Closed Bug 1199923 (CVE-2016-1956) Opened 9 years ago Closed 9 years ago

Possible stack corruption with WebGL shaders

Categories

(Core :: Graphics: CanvasWebGL, defect)

43 Branch
x86
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla46
Tracking Status
firefox43 --- wontfix
firefox44 --- wontfix
firefox45 --- fixed
firefox46 --- fixed

People

(Reporter: ugobejishvili, Assigned: eflores)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main45+] can force user to reboot machine)

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html
User Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20150828123452

Steps to reproduce:

Test on:
OS: Linux Ubuntu 14.04 LTS x86
memory: 2GB
Processor: Intel® Core™ i5-2400 CPU @ 3.10GHz × 4
Firefox build: 43.0a1 (2015-08-28) Firefox nightly

Load testcase.html

Actual results:

Program received signal SIGPIPE, Broken pipe.
[Switching to Thread 0xafbffb40 (LWP 5040)]
0xb7fdd424 in ?? ()
(gdb) (gdb) (gdb) (gdb) Done sleeping...
(gdb) bt
#0  0xb7fdd424 in ?? ()
#1  0xb1989a0a in ?? () from /home/hidan/ff/firefox/libxul.so
#2  0xb197327c in ?? () from /home/hidan/ff/firefox/libxul.so
#3  0xb1978963 in ?? () from /home/hidan/ff/firefox/libxul.so
#4  0xb1978af7 in ?? () from /home/hidan/ff/firefox/libxul.so
#5  0xb19729c4 in ?? () from /home/hidan/ff/firefox/libxul.so
#6  0xb1973b18 in ?? () from /home/hidan/ff/firefox/libxul.so
#7  0xb1973b3e in ?? () from /home/hidan/ff/firefox/libxul.so
#8  0xb197c6cc in ?? () from /home/hidan/ff/firefox/libxul.so
#9  0xb1978fe8 in ?? () from /home/hidan/ff/firefox/libxul.so
#10 0xb7faff70 in start_thread (arg=0xafbffb40) at pthread_create.c:312
#11 0xb7d8b70e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
(gdb) i r
eax            0xffffffe0   -32
ecx            0xafbfebf0   -1346376720
edx            0xb6617d60   -1235124896
ebx            0x10         16
esp            0xafbfebd8   0xafbfebd8
ebp            0xafbff058   0xafbff058
esi            0x0          0
edi            0xafbfec4c   -1346376628
eip            0xb7fdd424   0xb7fdd424
eflags         0x200293     [ CF AF SF IF ID ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb) exploitable
Description: Possible stack corruption
Short description: PossibleStackCorruption (7/22)
Hash: 0e927d7f07bff32e2ed81d34aef68ae9.5a355df4001f81c4ed3369028d229b6d
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or the stack contained return addresses that were not mapped in the inferior's process address space and/or the stack pointer is pointing to a location outside the default stack region. These conditions likely indicate stack corruption, which is generally considered exploitable.
Other tags: UncategorizedSignal (22/22)
(gdb) where
#0  0xb7fdd424 in ?? ()
#1  0xb1989a0a in ?? () from /home/hidan/ff/firefox/libxul.so
#2  0xb197327c in ?? () from /home/hidan/ff/firefox/libxul.so
#3  0xb1978963 in ?? () from /home/hidan/ff/firefox/libxul.so
#4  0xb1978af7 in ?? () from /home/hidan/ff/firefox/libxul.so
#5  0xb19729c4 in ?? () from /home/hidan/ff/firefox/libxul.so
#6  0xb1973b18 in ?? () from /home/hidan/ff/firefox/libxul.so
#7  0xb1973b3e in ?? () from /home/hidan/ff/firefox/libxul.so
#8  0xb197c6cc in ?? () from /home/hidan/ff/firefox/libxul.so
#9  0xb1978fe8 in ?? () from /home/hidan/ff/firefox/libxul.so
#10 0xb7faff70 in start_thread (arg=0xafbffb40) at pthread_create.c:312
#11 0xb7d8b70e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
OS: Unspecified → Linux
Hardware: Unspecified → x86
On a stock Mac nightly I don't see a crash, will have to try a Linux machine at work. Given the lack of symbols I assume this is a local build you've done? Any "interesting" non-default build values? Since this is a WebGL testcase can you tell us about the graphics drivers you're using? If you open the about:support page we're looking for the information in the "Graphics" section.
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Canvas: WebGL
Product: Firefox → Core
Flags: sec-bounty?
I opened the test case from comment #0 on my personal desktop machine and it basically rendered my entire desktop useless. Input from the mouse and keyboard stopped being registered in the OS. I couldn't even move the mouse to try to close the tab/restart the machine. Seemed like the entire machine was completely starved for resources.

In one instance, I managed to recover my machine after receiving the following prompt in fx (got the below prompt after about 1.5hrs of the desktop being stalled):

"A script on this page may be busy, or it may have stopped responding. You can stop the script now, open the script in the debugger, or let the script continue.
- Script: resource:///modules/sessionstore/SessionStore.jsm:2514"

Once I did recover, fx was basically unusable so I restarted it and eventually got the following crash (not sure if it's related):
- https://crash-stats.mozilla.com/report/index/193fd749-79bd-486e-8620-3f3d62150831

Used the following OS's:
* Ubuntu 14.04.3 x64 (Desktop) using the latest fx43 with 16GB of RAM
* Ubuntu 14.04.3 x64 (VM) using the fx43 asan build linked below with 6GB of RAM
* Ubuntu 14.04.3 x86 (VM) using the latest fx43 (no x86 asan) with 2GB of RAM

Used the following builds:
- https://archive.mozilla.org/pub/firefox/nightly/2015-08-31-03-02-09-mozilla-central/
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1440986987/
meant to needinfo the reporter for comment 1
Flags: needinfo?(ugobejishvili)
Summary: Possible stack corruption → Possible stack corruption with WebGL shaders
This is a very, very large canvas (2^31-257 x 2^31-257), we may be overflowing some computations.
(In reply to Daniel Veditz [:dveditz] from comment #3)
> meant to needinfo the reporter for comment 1

Tomorrow I will provide you the details.

(In reply to Milan Sreckovic [:milan] from comment #4)
> This is a very, very large canvas (2^31-257 x 2^31-257), we may be
> overflowing some computations.

Exactly! That's the reason :)
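As an added example (not code from this bug or from Gecko), the arithmetic behind comment #4: a 32-bit width*height*4 size computation for the testcase's 2^31-257 square canvas wraps to a few hundred kilobytes, while a widened, checked computation rejects it and a clamp to the 4095x4095 fallback the reporter's later log shows is accepted. MAX_BUFFER_BYTES is an assumed allocation budget, not a Gecko value.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TESTCASE_DIM     2147483391u  /* 2^31 - 257, the canvas size in the bug's log */
#define FALLBACK_DIM     4095u        /* size the log shows the browser resizing to */
#define BYTES_PER_PIXEL  4u           /* RGBA8 backing store */
#define MAX_BUFFER_BYTES (256ull * 1024 * 1024) /* assumed budget for this example */

/* Naive backing-store size in 32-bit unsigned arithmetic (wraparound is
 * well-defined for unsigned). (2^31 - 257)^2 mod 2^32 == 257^2 == 66049, so a
 * canvas that really needs ~1.8e19 bytes reports 264196 bytes. A buffer
 * allocated from this count is far smaller than the pixel writes that follow. */
uint32_t naive_buffer_bytes(uint32_t w, uint32_t h) {
    return w * h * BYTES_PER_PIXEL;
}

/* Checked computation: widen to 64 bits, reject on overflow at each step and
 * on exceeding the caller's budget. Stores the byte count only on success. */
bool checked_buffer_bytes(uint32_t w, uint32_t h, uint64_t budget, uint64_t *out) {
    uint64_t pixels, bytes;
    if (h != 0 && (uint64_t)w > UINT64_MAX / h)
        return false;                               /* w * h would overflow */
    pixels = (uint64_t)w * h;
    if (pixels > UINT64_MAX / BYTES_PER_PIXEL)
        return false;                               /* * 4 would overflow */
    bytes = pixels * BYTES_PER_PIXEL;
    if (bytes > budget)
        return false;                               /* allocatable, but over budget */
    *out = bytes;
    return true;
}

/* Fallback policy matching what the log reports: clamp each side to max_dim,
 * then accept only if the clamped allocation still passes the checked path. */
bool fit_dimensions(uint32_t w, uint32_t h, uint32_t max_dim, uint64_t budget,
                    uint32_t *out_w, uint32_t *out_h) {
    uint32_t cw = w > max_dim ? max_dim : w;
    uint32_t ch = h > max_dim ? max_dim : h;
    uint64_t bytes;
    if (!checked_buffer_bytes(cw, ch, budget, &bytes))
        return false;
    *out_w = cw;
    *out_h = ch;
    return true;
}

int main(void) {
    uint64_t bytes = 0;
    uint32_t w = 0, h = 0;

    printf("naive 32-bit size for %" PRIu32 "x%" PRIu32 ": %" PRIu32 " bytes\n",
           TESTCASE_DIM, TESTCASE_DIM, naive_buffer_bytes(TESTCASE_DIM, TESTCASE_DIM));

    if (checked_buffer_bytes(TESTCASE_DIM, TESTCASE_DIM, MAX_BUFFER_BYTES, &bytes))
        printf("checked: accepted, %" PRIu64 " bytes\n", bytes);
    else
        printf("checked: rejected (overflow or over budget)\n");

    if (fit_dimensions(TESTCASE_DIM, TESTCASE_DIM, FALLBACK_DIM, MAX_BUFFER_BYTES, &w, &h)) {
        checked_buffer_bytes(w, h, MAX_BUFFER_BYTES, &bytes);
        printf("resized to %" PRIu32 "x%" PRIu32 " (%" PRIu64 " bytes)\n", w, h, bytes);
    }
    return 0;
}
```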
Graphics
------------
Adapter Description: Intel Open Source Technology Center -- Mesa DRI Intel(R) Sandybridge Desktop x86/MMX/SSE2
Asynchronous Pan/Zoom: none
Device ID: Mesa DRI Intel(R) Sandybridge Desktop x86/MMX/SSE2
Driver Version: 3.0 Mesa 10.1.3
GPU Accelerated Windows: 0/1 Basic (OMTC)
Supports Hardware H264 Decoding: No;
Vendor ID: Intel Open Source Technology Center
WebGL Renderer: Intel Open Source Technology Center -- Mesa DRI Intel(R) Sandybridge Desktop x86/MMX/SSE2
windowLayerManagerRemote: true
AzureCanvasBackend: cairo
AzureContentBackend: cairo
AzureFallbackCanvasBackend: none
AzureSkiaAccelerated: 0
CairoUseXRender: 1

glxinfo
-----------
name of display: :0
display: :0  screen: 0
direct rendering: Yes
server glx vendor string: SGI
server glx version string: 1.4
client glx vendor string: Mesa Project and SGI
client glx version string: 1.4
GLX version: 1.4
OpenGL vendor string: Intel Open Source Technology Center
OpenGL renderer string: Mesa DRI Intel(R) Sandybridge Desktop x86/MMX/SSE2
OpenGL core profile version string: 3.1 (Core Profile) Mesa 10.1.3
OpenGL core profile shading language version string: 1.40
OpenGL core profile context flags: (none)
OpenGL version string: 3.0 Mesa 10.1.3
OpenGL shading language version string: 1.30
OpenGL context flags: (none)
Flags: needinfo?(ugobejishvili)
A DoS that requires a reboot is at least a sec-moderate. Somebody should look into this to see if there's more evidence of corruption, and it might need to be rated higher. So I'll just leave it untriaged for now.
Flags: sec-bounty? → sec-bounty+
Whiteboard: can force user to reboot machine
Assignee: nobody → edwin
Note: the build in the previous comment should fix the problem on Intel, still looking at the nVidia case.
(In reply to Edwin Flores [:eflores] [:edwin] from comment #8)
> Hi Ucha,
>
> Could you try the build here and see if the problem goes away?
>
> http://archive.mozilla.org/pub/firefox/try-builds/eflores@mozilla.com-
> b9820fd1e0f1028ec4791880df53a27e28817ed3/try-linux64-debug/

./firefox --safe-mode
++DOCSHELL 0x7fe4875aa800 == 1 [pid = 3148] [id = 1]
++DOMWINDOW == 1 (0x7fe4875f7000) [pid = 3148] [serial = 1] [outer = (nil)]
[3148] WARNING: Hardware Vsync support not yet implemented. Falling back to software timers: file /builds/slave/try-l64-d-00000000000000000000/build/src/gfx/thebes/gfxPlatform.cpp, line 2091
++DOMWINDOW == 2 (0x7fe4875fac00) [pid = 3148] [serial = 2] [outer = 0x7fe4875f7000]
[3148] WARNING: dependent window created without a parent: file /builds/slave/try-l64-d-00000000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp, line 660
++DOCSHELL 0x7fe4828c5000 == 2 [pid = 3148] [id = 2]
++DOMWINDOW == 3 (0x7fe482603c00) [pid = 3148] [serial = 3] [outer = (nil)]
++DOMWINDOW == 4 (0x7fe482604800) [pid = 3148] [serial = 4] [outer = 0x7fe482603c00]
++DOMWINDOW == 5 (0x7fe482609000) [pid = 3148] [serial = 5] [outer = 0x7fe4875f7000]
--DOCSHELL 0x7fe4828c5000 == 1 [pid = 3148] [id = 2]
++DOCSHELL 0x7fe47ccbb000 == 2 [pid = 3148] [id = 3]
++DOMWINDOW == 6 (0x7fe47ca1f400) [pid = 3148] [serial = 6] [outer = (nil)]
++DOMWINDOW == 7 (0x7fe47ca20000) [pid = 3148] [serial = 7] [outer = 0x7fe47ca1f400]
++DOCSHELL 0x7fe47c473800 == 3 [pid = 3148] [id = 4]
++DOMWINDOW == 8 (0x7fe47c14fc00) [pid = 3148] [serial = 8] [outer = (nil)]
++DOCSHELL 0x7fe47c474000 == 4 [pid = 3148] [id = 5]
++DOMWINDOW == 9 (0x7fe47c150400) [pid = 3148] [serial = 9] [outer = (nil)]
[3148] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80040111: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/base/nsFrameLoader.cpp, line 272
++DOCSHELL 0x7fe47b833000 == 5 [pid = 3148] [id = 6]
++DOMWINDOW == 10 (0x7fe47b9b6c00) [pid = 3148] [serial = 10] [outer = (nil)]
[3148] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80040111: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/base/nsFrameLoader.cpp, line 272
++DOMWINDOW == 11 (0x7fe47b662400) [pid = 3148] [serial = 11] [outer = 0x7fe47b9b6c00]
++DOMWINDOW == 12 (0x7fe47bbd4400) [pid = 3148] [serial = 12] [outer = 0x7fe47c14fc00]
++DOMWINDOW == 13 (0x7fe47cab8800) [pid = 3148] [serial = 13] [outer = 0x7fe47c150400]
++DOMWINDOW == 14 (0x7fe47b5efc00) [pid = 3148] [serial = 14] [outer = 0x7fe47b9b6c00]
++DOMWINDOW == 15 (0x7fe47a6e1000) [pid = 3148] [serial = 15] [outer = 0x7fe47b9b6c00]
[3148] WARNING: attempt to modify an immutable nsStandardURL: file /builds/slave/try-l64-d-00000000000000000000/build/src/netwerk/base/nsStandardURL.cpp, line 1302
JavaScript error: resource://gre/components/nsUrlClassifierListManager.js, line 75: NS_ERROR_XPC_GS_RETURNED_FAILURE: Component returned failure code: 0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE) [nsIJSCID.getService]
JavaScript error: resource://gre/components/nsUrlClassifierListManager.js, line 75: NS_ERROR_XPC_GS_RETURNED_FAILURE: Component returned failure code: 0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE) [nsIJSCID.getService]
++DOCSHELL 0x7fe47e21b000 == 6 [pid = 3148] [id = 7]
++DOMWINDOW == 16 (0x7fe4775d0c00) [pid = 3148] [serial = 16] [outer = (nil)]
++DOMWINDOW == 17 (0x7fe4775d2c00) [pid = 3148] [serial = 17] [outer = 0x7fe4775d0c00]
++DOMWINDOW == 18 (0x7fe4775d3400) [pid = 3148] [serial = 18] [outer = 0x7fe4775d0c00]
++DOCSHELL 0x7fe4775e5000 == 7 [pid = 3148] [id = 8]
++DOMWINDOW == 19 (0x7fe4775d3000) [pid = 3148] [serial = 19] [outer = (nil)]
++DOMWINDOW == 20 (0x7fe4775d9800) [pid = 3148] [serial = 20] [outer = 0x7fe4775d3000]
[3148] WARNING: Could not get disk status from nsIDiskSpaceWatcher: file /builds/slave/try-l64-d-00000000000000000000/build/src/uriloader/prefetch/nsOfflineCacheUpdateService.cpp, line 319
]: Done sleeping...
[Child 3204] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /builds/slave/try-l64-d-00000000000000000000/build/src/toolkit/xre/nsXREDirProvider.cpp, line 1412
++DOCSHELL 0x7f7501065000 == 1 [pid = 3204] [id = 1]
++DOMWINDOW == 1 (0x7f74fde44c00) [pid = 3204] [serial = 1] [outer = (nil)]
++DOMWINDOW == 2 (0x7f74fdeb7000) [pid = 3204] [serial = 2] [outer = 0x7f74fde44c00]
[Parent 3148] WARNING: Could not get disk information from DiskSpaceWatcher: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/storage/DOMStorageIPC.cpp, line 320
++DOMWINDOW == 3 (0x7f74fd77c000) [pid = 3204] [serial = 3] [outer = 0x7f74fde44c00]
[Child 3204] WARNING: NS_ENSURE_TRUE(ParseTypeAttribute(type, &version)) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/base/nsScriptLoader.cpp, line 515
[Child 3204] WARNING: NS_ENSURE_TRUE(ParseTypeAttribute(type, &version)) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/base/nsScriptLoader.cpp, line 515
[Child 3204] WARNING: NS_ENSURE_TRUE(startupCache) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/xbl/nsXBLDocumentInfo.cpp, line 199
[Child 3204] WARNING: NS_ENSURE_TRUE(startupCache) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/xbl/nsXBLDocumentInfo.cpp, line 267
nsLineLayout: HTMLCanvas(canvas)(1)@7f74fd7fae60 metrics=1073741824,1073741824!
nsBlockReflowContext: Block(body)(2)@7f74fd7fa9a8 metrics=67320,1073742064!
nsLineLayout: HTMLCanvas(canvas)(1)@7f74fd7fae60 metrics=1073741824,1073741824!
nsBlockReflowContext: Block(body)(2)@7f74fd7fa9a8 metrics=67320,1073742064!
ATTENTION: default value of option force_s3tc_enable overridden by environment.
JavaScript warning: file:///home/lab/testcase.html, line 33: Error: WebGL: Requested size 2147483391x2147483391 was too large, but resize to 4095x4095 succeeded.
++DOMWINDOW == 21 (0x7fe47fd91000) [pid = 3148] [serial = 21] [outer = 0x7fe4775d3000]
JavaScript warning: https://self-repair.mozilla.org/en-US/repair/, line 8: mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create
++DOCSHELL 0x7fe4792e3800 == 8 [pid = 3148] [id = 9]
++DOMWINDOW == 22 (0x7fe482768400) [pid = 3148] [serial = 22] [outer = (nil)]
++DOMWINDOW == 23 (0x7fe48276e000) [pid = 3148] [serial = 23] [outer = 0x7fe482768400]
JavaScript warning: file:///home/lab/testcase.html, line 78: Error: WebGL: linkProgram: Must have a compiled vertex shader attached.
JavaScript warning: file:///home/lab/testcase.html, line 82: Error: WebGL: getAttribLocation: `program` must be linked.
JavaScript warning: file:///home/lab/testcase.html, line 83: Error: WebGL: getUniformLocation: `program` must be linked.
JavaScript warning: file:///home/lab/testcase.html, line 99: Error: WebGL: useProgram: Program has not been successfully linked.
JavaScript warning: file:///home/lab/testcase.html, line 100: Error: WebGL: disableVertexAttribArray: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM
JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM
JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM
[Parent 3148] WARNING: GetDefaultCharsetForLocale: need to add multi locale support: file /builds/slave/try-l64-d-00000000000000000000/build/src/intl/locale/unix/nsUNIXCharset.cpp, line 101
--DOCSHELL 0x7fe4792e3800 == 7 [pid = 3148] [id = 9]
--DOMWINDOW == 22 (0x7fe4775d2c00) [pid = 3148] [serial = 17] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 21 (0x7fe47b5efc00) [pid = 3148] [serial = 14] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 20 (0x7fe47b662400) [pid = 3148] [serial = 11] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 19 (0x7fe4875fac00) [pid = 3148] [serial = 2] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 18 (0x7fe482603c00) [pid = 3148] [serial = 3] [outer = (nil)] [url = chrome://browser/content/safeMode.xul]
--DOMWINDOW == 2 (0x7f74fdeb7000) [pid = 3204] [serial = 2] [outer = (nil)] [url = about:blank]
++DOMWINDOW == 3 (0x7f74fd741400) [pid = 3204] [serial = 4] [outer = 0x7f74fde44c00]
[Child 3204] WARNING: NS_ENSURE_TRUE(ParseTypeAttribute(type, &version)) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/base/nsScriptLoader.cpp, line 515
[Child 3204] WARNING: NS_ENSURE_TRUE(ParseTypeAttribute(type, &version)) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/base/nsScriptLoader.cpp, line 515
nsLineLayout: HTMLCanvas(canvas)(1)@7f75010cae60 metrics=1073741824,1073741824!
nsBlockReflowContext: Block(body)(2)@7f75010ca9a8 metrics=67320,1073742064!
nsLineLayout: HTMLCanvas(canvas)(1)@7f75010cae60 metrics=1073741824,1073741824!
nsBlockReflowContext: Block(body)(2)@7f75010ca9a8 metrics=67320,1073742064!
JavaScript warning: file:///home/lab/testcase.html, line 33: Error: WebGL: Requested size 2147483391x2147483391 was too large, but resize to 4095x4095 succeeded.
--DOCSHELL 0x7fe47b833000 == 6 [pid = 3148] [id = 0]
--DOMWINDOW == 17 (0x7fe482604800) [pid = 3148] [serial = 4] [outer = (nil)] [url = about:blank]
JavaScript warning: file:///home/lab/testcase.html, line 78: Error: WebGL: linkProgram: Must have a compiled vertex shader attached.
JavaScript warning: file:///home/lab/testcase.html, line 82: Error: WebGL: getAttribLocation: `program` must be linked.
JavaScript warning: file:///home/lab/testcase.html, line 83: Error: WebGL: getUniformLocation: `program` must be linked.
JavaScript warning: file:///home/lab/testcase.html, line 99: Error: WebGL: useProgram: Program has not been successfully linked.
JavaScript warning: file:///home/lab/testcase.html, line 100: Error: WebGL: disableVertexAttribArray: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM
JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM
JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM
--DOMWINDOW == 16 (0x7fe4775d9800) [pid = 3148] [serial = 20] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 15 (0x7fe48276e000) [pid = 3148] [serial = 23] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 14 (0x7fe47b9b6c00) [pid = 3148] [serial = 10] [outer = (nil)] [url = about:sessionrestore]
--DOMWINDOW == 13 (0x7fe482768400) [pid = 3148] [serial = 22] [outer = (nil)] [url = about:srcdoc]
--DOMWINDOW == 12 (0x7fe47a6e1000) [pid = 3148] [serial = 15] [outer = (nil)] [url = about:sessionrestore]
1448700091425 addons.productaddons WARN Failed downloading XML, status: 0, reason: timeout
--DOMWINDOW == 2 (0x7f74fd77c000) [pid = 3204] [serial = 3] [outer = (nil)] [url = file:///home/lab/testcase.html]
++DOMWINDOW == 3 (0x7f74f7d28800) [pid = 3204] [serial = 5] [outer = 0x7f74fde44c00]
[Child 3204] WARNING: NS_ENSURE_TRUE(ParseTypeAttribute(type, &version)) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/base/nsScriptLoader.cpp, line 515
[Child 3204] WARNING: NS_ENSURE_TRUE(ParseTypeAttribute(type, &version)) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/dom/base/nsScriptLoader.cpp, line 515
nsLineLayout: HTMLCanvas(canvas)(1)@7f74f80fbe60 metrics=1073741824,1073741824!
nsBlockReflowContext: Block(body)(2)@7f74f80fb9a8 metrics=67320,1073742064!
nsLineLayout: HTMLCanvas(canvas)(1)@7f74f80fbe60 metrics=1073741824,1073741824!
nsBlockReflowContext: Block(body)(2)@7f74f80fb9a8 metrics=67320,1073742064!
JavaScript warning: file:///home/lab/testcase.html, line 33: Error: WebGL: Requested size 2147483391x2147483391 was too large, but resize to 4095x4095 succeeded.
JavaScript warning: file:///home/lab/testcase.html, line 78: Error: WebGL: linkProgram: Must have a compiled vertex shader attached.
JavaScript warning: file:///home/lab/testcase.html, line 82: Error: WebGL: getAttribLocation: `program` must be linked.
JavaScript warning: file:///home/lab/testcase.html, line 83: Error: WebGL: getUniformLocation: `program` must be linked.
JavaScript warning: file:///home/lab/testcase.html, line 99: Error: WebGL: useProgram: Program has not been successfully linked.
JavaScript warning: file:///home/lab/testcase.html, line 100: Error: WebGL: disableVertexAttribArray: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM
JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program.
JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM JavaScript warning: file:///home/lab/testcase.html, line 113: Error: WebGL: vertexAttrib3fv: -1 is not a valid `index`. This value probably comes from a getAttribLocation() call, where this return value -1 means that the passed name didn't correspond to an active attribute in the specified program. JavaScript warning: file:///home/lab/testcase.html, line 115: Error: WebGL: drawArrays: null CURRENT_PROGRAM --DOMWINDOW == 2 (0x7f74fd741400) [pid = 3204] [serial = 4] [outer = (nil)] [url = file:///home/lab/testcase.html] --DOCSHELL 0x7fe47e21b000 == 5 [pid = 3148] [id = 7] JavaScript error: resource://gre/modules/PerformanceStats.jsm, line 208: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIPerformanceStatsService.isMonitoringJank] --DOCSHELL 0x7fe4875aa800 == 4 [pid = 3148] [id = 1] [Parent 3148] WARNING: cannot post event if not initialized: file /builds/slave/try-l64-d-00000000000000000000/build/src/netwerk/protocol/http/nsHttpConnectionMgr.cpp, line 231 [Parent 3148] WARNING: cannot post event if not initialized: file /builds/slave/try-l64-d-00000000000000000000/build/src/netwerk/protocol/http/nsHttpConnectionMgr.cpp, line 231 [Child 3204] WARNING: NS_ENSURE_TRUE(context) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/xpcom/threads/nsThread.cpp, line 769 --DOCSHELL 0x7f7501065000 == 0 [pid = 3204] [id = 1] --DOMWINDOW == 1 (0x7f74fde44c00) [pid = 3204] [serial = 1] [outer = (nil)] [url = file:///home/lab/testcase.html] --DOMWINDOW == 0 (0x7f74f7d28800) [pid = 3204] [serial = 5] [outer = (nil)] [url = file:///home/lab/testcase.html] nsStringStats => mAllocCount: 16664 => mReallocCount: 592 => mFreeCount: 16664 => mShareCount: 13086 => mAdoptCount: 2641 => mAdoptFreeCount: 2641 => Process ID: 3204, Thread ID: 140140939323840 console.error: Message: Error: SessionFile is closed Stack: 
SessionFileInternal.write@resource:///modules/sessionstore/SessionFile.jsm:269:29 this.SessionFile.write@resource:///modules/sessionstore/SessionFile.jsm:74:12 SessionSaverInternal._writeState@resource:///modules/sessionstore/SessionSaver.jsm:242:12 SessionSaverInternal._saveState@resource:///modules/sessionstore/SessionSaver.jsm:213:12 SessionSaverInternal._saveStateAsync@resource:///modules/sessionstore/SessionSaver.jsm:226:5 SessionSaverInternal.runDelayed/this._timeoutID<@resource:///modules/sessionstore/SessionSaver.jsm:145:40 setTimeout_timer@resource://gre/modules/Timer.jsm:30:5 --DOCSHELL 0x7fe4775e5000 == 3 [pid = 3148] [id = 8] --DOCSHELL 0x7fe47ccbb000 == 2 [pid = 3148] [id = 3] --DOCSHELL 0x7fe47c473800 == 1 [pid = 3148] [id = 4] --DOCSHELL 0x7fe47c474000 == 0 [pid = 3148] [id = 5] --DOMWINDOW == 11 (0x7fe47bbd4400) [pid = 3148] [serial = 12] [outer = 0x7fe47c14fc00] [url = about:blank] ]: --DOMWINDOW == 10 (0x7fe47c14fc00) [pid = 3148] [serial = 8] [outer = (nil)] [url = about:blank] --DOMWINDOW == 9 (0x7fe47cab8800) [pid = 3148] [serial = 13] [outer = 0x7fe47c150400] [url = about:blank] JavaScript error: resource://gre/modules/PerformanceStats.jsm, line 492: Error: forget() called twice [Parent 3148] WARNING: NS_ENSURE_TRUE(context) failed: file /builds/slave/try-l64-d-00000000000000000000/build/src/xpcom/threads/nsThread.cpp, line 769 --DOMWINDOW == 8 (0x7fe47c150400) [pid = 3148] [serial = 9] [outer = (nil)] [url = about:blank] --DOMWINDOW == 7 (0x7fe47ca20000) [pid = 3148] [serial = 7] [outer = (nil)] [url = about:blank] --DOMWINDOW == 6 (0x7fe47ca1f400) [pid = 3148] [serial = 6] [outer = (nil)] [url = chrome://browser/content/browser.xul] --DOMWINDOW == 5 (0x7fe4875f7000) [pid = 3148] [serial = 1] [outer = (nil)] [url = resource://gre-resources/hiddenWindow.html] --DOMWINDOW == 4 (0x7fe4775d3000) [pid = 3148] [serial = 19] [outer = (nil)] [url = https://self-repair.mozilla.org/en-US/repair/] --DOMWINDOW == 3 (0x7fe4775d3400) [pid = 3148] [serial = 
18] [outer = (nil)] [url = data:application/vnd.mozilla.xul+xml;charset=utf-8,<window%20id='win'/>] --DOMWINDOW == 2 (0x7fe4775d0c00) [pid = 3148] [serial = 16] [outer = (nil)] [url = data:application/vnd.mozilla.xul+xml;charset=utf-8,<window%20id='win'/>] --DOMWINDOW == 1 (0x7fe47fd91000) [pid = 3148] [serial = 21] [outer = (nil)] [url = https://self-repair.mozilla.org/en-US/repair/] --DOMWINDOW == 0 (0x7fe482609000) [pid = 3148] [serial = 5] [outer = (nil)] [url = resource://gre-resources/hiddenWindow.html] nsStringStats => mAllocCount: 141317 => mReallocCount: 35374 => mFreeCount: 141311 -- LEAKED 6 !!! => mShareCount: 446843 => mAdoptCount: 6512 => mAdoptFreeCount: 6512 => Process ID: 3148, Thread ID: 140619998836544
Flags: needinfo?(ugobejishvili)
In the nVidia case, we're simply running out of video memory, or close to it. WebGLContext::ResizeBackbuffer uses the driver-reported max size of 16K when resizing. Fortunately, unlike on Intel, it *does* actually support this size. Less fortunately, most cards can fit only a few of these surfaces at most (16K * 16K * 32-bit colour = 1GB, not to mention the depth buffer). Video cards apparently HATE running out of video memory. The stall seems to come largely from glRenderbufferStorage as it tries to find a place to allocate the enormous buffer. Also glBindFramebuffer takes a while -- not sure what that's about just yet. We should add a check against the max allocation size pref (like in gfx::Factory::CheckSurfaceSize), but this doesn't buy us much leeway -- simply allocating a bunch of slightly smaller buffers brings my box to a crawl in the same way. Maybe we should have a heuristic to fail allocations that are likely to bite us in this way.
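As an added illustration of the allocation check proposed in the comment above (hypothetical code, not from this bug's patch and not Gecko's gfx::Factory::CheckSurfaceSize), an overflow-safe estimate of a backbuffer's colour plus depth footprint compared against a configured cap; `SurfaceLimits`, `CheckBackbufferSize` and the sample numbers are all assumptions:

```cpp
#include <cstdint>
#include <limits>

// Hypothetical stand-ins for the driver-reported max size and the
// max allocation size pref mentioned in the comment above.
struct SurfaceLimits {
    int32_t  maxDimension;   // largest width or height the driver reports
    uint64_t maxAllocBytes;  // cap on one backbuffer allocation (colour + depth)
};

// Hypothetical check (not Gecko's). Returns true when a width x height
// backbuffer with colourBpp bytes of colour and depthBpp bytes of
// depth/stencil per pixel fits under the cap. Dimensions are int32 and the
// arithmetic is 64-bit, so a huge request near INT32_MAX cannot wrap around
// into a small, apparently valid byte count.
bool CheckBackbufferSize(int32_t width, int32_t height,
                         uint64_t colourBpp, uint64_t depthBpp,
                         const SurfaceLimits& limits, uint64_t* outBytes)
{
    if (width <= 0 || height <= 0) return false;
    if (width > limits.maxDimension || height > limits.maxDimension) return false;

    const uint64_t bytesPerPixel = colourBpp + depthBpp;
    if (bytesPerPixel == 0) return false;

    // int32 * int32 always fits in uint64; guard the second multiply explicitly.
    const uint64_t pixels = static_cast<uint64_t>(width) * static_cast<uint64_t>(height);
    if (pixels > std::numeric_limits<uint64_t>::max() / bytesPerPixel) return false;

    const uint64_t bytes = pixels * bytesPerPixel;
    if (outBytes) *outBytes = bytes;
    return bytes <= limits.maxAllocBytes;
}
```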
(In reply to Ucha Gobejishvili from comment #10) To be clear, you no longer get a crash, but just the WebGL warnings?
(In reply to Edwin Flores [:eflores] [:edwin] from comment #12) > (In reply to Ucha Gobejishvili from comment #10) > > To be clear, you no longer get a crash, but just the WebGL warnings? Exactly!
Sweet. I'll put that patch up and spin the nVidia issue out into a new bug.
Attached patch 1199923.patch (obsolete) — Splinter Review
Attachment #8695275 - Flags: review?(jgilbert)
Comment on attachment 8695275 [details] [diff] [review] 1199923.patch
Review of attachment 8695275 [details] [diff] [review]:
-----------------------------------------------------------------
I thought we'd need more thought to handle this based on reported GPU memory, but this heuristic is probably better.
::: gfx/gl/GLContext.cpp
@@ +1616,5 @@
> + mNeedsTextureSizeChecks = true;
> + } else if (mVendor == GLVendor::Intel) {
> + // Bug 1199923. Driver seems to report a larger max size than
> + // actually supported.
> + mMaxTextureSize = std::min(mMaxTextureSize, 4096);
We really don't want to be capping things if we can avoid it, particularly since 5k monitors are hitting the market, and 2x supersampling is a thing even at lower resolutions. Let's just take mMaxTextureSize /= 2 as a heuristic for the present, and move towards a d3d-like resource-size cap based on GPU memory in the longer term.
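Review bot: the new branch `} else if (mVendor == GLVendor::Intel) {` keys the cap only on the vendor, so `mMaxTextureSize = std::min(mMaxTextureSize, 4096);` applies to Intel GPUs on every platform, while the crash this fixes is described as specific to Intel drivers on Linux; either gate the branch on the platform as well or extend the `// Bug 1199923.` comment to say why all Intel drivers should be limited, so the constant can be revisited later.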
Attachment #8695275 - Flags: review?(jgilbert) → review-
NI so it's not missed!
Flags: needinfo?(edwin)
Attached patch 1199923.patch — Splinter Review
To be clear, this is just for the Intel crashing bug on Linux. There probably is a cleverer(/more correct), but dirtier way to do this (e.g. we could empirically determine at startup how big a renderbuffer we can allocate without crashing, but... ew). I'll spin off a couple of other bugs (including the nVidia bug).
Attachment #8695275 - Attachment is obsolete: true
Flags: needinfo?(edwin)
Attachment #8706375 - Flags: review?(jgilbert)
Comment on attachment 8706375 [details] [diff] [review] 1199923.patch
Review of attachment 8706375 [details] [diff] [review]:
-----------------------------------------------------------------
Awesome, thanks.
Attachment #8706375 - Flags: review?(jgilbert) → review+
Comment on attachment 8706375 [details] [diff] [review] 1199923.patch
Approval Request Comment
[Feature/regressing bug #]: Driver bug.
[User impact if declined]: Some WebGL pages can crash Firefox on Linux with Intel drivers.
[Describe test coverage new/current, TreeHerder]: Fixes crash for me.
[Risks and why]: Might impact WebGL quality (by limiting texture size).
[String/UUID change made/needed]: None.
Attachment #8706375 - Flags: approval-mozilla-beta?
Attachment #8706375 - Flags: approval-mozilla-aurora?
Comment on attachment 8706375 [details] [diff] [review] 1199923.patch
Milan's suggestion on this one was to take it to Aurora45 but not Beta44. Makes sense to me.
Attachment #8706375 - Flags: approval-mozilla-beta?
Attachment #8706375 - Flags: approval-mozilla-beta-
Attachment #8706375 - Flags: approval-mozilla-aurora?
Attachment #8706375 - Flags: approval-mozilla-aurora+
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Group: gfx-core-security → core-security-release
Whiteboard: can force user to reboot machine → [post-critsmash-triage] can force user to reboot machine
Whiteboard: [post-critsmash-triage] can force user to reboot machine → [post-critsmash-triage][adv-main45+] can force user to reboot machine
Alias: CVE-2016-1956
Group: core-security-release