Closed
Bug 866575
Opened 11 years ago
Closed 11 years ago
DOM-bindings crash with large source in createPattern
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
()
RESOLVED
FIXED
mozilla23
| Tracking | Status | |
|---|---|---|
| firefox22 | --- | unaffected |
| firefox23 | + | fixed |
People
(Reporter: jruderman, Assigned: dzbarsky)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
nrc
:
review+
|
Details | Diff | Splinter Review |
|
(deleted),
patch
|
mattwoodrow
:
review+
|
Details | Diff | Splinter Review |
Assertion failure: value, at dist/include/mozilla/dom/BindingUtils.h:557 Or null deref [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::CanvasPattern>, true>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::CanvasPattern> const&, JS::Value*)]
|
Reporter | |
Comment 1•11 years ago
|
||
When createPattern fails, is it supposed to throw or return null?
|
||
Comment 2•11 years ago
|
||
On Windows: bp-65ab709e-f98d-45f2-a050-cd5052130429. It's likely a regression from bug 856472.
Crash Signature: [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::CanvasPattern>, true>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::CanvasPattern> const&, JS::Value*)] → [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::CanvasPattern>, true>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::CanvasPattern> const&, JS::Value*)]
[@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom…
status-firefox22:
--- → unaffected
status-firefox23:
--- → affected
Keywords: regression
OS: Mac OS X → All
Hardware: x86_64 → All
Version: Trunk → 23 Branch
|
Assignee | |
Comment 3•11 years ago
|
||
The bug is at https://mxr.mozilla.org/mozilla-central/source/content/canvas/src/CanvasRenderingContext2D.cpp#1453 This should throw or we should change the webidl to return a nullable CanvasPattern.
|
|
||
Updated•11 years ago
|
Crash Signature: , JS::Value*)]
[@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::ScriptProcessorNode>, int>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::ScriptProcessorNode> const&, JS::Value*) ] → , JS::Value*)]
[@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::ScriptProcessorNode>, int>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<mozilla::dom::ScriptProcessorNode> const&, JS::Value*)]
good=2013-04-19 bad=2013-04-20 http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=64d6d002e888&tochange=dd03d42b01b1
|
||
Comment 5•11 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e1198271a9a6&tochange=3e7970330a3e
Blocks: 856472
|
|
||
Comment 6•11 years ago
|
||
Imo that method should throw. David, want to do that and ask nrc or bas for review?
|
|
||
Updated•11 years ago
|
tracking-firefox23:
--- → ?
|
|
Assignee | |
Comment 7•11 years ago
|
||
|
||
Comment 8•11 years ago
|
||
Comment on attachment 743140 [details] [diff] [review] Patch Review of attachment 743140 [details] [diff] [review]: ----------------------------------------------------------------- lgtm
Attachment #743140 -
Flags: review?(ncameron) → review+
|
|
Assignee | |
Comment 9•11 years ago
|
||
Attachment #744362 -
Flags: review?(matt.woodrow)
|
||
Updated•11 years ago
|
Attachment #744362 -
Flags: review?(matt.woodrow) → review+
|
|
Assignee | |
Comment 10•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/1edc14e71167
|
||
Comment 11•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/1edc14e71167
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
|
|
||
Updated•11 years ago
|
|
||
Updated•11 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•