Closed
Bug 866575
Opened 12 years ago
Closed 12 years ago
DOM-bindings crash with large source in createPattern
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
RESOLVED
FIXED
mozilla23
Tracking | Status | |
---|---|---|
firefox22 | --- | unaffected |
firefox23 | + | fixed |
People
(Reporter: jruderman, Assigned: dzbarsky)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
377 bytes,
text/html
|
Details | |
2.57 KB,
patch
|
nrc
:
review+
|
Details | Diff | Splinter Review |
899 bytes,
patch
|
mattwoodrow
:
review+
|
Details | Diff | Splinter Review |
Assertion failure: value, at dist/include/mozilla/dom/BindingUtils.h:557
Or null deref [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::CanvasPattern>, true>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::CanvasPattern> const&, JS::Value*)]
Reporter | ||
Comment 1•12 years ago
|
||
When createPattern fails, is it supposed to throw or return null?
Comment 2•12 years ago
|
||
On Windows: bp-65ab709e-f98d-45f2-a050-cd5052130429.
It's likely a regression from bug 856472.
Crash Signature: [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::CanvasPattern>, true>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::CanvasPattern> const&, JS::Value*)] → [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::CanvasPattern>, true>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::CanvasPattern> const&, JS::Value*)]
[@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom…
status-firefox22:
--- → unaffected
status-firefox23:
--- → affected
Keywords: regression
OS: Mac OS X → All
Hardware: x86_64 → All
Version: Trunk → 23 Branch
Assignee | ||
Comment 3•12 years ago
|
||
The bug is at https://mxr.mozilla.org/mozilla-central/source/content/canvas/src/CanvasRenderingContext2D.cpp#1453
This should throw or we should change the webidl to return a nullable CanvasPattern.
Updated•12 years ago
|
Crash Signature: , JS::Value*)]
[@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::ScriptProcessorNode>, int>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::ScriptProcessorNode> const&, JS::Value*) ] → , JS::Value*)]
[@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::ScriptProcessorNode>, int>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::ScriptProcessorNode> const&, JS::Value*)]
good=2013-04-19
bad=2013-04-20
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=64d6d002e888&tochange=dd03d42b01b1
Comment 6•12 years ago
|
||
Imo that method should throw.
David, want to do that and ask nrc or bas for review?
Updated•12 years ago
|
tracking-firefox23:
--- → ?
Assignee | ||
Comment 7•12 years ago
|
||
Comment 8•12 years ago
|
||
Comment on attachment 743140 [details] [diff] [review]
Patch
Review of attachment 743140 [details] [diff] [review]:
-----------------------------------------------------------------
lgtm
Attachment #743140 -
Flags: review?(ncameron) → review+
Assignee | ||
Comment 9•12 years ago
|
||
Attachment #744362 -
Flags: review?(matt.woodrow)
Updated•12 years ago
|
Attachment #744362 -
Flags: review?(matt.woodrow) → review+
Assignee | ||
Comment 10•12 years ago
|
||
Comment 11•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Updated•12 years ago
|
Updated•12 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•