Closed (moved)
Crash in Canvas patch seen on OS X Tor Browser
I built tor-browser.git on OS X (non cross-compiled), and added torbutton and NoScript. Then if I go to theguardian.com, I get a crash. Here's the stack trace:
On http://www.theguardian.com/international: blocked access to canvas image data from document http://www.theguardian.com/international, script from http://www.theguardian.com/international:223
Hit MOZ_CRASH([AutoAssertOnGC] possible GC in GC-unsafe region) at /projects/torproject/tor-browser31/js/src/jsgc.cpp:6919
Process 58004 stopped
* thread #1: tid = 0x227cad, 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
frame #0: 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919
6916 JS::AutoAssertOnGC::VerifyIsSafeToGC(JSRuntime* rt)
6917 {
6918 if (rt->gc.isInsideUnsafeRegion())
-> 6919 MOZ_CRASH("[AutoAssertOnGC] possible GC in GC-unsafe region");
6920 }
6921
6922 JS::AutoAssertNoAlloc::AutoAssertNoAlloc(JSRuntime* rt)
(lldb) bt
* thread #1: tid = 0x227cad, 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
frame #0: 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919
frame #1: 0x0000000106f41f81 XUL`bool js::gc::CheckAllocatorState<(cx=0x000000011696b790, kind=FINALIZE_STRING)1>(js::ExclusiveContext*, js::gc::AllocKind) + 513 at jsgcinlines.h:473
frame #2: 0x0000000106faeece XUL`JSString* js::gc::AllocateNonObject<JSString, (cx=0x000000011696b790)1>(js::ExclusiveContext*) + 142 at jsgcinlines.h:562
frame #3: 0x0000000106faed75 XUL`JSString* js::NewGCString<(cx=0x000000011696b790)1>(js::ExclusiveContext*) + 21 at jsgcinlines.h:651
frame #4: 0x00000001069063a7 XUL`JSFlatString* JSFlatString::new_<(cx=0x000000011696b790, chars=0x000000011eb8efc0, length=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 167 at String-inl.h:239
frame #5: 0x0000000106906d99 XUL`JSFlatString* js::NewStringCopyNDontDeflate<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 361 at String.cpp:1020
frame #6: 0x00000001069070d5 XUL`JSFlatString* js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 37 at String.h:1047
frame #7: 0x0000000106888ac5 XUL`JSFlatString* js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1>(js::ExclusiveContext*, char const*, unsigned long) + 37 at String.h:1140
frame #8: 0x0000000106888a0c XUL`JSFlatString* js::NewStringCopyZ<(cx=0x000000011696b790, s=0x00000001072e296f)1>(js::ExclusiveContext*, char const*) + 60 at String.h:1160
frame #9: 0x0000000106e3c581 XUL`JS_NewStringCopyZ(cx=0x000000011696b790, s=0x00000001072e296f) + 113 at jsapi.cpp:4352
frame #10: 0x000000010237b48b XUL`XPCConvert::NativeData2JS(d=JS::MutableHandleValue at 0x00007fff5fbf6e08, s=0x00007fff5fbf7aa8, type=0x00007fff5fbf74b0, iid=0x00007fff5fbf7920, pErr=0x0000000000000000) + 1755 at XPCConvert.cpp:232
frame #11: 0x00000001023e2b97 XUL`nsXPCWrappedJSClass::CallMethod(this=0x0000000113593470, wrapper=0x0000000115e86080, methodIndex=3, info_=0x0000000111d3a338, nativeParams=0x00007fff5fbf7aa0) + 4087 at XPCWrappedJSClass.cpp:1119
frame #12: 0x00000001023e1b89 XUL`nsXPCWrappedJS::CallMethod(this=0x0000000115e86080, methodIndex=3, info=0x0000000111d3a338, params=0x00007fff5fbf7aa0) + 185 at XPCWrappedJS.cpp:532
frame #13: 0x00000001017246f9 XUL`PrepareAndDispatch(self=0x0000000119ced600, methodIndex=3, args=0x00007fff5fbf7c00, gpregs=0x00007fff5fbf7b80, fpregs=0x00007fff5fbf7bb0) + 1577 at xptcstubs_x86_64_darwin.cpp:122
frame #14: 0x000000010172315b XUL`SharedStub + 91
frame #15: 0x00000001016701c9 XUL`nsObserverList::NotifyObservers(this=0x00000001169c5bd0, aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f, someData=0x0000000108224ece) + 137 at nsObserverList.cpp:100
frame #16: 0x0000000101671f72 XUL`nsObserverService::NotifyObservers(this=0x00000001116aa5b0, aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f, aSomeData=0x0000000108224ece) + 338 at nsObserverService.cpp:329
frame #17: 0x0000000103ba7da2 XUL`mozilla::CanvasUtils::IsImageExtractionAllowed(aDocument=0x0000000115e43800, aCx=0x00000001161e2430) + 2194 at CanvasUtils.cpp:134
frame #18: 0x0000000103baca11 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageDataArray(this=0x000000011b930000, aCx=0x00000001161e2430, aX=0, aY=0, aWidth=1, aHeight=1, aRetval=0x00007fff5fbf82b8) + 1633 at CanvasRenderingContext2D.cpp:5017
frame #19: 0x0000000103bac1d5 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageData(this=0x000000011b930000, aCx=0x00000001161e2430, aSx=0, aSy=0, aSw=1, aSh=1, error=0x00007fff5fbf83f0) + 1221 at CanvasRenderingContext2D.cpp:4932
frame #20: 0x00000001035b1c48 XUL`mozilla::dom::CanvasRenderingContext2DBinding::getImageData(cx=0x00000001161e2430, obj=Handle<JSObject *> at 0x00007fff5fbf8478, self=0x000000011b930000, args=0x00007fff5fbf84f0) + 744 at CanvasRenderingContext2DBinding.cpp:4416
frame #21: 0x0000000103b85260 XUL`mozilla::dom::GenericBindingMethod(cx=0x00000001161e2430, argc=4, vp=0x00000001134b8208) + 656 at BindingUtils.cpp:2537
frame #22: 0x00000001067ee4e9 XUL`js::CallJSNative(cx=0x00000001161e2430, native=0x0000000103b84fd0, args=0x00007fff5fbf8b80)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 185 at jscntxtinlines.h:226
frame #23: 0x0000000106772471 XUL`js::Invoke(cx=0x00000001161e2430, args=CallArgs at 0x00007fff5fbf8b80, construct=NO_CONSTRUCT) + 1137 at Interpreter.cpp:498
frame #24: 0x000000010678cc85 XUL`Interpret(cx=0x00000001161e2430, state=0x00007fff5fbfb938) + 51269 at Interpreter.cpp:2602
frame #25: 0x0000000106780357 XUL`js::RunScript(cx=0x00000001161e2430, state=0x00007fff5fbfb938) + 583 at Interpreter.cpp:448
frame #26: 0x0000000106798938 XUL`js::ExecuteKernel(cx=0x00000001161e2430, script=JS::HandleScript at 0x00007fff5fbfba20, scopeChainArg=0x000000011dbf5060, thisv=0x00007fff5fbfbaa0, type=EXECUTE_GLOBAL, evalInFrame=AbstractFramePtr at 0x00007fff5fbfba00, result=0x0000000000000000) + 904 at Interpreter.cpp:654
frame #27: 0x0000000106798c2a XUL`js::Execute(cx=0x00000001161e2430, script=JS::HandleScript at 0x00007fff5fbfbb08, scopeChainArg=0x000000011dbf5060, rval=0x0000000000000000) + 666 at Interpreter.cpp:690
I haven't observed this on the cross-compiled alpha, so perhaps it is peculiar to the way I was building. Still, it seems worth checking out in case we have some incorrect code.
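The trace shows the shape of the failure: `GetImageDataArray` calls `IsImageExtractionAllowed`, which synchronously notifies observers; a JS-implemented observer (torbutton) receives the topic, XPConnect converts the native topic string to a JS string via `JS_NewStringCopyZ`, and the allocator's `CheckAllocatorState` trips `AutoAssertOnGC` because the caller is still inside a GC-unsafe region. The C++ below is an added miniature of that mechanism, not Mozilla or Tor Browser code; every name in it (`Runtime`, `unsafeDepth`, `pendingTopics`, `newStringCopyZ`, the scenario functions) is a stand-in chosen here, and the "deferred" variant is one illustrative defensive arrangement, not the project's actual fix. The real assertion aborts the process; the model throws instead so the outcome can be returned and checked.

```cpp
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical miniature of the runtime state involved in the trace
// (assumption: names and layout are this example's, not SpiderMonkey's).
struct Runtime {
    int unsafeDepth = 0;   // > 0 while inside a GC-unsafe region
    std::vector<std::function<void(const std::string&)>> observers;
    std::vector<std::string> pendingTopics;   // notifications deferred until safe
};

// Stand-in for JS::AutoAssertOnGC: an RAII guard marking a GC-unsafe region.
struct AutoAssertOnGC {
    Runtime& rt;
    explicit AutoAssertOnGC(Runtime& r) : rt(r) { ++rt.unsafeDepth; }
    ~AutoAssertOnGC() { --rt.unsafeDepth; }
};

// Stand-in for the MOZ_CRASH in VerifyIsSafeToGC. The real check aborts the
// process; throwing lets a caller observe the failure instead.
struct GCUnsafeAllocation : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Stand-in for JS_NewStringCopyZ -> CheckAllocatorState: any GC-thing
// allocation first verifies that no GC-unsafe region is active.
std::string newStringCopyZ(Runtime& rt, const char* s) {
    if (rt.unsafeDepth > 0)
        throw GCUnsafeAllocation("[AutoAssertOnGC] possible GC in GC-unsafe region");
    return std::string(s);   // the allocation that may trigger a GC
}

// Stand-in for nsObserverService::NotifyObservers: a JS-implemented observer
// receives the topic as a freshly allocated JS string, which is the
// XPCConvert::NativeData2JS -> JS_NewStringCopyZ step in the trace.
void notifyObservers(Runtime& rt, const char* topic) {
    for (auto& observer : rt.observers)
        observer(newStringCopyZ(rt, topic));
}

// One observer that only records delivery (constructed for this example).
static Runtime makeRuntime(int& delivered) {
    Runtime rt;
    rt.observers.push_back([&delivered](const std::string&) { ++delivered; });
    return rt;
}

// Reproduces the trace's shape: the permission check notifies observers
// while the caller still holds the guard. Returns the number of observers
// reached, or -1 where the allocator check would have crashed.
int runSyncScenario() {
    int delivered = 0;
    Runtime rt = makeRuntime(delivered);
    AutoAssertOnGC noGC(rt);                                // GetImageDataArray's region
    try {
        notifyObservers(rt, "canvas-permissions-prompt");   // IsImageExtractionAllowed
    } catch (const GCUnsafeAllocation&) {
        return -1;                                          // MOZ_CRASH point in the trace
    }
    return delivered;
}

// One defensive arrangement (assumption, not the project's fix): inside the
// guard only record that a notification is due; deliver it once the guard
// has been released and allocation is permitted again.
int runDeferredScenario() {
    int delivered = 0;
    Runtime rt = makeRuntime(delivered);
    {
        AutoAssertOnGC noGC(rt);
        rt.pendingTopics.push_back("canvas-permissions-prompt");   // no JS allocation here
    }
    try {
        for (const auto& topic : rt.pendingTopics)
            notifyObservers(rt, topic.c_str());
        rt.pendingTopics.clear();
    } catch (const GCUnsafeAllocation&) {
        return -1;
    }
    return delivered;
}

int main() {
    std::cout << "synchronous notify inside region: " << runSyncScenario() << "\n";
    std::cout << "deferred notify after region:    " << runDeferredScenario() << "\n";
    return 0;
}
```

The point the model makes explicit is that an observer notification is an open-ended call into other code, and with XPConnect in the path it can run JS and allocate GC things; it therefore cannot be issued from a region that has asserted no GC will occur, regardless of how cheap the C++ side of the notification looks.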