Crash in Canvas patch seen on OS X Tor Browser
I built tor-browser.git on OS X (non-cross-compiled), and added Torbutton and NoScript. Then if I go to theguardian.com, I get a crash. Here's the stack trace:
On http://www.theguardian.com/international: blocked access to canvas image data from document http://www.theguardian.com/international, script from http://www.theguardian.com/international:223
Hit MOZ_CRASH([AutoAssertOnGC] possible GC in GC-unsafe region) at /projects/torproject/tor-browser31/js/src/jsgc.cpp:6919
Process 58004 stopped
* thread #1: tid = 0x227cad, 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
frame #0: 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919
6916 JS::AutoAssertOnGC::VerifyIsSafeToGC(JSRuntime* rt)
6917 {
6918 if (rt->gc.isInsideUnsafeRegion())
-> 6919 MOZ_CRASH("[AutoAssertOnGC] possible GC in GC-unsafe region");
6920 }
6921
6922 JS::AutoAssertNoAlloc::AutoAssertNoAlloc(JSRuntime* rt)
(lldb) bt
* thread #1: tid = 0x227cad, 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
frame #0: 0x0000000106ef03e0 XUL`JS::AutoAssertOnGC::VerifyIsSafeToGC(rt=0x0000000111d59000) + 80 at jsgc.cpp:6919
frame #1: 0x0000000106f41f81 XUL`bool js::gc::CheckAllocatorState<(cx=0x000000011696b790, kind=FINALIZE_STRING)1>(js::ExclusiveContext*, js::gc::AllocKind) + 513 at jsgcinlines.h:473
frame #2: 0x0000000106faeece XUL`JSString* js::gc::AllocateNonObject<JSString, (cx=0x000000011696b790)1>(js::ExclusiveContext*) + 142 at jsgcinlines.h:562
frame #3: 0x0000000106faed75 XUL`JSString* js::NewGCString<(cx=0x000000011696b790)1>(js::ExclusiveContext*) + 21 at jsgcinlines.h:651
frame #4: 0x00000001069063a7 XUL`JSFlatString* JSFlatString::new_<(cx=0x000000011696b790, chars=0x000000011eb8efc0, length=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 167 at String-inl.h:239
frame #5: 0x0000000106906d99 XUL`JSFlatString* js::NewStringCopyNDontDeflate<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 361 at String.cpp:1020
frame #6: 0x00000001069070d5 XUL`JSFlatString* js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1, unsigned char>(js::ExclusiveContext*, unsigned char const*, unsigned long) + 37 at String.h:1047
frame #7: 0x0000000106888ac5 XUL`JSFlatString* js::NewStringCopyN<(cx=0x000000011696b790, s=0x00000001072e296f, n=25)1>(js::ExclusiveContext*, char const*, unsigned long) + 37 at String.h:1140
frame #8: 0x0000000106888a0c XUL`JSFlatString* js::NewStringCopyZ<(cx=0x000000011696b790, s=0x00000001072e296f)1>(js::ExclusiveContext*, char const*) + 60 at String.h:1160
frame #9: 0x0000000106e3c581 XUL`JS_NewStringCopyZ(cx=0x000000011696b790, s=0x00000001072e296f) + 113 at jsapi.cpp:4352
frame #10: 0x000000010237b48b XUL`XPCConvert::NativeData2JS(d=JS::MutableHandleValue at 0x00007fff5fbf6e08, s=0x00007fff5fbf7aa8, type=0x00007fff5fbf74b0, iid=0x00007fff5fbf7920, pErr=0x0000000000000000) + 1755 at XPCConvert.cpp:232
frame #11: 0x00000001023e2b97 XUL`nsXPCWrappedJSClass::CallMethod(this=0x0000000113593470, wrapper=0x0000000115e86080, methodIndex=3, info_=0x0000000111d3a338, nativeParams=0x00007fff5fbf7aa0) + 4087 at XPCWrappedJSClass.cpp:1119
frame #12: 0x00000001023e1b89 XUL`nsXPCWrappedJS::CallMethod(this=0x0000000115e86080, methodIndex=3, info=0x0000000111d3a338, params=0x00007fff5fbf7aa0) + 185 at XPCWrappedJS.cpp:532
frame #13: 0x00000001017246f9 XUL`PrepareAndDispatch(self=0x0000000119ced600, methodIndex=3, args=0x00007fff5fbf7c00, gpregs=0x00007fff5fbf7b80, fpregs=0x00007fff5fbf7bb0) + 1577 at xptcstubs_x86_64_darwin.cpp:122
frame #14: 0x000000010172315b XUL`SharedStub + 91
frame #15: 0x00000001016701c9 XUL`nsObserverList::NotifyObservers(this=0x00000001169c5bd0, aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f, someData=0x0000000108224ece) + 137 at nsObserverList.cpp:100
frame #16: 0x0000000101671f72 XUL`nsObserverService::NotifyObservers(this=0x00000001116aa5b0, aSubject=0x0000000119d0d420, aTopic=0x00000001072e296f, aSomeData=0x0000000108224ece) + 338 at nsObserverService.cpp:329
frame #17: 0x0000000103ba7da2 XUL`mozilla::CanvasUtils::IsImageExtractionAllowed(aDocument=0x0000000115e43800, aCx=0x00000001161e2430) + 2194 at CanvasUtils.cpp:134
frame #18: 0x0000000103baca11 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageDataArray(this=0x000000011b930000, aCx=0x00000001161e2430, aX=0, aY=0, aWidth=1, aHeight=1, aRetval=0x00007fff5fbf82b8) + 1633 at CanvasRenderingContext2D.cpp:5017
frame #19: 0x0000000103bac1d5 XUL`mozilla::dom::CanvasRenderingContext2D::GetImageData(this=0x000000011b930000, aCx=0x00000001161e2430, aSx=0, aSy=0, aSw=1, aSh=1, error=0x00007fff5fbf83f0) + 1221 at CanvasRenderingContext2D.cpp:4932
frame #20: 0x00000001035b1c48 XUL`mozilla::dom::CanvasRenderingContext2DBinding::getImageData(cx=0x00000001161e2430, obj=Handle<JSObject *> at 0x00007fff5fbf8478, self=0x000000011b930000, args=0x00007fff5fbf84f0) + 744 at CanvasRenderingContext2DBinding.cpp:4416
frame #21: 0x0000000103b85260 XUL`mozilla::dom::GenericBindingMethod(cx=0x00000001161e2430, argc=4, vp=0x00000001134b8208) + 656 at BindingUtils.cpp:2537
frame #22: 0x00000001067ee4e9 XUL`js::CallJSNative(cx=0x00000001161e2430, native=0x0000000103b84fd0, args=0x00007fff5fbf8b80)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 185 at jscntxtinlines.h:226
frame #23: 0x0000000106772471 XUL`js::Invoke(cx=0x00000001161e2430, args=CallArgs at 0x00007fff5fbf8b80, construct=NO_CONSTRUCT) + 1137 at Interpreter.cpp:498
frame #24: 0x000000010678cc85 XUL`Interpret(cx=0x00000001161e2430, state=0x00007fff5fbfb938) + 51269 at Interpreter.cpp:2602
frame #25: 0x0000000106780357 XUL`js::RunScript(cx=0x00000001161e2430, state=0x00007fff5fbfb938) + 583 at Interpreter.cpp:448
frame #26: 0x0000000106798938 XUL`js::ExecuteKernel(cx=0x00000001161e2430, script=JS::HandleScript at 0x00007fff5fbfba20, scopeChainArg=0x000000011dbf5060, thisv=0x00007fff5fbfbaa0, type=EXECUTE_GLOBAL, evalInFrame=AbstractFramePtr at 0x00007fff5fbfba00, result=0x0000000000000000) + 904 at Interpreter.cpp:654
frame #27: 0x0000000106798c2a XUL`js::Execute(cx=0x00000001161e2430, script=JS::HandleScript at 0x00007fff5fbfbb08, scopeChainArg=0x000000011dbf5060, rval=0x0000000000000000) + 666 at Interpreter.cpp:690
I haven't observed this on the cross-compiled alpha, so perhaps it is peculiar to the way I was building. Still, it seems worth checking out in case we have some incorrect code.