[tbb-bugs] #17313 [Tor Browser]: Crash in Canvas patch seen on OS X Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Oct 10 00:58:18 UTC 2015


#17313: Crash in Canvas patch seen on OS X Tor Browser
-----------------------------+--------------------------
 Reporter:  arthuredelstein  |          Owner:  tbb-team
     Type:  defect           |         Status:  new
 Priority:  normal           |      Milestone:
Component:  Tor Browser      |        Version:
 Keywords:  tbb-crash        |  Actual Points:
Parent ID:                   |         Points:
  Sponsor:                   |
-----------------------------+--------------------------
 I built tor-browser.git on OS X (non cross-compiled), and added torbutton
 and NoScript. Then if I go to theguardian.com, I get a crash. Here's the
 stack trace:

 {{{
 On http://www.theguardian.com/international: blocked access to canvas
 image data from document http://www.theguardian.com/international, script
 from http://www.theguardian.com/international:223
 Hit MOZ_CRASH([AutoAssertOnGC] possible GC in GC-unsafe region) at
 /projects/torproject/tor-browser31/js/src/jsgc.cpp:6919
 Process 58004 stopped
 * thread #1: tid = 0x227cad, 0x0000000106ef03e0
 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at
 jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason =
 EXC_BAD_ACCESS (code=1, address=0x0)
     frame #0: 0x0000000106ef03e0
 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at
 jsgc.cpp:6919
    6916 JS::AutoAssertOnGC::VerifyIsSafeToGC(JSRuntime* rt)
    6917 {
    6918     if (rt->gc.isInsideUnsafeRegion())
 -> 6919         MOZ_CRASH("[AutoAssertOnGC] possible GC in GC-unsafe
 region");
    6920 }
    6921
    6922 JS::AutoAssertNoAlloc::AutoAssertNoAlloc(JSRuntime* rt)
 (lldb) bt
 * thread #1: tid = 0x227cad, 0x0000000106ef03e0
 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at
 jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason =
 EXC_BAD_ACCESS (code=1, address=0x0)
     frame #0: 0x0000000106ef03e0
 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at
 jsgc.cpp:6919
     frame #1: 0x0000000106f41f81 XUL`bool
 js::gc::CheckAllocatorState<(cx=0x000000011696b790,
 kind=FINALIZE_STRING)1>(js::ExclusiveContext*, js::gc::AllocKind) + 513 at
 jsgcinlines.h:473
     frame #2: 0x0000000106faeece XUL`JSString*
 js::gc::AllocateNonObject<JSString,
 (cx=0x000000011696b790)1>(js::ExclusiveContext*) + 142 at
 jsgcinlines.h:562
     frame #3: 0x0000000106faed75 XUL`JSString*
 js::NewGCString<(cx=0x000000011696b790)1>(js::ExclusiveContext*) + 21 at
 jsgcinlines.h:651
     frame #4: 0x00000001069063a7 XUL`JSFlatString*
 JSFlatString::new_<(cx=0x000000011696b790, chars=0x000000011eb8efc0,
 length=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*,
 unsigned long) + 167 at String-inl.h:239
     frame #5: 0x0000000106906d99 XUL`JSFlatString*
 js::NewStringCopyNDontDeflate<(cx=0x000000011696b790,
 s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*,
 unsigned char const*, unsigned long) + 361 at String.cpp:1020
     frame #6: 0x00000001069070d5 XUL`JSFlatString*
 js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1,
 unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long)
 + 37 at String.h:1047
     frame #7: 0x0000000106888ac5 XUL`JSFlatString*
 js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f,
 n=25)1>(js::ExclusiveContext*, char const*, unsigned long) + 37 at
 String.h:1140
     frame #8: 0x0000000106888a0c XUL`JSFlatString*
 js::NewStringCopyZ<(cx=0x000000011696b790,
 s=0x00000001072e296f)1>(js::ExclusiveContext*, char const*) + 60 at
 String.h:1160
     frame #9: 0x0000000106e3c581
 XUL`JS_NewStringCopyZ(cx=0x000000011696b790, s=0x00000001072e296f) + 113
 at jsapi.cpp:4352
     frame #10: 0x000000010237b48b
 XUL`XPCConvert::NativeData2JS(d=JS::MutableHandleValue at
 0x00007fff5fbf6e08, s=0x00007fff5fbf7aa8, type=0x00007fff5fbf74b0,
 iid=0x00007fff5fbf7920, pErr=0x0000000000000000) + 1755 at
 XPCConvert.cpp:232
     frame #11: 0x00000001023e2b97
 XUL`nsXPCWrappedJSClass::CallMethod(this=0x0000000113593470,
 wrapper=0x0000000115e86080, methodIndex=3, info_=0x0000000111d3a338,
 nativeParams=0x00007fff5fbf7aa0) + 4087 at XPCWrappedJSClass.cpp:1119
     frame #12: 0x00000001023e1b89
 XUL`nsXPCWrappedJS::CallMethod(this=0x0000000115e86080, methodIndex=3,
 info=0x0000000111d3a338, params=0x00007fff5fbf7aa0) + 185 at
 XPCWrappedJS.cpp:532
     frame #13: 0x00000001017246f9
 XUL`PrepareAndDispatch(self=0x0000000119ced600, methodIndex=3,
 args=0x00007fff5fbf7c00, gpregs=0x00007fff5fbf7b80,
 fpregs=0x00007fff5fbf7bb0) + 1577 at xptcstubs_x86_64_darwin.cpp:122
     frame #14: 0x000000010172315b XUL`SharedStub + 91
     frame #15: 0x00000001016701c9
 XUL`nsObserverList::NotifyObservers(this=0x00000001169c5bd0,
 aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f,
 someData=0x0000000108224ece) + 137 at nsObserverList.cpp:100
     frame #16: 0x0000000101671f72
 XUL`nsObserverService::NotifyObservers(this=0x00000001116aa5b0,
 aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f,
 aSomeData=0x0000000108224ece) + 338 at nsObserverService.cpp:329
     frame #17: 0x0000000103ba7da2
 XUL`mozilla::CanvasUtils::IsImageExtractionAllowed(aDocument=0x0000000115e43800,
 aCx=0x00000001161e2430) + 2194 at CanvasUtils.cpp:134
     frame #18: 0x0000000103baca11
 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageDataArray(this=0x000000011b930000,
 aCx=0x00000001161e2430, aX=0, aY=0, aWidth=1, aHeight=1,
 aRetval=0x00007fff5fbf82b8) + 1633 at CanvasRenderingContext2D.cpp:5017
     frame #19: 0x0000000103bac1d5
 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageData(this=0x000000011b930000,
 aCx=0x00000001161e2430, aSx=0, aSy=0, aSw=1, aSh=1,
 error=0x00007fff5fbf83f0) + 1221 at CanvasRenderingContext2D.cpp:4932
     frame #20: 0x00000001035b1c48
 XUL`mozilla::dom::CanvasRenderingContext2DBinding::getImageData(cx=0x00000001161e2430,
 obj=Handle<JSObject *> at 0x00007fff5fbf8478, self=0x000000011b930000,
 args=0x00007fff5fbf84f0) + 744 at CanvasRenderingContext2DBinding.cpp:4416
     frame #21: 0x0000000103b85260
 XUL`mozilla::dom::GenericBindingMethod(cx=0x00000001161e2430, argc=4,
 vp=0x00000001134b8208) + 656 at BindingUtils.cpp:2537
     frame #22: 0x00000001067ee4e9
 XUL`js::CallJSNative(cx=0x00000001161e2430, native=0x0000000103b84fd0,
 args=0x00007fff5fbf8b80)(JSContext*, unsigned int, JS::Value*),
 JS::CallArgs const&) + 185 at jscntxtinlines.h:226
     frame #23: 0x0000000106772471 XUL`js::Invoke(cx=0x00000001161e2430,
 args=CallArgs at 0x00007fff5fbf8b80, construct=NO_CONSTRUCT) + 1137 at
 Interpreter.cpp:498
     frame #24: 0x000000010678cc85 XUL`Interpret(cx=0x00000001161e2430,
 state=0x00007fff5fbfb938) + 51269 at Interpreter.cpp:2602
     frame #25: 0x0000000106780357 XUL`js::RunScript(cx=0x00000001161e2430,
 state=0x00007fff5fbfb938) + 583 at Interpreter.cpp:448
     frame #26: 0x0000000106798938
 XUL`js::ExecuteKernel(cx=0x00000001161e2430, script=JS::HandleScript at
 0x00007fff5fbfba20, scopeChainArg=0x000000011dbf5060,
 thisv=0x00007fff5fbfbaa0, type=EXECUTE_GLOBAL,
 evalInFrame=AbstractFramePtr at 0x00007fff5fbfba00,
 result=0x0000000000000000) + 904 at Interpreter.cpp:654
     frame #27: 0x0000000106798c2a XUL`js::Execute(cx=0x00000001161e2430,
 script=JS::HandleScript at 0x00007fff5fbfbb08,
 scopeChainArg=0x000000011dbf5060, rval=0x0000000000000000) + 666 at
 Interpreter.cpp:690
 }}}

 I haven't observed this on the cross-compiled alpha, so perhaps it is
 peculiar to the way I was building. Still it seems worth checking out in
 case we have some incorrect code.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17313>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
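To make the hazard in the trace concrete, here is an added, simplified C++ model (not Mozilla's or Tor Browser's code; the Runtime, observer and function names are assumptions, and the topic string is constructed): a no-GC guard is live while observers are notified, and notifying a JS-implemented observer allocates a JS string, which is what frames #9 through #17 show.

```cpp
#include <functional>
#include <string>
#include <vector>
struct Runtime {
    int unsafeDepth = 0;  // stand-in for the runtime's GC unsafe-region counter
    bool isInsideUnsafeRegion() const { return unsafeDepth > 0; }
};
// RAII guard modelled on JS::AutoAssertOnGC: while alive, any GC allocation
// is a bug (SpiderMonkey calls MOZ_CRASH; this model records it instead).
struct AutoAssertOnGC {
    Runtime& rt;
    explicit AutoAssertOnGC(Runtime& r) : rt(r) { ++rt.unsafeDepth; }
    ~AutoAssertOnGC() { --rt.unsafeDepth; }
};
// Stand-in for JS_NewStringCopyZ (frame #9): a JS string allocation may
// trigger GC, so under the guard it fails where the real code would abort.
static bool newGCString(Runtime& rt, const std::string&) {
    return !rt.isInsideUnsafeRegion();
}
// A JS-implemented observer. XPConnect converts the topic to a JS string
// before the observer runs (frames #10-#11), so notification allocates.
using Observer = std::function<bool(Runtime&, const std::string&)>;
static std::vector<Observer> jsObservers() {
    return {[](Runtime& rt, const std::string& t) { return newGCString(rt, t); }};
}
static bool notifyObservers(Runtime& rt, const std::vector<Observer>& obs,
                            const std::string& topic) {
    for (const auto& o : obs) if (!o(rt, topic)) return false;
    return true;
}
// Buggy ordering: observers are notified (as in frame #17) while the guard
// is still live. Where the real guard sits in the caller chain is not shown
// by the trace; the model places it here for brevity.
static bool isImageExtractionAllowedBuggy(Runtime& rt, const std::vector<Observer>& obs) {
    AutoAssertOnGC nogc(rt);
    return notifyObservers(rt, obs, "example-canvas-topic");
}
// Safe ordering: the guard covers only GC-sensitive work and is released
// before anything that can allocate runs.
static bool isImageExtractionAllowedFixed(Runtime& rt, const std::vector<Observer>& obs) {
    { AutoAssertOnGC nogc(rt); /* GC-sensitive work only */ }
    return notifyObservers(rt, obs, "example-canvas-topic");
}
// Runs one ordering on a fresh runtime: true means no unsafe allocation was
// attempted and the guard was fully released afterwards.
static bool runScenario(bool fixedOrdering) {
    Runtime rt;
    bool ok = fixedOrdering ? isImageExtractionAllowedFixed(rt, jsObservers())
                            : isImageExtractionAllowedBuggy(rt, jsObservers());
    return ok && rt.unsafeDepth == 0;
}
```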