Closed Bug 1067542 Opened 10 years ago Closed 9 years ago

WebGL2: crash in CompileShader on conformance2/core/frag-depth.html test

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: bjacob, Unassigned)

References

Details

Attachments

(1 file)

avoid-compileshader-0length-crash
977 bytes, patch
u480271
: review+
Details | Diff | Splinter Review
The stack is: #6 __strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:532 #7 0x00007f6ed7813d30 in ShGetObjectCode (handle=0x7f6eb49e3800, objCode=0x7f6ed8eb90ec <gNullChar> "") at /home/bjacob/hack/djg/gfx/angle/src/compiler/translator/ShaderLang.cpp:288 #8 0x00007f6ed533ad6e in mozilla::WebGLContext::CompileShader (this=0x7f6eadc74800, shader=0x7f6ea4b47dc0) at /home/bjacob/hack/djg/dom/canvas/WebGLContextGL.cpp:3314 #9 0x00007f6ed520d393 in mozilla::dom::WebGLRenderingContextBinding::compileShader (cx=0x7f6eb7baf210, obj=..., self=0x7f6eadc74800, args=...) at ./WebGLRenderingContextBinding.cpp:8669 Some debugging: (gdb) frame 8 #8 0x00007f6ed533ad6e in mozilla::WebGLContext::CompileShader (this=0x7f6eadc74800, shader=0x7f6ea4b47dc0) at /home/bjacob/hack/djg/dom/canvas/WebGLContextGL.cpp:3314 3314 (gdb) l 3309 MOZ_ASSERT(lenWithNull >= 1); 3310 size_t len = lenWithNull - 1; 3311 3312 nsAutoCString translatedSrc; 3313 translatedSrc.SetLength(len); // Allocates len+1, for the null-term. 3314 3315 if (len) { 3316 ShGetObjectCode(compiler, translatedSrc.BeginWriting()); 3317 } 3318 (gdb) p len $14 = 0 (gdb) p translatedSrc.BeginWriting() $15 = (nsACString_internal::char_type *) 0x7f6ed8eb90ec <gNullChar> "" What's this 0x7f6ed8eb90ec ? That's our storage for a singleton null string, a global read-only string. /proc/pid/maps confirms it's in a read-only segment from the libxul mapping itself: 7f6ed27ce000-7f6edad01000 r-xp 00000000 08:11 39071485 /home/bjacob/hack/djg/obj-firefox-debug/toolkit/library/libxul.so So our above code has to special-case 0-length strings, as even the action of overwriting a 0 byte with 0 is not allowed in a read-only segment.
Attachment #8489571 - Flags: review?(dglastonbury)
Attachment #8489571 - Flags: review?(dglastonbury) → review+
This code has been replaced.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: