Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by Arthur Edelstein@arthuredelstein

Crash in Canvas patch seen on OS X Tor Browser

I built tor-browser.git on OS X (non cross-compiled), and added torbutton and NoScript. Then if I go to theguardian.com, I get a crash. Here's the stack trace:

On http://www.theguardian.com/international: blocked access to canvas image data from document http://www.theguardian.com/international, script from http://www.theguardian.com/international:223
Hit MOZ_CRASH([AutoAssertOnGC] possible GC in GC-unsafe region) at /projects/torproject/tor-browser31/js/src/jsgc.cpp:6919
Process 58004 stopped
* thread #1: tid = 0x227cad, 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919
   6916	JS::AutoAssertOnGC::VerifyIsSafeToGC(JSRuntime* rt)
   6917	{
   6918	    if (rt->gc.isInsideUnsafeRegion())
-> 6919	        MOZ_CRASH("[AutoAssertOnGC] possible GC in GC-unsafe region");
   6920	}
   6921	
   6922	JS::AutoAssertNoAlloc::AutoAssertNoAlloc(JSRuntime* rt)
(lldb) bt
* thread #1: tid = 0x227cad, 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919
    frame #1: 0x0000000106f41f81 XUL`bool js::gc::CheckAllocatorState<(cx=0x000000011696b790, kind=FINALIZE_STRING)1>(js::ExclusiveContext*, js::gc::AllocKind) + 513 at jsgcinlines.h:473
    frame #2: 0x0000000106faeece XUL`JSString* js::gc::AllocateNonObject<JSString, (cx=0x000000011696b790)1>(js::ExclusiveContext*) + 142 at jsgcinlines.h:562
    frame #3: 0x0000000106faed75 XUL`JSString* js::NewGCString<(cx=0x000000011696b790)1>(js::ExclusiveContext*) + 21 at jsgcinlines.h:651
    frame #4: 0x00000001069063a7 XUL`JSFlatString* JSFlatString::new_<(cx=0x000000011696b790, chars=0x000000011eb8efc0, length=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 167 at String-inl.h:239
    frame #5: 0x0000000106906d99 XUL`JSFlatString* js::NewStringCopyNDontDeflate<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 361 at String.cpp:1020
    frame #6: 0x00000001069070d5 XUL`JSFlatString* js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 37 at String.h:1047
    frame #7: 0x0000000106888ac5 XUL`JSFlatString* js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1>(js::ExclusiveContext*, char const*, unsigned long) + 37 at String.h:1140
    frame #8: 0x0000000106888a0c XUL`JSFlatString* js::NewStringCopyZ<(cx=0x000000011696b790, s=0x00000001072e296f)1>(js::ExclusiveContext*, char const*) + 60 at String.h:1160
    frame #9: 0x0000000106e3c581 XUL`JS_NewStringCopyZ(cx=0x000000011696b790, s=0x00000001072e296f) + 113 at jsapi.cpp:4352
    frame #10: 0x000000010237b48b XUL`XPCConvert::NativeData2JS(d=JS::MutableHandleValue at 0x00007fff5fbf6e08, s=0x00007fff5fbf7aa8, type=0x00007fff5fbf74b0, iid=0x00007fff5fbf7920, pErr=0x0000000000000000) + 1755 at XPCConvert.cpp:232
    frame #11: 0x00000001023e2b97 XUL`nsXPCWrappedJSClass::CallMethod(this=0x0000000113593470, wrapper=0x0000000115e86080, methodIndex=3, info_=0x0000000111d3a338, nativeParams=0x00007fff5fbf7aa0) + 4087 at XPCWrappedJSClass.cpp:1119
    frame #12: 0x00000001023e1b89 XUL`nsXPCWrappedJS::CallMethod(this=0x0000000115e86080, methodIndex=3, info=0x0000000111d3a338, params=0x00007fff5fbf7aa0) + 185 at XPCWrappedJS.cpp:532
    frame #13: 0x00000001017246f9 XUL`PrepareAndDispatch(self=0x0000000119ced600, methodIndex=3, args=0x00007fff5fbf7c00, gpregs=0x00007fff5fbf7b80, fpregs=0x00007fff5fbf7bb0) + 1577 at xptcstubs_x86_64_darwin.cpp:122
    frame #14: 0x000000010172315b XUL`SharedStub + 91
    frame #15: 0x00000001016701c9 XUL`nsObserverList::NotifyObservers(this=0x00000001169c5bd0, aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f, someData=0x0000000108224ece) + 137 at nsObserverList.cpp:100
    frame #16: 0x0000000101671f72 XUL`nsObserverService::NotifyObservers(this=0x00000001116aa5b0, aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f, aSomeData=0x0000000108224ece) + 338 at nsObserverService.cpp:329
    frame #17: 0x0000000103ba7da2 XUL`mozilla::CanvasUtils::IsImageExtractionAllowed(aDocument=0x0000000115e43800, aCx=0x00000001161e2430) + 2194 at CanvasUtils.cpp:134
    frame #18: 0x0000000103baca11 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageDataArray(this=0x000000011b930000, aCx=0x00000001161e2430, aX=0, aY=0, aWidth=1, aHeight=1, aRetval=0x00007fff5fbf82b8) + 1633 at CanvasRenderingContext2D.cpp:5017
    frame #19: 0x0000000103bac1d5 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageData(this=0x000000011b930000, aCx=0x00000001161e2430, aSx=0, aSy=0, aSw=1, aSh=1, error=0x00007fff5fbf83f0) + 1221 at CanvasRenderingContext2D.cpp:4932
    frame #20: 0x00000001035b1c48 XUL`mozilla::dom::CanvasRenderingContext2DBinding::getImageData(cx=0x00000001161e2430, obj=Handle<JSObject *> at 0x00007fff5fbf8478, self=0x000000011b930000, args=0x00007fff5fbf84f0) + 744 at CanvasRenderingContext2DBinding.cpp:4416
    frame #21: 0x0000000103b85260 XUL`mozilla::dom::GenericBindingMethod(cx=0x00000001161e2430, argc=4, vp=0x00000001134b8208) + 656 at BindingUtils.cpp:2537
    frame #22: 0x00000001067ee4e9 XUL`js::CallJSNative(cx=0x00000001161e2430, native=0x0000000103b84fd0, args=0x00007fff5fbf8b80)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 185 at jscntxtinlines.h:226
    frame #23: 0x0000000106772471 XUL`js::Invoke(cx=0x00000001161e2430, args=CallArgs at 0x00007fff5fbf8b80, construct=NO_CONSTRUCT) + 1137 at Interpreter.cpp:498
    frame #24: 0x000000010678cc85 XUL`Interpret(cx=0x00000001161e2430, state=0x00007fff5fbfb938) + 51269 at Interpreter.cpp:2602
    frame #25: 0x0000000106780357 XUL`js::RunScript(cx=0x00000001161e2430, state=0x00007fff5fbfb938) + 583 at Interpreter.cpp:448
    frame #26: 0x0000000106798938 XUL`js::ExecuteKernel(cx=0x00000001161e2430, script=JS::HandleScript at 0x00007fff5fbfba20, scopeChainArg=0x000000011dbf5060, thisv=0x00007fff5fbfbaa0, type=EXECUTE_GLOBAL, evalInFrame=AbstractFramePtr at 0x00007fff5fbfba00, result=0x0000000000000000) + 904 at Interpreter.cpp:654
    frame #27: 0x0000000106798c2a XUL`js::Execute(cx=0x00000001161e2430, script=JS::HandleScript at 0x00007fff5fbfbb08, scopeChainArg=0x000000011dbf5060, rval=0x0000000000000000) + 666 at Interpreter.cpp:690

I haven't observed this on the cross-compiled alpha, so perhaps it is peculiar to the way I was building. Still it seems worth checking out in case we have some incorrect code.

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information