Closed Bug 673378 Opened 13 years ago Closed 13 years ago

Crash at nsHTMLCanvasElement::GetContext


(Core :: Graphics: Canvas2D, defect)

Not set



Tracking Status
firefox6 + fixed
firefox7 + fixed


(Reporter: attekett, Assigned: bjacob)



(4 keywords, Whiteboard: [qa!])

Crash Data


(3 files)

opening the attached page causes firefox (beta and nightly) to crash at nsHTMLCanvasElement::GetContext. Tested on windows 7 x64 and linux on x86 and x86_64. 

More info in crash reports:
098b62aa-0e85-4c82-9f5b-3a64b2110722 (Ubuntu 11.04 x64)
ebfba132-9e14-4979-b319-103ac2110722 (Windows 7 x64)
Attachment #547648 - Attachment mime type: text/plain → text/html
Crash Signature: [@ nsHTMLCanvasElement::GetContext ] [@ nsHTMLCanvasElement::GetContext(nsAString_internal const&, unsigned __int64 const&, nsISupports**) ]
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30

No rectangles, but also no crash.
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20110614 Firefox/3.6.18
Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0

Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0
Mozilla/5.0 (X11; Linux x86_64; rv:7.0a2) Gecko/20110720 Firefox/7.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:8.0a1) Gecko/20110721 Firefox/8.0a1

Regression range of crash:

Last good nightly: 2011-05-20
First bad nightly: 2011-05-21

Keywords: crash, regression
Hardware: x86_64 → All
Version: 6 Branch → Trunk
Component: General → Canvas: 2D
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → canvas.2d
Local track down:

The first bad revision is:
changeset:   69815:693555498d57
user:        Benoit Jacob <>
date:        Fri May 20 15:53:53 2011 -0400
summary:     Bug 656215 - null out failed canvas contexts - r=roc
Blocks: 656215
We probably need to clear out mCurrentContextId when UpdateContext fails....
Assignee: nobody → bjacob
Requesting tracking for this crash regression on the relevant branches.
Attached file reduced testcase
Is this bad enough to back out bug 656215? Which would you rather live with? We are trying to build the last beta Today.
I should have reacted to this sooner... trying to make a patch now.
And we kept missing it in triage :-/
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff46789e9 in nsHTMLCanvasElement::GetContext (this=0x19e0c20, aContextId=..., 
    aContextOptions=..., aContext=0x7fffffff8a90)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:531
531       NS_ADDREF (*aContext = mCurrentContext);
(gdb) bt
#0  0x00007ffff46789e9 in nsHTMLCanvasElement::GetContext (this=0x19e0c20, aContextId=..., 
    aContextOptions=..., aContext=0x7fffffff8a90)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:531
#1  0x00007ffff4e0a628 in nsIDOMHTMLCanvasElement_GetContext (cx=0x12a0f00, argc=1, vp=0x7fffe43a0088)
    at /home/bjacob/build/firefox/js/src/xpconnect/src/dom_quickstubs.cpp:21946
#2  0x00007ffff599a63f in js::CallJSNative (cx=0x12a0f00, 
    native=0x7ffff4e0a426 <nsIDOMHTMLCanvasElement_GetContext(JSContext*, uintN, jsval*)>, args=...)
    at /home/bjacob/mozilla-central/js/src/jscntxtinlines.h:281
#3  0x00007ffff59972de in js::Invoke (cx=0x12a0f00, argsRef=..., construct=js::NO_CONSTRUCT)
    at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:656
Boris' suggestion in comment 3 was the right one: this trivial patch fixes the crash.
Attachment #550553 - Flags: review?(roc)
Comment on attachment 550553 [details] [diff] [review]
also reset the contextid

Nested ifs would probably result in less code here.
Attachment #550553 - Flags: review?(roc) → review+
Attachment #550553 - Flags: approval-mozilla-beta?
Attachment #550553 - Flags: approval-mozilla-aurora?
Landing on central. Please approve for beta.
Comment on attachment 550553 [details] [diff] [review]
also reset the contextid

Roc says this is very low risk and fixes the issue totally we were trying to fix in 656215
Attachment #550553 - Flags: approval-mozilla-beta?
Attachment #550553 - Flags: approval-mozilla-beta+
Attachment #550553 - Flags: approval-mozilla-aurora?
Attachment #550553 - Flags: approval-mozilla-aurora+
Landed on beta and aurora:
Closed: 13 years ago
Resolution: --- → FIXED
Fwiw, Truncate() is probably more idiomatic than AssignLiteral("").
Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0

Verified issue on the reduced test case from Comment 5 - FF 6.0b5 does not crash anymore.

But when testing the test case from the description on Ubuntu 11.04 x86 - FF 6.0b5 freezes and the whole system goes really slow.

Should this bug be reopend?
No, AIUI this testcase can result in absurdly large canvases being created, that's the point as it's trying to test cases where canvas creation fails for lack of memory. So depending on the virtual memory setup on your machine it can really consume huge amounts of resources. Only reopen if you get a firefox crash.
Firefox doesn't freezes but no rectangles are present. In this case, is this resolved, or the purpose of this test is not to crash? If so, it's 
WFM on Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 (beta 5) and the status can be chanced to Verified Fixed.
VERIFIED FIXED based on previous comments.

qa+ for verification on Firefox 7.
Keywords: verified-beta
Whiteboard: [qa+]
Verified on the latest Nightly on Aurora and on Firefox 7RC using the reduced test cases from the description and from Comment 5 - there is no crash.

Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0

Mozilla/5.0 (Windows NT 5.1; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (Windows NT 6.1; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a2) Gecko/20110921 Firefox/8.0a2

Mozilla/5.0 (Windows NT 5.1; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (Windows NT 6.1; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (X11; Linux x86_64; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a1) Gecko/20110923 Firefox/9.0a1
Keywords: verified-aurora
Whiteboard: [qa+] → [qa!]
You need to log in before you can comment on or make changes to this bug.