Crash with null canvas.toBlob callback

VERIFIED FIXED

Status

()

defect
--
critical
VERIFIED FIXED
7 years ago
a month ago

People

(Reporter: jruderman, Assigned: khuey)

Tracking

(Blocks 1 bug, 4 keywords)

18 Branch
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox18+ verified, firefox19+ verified)

Details

(crash signature)

Attachments

(3 attachments)

(Reporter)

Updated

7 years ago
Blocks: 326633
(Reporter)

Comment 1

7 years ago
Posted file stack
(Reporter)

Comment 2

7 years ago
Nightly: bp-c9a61a86-6688-4a88-a023-5d0f82121018
Crash Signature: [@ (anonymous namespace)::ToBlobRunnable::Run() ]
Yep, xpidl allowing you to pass null for things that should not really be nullable strikes again!  ;)
On Windows: bp-92c346d8-aec4-4686-ba83-9b34a2121018.
Crash Signature: [@ (anonymous namespace)::ToBlobRunnable::Run() ] → [@ (anonymous namespace)::ToBlobRunnable::Run() ] [@ `anonymous namespace''::ToBlobRunnable::Run()]
OS: Mac OS X → All
Hardware: x86_64 → All
Version: Trunk → 18 Branch
Assignee: nobody → khuey
https://hg.mozilla.org/mozilla-central/rev/0ff60bfb3442
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment on attachment 672953 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 648610
User impact if declined: Firefox can be made to crash in a non-exploitable manner.
Testing completed (on m-c, etc.): On m-c, has an automated test, is trivial.
Risk to taking this patch (and alternatives if risky): As low as can be, just a null check.
String or UUID changes made by this patch: None.
Attachment #672953 - Flags: approval-mozilla-aurora?
Comment on attachment 672953 [details] [diff] [review]
Patch

[Triage Comment]
Null checks are good :)
Attachment #672953 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Can it be pushed to Aurora?
Yeah, the tree was broken last time I wanted to push.  I'll try to do that this week.

Comment 11

7 years ago
Kyle, ping for aurora checkin?
I want to, but everytime I look at doing it Aurora is closed :-P
I reproduced the issue on Nightly 2012-10-18.
Verified fixed on FF 18b1 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.7.5.
(In reply to Paul Silaghi [QA] from comment #14)
> I reproduced the issue on Nightly 2012-10-18.
> Verified fixed on FF 18b1 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.7.5.
Verified fixed on FF 19b3 on Win 7 x64, Ubuntu 12.04 and Mac OS X 10.8.2.
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML
Product: Core → Core
You need to log in before you can comment on or make changes to this bug.