Crash at nsHTMLCanvasElement::GetContext

VERIFIED FIXED

Status


Core
Canvas: 2D
--
critical
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: Atte Kettunen, Assigned: bjacob)

Tracking

(4 keywords)

Trunk
crash, regression, verified-aurora, verified-beta
Points:
---

Firefox Tracking Flags

(firefox6+ fixed, firefox7+ fixed)

Details

(Whiteboard: [qa!], crash signature)

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
Created attachment 547648 [details]
HTML page which should draw rectangles with increasing size.

Opening the attached page causes Firefox (beta and nightly) to crash at nsHTMLCanvasElement::GetContext. Tested on Windows 7 x64 and Linux on x86 and x86_64.

More info in crash reports:
098b62aa-0e85-4c82-9f5b-3a64b2110722 (Ubuntu 11.04 x64)
ebfba132-9e14-4979-b319-103ac2110722 (Windows 7 x64)

Updated

6 years ago
Attachment #547648 - Attachment mime type: text/plain → text/html

Updated

6 years ago
Crash Signature: [@ nsHTMLCanvasElement::GetContext ] [@ nsHTMLCanvasElement::GetContext(nsAString_internal const&, unsigned __int64 const&, nsISupports**) ]

Comment 1

6 years ago
WFM:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30

No rectangles, but also no crash.
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18
Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0

Reproduced:
Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0
Mozilla/5.0 (X11; Linux x86_64; rv:7.0a2) Gecko/20110720 Firefox/7.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:8.0a1) Gecko/20110721 Firefox/8.0a1

Regression range of crash:

Last good nightly: 2011-05-20
First bad nightly: 2011-05-21

Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2e0e36b0feae&tochange=21c304c5f351
Keywords: crash, regression
Hardware: x86_64 → All
Version: 6 Branch → Trunk

Updated

6 years ago
Status: UNCONFIRMED → NEW
Component: General → Canvas: 2D
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → canvas.2d

Comment 2

6 years ago
Local track down:

The first bad revision is:
changeset:   69815:693555498d57
user:        Benoit Jacob <bjacob@mozilla.com>
date:        Fri May 20 15:53:53 2011 -0400
summary:     Bug 656215 - null out failed canvas contexts - r=roc

Updated

6 years ago
Blocks: 656215

Comment 3

6 years ago
We probably need to clear out mCurrentContextId when UpdateContext fails....
Assignee: nobody → bjacob

Comment 4

6 years ago
Requesting tracking for this crash regression on the relevant branches.
status-firefox6: --- → affected
status-firefox7: --- → affected
tracking-firefox6: --- → ?
tracking-firefox7: --- → ?

Comment 5

6 years ago
Created attachment 547905 [details]
reduced testcase

Updated

6 years ago
tracking-firefox6: ? → +
tracking-firefox7: ? → +

Comment 6

6 years ago
Is this bad enough to back out bug 656215? Which would you rather live with? We are trying to build the last beta today.
(Assignee)

Comment 7

6 years ago
I should have reacted to this sooner... trying to make a patch now.

Comment 8

6 years ago
And we kept missing it in triage :-/
(Assignee)

Comment 9

6 years ago
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff46789e9 in nsHTMLCanvasElement::GetContext (this=0x19e0c20, aContextId=..., 
    aContextOptions=..., aContext=0x7fffffff8a90)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:531
531       NS_ADDREF (*aContext = mCurrentContext);
(gdb) bt
#0  0x00007ffff46789e9 in nsHTMLCanvasElement::GetContext (this=0x19e0c20, aContextId=..., 
    aContextOptions=..., aContext=0x7fffffff8a90)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:531
#1  0x00007ffff4e0a628 in nsIDOMHTMLCanvasElement_GetContext (cx=0x12a0f00, argc=1, vp=0x7fffe43a0088)
    at /home/bjacob/build/firefox/js/src/xpconnect/src/dom_quickstubs.cpp:21946
#2  0x00007ffff599a63f in js::CallJSNative (cx=0x12a0f00, 
    native=0x7ffff4e0a426 <nsIDOMHTMLCanvasElement_GetContext(JSContext*, uintN, jsval*)>, args=...)
    at /home/bjacob/mozilla-central/js/src/jscntxtinlines.h:281
#3  0x00007ffff59972de in js::Invoke (cx=0x12a0f00, argsRef=..., construct=js::NO_CONSTRUCT)
    at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:656
Created attachment 550553 [details] [diff] [review]
also reset the contextid

Boris' suggestion in comment 3 was the right one: this trivial patch fixes the crash.
Attachment #550553 - Flags: review?(roc)
Comment on attachment 550553 [details] [diff] [review]
also reset the contextid

Nested ifs would probably result in less code here.
Attachment #550553 - Flags: review?(roc) → review+
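To make the state problem behind comment 3 and the "also reset the contextid" patch concrete, the following is an added C++ model written for this page; it is not Gecko code and not the patch. It assumes a canvas element that caches two fields, a context pointer and a context id, which must stay consistent: the element is "contextless" exactly when the id is empty. Nulling only the pointer on a failed UpdateContext (what bug 656215 did) lets a later GetContext with the same id walk straight to the NS_ADDREF of a null pointer seen in the backtrace above; clearing the id as well makes that call fail cleanly. The names Context2D, AllocateContext, kMaxPixels, CanvasElement, GetResult and the pixel limit are all assumptions; the null dereference is reported as a result code rather than performed.

```cpp
#include <cstddef>
#include <memory>
#include <string>

// Stand-in for a canvas rendering context (assumption: not Gecko's real type).
struct Context2D {
    std::size_t width;
    std::size_t height;
};

// Assumed backing-store limit that makes "absurdly large" canvases fail, the way
// an out-of-memory allocation does for the testcase attached to this bug.
constexpr std::size_t kMaxPixels = std::size_t{1} << 24;

std::unique_ptr<Context2D> AllocateContext(std::size_t w, std::size_t h) {
    if (w != 0 && h > kMaxPixels / w) {
        return nullptr;  // allocation failure for an oversized backing store
    }
    return std::unique_ptr<Context2D>(new Context2D{w, h});
}

enum class GetResult { kOk, kFailed, kWrongId, kNullDeref };

// Model of the two-field cache. `clearIdOnFailure` selects the buggy behaviour
// (only the pointer nulled) or the fixed one (id reset too).
class CanvasElement {
public:
    explicit CanvasElement(bool clearIdOnFailure) : mClearIdOnFailure(clearIdOnFailure) {}

    // A width/height attribute change re-runs UpdateContext on the live context.
    bool SetSize(std::size_t w, std::size_t h) {
        mWidth = w;
        mHeight = h;
        return UpdateContext();
    }

    GetResult GetContext(const std::string& id, Context2D** out) {
        *out = nullptr;
        if (mCurrentContextId.empty()) {
            mCurrentContext = AllocateContext(mWidth, mHeight);
            if (!mCurrentContext) return GetResult::kFailed;
            mCurrentContextId = id;
        } else if (mCurrentContextId != id) {
            return GetResult::kWrongId;
        }
        // Gecko does NS_ADDREF(*aContext = mCurrentContext) here; with a stale
        // id and a null pointer that is the SIGSEGV. We report it instead.
        if (!mCurrentContext) return GetResult::kNullDeref;
        *out = mCurrentContext.get();
        return GetResult::kOk;
    }

    // The invariant the patch restores: id empty <=> no context.
    bool Invariant() const {
        return mCurrentContextId.empty() == (mCurrentContext == nullptr);
    }

private:
    bool UpdateContext() {
        if (!mCurrentContext) return true;  // nothing to resize yet
        mCurrentContext = AllocateContext(mWidth, mHeight);
        if (mCurrentContext) return true;
        // Failure path: the context is nulled out; the fix also resets the id.
        if (mClearIdOnFailure) mCurrentContextId.clear();
        return false;
    }

    bool mClearIdOnFailure;
    std::string mCurrentContextId;
    std::unique_ptr<Context2D> mCurrentContext;
    std::size_t mWidth = 300;
    std::size_t mHeight = 150;
};

// The testcase's shape: obtain a "2d" context, grow the canvas until the
// backing store cannot be allocated, then call getContext("2d") again.
GetResult ScenarioAfterFailedResize(bool clearIdOnFailure) {
    CanvasElement canvas(clearIdOnFailure);
    Context2D* ctx = nullptr;
    canvas.GetContext("2d", &ctx);
    canvas.SetSize(std::size_t{1} << 16, std::size_t{1} << 16);  // 2^32 pixels
    return canvas.GetContext("2d", &ctx);
}

bool InvariantHoldsAfterFailedResize(bool clearIdOnFailure) {
    CanvasElement canvas(clearIdOnFailure);
    Context2D* ctx = nullptr;
    canvas.GetContext("2d", &ctx);
    canvas.SetSize(std::size_t{1} << 16, std::size_t{1} << 16);
    return canvas.Invariant();
}
```

With `clearIdOnFailure` false the second GetContext reaches the add-ref step with a null context (the crash); with it true the id is empty again, so GetContext retries the allocation and returns a plain failure that script sees as a null return value, which is the behaviour the verification comments below describe (no rectangles, no crash).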
(Assignee)

Updated

6 years ago
Attachment #550553 - Flags: approval-mozilla-beta?
Attachment #550553 - Flags: approval-mozilla-aurora?
Landing on central. Please approve for beta.
Landed on central:
http://hg.mozilla.org/mozilla-central/rev/f12f16210f30

Comment 14

6 years ago
Comment on attachment 550553 [details] [diff] [review]
also reset the contextid

Roc says this is very low risk and totally fixes the issue we were trying to fix in 656215.
Attachment #550553 - Flags: approval-mozilla-beta?
Attachment #550553 - Flags: approval-mozilla-beta+
Attachment #550553 - Flags: approval-mozilla-aurora?
Attachment #550553 - Flags: approval-mozilla-aurora+
Landed on beta and aurora:
http://hg.mozilla.org/releases/mozilla-beta/rev/f8583ac431a6
http://hg.mozilla.org/releases/mozilla-aurora/rev/1539927cf9ba
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Updated

6 years ago
status-firefox6: affected → fixed
status-firefox7: affected → fixed

Comment 16

6 years ago
Fwiw, Truncate() is probably more idiomatic than AssignLiteral("").
Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0

Verified issue on the reduced test case from Comment 5 - FF 6.0b5 does not crash anymore.

But when testing the test case from the description on Ubuntu 11.04 x86 - FF 6.0b5 freezes and the whole system goes really slow.

Should this bug be reopened?
No, AIUI this testcase can result in absurdly large canvases being created, that's the point as it's trying to test cases where canvas creation fails for lack of memory. So depending on the virtual memory setup on your machine it can really consume huge amounts of resources. Only reopen if you get a firefox crash.

Comment 19

6 years ago
Firefox doesn't freeze, but no rectangles are present. In this case, is this resolved, or is the purpose of this test not to crash? If so, it's
WFM on Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 (beta 5) and the status can be changed to Verified Fixed.
Thanks
VERIFIED FIXED based on previous comments.

qa+ for verification on Firefox 7.
Status: RESOLVED → VERIFIED
Keywords: verified-beta
Whiteboard: [qa+]
Verified on the latest Nightly on Aurora and on Firefox 7RC using the reduced test cases from the description and from Comment 5 - there is no crash.

Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0

Mozilla/5.0 (Windows NT 5.1; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (Windows NT 6.1; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a2) Gecko/20110921 Firefox/8.0a2

Mozilla/5.0 (Windows NT 5.1; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (Windows NT 6.1; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (X11; Linux x86_64; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a1) Gecko/20110923 Firefox/9.0a1
Keywords: verified-aurora
Whiteboard: [qa+] → [qa!]