Opened 4 years ago

Last modified 3 years ago

#17313 needs_information defect

Crash in Canvas patch seen on OS X Tor Browser

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-crash
Cc: gk, brade, mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I built tor-browser.git on OS X (non cross-compiled), and added torbutton and NoScript. Then if I go to theguardian.com, I get a crash. Here's the stack trace:

On http://www.theguardian.com/international: blocked access to canvas image data from document http://www.theguardian.com/international, script from http://www.theguardian.com/international:223
Hit MOZ_CRASH([AutoAssertOnGC] possible GC in GC-unsafe region) at /projects/torproject/tor-browser31/js/src/jsgc.cpp:6919
Process 58004 stopped
* thread #1: tid = 0x227cad, 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919
   6916	JS::AutoAssertOnGC::VerifyIsSafeToGC(JSRuntime* rt)
   6917	{
   6918	    if (rt->gc.isInsideUnsafeRegion())
-> 6919	        MOZ_CRASH("[AutoAssertOnGC] possible GC in GC-unsafe region");
   6920	}
   6921	
   6922	JS::AutoAssertNoAlloc::AutoAssertNoAlloc(JSRuntime* rt)
(lldb) bt
* thread #1: tid = 0x227cad, 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919
    frame #1: 0x0000000106f41f81 XUL`bool js::gc::CheckAllocatorState<(cx=0x000000011696b790, kind=FINALIZE_STRING)1>(js::ExclusiveContext*, js::gc::AllocKind) + 513 at jsgcinlines.h:473
    frame #2: 0x0000000106faeece XUL`JSString* js::gc::AllocateNonObject<JSString, (cx=0x000000011696b790)1>(js::ExclusiveContext*) + 142 at jsgcinlines.h:562
    frame #3: 0x0000000106faed75 XUL`JSString* js::NewGCString<(cx=0x000000011696b790)1>(js::ExclusiveContext*) + 21 at jsgcinlines.h:651
    frame #4: 0x00000001069063a7 XUL`JSFlatString* JSFlatString::new_<(cx=0x000000011696b790, chars=0x000000011eb8efc0, length=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 167 at String-inl.h:239
    frame #5: 0x0000000106906d99 XUL`JSFlatString* js::NewStringCopyNDontDeflate<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 361 at String.cpp:1020
    frame #6: 0x00000001069070d5 XUL`JSFlatString* js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 37 at String.h:1047
    frame #7: 0x0000000106888ac5 XUL`JSFlatString* js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1>(js::ExclusiveContext*, char const*, unsigned long) + 37 at String.h:1140
    frame #8: 0x0000000106888a0c XUL`JSFlatString* js::NewStringCopyZ<(cx=0x000000011696b790, s=0x00000001072e296f)1>(js::ExclusiveContext*, char const*) + 60 at String.h:1160
    frame #9: 0x0000000106e3c581 XUL`JS_NewStringCopyZ(cx=0x000000011696b790, s=0x00000001072e296f) + 113 at jsapi.cpp:4352
    frame #10: 0x000000010237b48b XUL`XPCConvert::NativeData2JS(d=JS::MutableHandleValue at 0x00007fff5fbf6e08, s=0x00007fff5fbf7aa8, type=0x00007fff5fbf74b0, iid=0x00007fff5fbf7920, pErr=0x0000000000000000) + 1755 at XPCConvert.cpp:232
    frame #11: 0x00000001023e2b97 XUL`nsXPCWrappedJSClass::CallMethod(this=0x0000000113593470, wrapper=0x0000000115e86080, methodIndex=3, info_=0x0000000111d3a338, nativeParams=0x00007fff5fbf7aa0) + 4087 at XPCWrappedJSClass.cpp:1119
    frame #12: 0x00000001023e1b89 XUL`nsXPCWrappedJS::CallMethod(this=0x0000000115e86080, methodIndex=3, info=0x0000000111d3a338, params=0x00007fff5fbf7aa0) + 185 at XPCWrappedJS.cpp:532
    frame #13: 0x00000001017246f9 XUL`PrepareAndDispatch(self=0x0000000119ced600, methodIndex=3, args=0x00007fff5fbf7c00, gpregs=0x00007fff5fbf7b80, fpregs=0x00007fff5fbf7bb0) + 1577 at xptcstubs_x86_64_darwin.cpp:122
    frame #14: 0x000000010172315b XUL`SharedStub + 91
    frame #15: 0x00000001016701c9 XUL`nsObserverList::NotifyObservers(this=0x00000001169c5bd0, aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f, someData=0x0000000108224ece) + 137 at nsObserverList.cpp:100
    frame #16: 0x0000000101671f72 XUL`nsObserverService::NotifyObservers(this=0x00000001116aa5b0, aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f, aSomeData=0x0000000108224ece) + 338 at nsObserverService.cpp:329
    frame #17: 0x0000000103ba7da2 XUL`mozilla::CanvasUtils::IsImageExtractionAllowed(aDocument=0x0000000115e43800, aCx=0x00000001161e2430) + 2194 at CanvasUtils.cpp:134
    frame #18: 0x0000000103baca11 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageDataArray(this=0x000000011b930000, aCx=0x00000001161e2430, aX=0, aY=0, aWidth=1, aHeight=1, aRetval=0x00007fff5fbf82b8) + 1633 at CanvasRenderingContext2D.cpp:5017
    frame #19: 0x0000000103bac1d5 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageData(this=0x000000011b930000, aCx=0x00000001161e2430, aSx=0, aSy=0, aSw=1, aSh=1, error=0x00007fff5fbf83f0) + 1221 at CanvasRenderingContext2D.cpp:4932
    frame #20: 0x00000001035b1c48 XUL`mozilla::dom::CanvasRenderingContext2DBinding::getImageData(cx=0x00000001161e2430, obj=Handle<JSObject *> at 0x00007fff5fbf8478, self=0x000000011b930000, args=0x00007fff5fbf84f0) + 744 at CanvasRenderingContext2DBinding.cpp:4416
    frame #21: 0x0000000103b85260 XUL`mozilla::dom::GenericBindingMethod(cx=0x00000001161e2430, argc=4, vp=0x00000001134b8208) + 656 at BindingUtils.cpp:2537
    frame #22: 0x00000001067ee4e9 XUL`js::CallJSNative(cx=0x00000001161e2430, native=0x0000000103b84fd0, args=0x00007fff5fbf8b80)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 185 at jscntxtinlines.h:226
    frame #23: 0x0000000106772471 XUL`js::Invoke(cx=0x00000001161e2430, args=CallArgs at 0x00007fff5fbf8b80, construct=NO_CONSTRUCT) + 1137 at Interpreter.cpp:498
    frame #24: 0x000000010678cc85 XUL`Interpret(cx=0x00000001161e2430, state=0x00007fff5fbfb938) + 51269 at Interpreter.cpp:2602
    frame #25: 0x0000000106780357 XUL`js::RunScript(cx=0x00000001161e2430, state=0x00007fff5fbfb938) + 583 at Interpreter.cpp:448
    frame #26: 0x0000000106798938 XUL`js::ExecuteKernel(cx=0x00000001161e2430, script=JS::HandleScript at 0x00007fff5fbfba20, scopeChainArg=0x000000011dbf5060, thisv=0x00007fff5fbfbaa0, type=EXECUTE_GLOBAL, evalInFrame=AbstractFramePtr at 0x00007fff5fbfba00, result=0x0000000000000000) + 904 at Interpreter.cpp:654
    frame #27: 0x0000000106798c2a XUL`js::Execute(cx=0x00000001161e2430, script=JS::HandleScript at 0x00007fff5fbfbb08, scopeChainArg=0x000000011dbf5060, rval=0x0000000000000000) + 666 at Interpreter.cpp:690

I haven't observed this on the cross-compiled alpha, so perhaps it is peculiar to the way I was building. Still it seems worth checking out in case we have some incorrect code.

Child Tickets

Change History (5)

comment:1 Changed 4 years ago by gk

Cc: gk added

comment:2 Changed 4 years ago by mcs

Cc: brade mcs added

Which branch did you build from?
Did the VerifyIsSafeToGC() crash occur with a debug build or an optimized one?

comment:3 in reply to: 2 Changed 4 years ago by arthuredelstein

Replying to mcs:

Which branch did you build from?

tor-browser-38.2.1esr-5.5-2 (fa344a1dc4bef4bc77d60b23b9b195812a937ae9)

Did the VerifyIsSafeToGC() crash occur with a debug build or an optimized one?

Here's the .mozconfig I used:

. $topsrcdir/browser/config/mozconfig

# Arthur's favorite build configuration
mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj-@CONFIG_GUESS@
mk_add_options MOZ_APP_DISPLAYNAME="Tor Browser"
mk_add_options MOZ_MAKE_FLAGS="-j8"
mk_add_options MOZILLA_OFFICIAL=1
mk_add_options BUILD_OFFICIAL=1

#ac_add_options --enable-optimize
ac_add_options --disable-optimize
#ac_add_options --enable-official-branding
#ac_add_options --enable-tor-browser-update
#ac_add_options --enable-update-packaging
ac_add_options --enable-signmar
#ac_add_options --enable-verify-mar
ac_add_options --enable-debug-symbols
ac_add_options --disable-strip
ac_add_options --disable-install-strip
ac_add_options --enable-tests
ac_add_options --enable-debug
ac_add_options --disable-maintenance-service
ac_add_options --disable-crashreporter
ac_add_options --disable-webrtc
#ac_add_options --disable-ctypes
ac_add_options --with-ccache=/usr/local/bin/ccache
ac_add_options --enable-bundled-fonts
ac_add_options --without-intl-api

comment:4 Changed 4 years ago by arthuredelstein

Severity: Normal

I confirmed that this crash does not happen in a non-debug build (not optimized). This makes sense, as VerifyIsSafeToGC(...) at jsgc.cpp:6919 is inside an #ifdef DEBUG clause.

I did a few diagnostics -- it turns out that if I comment out
CanvasPermissionPromptHelper.init();
and
CanvasPermissionPromptHelper.uninit();
in browser/base/content/browser.js, then the crash goes away. But if instead I comment out only the contents of the observe function in CanvasPermissionPromptHelper then the crash still happens.

Using lldb, I also found that the string apparently causing this crash is "canvas-permissions-prompt" (aka the observer "topic"). So it appears that something is going wrong in the conversion of the topic string from a char[] to a JS string -- maybe it's not being properly marked "safe-to-gc"?

In any case, the mozilla-central string conversion code path appears to be somewhat different -- this bug may already be fixed there. So it may make sense to postpone tracking this bug down until we rebase to mozilla-central or FF45ESR.
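The mechanism behind the assertion in this ticket, as an added model that is not part of the ticket, of Tor Browser or of SpiderMonkey: debug builds of the JS engine keep a per-runtime "unsafe region" counter; a JS::AutoAssertOnGC on the stack increments it, and CheckAllocatorState calls VerifyIsSafeToGC before handing out any GC cell. In the trace above the cell is the JSString that XPCConvert::NativeData2JS builds for the const char* topic (frames #9 and #10) so that the JS-implemented observer from browser.js can receive it; if any frame above the NotifyObservers call holds such a guard, MOZ_CRASH fires (the EXC_BAD_ACCESS at address 0x0 is its deliberate null write, not a stray pointer). The names below mimic jsgc.cpp but are our own, the debugBuild flag stands in for the #ifdef DEBUG that comment:4 mentions, and the convert-before-entering-the-region variant is one generic remedy, not a fix the ticket landed on.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-in for the GC bookkeeping on JSRuntime. Names mimic jsgc.cpp, but this
// is a model written for this page, not SpiderMonkey code.
struct GcRuntime {
    bool debugBuild = true;          // models the #ifdef DEBUG around VerifyIsSafeToGC
    int unsafeRegionDepth = 0;       // >0: some caller holds raw GC-heap pointers
    std::vector<std::string> heap;   // stand-in for GC-allocated JSStrings
    bool isInsideUnsafeRegion() const { return unsafeRegionDepth > 0; }
};

// RAII guard in the role of JS::AutoAssertOnGC: while it is alive, a GC is a bug.
class AutoAssertOnGC {
public:
    explicit AutoAssertOnGC(GcRuntime& rt) : rt_(rt) { ++rt_.unsafeRegionDepth; }
    ~AutoAssertOnGC() { --rt_.unsafeRegionDepth; }
    AutoAssertOnGC(const AutoAssertOnGC&) = delete;
    AutoAssertOnGC& operator=(const AutoAssertOnGC&) = delete;
private:
    GcRuntime& rt_;
};

struct GcUnsafeAllocation : std::logic_error {
    using std::logic_error::logic_error;
};

// Role of VerifyIsSafeToGC(): the real code calls MOZ_CRASH; we throw instead so
// the outcome is observable from a test. A non-debug build skips the check.
inline void verifyIsSafeToGC(const GcRuntime& rt) {
    if (rt.debugBuild && rt.isInsideUnsafeRegion())
        throw GcUnsafeAllocation("[AutoAssertOnGC] possible GC in GC-unsafe region");
}

// Role of JS_NewStringCopyZ -> CheckAllocatorState: allocating a GC thing may
// trigger a GC, so the allocator asserts first. Returns a heap index ("handle").
inline std::size_t newStringCopyZ(GcRuntime& rt, const char* s) {
    verifyIsSafeToGC(rt);
    rt.heap.emplace_back(s);
    return rt.heap.size() - 1;
}

// The ticket's shape: C++ hands a const char* topic to NotifyObservers while a
// frame above it holds the guard; the JS observer forces XPConnect to allocate a
// JSString for the topic. Returns true if notification completed, false if the
// assertion fired.
inline bool notifyObserversCrashingShape(GcRuntime& rt, const char* topic) {
    try {
        AutoAssertOnGC noGcPlease(rt);   // held by some caller of NotifyObservers
        newStringCopyZ(rt, topic);       // XPCConvert::NativeData2JS allocates here
        return true;
    } catch (const GcUnsafeAllocation&) {
        return false;                    // MOZ_CRASH in the real engine
    }
}

// One generic remedy (hypothetical, not the ticket's fix): perform the allocating
// conversion before entering the unsafe region and pass the handle through, so the
// observer runs without allocating.
inline bool notifyObserversConvertFirst(GcRuntime& rt, const char* topic) {
    try {
        std::size_t jsTopic = newStringCopyZ(rt, topic);
        AutoAssertOnGC noGcPlease(rt);
        return rt.heap[jsTopic] == topic;
    } catch (const GcUnsafeAllocation&) {
        return false;
    }
}
```

Running the crashing shape against a runtime with debugBuild=false reproduces comment:4's observation that the same code path completes in a non-debug build; the underlying ordering problem is still there, it just goes unchecked.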

comment:5 Changed 3 years ago by gk

Status: new -> needs_information

Arthur, does this still happen with an ESR45 based Tor Browser?
