WebGL EXCEPTION_ACCESS_VIOLATION_READ in sh::CollectVariables::visitDeclaration

RESOLVED FIXED in Firefox 58

Status

Core
Canvas: WebGL
RESOLVED FIXED
a year ago
7 months ago

People

(Reporter: Aral Yaman, Assigned: Lenzak)

Tracking

({crash, csectype-nullptr, testcase})

55 Branch
mozilla58
Unspecified
Windows 10

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox56 wontfix, firefox57 wontfix, firefox58 fixed)

Details

(Whiteboard: [sg:dos], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

a year ago
Created attachment 8855368 [details]
crash01.html

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170406030206

Steps to reproduce:

Open crash01.html in the latest Firefox nightly on Windows 10.

Actual results:

Firefox crashes while trying to compile the shader.

This causes the crash:

precision mediump float ; 
void main( ) {
	if (true) 
	const float aVariable = 0.0 ; 
}

Unfortunately, I was not able to analyze with WinDbg because I only got a ###!!! [Parent][MessageChannel] Error: (msgtype=0x2C008D,name=PBrowser::Msg_UpdateNativeWindowHandle) Channel error: cannot send/recv

So I'm not sure if the crash is really security relevant.

I sent a crash report as well:
https://crash-stats.mozilla.com/report/index/6ead8220-e7ec-4bcb-a839-21b6c2170406



Expected results:

No Crash
(Reporter)

Updated

a year ago
OS: Unspecified → Windows 10
Jeff: this looks like a null deref from the crash report, but please take a look and see if there's anything to worry about here.
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Canvas: WebGL
Flags: needinfo?(jgilbert)
Keywords: crash, testcase
Product: Firefox → Core
Still a null deref in nightly. I'm going to open this up
bp-435b94d7-84e4-4a6a-95ed-9be2d0170511
Group: gfx-core-security
Keywords: csectype-nullptr
Whiteboard: [sg:dos]

Comment 3

11 months ago
I don't see the crashes after 2017/06. Michael, please help to confirm whether it was resolved or not.
Assignee: nobody → cleu
(Assignee)

Comment 4

11 months ago
This crash is still present in Nightly 56.0a1 (2017-07-09).

I will look into it and test whether it would be fixed by updating to a newer ANGLE version.
(Assignee)

Updated

11 months ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 5

11 months ago
It is confirmed that this issue will be fixed after updating ANGLE to chromium/3118.
(Assignee)

Updated

11 months ago
Depends on: 1371190
(Assignee)

Comment 6

7 months ago
It's fixed by updating ANGLE
Status: NEW → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → FIXED
Crash Signature: [@ sh::CollectVariables::visitDeclaration ]
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fixed
status-firefox-esr52: --- → unaffected
Flags: needinfo?(jgilbert)
Target Milestone: --- → mozilla58