Bug 673378 - Crash at nsHTMLCanvasElement::GetContext
Status: VERIFIED FIXED
[qa!]
: crash, regression, verified-aurora, verified-beta
Product: Core
Classification: Components
Component: Canvas: 2D
: Trunk
: All All
: -- critical
: ---
Assigned To: Benoit Jacob [:bjacob] (mostly away)
:
Mentors:
Depends on:
Blocks: 656215
Reported: 2011-07-22 03:04 PDT by Atte Kettunen
Modified: 2011-09-23 07:18 PDT (History)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
fixed
+
fixed


Attachments
HTML page which should draw rectangles with increasing size. (1.18 KB, text/html)
2011-07-22 03:04 PDT, Atte Kettunen
no flags Details
reduced testcase (297 bytes, text/html)
2011-07-23 01:31 PDT, arno renevier
no flags Details
also reset the contextid (1.03 KB, patch)
2011-08-03 16:28 PDT, Benoit Jacob [:bjacob] (mostly away)
roc: review+
christian: approval‑mozilla‑aurora+
christian: approval‑mozilla‑beta+
Details | Diff | Review

Description Atte Kettunen 2011-07-22 03:04:44 PDT
Created attachment 547648 [details]
HTML page which should draw rectangles with increasing size.

Opening the attached page causes Firefox (beta and nightly) to crash at nsHTMLCanvasElement::GetContext. Tested on Windows 7 x64 and Linux on x86 and x86_64.

More info in crash reports:
098b62aa-0e85-4c82-9f5b-3a64b2110722 (Ubuntu 11.04 x64)
ebfba132-9e14-4979-b319-103ac2110722 (Windows 7 x64)
Comment 1 Thomas Ahlblom 2011-07-22 04:02:05 PDT
WFM:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30

No rectangles, but also no crash.
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2.18) Gecko/20110614 Firefox/3.6.18
Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0

Reproduced:
Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0
Mozilla/5.0 (X11; Linux x86_64; rv:7.0a2) Gecko/20110720 Firefox/7.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:8.0a1) Gecko/20110721 Firefox/8.0a1

Regression range of crash:

Last good nightly: 2011-05-20
First bad nightly: 2011-05-21

Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2e0e36b0feae&tochange=21c304c5f351
Comment 2 Thomas Ahlblom 2011-07-22 06:14:33 PDT
Local track down:

The first bad revision is:
changeset:   69815:693555498d57
user:        Benoit Jacob <bjacob@mozilla.com>
date:        Fri May 20 15:53:53 2011 -0400
summary:     Bug 656215 - null out failed canvas contexts - r=roc
Comment 3 Boris Zbarsky [:bz] 2011-07-22 08:01:07 PDT
We probably need to clear out mCurrentContextId when UpdateContext fails....
Comment 4 Boris Zbarsky [:bz] 2011-07-22 08:01:43 PDT
Requesting tracking for this crash regression on the relevant branches.
Comment 5 arno renevier 2011-07-23 01:31:32 PDT
Created attachment 547905 [details]
reduced testcase
Comment 6 christian 2011-08-03 15:56:00 PDT
Is this bad enough to back out bug 656215? Which would you rather live with? We are trying to build the last beta today.
Comment 7 Benoit Jacob [:bjacob] (mostly away) 2011-08-03 16:18:27 PDT
I should have reacted to this sooner... trying to make a patch now.
Comment 8 christian 2011-08-03 16:19:59 PDT
And we kept missing it in triage :-/
Comment 9 Benoit Jacob [:bjacob] (mostly away) 2011-08-03 16:21:05 PDT
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff46789e9 in nsHTMLCanvasElement::GetContext (this=0x19e0c20, aContextId=..., 
    aContextOptions=..., aContext=0x7fffffff8a90)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:531
531       NS_ADDREF (*aContext = mCurrentContext);
(gdb) bt
#0  0x00007ffff46789e9 in nsHTMLCanvasElement::GetContext (this=0x19e0c20, aContextId=..., 
    aContextOptions=..., aContext=0x7fffffff8a90)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:531
#1  0x00007ffff4e0a628 in nsIDOMHTMLCanvasElement_GetContext (cx=0x12a0f00, argc=1, vp=0x7fffe43a0088)
    at /home/bjacob/build/firefox/js/src/xpconnect/src/dom_quickstubs.cpp:21946
#2  0x00007ffff599a63f in js::CallJSNative (cx=0x12a0f00, 
    native=0x7ffff4e0a426 <nsIDOMHTMLCanvasElement_GetContext(JSContext*, uintN, jsval*)>, args=...)
    at /home/bjacob/mozilla-central/js/src/jscntxtinlines.h:281
#3  0x00007ffff59972de in js::Invoke (cx=0x12a0f00, argsRef=..., construct=js::NO_CONSTRUCT)
    at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:656
Comment 10 Benoit Jacob [:bjacob] (mostly away) 2011-08-03 16:28:43 PDT
Created attachment 550553 [details] [diff] [review]
also reset the contextid

Boris' suggestion in comment 3 was the right one: this trivial patch fixes the crash.
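The state mismatch Boris points at in comment 3, and the one-line fix from comment 10, modelled in stand-alone C++. This is an added example, not Gecko code and not the patch itself: CanvasElement, CanvasContext, Mode, FailContextUpdate and the two driver functions are hypothetical names, and the failed context update is simulated directly rather than triggered by a canvas too large to allocate. The would-be null dereference that NS_ADDREF performed on line 531 is reported through a flag instead of being executed.

```cpp
#include <cassert>
#include <iostream>
#include <memory>
#include <string>

// Constructed model of the two fields nsHTMLCanvasElement keeps in sync: the
// current context object and the id ("2d", "webgl", ...) it was created for.
// All names here are hypothetical; this is not Gecko code.
struct CanvasContext {
    std::string id;
};

enum class Mode {
    Regressed,  // bug 656215 as landed: nulls the context, keeps the id
    Fixed       // this bug's patch: nulls the context and resets the id
};

class CanvasElement {
public:
    explicit CanvasElement(Mode mode) : mMode(mode) {}

    // Stands in for the failure path of UpdateContext(): the canvas could not
    // (re)allocate its backing store, so the context is dropped.
    void FailContextUpdate() {
        mCurrentContext.reset();        // what bug 656215 introduced
        if (mMode == Mode::Fixed) {
            mCurrentContextId.clear();  // the reset suggested in comment 3
        }
    }

    // Mirrors the shape of GetContext(): the cached context is handed back when
    // the requested id matches the remembered one. In the real code that hand-
    // back is NS_ADDREF(*aContext = mCurrentContext), which dereferences null
    // when the cache is stale. Here the would-be crash is reported through
    // aWouldCrash instead of dereferencing anything.
    std::shared_ptr<CanvasContext> GetContext(const std::string& aContextId,
                                              bool* aWouldCrash) {
        *aWouldCrash = false;
        if (mCurrentContextId.empty()) {
            // No context yet: create one and remember which id it belongs to.
            mCurrentContext = std::make_shared<CanvasContext>();
            mCurrentContext->id = aContextId;
            mCurrentContextId = aContextId;
            return mCurrentContext;
        }
        if (mCurrentContextId != aContextId) {
            // A canvas only ever has one context type; another id yields null.
            return nullptr;
        }
        // Ids match, so the cached context is returned. This relies on the
        // invariant "mCurrentContextId non-empty implies mCurrentContext
        // non-null", which the regressed FailContextUpdate() breaks.
        if (!mCurrentContext) {
            *aWouldCrash = true;
            return nullptr;
        }
        return mCurrentContext;
    }

private:
    Mode mMode;
    std::shared_ptr<CanvasContext> mCurrentContext;
    std::string mCurrentContextId;
};

// Drives the sequence the testcase triggers: getContext("2d"), a failed
// context update, getContext("2d") again. Returns true when the second call
// would have crashed the way the gdb session in comment 9 shows.
bool SecondGetContextWouldCrash(Mode mode) {
    CanvasElement canvas(mode);
    bool wouldCrash = false;
    auto first = canvas.GetContext("2d", &wouldCrash);
    assert(first && !wouldCrash);
    (void)first;
    canvas.FailContextUpdate();
    canvas.GetContext("2d", &wouldCrash);
    return wouldCrash;
}

// With the id reset, the second call creates a fresh context instead of
// handing back the stale null one. Returns true when that context is usable.
bool SecondGetContextRecovers(Mode mode) {
    CanvasElement canvas(mode);
    bool wouldCrash = false;
    canvas.GetContext("2d", &wouldCrash);
    canvas.FailContextUpdate();
    auto second = canvas.GetContext("2d", &wouldCrash);
    return second != nullptr && !wouldCrash;
}

int main() {
    std::cout << "regressed build would crash: "
              << SecondGetContextWouldCrash(Mode::Regressed) << '\n';
    std::cout << "fixed build recovers: "
              << SecondGetContextRecovers(Mode::Fixed) << '\n';
    return 0;
}
```

The defensive point is the invariant, not the particular line: a cache key and the cached pointer must be cleared together, because any later lookup that trusts the key alone will dereference whatever the pointer holds. Clearing the id with Truncate() rather than AssignLiteral(""), as comment 16 notes, is the idiomatic way to express that reset in Gecko's string classes; in this model std::string::clear() plays the same role.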
Comment 11 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2011-08-03 16:30:11 PDT
Comment on attachment 550553 [details] [diff] [review]
also reset the contextid

Nested ifs would probably result in less code here.
Comment 12 Benoit Jacob [:bjacob] (mostly away) 2011-08-03 16:33:15 PDT
Landing on central. Please approve for beta.
Comment 13 Benoit Jacob [:bjacob] (mostly away) 2011-08-03 16:37:10 PDT
Landed on central:
http://hg.mozilla.org/mozilla-central/rev/f12f16210f30
Comment 14 christian 2011-08-03 16:56:00 PDT
Comment on attachment 550553 [details] [diff] [review]
also reset the contextid

Roc says this is very low risk and totally fixes the issue we were trying to fix in 656215
Comment 15 Benoit Jacob [:bjacob] (mostly away) 2011-08-03 16:57:41 PDT
Landed on beta and aurora:
http://hg.mozilla.org/releases/mozilla-beta/rev/f8583ac431a6
http://hg.mozilla.org/releases/mozilla-aurora/rev/1539927cf9ba
Comment 16 Boris Zbarsky [:bz] 2011-08-03 19:24:18 PDT
Fwiw, Truncate() is probably more idiomatic than AssignLiteral("").
Comment 17 Simona B [:simonab] 2011-08-05 02:35:07 PDT
Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0

Verified issue on the reduced test case from Comment 5 - FF 6.0b5 does not crash anymore.

But when testing the test case from the description on Ubuntu 11.04 x86 - FF 6.0b5 freezes and the whole system goes really slow.

Should this bug be reopened?
Comment 18 Benoit Jacob [:bjacob] (mostly away) 2011-08-05 08:38:09 PDT
No, AIUI this testcase can result in absurdly large canvases being created, that's the point as it's trying to test cases where canvas creation fails for lack of memory. So depending on the virtual memory setup on your machine it can really consume huge amounts of resources. Only reopen if you get a firefox crash.
Comment 19 Vlad [QA] 2011-08-10 05:34:03 PDT
Firefox doesn't freeze, but no rectangles are present. In this case, is this resolved, or is the purpose of this test not to crash? If so, it's WFM on Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0 (beta 5) and the status can be changed to Verified Fixed.
Thanks
Comment 20 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-09-22 16:35:28 PDT
VERIFIED FIXED based on previous comments.

qa+ for verification on Firefox 7.
Comment 21 Simona B [:simonab] 2011-09-23 07:18:06 PDT
Verified on the latest Nightly on Aurora and on Firefox 7RC using the reduced test cases from the description and from Comment 5 - there is no crash.

Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0

Mozilla/5.0 (Windows NT 5.1; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (Windows NT 6.1; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:8.0a2) Gecko/20110921 Firefox/8.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0a2) Gecko/20110921 Firefox/8.0a2

Mozilla/5.0 (Windows NT 5.1; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (Windows NT 6.1; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (X11; Linux x86_64; rv:9.0a1) Gecko/20110922 Firefox/9.0a1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a1) Gecko/20110923 Firefox/9.0a1
