Closed Bug 765198 Opened 12 years ago Closed 12 years ago

WebGL crash [@mozilla::WebGLContext::ReadPixels]

Categories

(Core :: Graphics: CanvasWebGL, defect)

15 Branch
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla16
Tracking Status
firefox15 --- affected

People

(Reporter: posidron, Assigned: bjacob)

Details

(4 keywords, Whiteboard: [asan] webgl-test-needed)

Attachments

(4 files)

Attached file testcase
      No description provided.
Attached file callstack
On Windows: bp-4163d421-8c71-4a16-b481-777092120615
Crash Signature: [@ mozilla::WebGLContext::ReadPixels(int, int, int, int, unsigned int, unsigned int, mozilla::dom::TypedArray_base<unsigned char, void, &JS_GetArrayBufferViewData(JSObject*, JSContext*), &JS_GetArrayBufferViewByteLength(JSObject*, JSContext*)>* mozilla::.…
OS: Mac OS X → All
Hardware: x86_64 → All
It's a regression, you can add 'regression' keyword.

Regression range:

m-c
good=2012-06-02
bad=2012-06-03
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5199196b65ec&tochange=d0ebcaa7efb5

m-i
good=2012-06-01
bad=2012-06-02
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=50c9995aa7d0&tochange=9abc60f44fd5

Suspected bug:
Boris Zbarsky — Bug 748266. Switch the WebGL canvas context to new DOM bindings. r=peterv
Many thanks for the report. The crash is trivial: the testcase calls readPixels with a null |pixels| argument and we crash at:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3e2e703 in mozilla::WebGLContext::ReadPixels (this=0x3a3f2b0, x=7, y=7, width=7, height=63, format=6406, type=32820, pixels=0x0, 
    rv=...) at /hack/mozilla-central/content/canvas/src/WebGLContextGL.cpp:3856
3856        void* data = pixels->mData;
(gdb) p pixels
$1 = (mozilla::dom::ArrayBufferView *) 0x0
Per spec, 5.14.12: If pixels is null, an INVALID_VALUE error is generated.
Attachment #633529 - Flags: review?(bzbarsky)
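
The null check described in the two comments above, as an added example that is not part of the original bug thread and is not Mozilla's patch. `ToyContext`, its members and the 4-bytes-per-pixel simplification are assumptions made for illustration; the buffer-size check goes beyond what this bug discusses.

```cpp
// Added illustration; not Mozilla's patch. ToyContext and its members are
// hypothetical stand-ins for WebGLContext.
#include <cstddef>
#include <cstdint>
#include <cstring>

constexpr uint32_t kNoError = 0;
constexpr uint32_t kInvalidValue = 0x0501;      // GL_INVALID_VALUE
constexpr uint32_t kInvalidOperation = 0x0502;  // GL_INVALID_OPERATION

struct ArrayBufferView {  // stand-in for mozilla::dom::ArrayBufferView
    uint8_t* mData;
    size_t mLength;
};

class ToyContext {
    uint32_t mError = kNoError;
    // GL semantics: only the first error since the last getError() is kept.
    void SynthesizeError(uint32_t e) { if (mError == kNoError) mError = e; }

public:
    // Returns the pending error and clears it, like gl.getError().
    uint32_t GetError() { uint32_t e = mError; mError = kNoError; return e; }

    // Assumes RGBA / UNSIGNED_BYTE (4 bytes per pixel) to keep the model small.
    bool ReadPixels(int width, int height, ArrayBufferView* pixels) {
        // The crashing code reached `void* data = pixels->mData;` with
        // pixels == 0x0. Reject null before the first dereference.
        if (!pixels) { SynthesizeError(kInvalidValue); return false; }
        if (width < 0 || height < 0) { SynthesizeError(kInvalidValue); return false; }
        // Beyond this bug: also refuse a destination that is too small.
        uint64_t needed = uint64_t(width) * uint64_t(height) * 4;
        if (pixels->mLength < needed) { SynthesizeError(kInvalidOperation); return false; }
        std::memset(pixels->mData, 0x7f, size_t(needed));  // stand-in for the GL read
        return true;
    }
};

int main() {
    ToyContext ctx;
    bool ok = ctx.ReadPixels(7, 63, nullptr);  // width/height from the gdb trace
    return (!ok && ctx.GetError() == kInvalidValue) ? 0 : 1;
}
```
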
Confirming the testcase doesn't crash anymore with this patch.
Blocks: 748266
Keywords: regression
Version: Trunk → 15 Branch
> Per spec, 5.14.12: If pixels is null, an INVALID_VALUE error is generated.

This should probably have a test in the test suite, if there isn't one already; our old binding code threw NS_ERROR_FAILURE in that case....
Comment on attachment 633529 [details] [diff] [review]
check for null pixels in readPixels

r=me
Attachment #633529 - Flags: review?(bzbarsky) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/82c5ff778cab
Assignee: nobody → bjacob
Whiteboard: [asan] → [asan] webgl-test-needed
Target Milestone: --- → mozilla15
Target Milestone: mozilla15 → mozilla16
https://hg.mozilla.org/mozilla-central/rev/82c5ff778cab
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Attached file callstack-new.txt
The testcase now produces an assertion failure:

JavaScript warning: file:///765198/testcase.html, line 40: WebGL: readPixels: null destination buffer
Assertion failure: !AccessCheck::callerIsChrome(), at /Users/cdiehl/Code/Mozilla/mc-asan/js/xpconnect/wrappers/XrayWrapper.cpp:770
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Keywords: assertion
I can only reproduce this crash on Win7 and on Mac; I cannot reproduce on Linux and WinXP. So I will need a bit more time than normal to debug this.
Actually, I can't reproduce anymore on my Mac since I updated Nightly from June 11's build to today's.

Can you still reproduce in current Nightly?
I can reproduce it with an ASAN enabled build (trunk).
Can't easily debug on Windows at the moment due to bug 767006.
Depends on: 767006
I can't reproduce the crash anymore in a Windows debug build from today's mozilla-central. Last week, I could reproduce. Can you still reproduce a crash or is ASAN necessary to observe any issue?
Yes, an ASAN build seems to be necessary.
Can you teach me how to make an ASAN build? And then, how to reproduce with it?
The steps for building are described here:
https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer

Once you have done that, you can just open the testcase with Firefox and you will see the result in the shell.
Fixed. The bug is indeed fixed with a build of today even with ASAN enabled.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED