[tbb-bugs] #17313 [Tor Browser]: Crash in Canvas patch seen on OS X Tor Browser

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 29 17:18:01 UTC 2015

#17313: Crash in Canvas patch seen on OS X Tor Browser
 Reporter:  arthuredelstein  |          Owner:  tbb-team
     Type:  defect           |         Status:  new
 Priority:  Medium           |      Milestone:
Component:  Tor Browser      |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:  tbb-crash        |  Actual Points:
Parent ID:                   |         Points:
  Sponsor:                   |
Changes (by arthuredelstein):

 * severity:   => Normal


 I confirmed that this crash does not happen in a non-debug build (not
 optimized). This makes sense, as VerifyIsSafeToGC(...) at jsgc.cpp:6919 is
 inside an #ifdef DEBUG clause.

 I did a few diagnostics -- it turns out that if I comment out
 in [https://gitweb.torproject.org/tor-browser/base/content/browser.js],
 then the crash goes away. But if instead I comment out only the contents
 of the `observe` function in `CanvasPermissionPromptHelper` then the
 crash still happens.

 Using lldb, I also found that the string apparently causing this crash is
 "canvas-permissions-prompt" (aka the observer "topic"). So it appears that
 something is going wrong in the conversion of the topic string from a
 char[] to a JS string -- maybe it's not being properly marked "safe-to-

 In any case, the mozilla-central string conversion code path appears to be
 somewhat different -- this bug may already be fixed there. So it may make
 sense to postpone tracking this bug down until we rebase to
 mozilla-central or FF45ESR.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17313#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
