Closed Bug 746813 Opened 9 years ago Closed 9 years ago

nsCanvasRenderingContext2D::GetMozCurrentTransformInverse crash with large canvas

Categories

(Core :: Canvas: 2D, defect)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla16

People

(Reporter: jruderman, Assigned: cjones)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(3 files, 1 obsolete file)

No description provided.
Attached file stack trace
Needs moar EnsureCurrentSurface.

phone
On Windows 7: bp-72e70eb8-0995-401d-b377-406672120419
Crash Signature: [@ gfxContext::CurrentMatrix ] [@ nsCanvasRenderingContext2D::GetMozCurrentTransformInverse ] → [@ gfxContext::CurrentMatrix ] [@ nsCanvasRenderingContext2D::GetMozCurrentTransformInverse ] [@ gfxContext::CurrentMatrix()]
OS: Linux → All
Hardware: x86_64 → All
Thanks Jesse!
Assignee: nobody → jones.chris.g
Attachment #616774 - Flags: review?(joe)
Comment on attachment 616774 [details] [diff] [review]
Check for context allocation failure before returning inverse transform

Review of attachment 616774 [details] [diff] [review]:
-----------------------------------------------------------------

This needs to be fixed in nsCanvasRenderingContext2DAzure as well - otherwise we'll a) have this bug on some systems but not others and b) make crashtest go orange.
Attachment #616774 - Flags: review?(joe) → review-
Well, OK, but in the port to azure canvas many/most of the EnsureCurrentSurface()-style checks were lost.  This is putting one's finger in the dike.  Is there a bug on file for restoring them?  Are we fuzzing azure canvas?
We are fuzzing azure canvas, but only on the (OS version, hardware) combinations in the build pool.  The fuzzer randomizes gfx.canvas.azure.enabled so both azure and non-azure canvas are tested on as many platforms as possible.
OK.  There are many azure-canvas interfaces that don't check for a valid surface whereas the same cairo-canvas interface does.  (I assumed the checks weren't needed for azure-canvas.)  Apparently we have a dearth of tests for those cases, and perhaps our fuzzer is getting unlucky?
fwiw, crash automation reproduced this on all three branches: Beta/12, Aurora/13, Nightly/14 and all 3 platforms.
Was cleaning mq house and came back across this.

This version puts a few more fingers in the azure context dike.
Attachment #616774 - Attachment is obsolete: true
Attachment #631615 - Flags: review?(joe)
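The pattern the patch title describes (check that the backing context was actually allocated before asking it for the current matrix and inverting it) is shown below as an added illustration; it is not code from this bug's patch or from Gecko. GfxContext, CanvasContext2D, Status and kMaxSurfaceBytes are hypothetical stand-ins for gfxContext, nsCanvasRenderingContext2D and the real allocation limit.

```cpp
#include <cmath>
#include <cstdint>
#include <memory>

// Hypothetical stand-ins for gfxContext and its current transform matrix
// (x' = xx*x + xy*y + x0, y' = yx*x + yy*y + y0).
struct Matrix { double xx, yx, xy, yy, x0, y0; };
struct GfxContext {
  Matrix ctm{1, 0, 0, 1, 0, 0};
  Matrix CurrentMatrix() const { return ctm; }
};

// Constructed limit: a surface larger than this fails to allocate, standing in
// for what a very large canvas does on a real system.
constexpr int64_t kMaxSurfaceBytes = 64 * 1024 * 1024;

enum class Status { Ok, NoContext, NotInvertible };

class CanvasContext2D {
 public:
  CanvasContext2D(int w, int h) : mWidth(w), mHeight(h) {}

  // EnsureSurface()-style check: allocate lazily and report failure instead
  // of leaving mContext null for callers to dereference.
  bool EnsureSurface() {
    if (mContext) return true;
    int64_t bytes = int64_t(mWidth) * mHeight * 4;  // 4 bytes per pixel
    if (bytes <= 0 || bytes > kMaxSurfaceBytes) return false;
    mContext = std::make_unique<GfxContext>();
    return true;
  }

  void SetTransform(const Matrix& m) { if (EnsureSurface()) mContext->ctm = m; }

  // The crashing version called mContext->CurrentMatrix() unconditionally;
  // the fix is the early return when no context could be allocated.
  Status GetCurrentTransformInverse(Matrix* out) {
    if (!EnsureSurface()) return Status::NoContext;
    Matrix m = mContext->CurrentMatrix();
    double det = m.xx * m.yy - m.xy * m.yx;
    if (std::fabs(det) < 1e-12) return Status::NotInvertible;
    out->xx = m.yy / det;  out->xy = -m.xy / det;
    out->yx = -m.yx / det; out->yy = m.xx / det;
    out->x0 = (m.xy * m.y0 - m.yy * m.x0) / det;
    out->y0 = (m.yx * m.x0 - m.xx * m.y0) / det;
    return Status::Ok;
  }

 private:
  int mWidth, mHeight;
  std::unique_ptr<GfxContext> mContext;
};

// Helper: set up a canvas of the given size, apply ctm, and request the inverse.
Status InverseStatus(int w, int h, const Matrix& ctm, Matrix* out) {
  CanvasContext2D ctx(w, h);
  ctx.SetTransform(ctm);
  return ctx.GetCurrentTransformInverse(out);
}
```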
Comment on attachment 631615 [details] [diff] [review]
Check for context allocation failure before returning inverse transform, v2

Review of attachment 631615 [details] [diff] [review]:
-----------------------------------------------------------------

Well, not azure content so much as azure canvas, but hooray. And thanks for fixing both implementations!
Attachment #631615 - Flags: review?(joe) → review+
https://hg.mozilla.org/mozilla-central/rev/a07fd72eb33d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED