Closed Bug 1067542 Opened 10 years ago Closed 9 years ago

WebGL2: crash in CompileShader on conformance2/core/frag-depth.html test

Categories: Core :: Graphics: CanvasWebGL (defect)
Version: Other Branch
Priority: Not set
Severity: normal
Status: RESOLVED INVALID
Reporter: bjacob (Unassigned)
Attachments: 1 file

The stack is:

#6  __strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:532
#7  0x00007f6ed7813d30 in ShGetObjectCode (handle=0x7f6eb49e3800, objCode=0x7f6ed8eb90ec <gNullChar> "") at /home/bjacob/hack/djg/gfx/angle/src/compiler/translator/ShaderLang.cpp:288
#8  0x00007f6ed533ad6e in mozilla::WebGLContext::CompileShader (this=0x7f6eadc74800, shader=0x7f6ea4b47dc0) at /home/bjacob/hack/djg/dom/canvas/WebGLContextGL.cpp:3314
#9  0x00007f6ed520d393 in mozilla::dom::WebGLRenderingContextBinding::compileShader (cx=0x7f6eb7baf210, obj=..., self=0x7f6eadc74800, args=...) at ./WebGLRenderingContextBinding.cpp:8669

Some debugging:

(gdb) frame 8
#8  0x00007f6ed533ad6e in mozilla::WebGLContext::CompileShader (this=0x7f6eadc74800, shader=0x7f6ea4b47dc0) at /home/bjacob/hack/djg/dom/canvas/WebGLContextGL.cpp:3314
3314	
(gdb) l
3309	        MOZ_ASSERT(lenWithNull >= 1);
3310	        size_t len = lenWithNull - 1;
3311	
3312	        nsAutoCString translatedSrc;
3313	        translatedSrc.SetLength(len); // Allocates len+1, for the null-term.
3314	
3315	        if (len) {
3316	          ShGetObjectCode(compiler, translatedSrc.BeginWriting());
3317	        }
3318	
(gdb) p len
$14 = 0
(gdb) p translatedSrc.BeginWriting()
$15 = (nsACString_internal::char_type *) 0x7f6ed8eb90ec <gNullChar> ""

What's this 0x7f6ed8eb90ec? That's our storage for the singleton null string, a global read-only string. /proc/pid/maps confirms it's in a read-only segment of the libxul mapping itself:

7f6ed27ce000-7f6edad01000 r-xp 00000000 08:11 39071485                   /home/bjacob/hack/djg/obj-firefox-debug/toolkit/library/libxul.so

So the code above has to special-case 0-length strings, as even overwriting a 0 byte with 0 is not allowed in a read-only segment.
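The failure mode above, reproduced in miniature as an added example (this is not Mozilla's or ANGLE's code): `ToyCString` is a stand-in for the `nsAutoCString` behaviour of handing back a pointer to a shared, read-only null character when `SetLength(0)` is called, `FakeGetObjectCode` stands in for `ShGetObjectCode`'s strcpy into the caller's buffer, and `FetchTranslatedSource` applies the `if (len)` guard from the listing. `AddressIsWritable` is the same check the report did by hand with /proc/pid/maps, reading /proc/self/maps (Linux only; it returns -1 elsewhere).

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Stand-in for the shared read-only empty-string storage (the page's gNullChar).
// A const object with its address taken lands in a read-only section, as libxul's did.
static const char kNullChar = '\0';

// Minimal model of nsAutoCString::SetLength()/BeginWriting(): for length 0 it hands
// back the shared null character instead of allocating, so the pointer is not writable.
class ToyCString {
 public:
  void SetLength(size_t len) {
    mLen = len;
    if (len == 0) {
      mBuf.clear();
      mPtr = const_cast<char*>(&kNullChar);   // shared, read-only
    } else {
      mBuf.assign(len + 1, '\0');             // len + 1 for the null terminator
      mPtr = &mBuf[0];
    }
  }
  char* BeginWriting() { return mPtr; }
  size_t Length() const { return mLen; }
  bool BacksSharedNullChar() const { return mPtr == &kNullChar; }
 private:
  std::string mBuf;
  char* mPtr = nullptr;
  size_t mLen = 0;
};

// Stand-in for ShGetObjectCode: copies the translated source plus its NUL into objCode.
// For an empty result this is strcpy(objCode, ""), a one-byte write of '\0' that
// faults when objCode points into a read-only mapping.
static void FakeGetObjectCode(const std::string& translated, char* objCode) {
  std::strcpy(objCode, translated.c_str());
}

// The guarded sequence from the listing: the writer is never called when len == 0.
// Returns the number of bytes (excluding the NUL) placed in out.
static size_t FetchTranslatedSource(const std::string& translated, ToyCString& out) {
  size_t lenWithNull = translated.size() + 1;
  size_t len = lenWithNull - 1;
  out.SetLength(len);
  if (len) {
    FakeGetObjectCode(translated, out.BeginWriting());
  }
  return len;
}

// Convenience wrappers that return checkable values.
static bool EmptyCaseIsSafe() {
  ToyCString s;
  size_t n = FetchTranslatedSource("", s);
  // Length 0: pointer is the shared null char, and nothing was written through it.
  return n == 0 && s.BacksSharedNullChar();
}

static std::string RoundTrip(const std::string& src) {
  ToyCString s;
  FetchTranslatedSource(src, s);
  return std::string(s.BeginWriting(), s.Length());
}

static const void* SharedNullCharAddress() { return &kNullChar; }

// Linux-only: 1 if p lies in a mapping with 'w' permission, 0 if it lies in a mapping
// without it, -1 if /proc/self/maps is unavailable or the address is not mapped.
static int AddressIsWritable(const void* p) {
  FILE* f = std::fopen("/proc/self/maps", "r");
  if (!f) return -1;
  unsigned long long addr = (unsigned long long)reinterpret_cast<uintptr_t>(p);
  char line[512];
  int result = -1;
  while (std::fgets(line, sizeof line, f)) {
    unsigned long long start = 0, end = 0;
    char perms[8] = {0};
    // Line format: "7f6ed27ce000-7f6edad01000 r-xp 00000000 08:11 39071485 /path"
    if (std::sscanf(line, "%llx-%llx %7s", &start, &end, perms) != 3) continue;
    if (addr >= start && addr < end) {
      result = (perms[1] == 'w') ? 1 : 0;
      break;
    }
  }
  std::fclose(f);
  return result;
}

int main() {
  std::printf("empty case safe: %d\n", EmptyCaseIsSafe());
  std::printf("round trip: %s\n", RoundTrip("void main(){}").c_str());
  std::printf("shared null char writable: %d\n", AddressIsWritable(SharedNullCharAddress()));
  return 0;
}
```

Removing the `if (len)` guard in `FetchTranslatedSource` reproduces the crash: `strcpy` stores one zero byte through the shared null-char pointer and the process takes a SIGSEGV, which is what the `__strcpy_sse2_unaligned` frame at the top of the stack shows.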
Attachment #8489571 - Flags: review?(dglastonbury)
Attachment #8489571 - Flags: review?(dglastonbury) → review+
This code has been replaced.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID