Closed Bug 1315979 Opened 4 years ago Closed 4 years ago

Crash at [@ memcpy | rx::Buffer11::BufferStorage::setData ]

Categories

(Core :: Canvas: WebGL, defect)

50 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
firefox49 --- unaffected
firefox-esr45 --- unaffected
firefox50 --- disabled
firefox51 + fixed
firefox52 + fixed
firefox53 --- fixed

People

(Reporter: cbook, Assigned: jgilbert)


Details

(Keywords: assertion, crash, regression)

Attachments

(1 file)

Attached file stack
Found via bughunter and reproduced on latest Windows opt and debug tinderbox trunk builds.

Crash at [@ memcpy | rx::Buffer11::BufferStorage::setData ]

Steps to reproduce:
-> Load https://floooh.github.io/oryol-webgl2/asmjs/PackedNormals.html
--> Crash on opt and debug

Bughunter rated this high to medium exploitable - Windows only and so far only on trunk builds (Aurora builds crash with https://crash-stats.mozilla.com/report/index/d1d068a7-b111-4fdf-af5b-5e5b52161108, no idea if this is related or a different bug).

opt crash report https://crash-stats.mozilla.com/report/index/70ad7dec-f89f-4b06-b26c-c329c2161108
[Tracking Requested - why for this release]:
Affects at least trunk opt and debug builds (Aurora crashes too but not sure if this is this regression here).

Milan, Jeff: could you take a look, thanks!
Flags: needinfo?(milan)
Flags: needinfo?(jgilbert)
See Also: → 1315984
Regression range: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4ebed327385b6827b9275c21e29f23b13aa92457&tochange=fa9844b0dee37aeb4c94d027f7c68a94721db320

Confirmed that it reproduces on 50 as well if webgl2 is preffed on. I *think* we're planning to disable on 51 as well?
Version: unspecified → 50 Branch
It actually needs WebGL2 pref'd on?
(In reply to Milan Sreckovic [:milan] from comment #3)
> It actually needs WebGL2 pref'd on?

Correct. No crashes with WebGL2 off (even on nightly). Bisected locally to rev 7a6514210303.
https://hg.mozilla.org/integration/mozilla-inbound/rev/7a6514210303
Blocks: 1300946, webgl2
Keywords: regression
Group: core-security → gfx-core-security
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> Regression range:
> https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4ebed327385b6827b9275c21e29f23b13aa92457&tochange=fa9844b0dee37aeb4c94d027f7c68a94721db320
> 
> Confirmed that it reproduces on 50 as well if webgl2 is preffed on. I
> *think* we're planning to disable on 51 as well?

We are not. We need to fix this in 51. I'll take a look.
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)
Track 51+/52+ as regression and WebGL 2 issue.
Flags: needinfo?(milan)
I'm 80% sure this is bug 1316533.
(In reply to Jeff Gilbert [:jgilbert] from comment #7)
> I'm 80% sure this is bug 1316533.

Specifically, this is a bug in ANGLE. We're looking to update ANGLE in 52 and 53. We're going to look at cherry-picking a couple csets for 51, but likely taking the ANGLE update on 51 after it bakes on Aurora52 for a bit.
This appears to be fixed in Nightly 53 now. Bug 1319004 updated ANGLE, and should eventually be headed out to 51, but at least to 52.
Depends on: 1319004
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release