Closed Bug 702150 Opened 13 years ago Closed 8 years ago

Crash [@ gfxContext::gfxContext ] calling drawImage with huge canvas

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1276062
Tracking Status
firefox10 --- affected
firefox11 --- affected
firefox12 --- affected

People

(Reporter: aki.helin, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

Attached file testcase (deleted) —
Attempting to draw an oversized canvas crashes Firefox due to a null-deref.
Crash Signature: https://crash-stats.mozilla.com/report/index/bp-3593c177-758e-4579-a22c-7d44e2111113
Crash Signature: https://crash-stats.mozilla.com/report/index/bp-3593c177-758e-4579-a22c-7d44e2111113 → [@ gfxContext::gfxContext ]
Component: General → Canvas: WebGL
Keywords: testcase
Product: Firefox → Core
QA Contact: general → canvas.webgl
Keywords: crash
Attachment #574181 - Attachment mime type: text/plain → text/html
I don't crash on a Mac using http://hg.mozilla.org/releases/mozilla-beta/rev/8c38918f146d (9.0 Beta) or more recent Aurora or Nightly builds. Unfortunately your crash-stats submissions seems to have evaporated, but from the bug meta-data I assume you were testing a 64-bit Linux build of some recent 9.0 Beta.
Yes. New crash report from current 9.0 beta on 64-bit Linux is at https://crash-stats.mozilla.com/report/index/bp-985a0fbc-db5d-4b8a-acac-3d4422111128
I can confirm on Linux 32-bit / 64-bit on Beta/10, Aurora/11, Nightly/12. Sample crash report:

    Operating system: Linux
                      0.0.0 Linux 3.1.6-1.fc16.i686.PAE #1 SMP Wed Dec 21 23:01:09 UTC 2011 i686
    CPU: x86
         GenuineIntel family 6 model 37 stepping 1
         1 CPU

    Crash reason:  SIGSEGV
    Crash address: 0x4

    Thread 0 (crashed)
     0  libxul.so!gfxASurface::CairoSurface [gfxASurface.h : 119 + 0x3]
        eip = 0x01a4382f   esp = 0xbfdb5d20   ebp = 0xbfdb5d48   ebx = 0x03855a18
        esi = 0xbfdb6110   edi = 0x09b6ddb8   eax = 0x00000000   ecx = 0xb78099d4
        edx = 0x00000004   efl = 0x00210206
        Found by: given as instruction pointer in context
     1  libxul.so!gfxContext::gfxContext [gfxContext.cpp : 64 + 0xa]
        eip = 0x029f132b   esp = 0xbfdb5d50   ebp = 0xbfdb5df8   ebx = 0x03855a18
        esi = 0xbfdb6110   edi = 0x09b6ddb8
        Found by: call frame info
     2  libxul.so!nsLayoutUtils::SurfaceFromElement [nsLayoutUtils.cpp : 3953 + 0x15]
        eip = 0x016462e3   esp = 0xbfdb5e00   ebp = 0xbfdb5fa8   ebx = 0x03855a18
        esi = 0xbfdb6110   edi = 0x09b6ddb8
        Found by: call frame info
     3  libxul.so!nsCanvasRenderingContext2D::DrawImage [nsCanvasRenderingContext2D.cpp : 3426 + 0x1b]
        eip = 0x01a3e91d   esp = 0xbfdb5fb0   ebp = 0xbfdb61f8   ebx = 0x03855a18
        esi = 0x01a3e7ae   edi = 0x00000000
        Found by: call frame info
     4  libxul.so!nsIDOMCanvasRenderingContext2D_DrawImage [dom_quickstubs.cpp : 2772 + 0x77]
        eip = 0x0224e890   esp = 0xbfdb6200   ebp = 0xbfdb62d8   ebx = 0x03855a18
        esi = 0x01a3e7ae   edi = 0x00000000
        Found by: call frame info
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Canvas: WebGL → Canvas: 2D
QA Contact: canvas.webgl → canvas.2d
Summary: Crash [@ gfxContext::gfxContext ] → Crash [@ gfxContext::gfxContext ] calling drawImage with huge canvas
Version: 9 Branch → Trunk
Attached file testcase 2 (deleted) —
Attached file stack trace (gdb) (deleted) —
Crash Signature: [@ gfxContext::gfxContext ] → [@ gfxContext::gfxContext ] [@ gfxASurface::CairoSurface]
Happens with azure enabled and with azure disabled.

    nsCanvasRenderingContext2D::DrawImage
    nsCanvasRenderingContext2DAzure::DrawImage
This bug is still present in version 25 on Windows 7 with WebGL on. The size of a canvas needs to be larger than 2^18 pixels in my case:

    <canvas id="A" width="32" height="8193"></canvas>
    <canvas id="B" width="10" height="10"></canvas>
    <script>
    document.getElementById("B").getContext("2d").drawImage(
        document.getElementById("A"), 0, 8193, 10, 10, 0, 0, 10, 10);
    </script>

Strangely, the too-large canvas is displayed correctly, so there must be some error/overflow in the WebGL drawImage functions.
I noticed this happens when the width/height of what you're drawing from is set to 0.
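The two comments above describe the conditions under which the engine dereferences a null surface: a source canvas whose backing store is too large to have been allocated, a source rectangle that starts entirely outside the source, and a source with zero width or height. The following is an added example, written for this page and not code from the bug, from Firefox or from any of the commenters: an application-side wrapper that validates `drawImage()` source arguments in pure JavaScript before calling the real API, so a page that composites untrusted dimensions fails closed instead of handing a degenerate request to the renderer. `MAX_SOURCE_PIXELS`, `validateDrawImageSource` and `safeDrawImage` are names chosen here; the 2^18 cap is taken from the comment above as an illustrative value, not a browser or spec constant. It runs under Node with a constructed fake context, since no real canvas is needed to exercise the checks.

```javascript
// Added example (not Firefox or bug-attachment code): validate drawImage()
// source-rectangle arguments before they reach the renderer.

// Assumed, illustrative cap on source backing-store pixels. Taken from the
// "larger than 2^18 pixels" observation in the comment above; a real deployment
// would derive this from the platforms it targets.
const MAX_SOURCE_PIXELS = 2 ** 18;

// Returns { ok: true } or { ok: false, reason } for a 9-argument drawImage
// source rectangle (sx, sy, sw, sh) against a source with .width/.height.
function validateDrawImageSource(source, sx, sy, sw, sh, maxPixels = MAX_SOURCE_PIXELS) {
  const width = Number(source && source.width);
  const height = Number(source && source.height);
  if (![sx, sy, sw, sh, width, height].every(Number.isFinite)) {
    return { ok: false, reason: "non-finite argument" };
  }
  // Zero-sized source: nothing to sample, and the comment above reports a
  // crash for exactly this case.
  if (width === 0 || height === 0) {
    return { ok: false, reason: "source has zero width or height" };
  }
  // Zero-sized source rectangle: degenerate request, skip it.
  if (sw === 0 || sh === 0) {
    return { ok: false, reason: "zero-sized source rectangle" };
  }
  // Negative sw/sh are legal (the rectangle is flipped); normalise the
  // corners before the bounds check so both orientations are handled.
  const x0 = Math.min(sx, sx + sw), x1 = Math.max(sx, sx + sw);
  const y0 = Math.min(sy, sy + sh), y1 = Math.max(sy, sy + sh);
  if (x1 <= 0 || y1 <= 0 || x0 >= width || y0 >= height) {
    return { ok: false, reason: "source rectangle lies entirely outside the source" };
  }
  // Oversized source: its backing store may never have been allocated.
  if (width * height > maxPixels) {
    return { ok: false, reason: "source exceeds pixel cap" };
  }
  return { ok: true, reason: "" };
}

// Wraps ctx.drawImage(source, sx, sy, sw, sh, dx, dy, dw, dh): the draw is
// skipped, and the reason returned, when validation fails.
function safeDrawImage(ctx, source, sx, sy, sw, sh, dx, dy, dw, dh) {
  const verdict = validateDrawImageSource(source, sx, sy, sw, sh);
  if (verdict.ok) {
    ctx.drawImage(source, sx, sy, sw, sh, dx, dy, dw, dh);
  }
  return verdict;
}

// Constructed stand-in for a CanvasRenderingContext2D that records calls,
// so the wrapper can be exercised outside a browser.
function makeRecordingContext() {
  const calls = [];
  return { calls, drawImage: (...args) => { calls.push(args); } };
}

// Demo with the dimensions from the comment above (32 x 8193 source, sy = 8193).
const demoCtx = makeRecordingContext();
const oversized = { width: 32, height: 8193 };
console.log(safeDrawImage(demoCtx, oversized, 0, 8193, 10, 10, 0, 0, 10, 10));
console.log(safeDrawImage(demoCtx, oversized, 0, 0, 10, 10, 0, 0, 10, 10));
console.log(safeDrawImage(demoCtx, { width: 10, height: 10 }, 0, 0, 10, 10, 0, 0, 10, 10));
console.log("draw calls actually issued:", demoCtx.calls.length);

module.exports = { MAX_SOURCE_PIXELS, validateDrawImageSource, safeDrawImage, makeRecordingContext };
```

The checks are ordered so the most specific diagnosis wins: the page's own testcase (sy equal to the source height) is reported as an out-of-bounds rectangle rather than as an oversized source, even though it is both. Flipped rectangles (negative sw/sh) are accepted, because the HTML canvas specification permits them; only empty and fully off-source rectangles are refused.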
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE