NULL_POINTER_WRITE_AVRF_c0000005_xul.dll!mozilla::WebGLTexture::CopyTexImage2D

Status: NEW
Product: Core
Component: Canvas: WebGL
Priority: P3
Severity: critical
Opened: 2 years ago
Updated: a year ago

People: Reporter: rforbes, Assigned: jgilbert

Tracking
Version: Trunk
Platform: x86_64, Windows 10
Keywords: crash, csectype-nullptr, testcase
Points: ---

Firefox Tracking Flags: firefox50 affected

Details
Whiteboard: [gfx-noted][sg:dos]

Attachments: 1 attachment

(Reporter)

Description

2 years ago
Created attachment 8771147 [details]
testcase

This is probably not a security issue, but marking it as such until that is determined for sure.

450): Access violation - code c0000005 (!!! second chance !!!)
eax=66ed7458 ebx=edcfdb40 ecx=7029705d edx=702e612c esi=702445b0 edi=0000072b
eip=65a9777f esp=00b5e264 ebp=811cefdc iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
xul!mozilla::WebGLTexture::CopyTexImage2D+0x3d1:
65a9777f 893d00000000    mov     dword ptr ds:[0],edi ds:002b:00000000=????????
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for firefox.exe
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
*** WARNING: Unable to verify checksum for C:\src\mozilla-source\mozilla-central\obj-i686-pc-mingw32\dist\bin\nss3.dll
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
<repeat>

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
xul!mozilla::WebGLTexture::CopyTexImage2D+3d1 [c:\src\mozilla-source\mozilla-central\dom\canvas\webgltextureupload.cpp @ 1835]
65a9777f 893d00000000    mov     dword ptr ds:[0],edi

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 65a9777f (xul!mozilla::WebGLTexture::CopyTexImage2D+0x000003d1)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00000000
Attempt to write to address 00000000

FAULTING_THREAD:  00001450

DEFAULT_BUCKET_ID:  NULL_POINTER_WRITE_AVRF

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00000000

WRITE_ADDRESS:  00000000 

FOLLOWUP_IP: 
xul!mozilla::WebGLTexture::CopyTexImage2D+3d1 [c:\src\mozilla-source\mozilla-central\dom\canvas\webgltextureupload.cpp @ 1835]
65a9777f 893d00000000    mov     dword ptr ds:[0],edi

BUGCHECK_STR:  NULL_POINTER_WRITE_AVRF

WATSON_BKT_PROCSTAMP:  577a2e5d

WATSON_BKT_PROCVER:  50.0.0.6029

PROCESS_VER_PRODUCT:  Nightly

WATSON_BKT_MODULE:  xul.dll

WATSON_BKT_MODSTAMP:  577a3045

WATSON_BKT_MODOFFSET:  c8777f

WATSON_BKT_MODVER:  50.0.0.6029

MODULE_VER_PRODUCT:  Nightly

BUILD_VERSION_STRING:  10.0.10586.494 (th2_release_sec.160630-1736)

MODLIST_WITH_TSCHKSUM_HASH:  71a760f46474017d8cd303c232fe540ae3aa932b

MODLIST_SHA1_HASH:  ae7a484bf0b3e7447649204846dadb1a83acbba6

NTGLOBALFLAG:  2000000

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  272

APPLICATION_VERIFIER_LOADED: 1

APP:  firefox.exe

ANALYSIS_SESSION_HOST:  DESKTOP-D3T92P6

ANALYSIS_SESSION_TIME:  07-13-2016 10:32:06.0330

ANALYSIS_VERSION: 10.0.10586.567 x86fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 



AVRF
    Tid    [0x1450]
    Frame  [0x00]: xul!mozilla::WebGLTexture::CopyTexImage2D
    Failure Bucketing



NULL_POINTER_WRITE
    Tid    [0x1450]
    Frame  [0x00]: xul!mozilla::WebGLTexture::CopyTexImage2D


LAST_CONTROL_TRANSFER:  from 65a6c4ab to 65a9777f

STACK_TEXT:  
00b5e2fc 65a6c4ab 0000851a 00000010 00001909 xul!mozilla::WebGLTexture::CopyTexImage2D+0x3d1
00b5e340 658e4629 0000851a 00000010 00001909 xul!mozilla::WebGLContext::CopyTexImage2D+0x60
00b5e38c 65a26c64 14816a20 00b5e3cc 2093acc8 xul!mozilla::dom::WebGLRenderingContextBinding::copyTexImage2D+0x133
00b5e3d8 667f597e 14816a20 00000008 000002fe xul!mozilla::dom::GenericBindingMethod+0x15d
00b5e42c 667f5783 e7312d30 00b5e6f8 00000000 xul!js::InternalCallOrConstruct+0x1ee
00b5e448 667fb433 14816a20 00b5e6f8 9af0b0d0 xul!InternalCall+0x63
00b5ee04 66803ab0 14816a20 00b5eeac 00b5eebc xul!Interpret+0x57b3
00b5ee9c 667f22d5 14816a20 00b5eeac 67225000 xul!js::RunScript+0x250
00b5eee8 667f2194 14816a20 00b5ef4c 9af07160 xul!js::ExecuteKernel+0xa5
00b5ef20 6675dd15 14816a20 00b5ef4c 9af07160 xul!js::Execute+0xc4
00b5efdc 6675d957 14816a20 00b5f014 00b5f008 xul!Evaluate+0x145
00b5f014 6675dde9 14816a20 00b5f08c 00b5f1b0 xul!Evaluate+0xa7
00b5f02c 6565b2f4 14816a20 00b5f08c 00b5f1b0 xul!JS::Evaluate+0x19
00b5f0cc 6565b407 14816a20 00b5f184 00b5f198 xul!nsJSUtils::EvaluateString+0x28a
00b5f150 65685139 14816a20 00b5f184 00b5f198 xul!nsJSUtils::EvaluateString+0x81
00b5f320 65688d1a f29daf38 f29daf38 95028f50 xul!nsScriptLoader::EvaluateScript+0x2c2
00b5f354 656894ce f29daf01 95028f50 00000000 xul!nsScriptLoader::ProcessRequest+0x167
00b5f67c 656755c8 e7746fdc e7746fdc dc078e90 xul!nsScriptLoader::ProcessScriptElement+0x6d6
00b5f6a4 653f15b2 dc078e90 ab700fe0 653f4744 xul!nsScriptElement::MaybeProcessScript+0xff
00b5f6b0 653f4744 d7a2af98 e7746fdc dc078fb8 xul!nsIScriptElement::AttemptToExecute+0xd
00b5f6c0 653f4611 e7746f88 00b5f777 0f4c0f88 xul!nsHtml5TreeOpExecutor::RunScript+0x4d
00b5f6ec 653f42ab 64f3247b 0f431ff0 0f463fd8 xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x202
00b5f6f0 64f3247b 0f431ff0 0f463fd8 0f459f40 xul!nsHtml5ExecutorFlusher::Run+0x16
00b5f758 64f48a82 0f4c0f88 00000000 00b5f777 xul!nsThread::ProcessNextEvent+0x231
00b5f76c 65177b35 014c0f88 00000000 00b5fb25 xul!NS_ProcessNextEvent+0x26
00b5f798 65165150 0f459f40 ebfb3451 0e94af98 xul!mozilla::ipc::MessagePump::Run+0x16b
00b5f7d0 65164f2c 0f4c0f88 00000001 00b5f800 xul!MessageLoop::RunHandler+0x53
00b5f7f0 65e94ed9 1b791fc0 00000000 65ed930a xul!MessageLoop::Run+0x19
00b5f7fc 65ed930a 0e94af98 1b791fc0 7014ce77 xul!nsBaseAppShell::Run+0x2a
00b5f80c 662e6690 0e94af98 00b5fa2c 10fbdfd0 xul!nsAppShell::Run+0x1f
00b5f81c 6631dcb8 1b791fc0 09050fa8 00b5fa40 xul!nsAppStartup::Run+0x20
00b5f824 09050fa8 00b5fa40 00b5fa2c 00000000 xul!XREMain::XRE_mainRun+0x918
WARNING: Frame IP not in any known module. Following frames may be wrong.
00b5f828 00b5fa40 00b5fa2c 00000000 00000000 0x9050fa8
00b5f82c 00b5fa2c 00000000 00000000 66b7843c 0xb5fa40
00b5fab0 779ab4c8 00000000 08d54ff0 08d52f08 0xb5fa2c
00b5fb04 70245eab 00c20000 00000000 08d52f08 ntdll!RtlFreeHeap+0x268
00b5fb18 01006d5b 08d52f08 08d50000 ebfb38ad ucrtbase!free+0x1b
00b5fb2c 00ff1902 00000004 06310fe8 00b5fb78 firefox!sandbox::PolicyBase::`scalar deleting destructor'+0x15
00b5fcc0 00ff1445 00000004 06310fe8 05e9cf58 firefox!do_main+0x2d7
00b5fd1c 00ff1c3f 00000004 06310fe8 05e9cf58 firefox!NS_internal_main+0xb9
00b5fd54 0100c59f 00000004 fffa1ea8 062b8f58 firefox!wmain+0x130
00b5fda0 74ea38f4 0086a000 74ea38d0 6f4905bf firefox!__scrt_common_main_seh+0xff
00b5fdb4 779d5de3 0086a000 c93b59e9 00000000 KERNEL32!BaseThreadInitThunk+0x24
00b5fdfc 779d5dae ffffffff 779fb7ce 00000000 ntdll!__RtlUserThreadStart+0x2f
00b5fe0c 00000000 0100c61c 0086a000 00000000 ntdll!_RtlUserThreadStart+0x1b


THREAD_SHA1_HASH_MOD_FUNC:  f4fbaa904a756f63488459b1b17606790b9f0446

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  534d07f726fac22bb00d1efe530ab38e795a56b6

THREAD_SHA1_HASH_MOD:  b244789a4edc2662ed0771173d500e0a539b05e2

FAULT_INSTR_CODE:  3d89

FAULTING_SOURCE_LINE:  c:\src\mozilla-source\mozilla-central\dom\canvas\webgltextureupload.cpp

FAULTING_SOURCE_FILE:  c:\src\mozilla-source\mozilla-central\dom\canvas\webgltextureupload.cpp

FAULTING_SOURCE_LINE_NUMBER:  1835

FAULTING_SOURCE_CODE:  
  1831:                                    funcName);
  1832:         return;
  1833:     }
  1834:     if (error) {
> 1835:         MOZ_RELEASE_ASSERT(false, "GFX: We should have caught all other errors.");
  1836:         mContext->GenerateWarning("%s: Unexpected error during texture copy. Context"
  1837:                                   " lost.",
  1838:                                   funcName);
  1839:         mContext->ForceLoseContext();
  1840:         return;


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  xul!mozilla::WebGLTexture::CopyTexImage2D+3d1

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: xul

IMAGE_NAME:  xul.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  577a3045

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  NULL_POINTER_WRITE_AVRF_xul!mozilla::WebGLTexture::CopyTexImage2D+3d1

PRIMARY_PROBLEM_CLASS:  NULL_POINTER_WRITE_AVRF_xul!mozilla::WebGLTexture::CopyTexImage2D+3d1

BUCKET_ID_OFFSET:  3d1

BUCKET_ID_MODULE_STR:  xul

BUCKET_ID_MODTIMEDATESTAMP:  577a3045

BUCKET_ID_MODCHECKSUM:  0

BUCKET_ID_MODVER_STR:  50.0.0.6029

BUCKET_ID_PREFIX_STR:  NULL_POINTER_WRITE_AVRF_

FAILURE_PROBLEM_CLASS:  NULL_POINTER_WRITE_AVRF

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  xul.dll

FAILURE_FUNCTION_NAME:  mozilla::WebGLTexture::CopyTexImage2D

BUCKET_ID_FUNCTION_STR:  mozilla::WebGLTexture::CopyTexImage2D

FAILURE_SYMBOL_NAME:  xul.dll!mozilla::WebGLTexture::CopyTexImage2D

FAILURE_BUCKET_ID:  NULL_POINTER_WRITE_AVRF_c0000005_xul.dll!mozilla::WebGLTexture::CopyTexImage2D

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/firefox.exe/50.0.0.6029/577a2e5d/xul.dll/50.0.0.6029/577a3045/c0000005/00c8777f.htm?Retriage=1

TARGET_TIME:  2016-07-13T17:39:32.000Z

OSBUILD:  10586

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

USER_LCID:  0

OSBUILD_TIMESTAMP:  2015-10-29 19:46:21

BUILDDATESTAMP_STR:  160630-1736

BUILDLAB_STR:  th2_release_sec

BUILDOSVER_STR:  10.0.10586.494

ANALYSIS_SESSION_ELAPSED_TIME: 6ce01

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:null_pointer_write_avrf_c0000005_xul.dll!mozilla::webgltexture::copyteximage2d

FAILURE_ID_HASH:  {1faf8b2c-ff92-a739-3740-dbb25f39c98d}

Followup:     MachineOwner
Flags: needinfo?(jgilbert)
(Assignee)

Comment 1

2 years ago
Ah, this again. I'll double-check.
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)

Comment 2

2 years ago
I could reproduce this on OSX and Windows with latest m-c.

Updated

2 years ago
Whiteboard: [gfx-noted]
Group: gfx-core-security
Keywords: csectype-nullptr, testcase
Whiteboard: [gfx-noted] → [gfx-noted][sg:dos]