Bug 1914707 Comment 9 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Daniel Veditz [:dveditz] from comment #7)
> It might not be a driver/OS bug. We're in the middle of deleting buffers (`mozilla::gl::GLContext::fDeleteBuffers`) and then GLEngine decides to go do something seemingly unrelated (`glDrawArraysInstanced_STD_GL3Exec`). Maybe it's our fault for not keeping objects alive as long as the APIs require them? Is there some "I'm done" signal from GLEngine we're supposed to wait for?

No, that's benign behavior according to spec. It's just doing lazy execution.
It is not clear to me that this is a sandbox escape, and I don't think the POC demonstrates that.

(In reply to Daniel Veditz [:dveditz] from comment #7)
> It might not be a driver/OS bug. We're in the middle of deleting buffers (`mozilla::gl::GLContext::fDeleteBuffers`) and then GLEngine decides to go do something seemingly unrelated (`glDrawArraysInstanced_STD_GL3Exec`). Maybe it's our fault for not keeping objects alive as long as the APIs require them? Is there some "I'm done" signal from GLEngine we're supposed to wait for?

No, that's benign behavior according to spec. It's just doing lazy execution.

Also, it is not clear to me that this is a sandbox escape, and I don't think the POC demonstrates that.