change in the browser, and this is spammed to std[err|out]:
{
../../mozilla/content/html/content/src/nsHTMLCanvasElement.cpp, line 233
JavaScript error: , line 0: uncaught exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIDOMHTMLCanvasElement.toDataURL]"  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)"  location: "JS frame :: chrome://browser/content/nsContextMenu.js :: anonymous :: line 1002"  data: no]
}
(In reply to comment #8)
> Is this a dup of 578215?

Yes, looks so. I don't know which of the 2 patches is best, you decide :-)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
(In reply to comment #7)
> (In reply to comment #5)
> > Here, with a build that has this patch applied, it's not crashing (it's also
> > not doing anything). Can you confirm this fixes it?
> 
> I just tested the patch from comment 6 -- it fixes the crash, but we still
> don't get the expected result ('view image' or 'save image as'.

This is a separate bug (I don't even know if this stuff is implemented at all?)
It's not, there's a bug on file for it somewhere.
Crash Signature: [@ nsHTMLCanvasElement::ToDataURLImpl]