Closed Bug 1351547 Opened 3 years ago Closed 3 years ago

WebVR: crash [@mozilla::WebGLContext::StartVRPresentation()]

Categories

(Core :: WebVR, defect, critical)

51 Branch
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla55
Tracking Status
firefox-esr45 --- unaffected
firefox-esr52 --- disabled
firefox53 --- disabled
firefox54 --- disabled
firefox55 --- fixed

People

(Reporter: posidron, Assigned: daoshengmu)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, sec-audit, testcase, Whiteboard: [post-critsmash-triage])

Attachments

(3 files)

Attached file testcase.html
Marked as s-s only because I am unsure at the moment why it does a READ from page zero.

It was found while using the PuppetVR driver. The following prefs were set:

user_pref("dom.vr.enabled", true);
user_pref("dom.vr.test.enabled", true);
user_pref("dom.vr.puppet.enabled", true);
user_pref("dom.vr.require-gesture", false);
user_pref("dom.vr.poseprediction.enabled", false);


==17086==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010fae2280 bp 0x7fff58282500 sp 0x7fff58281ca0 T0)
==17086==The signal is caused by a READ memory access.
==17086==Hint: address points to the zero page.
#0 0x10fae227f in __asan_memcpy (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d27f)
#1 0x11d234363 in mozilla::gl::SurfaceCaps::SurfaceCaps(mozilla::gl::SurfaceCaps const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x29fd363)
#2 0x1201dd691 in mozilla::WebGLContext::StartVRPresentation() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x59a6691)
#3 0x1206f735c in mozilla::dom::HTMLCanvasElement::StartVRPresentation() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x5ec035c)
#4 0x11d84c1b8 in mozilla::gfx::VRLayerChild::Initialize(mozilla::dom::HTMLCanvasElement*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x30151b8)
#5 0x11d84b993 in mozilla::gfx::VRDisplayPresentation::CreateLayers() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3014993)
#6 0x11d847aef in mozilla::gfx::VRDisplayClient::BeginPresentation(nsTArray<mozilla::dom::VRLayer> const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3010aef)
#7 0x1220ba05e in mozilla::dom::VRDisplay::RequestPresent(nsTArray<mozilla::dom::VRLayer> const&, mozilla::dom::CallerType, mozilla::ErrorResult&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x788305e)
#8 0x11f45279a in mozilla::dom::VRDisplayBinding::requestPresent_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::VRDisplay*, JSJitMethodCallArgs const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x4c1b79a)
#9 0x11ffdd24e in mozilla::dom::GenericPromiseReturningBindingMethod(JSContext*, unsigned int, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x57a624e)
#10 0x126733bbd in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbefcbbd)
#11 0x1267332b4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbefc2b4)
#12 0x1266ff46b in Interpret(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbec846b)
#13 0x1266fb1e8 in js::RunScript(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbec41e8)
#14 0x1267332f9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbefc2f9)
#15 0x1267347f7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbefd7f7)
#16 0x12693e649 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xc107649)
#17 0x126733bbd in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbefcbbd)
#18 0x1267332b4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbefc2b4)
#19 0x1267347f7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xbefd7f7)
#20 0x1273b06cb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xcb796cb)
#21 0x11e9cbb38 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x4194b38)
#22 0x11a96b4ad in mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x1344ad)
#23 0x11a96b09c in mozilla::dom::PromiseJobCallback::Call(char const*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x13409c)
#24 0x11a969694 in PromiseJobRunnable::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x132694)
#25 0x121d04325 in mozilla::dom::Promise::PerformMicroTaskCheckpoint() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x74cd325)
#26 0x11a9596e6 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x1226e6)
#27 0x11c9c5ef9 in XPCJSContext::AfterProcessTask(unsigned int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x218eef9)
#28 0x11ab3ad73 in nsThread::ProcessNextEvent(bool, bool*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x303d73)
#29 0x11ab32b50 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2fbb50)
#30 0x12233bcd2 in nsBaseAppShell::NativeEventCallback() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x7b04cd2)
#31 0x1224488f8 in nsAppShell::ProcessGeckoEvents(void*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x7c118f8)
#32 0x7fffb448b980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa7980)
#33 0x7fffb446c9f6 in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x889f6)
#34 0x7fffb446bf75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87f75)
#35 0x7fffb446b973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87973)
#36 0x7fffb39f7a5b in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30a5b)
#37 0x7fffb39f7890 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30890)
#38 0x7fffb39f76c5 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x306c5)
#39 0x7fffb1f9d5b3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x475b3)
#40 0x7fffb2717d6a in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c1d6a)
#41 0x122446ec4 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x7c0fec4)
#42 0x7fffb1f91f34 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3bf34)
#43 0x122449a56 in nsAppShell::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x7c12a56)
#44 0x125ed451c in nsAppStartup::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xb69d51c)
#45 0x1260de24d in XREMain::XRE_mainRun() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xb8a724d)
#46 0x1260e1559 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xb8aa559)
#47 0x1260e2a0f in XRE_main(int, char**, mozilla::BootstrapConfig const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xb8aba0f)
#48 0x107976e00 in main (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/firefox:x86_64+0x100001e00)
#49 0x107976703 in start (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/firefox:x86_64+0x100001703)

==17086==Register values:
rax = 0x0007a0c4682ff002  rbx = 0x000000011085c4c0  rcx = 0x0000100000000000  rdx = 0x0000000000000009
rdi = 0x00007fff58282560  rsi = 0x003d0623417f8010  rbp = 0x00007fff58282500  rsp = 0x00007fff58281ca0
r8 = 0x00001c32000aad67   r9 = 0x00007fff582821e0  r10 = 0x00001fffeb05043c  r11 = 0x00001fffeb050440
r12 = 0x00007fff58282540  r13 = 0x003d0623417f8010  r14 = 0x0000000000000009  r15 = 0x00007fff58282560
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d27f) in __asan_memcpy

Command: /srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/firefox -width 512 -height 512 file:///Users/posidron/Google Drive/projects/framboise/index.html?fuzzer=1:WebVR,1:Canvas2D&timeout=0&max-commands=50&seed=None&debug=True&with-set-timeout=True&with-set-interval=True&with-events=True&ws-logger=0
Group: core-security → gfx-core-security
Keywords: sec-audit
Assignee: nobody → dmu
As attachment 8852322 [details] shows, I notice `o3 = o0.getContext('2d');` is different from our existing tests. It will call `canvas.getContext('2d')`. None of our existing tests call `canvas.getContext('webgl')` or `canvas.getContext('2d')`, so they return here: https://dxr.mozilla.org/mozilla-central/rev/20dff607fb88ee69135a280bbb7f32df75a86237/dom/html/HTMLCanvasElement.cpp#1478.

For the general WebVR samples, it should need to get a WebGL context. I am not quite sure whether it is fine to use a canvas2d context. If it is allowed, I think our code probably needs some adjustment.

Btw, if we want this sample code to run well, I have to rewrite it like below:
--------------------------------------------
<script>
o0 = document.createElement('canvas');
(document.body || document.documentElement).appendChild(o0);
o0.width = 500;
o0.height = 500;

// getContext and clear buffer need to be put before getVRDisplays();
// Otherwise, our textureClient can't get ScreenBuffer.
o3 = o0.getContext('webgl');
o3.viewport(0, 0, 500, 500);
// The bit constants live on the WebGL context object (o3); there is no global `gl` here.
o3.clear(o3.COLOR_BUFFER_BIT | o3.DEPTH_BUFFER_BIT);
navigator.requestVRServiceTest();
navigator.getVRDisplays().then(function(d) {
  o1 = d[0];
  o2 = new VRFrameData();
  o1.requestPresent([{source:o0}]).then(function() {
    o1.requestAnimationFrame(function() {
      o1.resetPose();
      o1.getLayers();
      o1.submitFrame();
      o1.getEyeParameters("right");
    });
  });
});
</script>
Kip, is it ok for sending a Canvas2dElement for VRDisplay?
Flags: needinfo?(kgilbert)
(In reply to Daosheng Mu[:daoshengmu] from comment #2)
> Kip, is it ok for sending a Canvas2dElement for VRDisplay?

We don't currently support Canvas2Ds, but should not crash if one is passed in.

It might be a good test to make sure nothing crashes with a Canvas2D, but I wouldn't expect it to render.
Flags: needinfo?(kgilbert)
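A minimal model of the failure mode discussed in the two comments above (a canvas whose only context is 2d reaching the VR presentation path with no GL context behind it) and of the guard Kip's reply implies. This is an added example, not Mozilla's code and not the fix attached to this bug; SurfaceCaps, GLContext, Canvas and the two StartVRPresentation functions are hypothetical stand-ins for the frames in the ASan trace, and the sample canvases are constructed inline.

```cpp
// Added example (hypothetical model, not Mozilla's code): why copying surface
// caps out of a missing GL context reads from the zero page, and the up-front
// check that turns that crash into a clean "unsupported" failure.
#include <cassert>
#include <cstdio>
#include <string>

// Stand-in for mozilla::gl::SurfaceCaps (frame #1 of the trace copies one).
struct SurfaceCaps {
    bool alpha = true;
    bool depth = true;
    bool antialias = false;
};

// Stand-in for the GL context a WebGL canvas owns.
struct GLContext {
    SurfaceCaps caps;
};

// Stand-in for HTMLCanvasElement: a "2d" canvas has no GLContext, which is
// exactly what the fuzzer-generated `getContext('2d')` produced.
struct Canvas {
    std::string contextType;   // "2d", "webgl" or "" (no context yet)
    GLContext* mGL = nullptr;  // only non-null for WebGL canvases
};

// Unchecked path, modelled on the crashing frame #2: it copies caps out of
// mGL without looking at it. With mGL == nullptr the copy constructor reads
// from address 0, the "READ from page zero" AddressSanitizer reported.
// Kept only to show the failure mode; only ever call it with a WebGL canvas.
SurfaceCaps StartVRPresentationUnchecked(const Canvas& canvas) {
    SurfaceCaps copy(canvas.mGL->caps);  // null dereference if mGL is null
    return copy;
}

// Guarded path: reject anything that is not a WebGL canvas before touching
// mGL, and report the failure to the caller instead of crashing.
bool StartVRPresentationChecked(const Canvas& canvas, SurfaceCaps* out) {
    if (canvas.contextType != "webgl" || canvas.mGL == nullptr) {
        return false;  // 2d or context-less canvas: unsupported, not a crash
    }
    *out = canvas.mGL->caps;
    return true;
}

// Constructed sample canvases (assumptions for this example only).
Canvas MakeWebGLCanvas() {
    static GLContext gl;        // lives for the whole program
    gl.caps.antialias = true;
    return Canvas{"webgl", &gl};
}

Canvas Make2DCanvas() {
    return Canvas{"2d", nullptr};
}

// Runs both canvases through the guarded path; true when the WebGL canvas
// succeeds and the 2d canvas is refused.
bool GuardBehavesAsExpected() {
    SurfaceCaps caps;
    bool webglOk = StartVRPresentationChecked(MakeWebGLCanvas(), &caps);
    bool twodOk = StartVRPresentationChecked(Make2DCanvas(), &caps);
    return webglOk && caps.antialias && !twodOk;
}

int main() {
    std::printf("guard ok: %s\n", GuardBehavesAsExpected() ? "yes" : "no");
    return GuardBehavesAsExpected() ? 0 : 1;
}
```

The guarded function refuses the canvas before any field of the GL context is read, so a 2d canvas passed to requestPresent gets a failed promise rather than a SEGV; the unchecked variant is the shape of code an ASan "READ from the zero page" in a copy constructor usually points at.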
Attachment #8860779 - Flags: review?(kgilbert)
Attachment #8860779 - Flags: review?(kgilbert) → review+
Attachment #8860780 - Flags: review?(kgilbert) → review+
Keywords: checkin-needed
Flags: in-testsuite+
Version: Trunk → 51 Branch
Group: gfx-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
Blocks: 1402873