Closed Bug 592737 Opened 14 years ago Closed 14 years ago

vertexAttrib3fv crash [@JSObject::getClass]

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: posidron, Assigned: bjacob)

Details

Attachments

(2 files, 1 obsolete file)

callstack
5.58 KB, text/plain
Details
Fix bug 592737
4.50 KB, patch
vlad
: review+
Details | Diff | Splinter Review
Attached file callstack 
vertexAttrib3fv(0, null);

The parameter 'null' causes a null pointer dereference.

Required parameter type: Float32Array | sequence
Version: unspecified → Trunk
Attached patch Fix bug 592737 (obsolete) — Splinter Review 
OK, let helper_isInt32Array and helper_isFloat32Array check if obj is null, and return false in that case.
Assignee: nobody → bjacob
Status: NEW → ASSIGNED
Attachment #471170 - Flags: review?(vladimir)
Comment on attachment 471170 [details] [diff] [review]
Fix bug 592737

This actually isn't enough -- JS_IsArrayObject will crash if given a null argument, so we'd just move the crash one branch down in the if() statement.  Better would be to just null check the arg right after it's pulled out of the args array.  In some cases this involves adding an additional brahc, in others it means changing if (!JSVAL_IS_OBJECT(x)) -> if (JSVAL_IS_PRIMITIVE(x))
Attached patch Fix bug 592737Splinter Review 
OK, here's the new patch.

By the way, these were the last occurences of !JSVAL_IS_OBJECT in this file.

This should prevent crashing, but I wonder if that is spec-compliant: in case of a null object, shouldn't these methods just generate ERROR_INVALID_VALUE and let the JS continue?
Attachment #471170 - Attachment is obsolete: true
Attachment #471204 - Flags: review?(vladimir)
Attachment #471170 - Flags: review?(vladimir)
Comment on attachment 471204 [details] [diff] [review]
Fix bug 592737

looks fine; not sure about the GL error though -- maybe?
Attachment #471204 - Flags: review?(vladimir) → review+
Anyway, that would be nontrivial to fix as we can't generate GL errors from quickstubs. Sweeping this one under the carpet...

Will land the fix tomorrow morning (don't want to spend tonight babysitting tinderbox...)
blocking2.0: --- → ?
Please mark as blocking so I can land this tomorrow.
blocking2.0: ? → beta6+
http://hg.mozilla.org/mozilla-central/rev/886665dec3cb
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: