Crash at [@ memcpy | rx::Buffer11::BufferStorage::setData ]

Status: RESOLVED FIXED
Product / Component: Core :: Canvas: WebGL
Version: 50 Branch
Reported: a year ago
Last updated: 2 months ago

People: Reporter: Tomcat; Assigned: jgilbert

Tracking: Blocks bugs 1300946 and 889977; Keywords: assertion, crash, regression
Points: ---

Firefox Tracking Flags: firefox49 unaffected, firefox-esr45 unaffected, firefox50 disabled, firefox51+ fixed, firefox52+ fixed, firefox53 fixed

Attachments: 1 attachment

(Reporter)

Description

a year ago
Created attachment 8808620: stack

Found via Bughunter and reproduced on the latest Windows opt and debug Tinderbox trunk builds.

Crash at [@ memcpy | rx::Buffer11::BufferStorage::setData ]

Steps to reproduce:
-> Load https://floooh.github.io/oryol-webgl2/asmjs/PackedNormals.html
--> Crash on opt and debug

Bughunter rated this high to medium exploitable. Windows only, and so far only on trunk builds (Aurora builds crash with https://crash-stats.mozilla.com/report/index/d1d068a7-b111-4fdf-af5b-5e5b52161108; no idea if this is related or a different bug).

Opt crash report: https://crash-stats.mozilla.com/report/index/70ad7dec-f89f-4b06-b26c-c329c2161108
(Reporter)

Comment 1

a year ago
[Tracking Requested - why for this release]:
Affects at least trunk opt and debug builds (Aurora crashes too, but not sure if this is this regression here).

Milan, Jeff: could you take a look, thanks!
status-firefox52: --- → affected
tracking-firefox52: --- → ?
Flags: needinfo?(milan)
Flags: needinfo?(jgilbert)
(Reporter)

Updated

a year ago
See Also: → bug 1315984
Comment 2 (Ryan VanderMeulen [:RyanVM])

Regression range: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4ebed327385b6827b9275c21e29f23b13aa92457&tochange=fa9844b0dee37aeb4c94d027f7c68a94721db320

Confirmed that it reproduces on 50 as well if webgl2 is preffed on. I *think* we're planning to disable on 51 as well?
status-firefox49: --- → unaffected
status-firefox50: --- → disabled
status-firefox51: --- → affected
status-firefox-esr45: --- → unaffected
tracking-firefox51: --- → ?
Version: unspecified → 50 Branch
Comment 3 (Milan Sreckovic [:milan])

It actually needs WebGL2 pref'd on?
Comment 4

(In reply to Milan Sreckovic [:milan] from comment #3)
> It actually needs WebGL2 pref'd on?

Correct. No crashes with WebGL2 off (even on nightly). Bisected locally to rev 7a6514210303.
https://hg.mozilla.org/integration/mozilla-inbound/rev/7a6514210303
Blocks: 1300946, 889977
Keywords: regression
Group: core-security → gfx-core-security
(Assignee)

Comment 5

a year ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> Regression range:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=4ebed327385b6827b9275c21e29f23b13aa92457&tochange=fa98
> 44b0dee37aeb4c94d027f7c68a94721db320
> 
> Confirmed that it reproduces on 50 as well if webgl2 is preffed on. I
> *think* we're planning to disable on 51 as well?

We are not. We need to fix this in 51. I'll take a look.
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)
Comment 6

Track 51+/52+ as regression and WebGL2 issue.
tracking-firefox51: ? → +
tracking-firefox52: ? → +
Flags: needinfo?(milan)
(Assignee)

Comment 7

11 months ago
I'm 80% sure this is bug 1316533.
(Assignee)

Comment 8

11 months ago
(In reply to Jeff Gilbert [:jgilbert] from comment #7)
> I'm 80% sure this is bug 1316533.

Specifically, this is a bug in ANGLE. We're looking to update ANGLE in 52 and 53. We're going to look at cherry-picking a couple csets for 51, but likely taking the ANGLE update on 51 after it bakes on Aurora52 for a bit.
(Assignee)

Updated

11 months ago
status-firefox53: --- → fixed
(Assignee)

Comment 9

11 months ago
This appears to be fixed in Nightly 53 now. Bug 1319004 updated ANGLE, and should eventually be headed out to 51, but at least to 52.
Depends on: 1319004
(Assignee)

Updated

11 months ago
status-firefox52: affected → fixed
(Assignee)

Updated

10 months ago
status-firefox51: affected → fixed
(Assignee)

Updated

10 months ago
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED

Updated

10 months ago
Group: gfx-core-security → core-security-release