Closed Bug 578465 Opened 14 years ago Closed 14 years ago

crash in [@ nsHTMLCanvasElement::ToDataURLImpl] when running WebGL conformance suite

Categories

(Core :: Graphics: CanvasWebGL, defect)

All
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 578215

People

(Reporter: bjacob, Assigned: bjacob)

Details

(Keywords: crash, crashreportid)

Attachments

(1 file)

The problem is that at line 240 we do getter_AddRefs(imgStream) and imgStream is null. Backtrace + printing imgStream:

#0 0x000000381e0a6afd in nanosleep () at ../sysdeps/unix/syscall-template.S:82
#1 0x000000381e0a6970 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2 0x00007f6bdc649c90 in ah_crap_handler (signum=11) at /home/bjacob/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3 0x00007f6bdc64ea31 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fffd7cad530, context=0x7fffd7cad400) at nsProfileLock.cpp:221
#4 <signal handler called>
#5 0x00007f6bdcd84522 in nsHTMLCanvasElement::ToDataURLImpl (this=0x7f6bcc741ca0, aMimeType=..., aEncoderOptions=..., aDataURL=...) at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:240
#6 0x00007f6bdcd84332 in nsHTMLCanvasElement::ToDataURL (this=0x7f6bcc741ca0, aType=..., aParams=..., optional_argc=0 '\000', aDataURL=...) at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:205
#7 0x00007f6bdd5073c5 in nsIDOMHTMLCanvasElement_ToDataURL (cx=0x7f6bc8b41800, argc=0, vp=0x7f6bd02fe2a8) at dom_quickstubs.cpp:17501
#8 0x00007f6bdbbe9588 in js_Interpret (cx=0x7f6bc8b41800) at /home/bjacob/mozilla-central/js/src/jsops.cpp:2148
#9 0x00007f6bdbbfd0bc in js_Invoke (cx=0x7f6bc8b41800, args=..., flags=0) at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:664
#10 0x00007f6bdbbfd28f in js_InternalInvoke (cx=0x7f6bc8b41800, obj=0x7f6bc282d000, fval=140100801568128, flags=0, argc=1, argv=0x7f6bbe93e020, rval=0x7fffd7cae818) at /home/bjacob/mozilla-central/js/src/jsinterp.cpp:694
#11 0x00007f6bdbb6481e in JS_CallFunctionValue (cx=0x7f6bc8b41800, obj=0x7f6bc282d000, fval=140100801568128, argc=1, argv=0x7f6bbe93e020, rval=0x7fffd7cae818) at /home/bjacob/mozilla-central/js/src/jsapi.cpp:4632
#12 0x00007f6bdcf235e6 in nsJSContext::CallEventHandler (this=0x7f6bcabef200, aTarget=0x7f6bbe917468, aScope=0x7f6bc282d000, aHandler=0x7f6bc2829d80, aargv=0x7f6bc1326850, arv=0x7fffd7cae9b0) at /home/bjacob/mozilla-central/dom/base/nsJSEnvironment.cpp:2204
#13 0x00007f6bdcfb209c in nsJSEventListener::HandleEvent (this=0x7f6bc4e85200, aEvent=0x7f6bc2721be0) at /home/bjacob/mozilla-central/dom/src/events/nsJSEventListener.cpp:228
#14 0x00007f6bdcd1b205 in nsEventListenerManager::HandleEventSubType (this=0x7f6bc21f9f50, aListenerStruct=0x7f6bc21f9f98, aListener=0x7f6bc4e85200, aDOMEvent=0x7f6bc2721be0, aCurrentTarget=0x7f6bbe917488, aPhaseFlags=6, aPusher=0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventListenerManager.cpp:1094
#15 0x00007f6bdcd1b6c4 in nsEventListenerManager::HandleEventInternal (this=0x7f6bc21f9f50, aPresContext=0x7f6bbe916c00, aEvent=0x7fffd7caf1b0, aDOMEvent=0x7fffd7caf050, aCurrentTarget=0x7f6bbe917488, aFlags=6, aEventStatus=0x7fffd7caf058, aPusher=0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventListenerManager.cpp:1190
#16 0x00007f6bdcd470ed in nsEventListenerManager::HandleEvent (this=0x7f6bc21f9f50, aPresContext=0x7f6bbe916c00, aEvent=0x7fffd7caf1b0, aDOMEvent=0x7fffd7caf050, aCurrentTarget=0x7f6bbe917488, aFlags=6, aEventStatus=0x7fffd7caf058, aPusher=0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventListenerManager.h:146
#17 0x00007f6bdcd4761d in nsEventTargetChainItem::HandleEvent (this=0x7f6bcf8bb3b8, aVisitor=..., aFlags=6, aMayHaveNewListenerManagers=0, aPusher=0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventDispatcher.cpp:212
#18 0x00007f6bdcd452a2 in nsEventTargetChainItem::HandleEventTargetChain (this=0x7f6bcf8bb1f8, aVisitor=..., aFlags=6, aCallback=0x0, aMayHaveNewListenerManagers=0, aPusher=0x7fffd7caf080) at /home/bjacob/mozilla-central/content/events/src/nsEventDispatcher.cpp:341
#19 0x00007f6bdcd46039 in nsEventDispatcher::Dispatch (aTarget=0x7f6bc8b41400, aPresContext=0x7f6bbe916c00, aEvent=0x7fffd7caf1b0, aDOMEvent=0x0, aEventStatus=0x7fffd7caf1fc, aCallback=0x0, aTargets=0x0) at /home/bjacob/mozilla-central/content/events/src/nsEventDispatcher.cpp:628
#20 0x00007f6bdc8f6f18 in DocumentViewerImpl::LoadComplete (this=0x7f6bc10f9200, aStatus=0) at /home/bjacob/mozilla-central/layout/base/nsDocumentViewer.cpp:1037
#21 0x00007f6bdd568a70 in nsDocShell::EndPageLoad (this=0x7f6bc8b3f800, aProgress=0x7f6bc8b3f828, aChannel=0x7f6bbf42d2a0, aStatus=0) at /home/bjacob/mozilla-central/docshell/base/nsDocShell.cpp:5766
#22 0x00007f6bdd568453 in nsDocShell::OnStateChange (this=0x7f6bc8b3f800, aProgress=0x7f6bc8b3f828, aRequest=0x7f6bbf42d2a0, aStateFlags=131088, aStatus=0) at /home/bjacob/mozilla-central/docshell/base/nsDocShell.cpp:5647
#23 0x00007f6bdd5957d1 in nsDocLoader::FireOnStateChange (this=0x7f6bc8b3f800, aProgress=0x7f6bc8b3f828, aRequest=0x7f6bbf42d2a0, aStateFlags=131088, aStatus=0) at /home/bjacob/mozilla-central/uriloader/base/nsDocLoader.cpp:1321
#24 0x00007f6bdd5944fc in nsDocLoader::doStopDocumentLoad (this=0x7f6bc8b3f800, request=0x7f6bbf42d2a0, aStatus=0) at /home/bjacob/mozilla-central/uriloader/base/nsDocLoader.cpp:929
#25 0x00007f6bdd5940e5 in nsDocLoader::DocLoaderIsEmpty (this=0x7f6bc8b3f800, aFlushLayout=1) at /home/bjacob/mozilla-central/uriloader/base/nsDocLoader.cpp:805
#26 0x00007f6bdd593c12 in nsDocLoader::OnStopRequest (this=0x7f6bc8b3f800, aRequest=0x7f6bc5067ea0, aCtxt=0x0, aStatus=0) at /home/bjacob/mozilla-central/uriloader/base/nsDocLoader.cpp:700
#27 0x00007f6bdc696851 in nsLoadGroup::RemoveRequest (this=0x7f6bcab44df0, request=0x7f6bc5067ea0, ctxt=0x0, aStatus=0) at /home/bjacob/mozilla-central/netwerk/base/src/nsLoadGroup.cpp:680
#28 0x00007f6bdcc2f63b in nsDocument::DoUnblockOnload (this=0x7f6bbe809800) at /home/bjacob/mozilla-central/content/base/src/nsDocument.cpp:6945
#29 0x00007f6bdcc2f3fc in nsDocument::UnblockOnload (this=0x7f6bbe809800, aFireSync=1) at /home/bjacob/mozilla-central/content/base/src/nsDocument.cpp:6887
#30 0x00007f6bdcd44d11 in nsLoadBlockingPLDOMEvent::~nsLoadBlockingPLDOMEvent (this=0x7f6bcc151880, __in_chrg=<value optimized out>) at /home/bjacob/mozilla-central/content/events/src/nsPLDOMEvent.cpp:86
---Type <return> to continue, or q <return> to quit---
#31 0x00007f6bdcd44d64 in nsLoadBlockingPLDOMEvent::~nsLoadBlockingPLDOMEvent (this=0x7f6bcc151880, __in_chrg=<value optimized out>) at /home/bjacob/mozilla-central/content/events/src/nsPLDOMEvent.cpp:88
#32 0x00007f6bddb7b9fa in nsRunnable::Release (this=0x7f6bcc151880) at nsThreadUtils.cpp:55
#33 0x00007f6bdc64b8d6 in nsCOMPtr<nsIRunnable>::~nsCOMPtr (this=0x7fffd7cafce0, __in_chrg=<value optimized out>) at ../../dist/include/nsCOMPtr.h:533
#34 0x00007f6bddbef3c8 in nsThread::ProcessNextEvent (this=0x7f6bda138d70, mayWait=0, result=0x7fffd7cafd5c) at /home/bjacob/mozilla-central/xpcom/threads/nsThread.cpp:552
#35 0x00007f6bddb7bf7d in NS_ProcessNextEvent_P (thread=0x7f6bda138d70, mayWait=0) at nsThreadUtils.cpp:250
#36 0x00007f6bdda42ea6 in mozilla::ipc::MessagePump::Run (this=0x7f6bda1af800, aDelegate=0x7f6bda1d21c0) at /home/bjacob/mozilla-central/ipc/glue/MessagePump.cpp:118
#37 0x00007f6bddc5eb91 in MessageLoop::RunInternal (this=0x7f6bda1d21c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#38 0x00007f6bddc5eb16 in MessageLoop::RunHandler (this=0x7f6bda1d21c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:202
#39 0x00007f6bddc5eaa7 in MessageLoop::Run (this=0x7f6bda1d21c0) at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:176
#40 0x00007f6bdd8e8889 in nsBaseAppShell::Run (this=0x7f6bd27d4a20) at /home/bjacob/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:175
#41 0x00007f6bdd645b01 in nsAppStartup::Run (this=0x7f6bd00ff330) at /home/bjacob/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:192
#42 0x00007f6bdc63bafd in XRE_main (argc=4, argv=0x7fffd7cb09c8, aAppData=0x7f6bda1250f0) at /home/bjacob/mozilla-central/toolkit/xre/nsAppRunner.cpp:3625
#43 0x0000000000401f4f in main (argc=4, argv=0x7fffd7cb09c8) at /home/bjacob/mozilla-central/browser/app/nsBrowserApp.cpp:158
(gdb) frame 5
#5 0x00007f6bdcd84522 in nsHTMLCanvasElement::ToDataURLImpl (this=0x7f6bcc741ca0, aMimeType=..., aEncoderOptions=..., aDataURL=...) at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:240
240 getter_AddRefs(imgStream));
(gdb) print imgStream
$1 = {mRawPtr = 0x0}
Assignee: nobody → bjacob
ah no, that imgStream being null can't be the cause of this crash.... investigating
Severity: normal → critical
Keywords: crash
Summary: crash in nsHTMLCanvasElement.cpp when running WebGL conformance suite → crash in [@ nsHTMLCanvasElement::ToDataURLImpl] when running WebGL conformance suite
Thanks to Ehsan... context is null here.
Attached patch Fix canvas GetContext() (deleted) — Splinter Review
This patch was basically written by Ehsan ;-) It fixes the crash; the problem was that GetContext had a bug letting it return NS_OK even if the context pointer was null.
Attachment #457154 - Flags: review?(vladimir)
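The failure mode described in the comment above (a getter that reports success while leaving its out-parameter null, and a caller that trusts the status alone) is modeled below in standalone C++. This is an added example, not the attached patch or Mozilla code; every name in it (Status, Context, TryCreate, GetContextBuggy, GetContextFixed, ToDataURL) is hypothetical.

```cpp
#include <memory>
#include <string>

enum class Status { Ok, Failure };  // hypothetical stand-in for nsresult

struct Context {  // hypothetical stand-in for a rendering context
  std::string id;
  std::string Encode() const { return "encoded:" + id; }
};

// Models a backend that may be unable to create the requested context.
static std::unique_ptr<Context> TryCreate(const std::string& id, bool available) {
  if (!available) return nullptr;
  return std::make_unique<Context>(Context{id});
}

// Buggy shape: the status is decided independently of the out-parameter,
// so the caller can observe Ok together with a null context.
Status GetContextBuggy(const std::string& id, bool available,
                       std::unique_ptr<Context>& out) {
  out = TryCreate(id, available);
  return Status::Ok;
}

// Hardened shape: default to failure and report Ok only once the
// out-parameter is known to be non-null.
Status GetContextFixed(const std::string& id, bool available,
                       std::unique_ptr<Context>& out) {
  Status rv = Status::Failure;
  out = TryCreate(id, available);
  if (out) rv = Status::Ok;
  return rv;
}

using Getter = Status (*)(const std::string&, bool, std::unique_ptr<Context>&);

// Caller in the style of a toDataURL implementation. It checks the status
// and the pointer, so even the buggy getter yields an error, not a crash.
Status ToDataURL(Getter get, bool available, std::string& url) {
  std::unique_ptr<Context> ctx;
  if (get("webgl", available, ctx) != Status::Ok) return Status::Failure;
  if (!ctx) return Status::Failure;  // without this check: null dereference below
  url = ctx->Encode();
  return Status::Ok;
}
```
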
Here are STR for what I think is the same crash (based on crash signature matching this bug)

0. Enable pref webgl.enabled_for_all_sites & restart Firefox
1. Load http://dev.miaumiau.cat/quickGraph/
2. Right-click the 3D surface and choose "View Image" or "Save Image As"
--> Immediate crash.

Crashes:
bp-77c0c96d-dc78-4a55-aa00-1ab332100713
bp-4531ba72-3a42-4449-9b3e-66e502100713
bp-5b99695e-ad4e-4cce-a2a6-e53a52100713
Hardware: x86_64 → All
Here, with a build that has this patch applied, it's not crashing (it's also not doing anything). Can you confirm this fixes it?
Comment on attachment 457154 [details] [diff] [review] Fix canvas GetContext() >diff --git a/content/html/content/src/nsHTMLCanvasElement.cpp b/content/html/content/src/nsHTMLCanvasElement.cpp >--- a/content/html/content/src/nsHTMLCanvasElement.cpp >+++ b/content/html/content/src/nsHTMLCanvasElement.cpp >@@ -344,23 +344,23 @@ nsHTMLCanvasElement::GetContextHelper(co > > return rv; > } > > NS_IMETHODIMP > nsHTMLCanvasElement::GetContext(const nsAString& aContextId, > nsISupports **aContext) > { >- nsresult rv; >+ nsresult rv = NS_ERROR_FAILURE; On second look, we don't seem to use rv in the outer block at all, so maybe move it to the GetContextHelper line?
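Review bot: In GetContext, changing the declaration to `nsresult rv = NS_ERROR_FAILURE;` only makes the default return value a failure; nothing in the visible hunk ties a success return to `*aContext` being non-null. Since the crash came from a caller receiving NS_OK with a null context, an explicit null check on the out-parameter before returning success would state that contract directly. If rv is not otherwise used in the outer block, the declaration can then sit at the GetContextHelper call where it is first assigned.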
(In reply to comment #5)
> Here, with a build that has this patch applied, it's not crashing (it's also
> not doing anything). Can you confirm this fixes it?

I just tested the patch from comment 6 -- it fixes the crash, but we still don't get the expected result ('view image' or 'save image as'). Instead, I get no visible change in the browser, and this is spammed to std[err|out]:
{
../../mozilla/content/html/content/src/nsHTMLCanvasElement.cpp, line 233
JavaScript error: , line 0: uncaught exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIDOMHTMLCanvasElement.toDataURL]" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: chrome://browser/content/nsContextMenu.js :: anonymous :: line 1002" data: no]
}
(In reply to comment #8)
> Is this a dup of 578215?

Yes, looks so. I don't know which of the 2 patches is best, you decide :-)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
(In reply to comment #7)
> (In reply to comment #5)
> > Here, with a build that has this patch applied, it's not crashing (it's also
> > not doing anything). Can you confirm this fixes it?
>
> I just tested the patch from comment 6 -- it fixes the crash, but we still
> don't get the expected result ('view image' or 'save image as').

This is a separate bug (I don't even know if this stuff is implemented at all?)
It's not, there's a bug on file for it somewhere.
Crash Signature: [@ nsHTMLCanvasElement::ToDataURLImpl]