Closed Bug 1354197 Opened 7 years ago Closed 7 years ago

WebGL EXCEPTION_ACCESS_VIOLATION_READ in sh::CollectVariables::visitDeclaration

Categories

(Core :: Graphics: CanvasWebGL, defect)

55 Branch
Unspecified
Windows 10
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: aral.yaman, Assigned: cleu)

References

Details

(Keywords: crash, csectype-nullptr, testcase, Whiteboard: [sg:dos])

Crash Data

Attachments

(1 file)

Attached file crash01.html
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Build ID: 20170406030206

Steps to reproduce:

Open crash01.html in the latest Firefox nightly on Windows 10.

Actual results:

Firefox crashes while trying to compile the shader.

This causes the crash:

precision mediump float;
void main() {
	if (true)
	const float aVariable = 0.0;
}

Unfortunately, I was not able to analyze it with WinDbg because I only got a ###!!! [Parent][MessageChannel] Error: (msgtype=0x2C008D,name=PBrowser::Msg_UpdateNativeWindowHandle) Channel error: cannot send/recv

So I'm not sure if the crash is really security relevant.

I sent a crash report as well:
https://crash-stats.mozilla.com/report/index/6ead8220-e7ec-4bcb-a839-21b6c2170406

Expected results:

No Crash
OS: Unspecified → Windows 10
Jeff: this looks like a null deref from the crash report, but please take a look and see if there's anything to worry about here.
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Canvas: WebGL
Flags: needinfo?(jgilbert)
Keywords: crash, testcase
Product: Firefox → Core
Still a null deref in nightly. I'm going to open this up
bp-435b94d7-84e4-4a6a-95ed-9be2d0170511
Group: gfx-core-security
Whiteboard: [sg:dos]
I don't see the crashes after 2017/06. Michael, please help confirm whether it was resolved or not.
Assignee: nobody → cleu
This crash is still present in Nightly 56.0a1 (2017-07-09).

I will look into it and test whether it would be fixed by updating to a newer ANGLE version.
Status: UNCONFIRMED → NEW
Ever confirmed: true
It is confirmed that this issue will be fixed after updating ANGLE to chromium/3118.
Depends on: 1371190
It's fixed by updating ANGLE
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Crash Signature: [@ sh::CollectVariables::visitDeclaration ]
Flags: needinfo?(jgilbert)
Target Milestone: --- → mozilla58