Closed Bug 1452830 Opened 2 years ago Closed 9 months ago

Assertion failure: false (GFX: We should have caught all other errors.), at /builds/worker/workspace/build/src/dom/canvas/WebGLTextureUpload.cpp:1514

Categories

(Core :: Canvas: WebGL, defect, P3, critical)

59 Branch
Unspecified
Linux
defect

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr60 --- wontfix
firefox67 --- unaffected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase, Whiteboard: [gfx-noted])

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 30d72755b174.

==4607==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0aba46ab1a bp 0x7fff87224600 sp 0x7fff872243a0 T0)
==4607==The signal is caused by a WRITE memory access.
==4607==Hint: address points to the zero page.
    #0 0x7f0aba46ab19 in _M_set_node /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/stl_deque.h:242:10
    #1 0x7f0aba46ab19 in _M_pop_back_aux /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/deque.tcc:513
    #2 0x7f0aba46ab19 in pop_back /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/stl_deque.h:1459
    #3 0x7f0aba46ab19 in pop /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/stl_stack.h:218
    #4 0x7f0aba46ab19 in ~LocalErrorScope /builds/worker/workspace/build/src/gfx/gl/GLContext.h:640
    #5 0x7f0aba46ab19 in DoCompressedTexImage /builds/worker/workspace/build/src/dom/canvas/WebGLTextureUpload.cpp:919
    #6 0x7f0aba46ab19 in mozilla::WebGLTexture::CompressedTexImage(char const*, StrongGLenum<TexImageTargetDetails>, int, unsigned int, int, int, int, int, mozilla::TexImageSource const&, mozilla::Maybe<int> const&) /builds/worker/workspace/build/src/dom/canvas/WebGLTextureUpload.cpp:1505
    #7 0x7f0aba3a1446 in mozilla::WebGLContext::CompressedTexImage(char const*, unsigned char, unsigned int, int, unsigned int, int, int, int, int, mozilla::TexImageSource const&, mozilla::Maybe<int> const&) /builds/worker/workspace/build/src/dom/canvas/WebGLContextTextures.cpp:325:10
    #8 0x7f0ab934abd7 in CompressedTexImage3D<mozilla::dom::RootedSpiderMonkeyInterface<mozilla::dom::ArrayBufferView_base<&js::UnwrapArrayBufferView, &js::GetArrayBufferViewLengthAndData, &JS_GetArrayBufferViewType> > > /builds/worker/workspace/build/src/dom/canvas/WebGL2Context.h:138:9
    #9 0x7f0ab934abd7 in mozilla::dom::WebGL2RenderingContextBinding::compressedTexImage3D(JSContext*, JS::Handle<JSObject*>, mozilla::WebGL2Context*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WebGL2RenderingContextBinding.cpp:3186
    #10 0x7f0aba174631 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3191:13
    #11 0x7f0ac0a89927 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #12 0x7f0ac0a89927 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #13 0x7f0ac0a743e1 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #14 0x7f0ac0a743e1 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #15 0x7f0ac0a5a82a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #16 0x7f0ac0a896a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #17 0x7f0ac0a8a922 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #18 0x7f0ac15ab84d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3003:12
    #19 0x7f0ab98bd9df in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #20 0x7f0aba8a93f1 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #21 0x7f0aba8a93f1 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1104
    #22 0x7f0aba8aacb5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1276:20
    #23 0x7f0aba895047 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:527:16
    #24 0x7f0aba898de7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:914:9
    #25 0x7f0aba89b0fc in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:993:12
    #26 0x7f0ab7c5dac8 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1084:5
    #27 0x7f0ab77a5994 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4480:28
    #28 0x7f0ab77a5754 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4448:10
    #29 0x7f0ab7b90518 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5219:3
    #30 0x7f0ab7ca7a74 in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
    #31 0x7f0ab7ca7a74 in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1170
    #32 0x7f0ab7ca7a74 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1215
    #33 0x7f0ab49615c1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #34 0x7f0ab4980f18 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #35 0x7f0ab499d350 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #36 0x7f0ab587145a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #37 0x7f0ab57c1229 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #38 0x7f0ab57c1229 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #39 0x7f0ab57c1229 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #40 0x7f0abc4e2eba in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #41 0x7f0ac07a4edb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #42 0x7f0ab57c1229 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #43 0x7f0ab57c1229 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #44 0x7f0ab57c1229 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #45 0x7f0ac07a48a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #46 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #47 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #48 0x7f0ad486282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Attached file glxinfo.log
I can reproduce this as well. From my attached glxinfo, OpenGLCore has GL_EXT_texture_compression_s3tc and GL_EXT_texture_sRGB, which causes WebGLExtensionCompressedTextureS3TC_SRGB to be marked as supported, whitelisting COMPRESSED_SRGB_ALPHA_S3TC_DXT1_EXT as a valid format.

From https://www.khronos.org/registry/OpenGL/extensions/EXT/EXT_texture_sRGB.txt,

>    9)  Should S3TC compressed sRGB formats be supported?
>        
>        RESOLVED:  Yes, but only if EXT_texture_compression_s3tc is also
>        advertised.  For competitive reasons, we expect OpenGL will need
>        an S3TC-based block compression format for sRGB data.
>        
>        Rather than expose a separate "sRGB_compression" extension,
>        it makes more sense to specify a dependency between
>        EXT_texture_compression_s3tc and this extension such that when
>        BOTH extensions are exposed, the GL_COMPRESSED_SRGB*_S3TC_DXT*_EXT
>        tokens are accepted.
>        
>        We avoid explicitly requiring S3TC formats when EXT_texture_sRGB
>        is advertised to avoid IP encumbrances.

So we did the right thing. However it looks like if it had used OpenGLES instead, it would have failed, because my glxinfo output is missing the explicit extension which enables those formats, EXT_texture_compression_s3tc_srgb (https://www.khronos.org/registry/OpenGL/extensions/EXT/EXT_texture_compression_s3tc_srgb.txt).

apitrace did not produce much useful logging:

> major api error 4: GL_INVALID_ENUM in glCompressedTexImage3D(target)
> glGetError(glCompressedTexImage3D) = GL_INVALID_ENUM

So driver bug? (Thanks for the help debugging kvark!)
Flags: needinfo?(jgilbert)
Priority: -- → P3
Whiteboard: [gfx-noted]
OS: Unspecified → Linux
Attachment #8967342 - Attachment mime type: text/x-log → text/plain
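
The extension gating described in the comment above, as an added example that is not part of the bug or Firefox's code: it decides whether the sRGB S3TC formats are advertised from a glxinfo-style extension list, using the desktop rule quoted from EXT_texture_sRGB and the GLES rule the comment mentions. The type and function names (`GlApi`, `ParseExtensions`, `SrgbS3tcAdvertised`) and the sample extension strings are hypothetical and constructed for illustration.

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>

// Hypothetical names throughout; this is not Firefox's implementation.
enum class GlApi { Desktop, ES };

// Split a GL_EXTENSIONS / glxinfo-style list into exact tokens.
// Whole-token matching matters: "GL_EXT_texture_compression_s3tc" is a prefix
// of "GL_EXT_texture_compression_s3tc_srgb", so a substring search would
// report the former whenever only the latter is present.
std::set<std::string> ParseExtensions(const std::string& raw) {
    std::set<std::string> out;
    std::istringstream in(raw);
    for (std::string tok; in >> tok;) {
        if (tok.back() == ',') tok.pop_back();  // glxinfo separates with ", "
        if (!tok.empty()) out.insert(tok);
    }
    return out;
}

// Desktop GL: both EXT_texture_compression_s3tc and EXT_texture_sRGB must be
// advertised (issue 9 of EXT_texture_sRGB). GLES: the explicit
// EXT_texture_compression_s3tc_srgb extension is required.
bool SrgbS3tcAdvertised(GlApi api, const std::set<std::string>& exts) {
    if (api == GlApi::ES) {
        return exts.count("GL_EXT_texture_compression_s3tc_srgb") != 0;
    }
    return exts.count("GL_EXT_texture_compression_s3tc") != 0 &&
           exts.count("GL_EXT_texture_sRGB") != 0;
}

int main() {
    // Constructed sample, shaped like the situation the comment describes:
    // both base extensions present, the explicit sRGB S3TC extension absent.
    const auto exts = ParseExtensions(
        "GL_EXT_texture_compression_s3tc, GL_EXT_texture_sRGB, "
        "GL_ARB_texture_compression");
    std::cout << "desktop: " << SrgbS3tcAdvertised(GlApi::Desktop, exts) << "\n"
              << "es:      " << SrgbS3tcAdvertised(GlApi::ES, exts) << "\n";
    return 0;
}
```

As the apitrace output in the comment shows, a driver can still return GL_INVALID_ENUM for a format this check reports as advertised, so the upload path has to treat that error as reachable.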

We have code that very explicitly checks for this, and this is what I hit on my Windows machine:
https://searchfox.org/mozilla-central/rev/da3f3eaaacb6fb344fd21ac29ace2da0e33f12d3/dom/canvas/WebGLTextureUpload.cpp#995

These changes landed in v45, so I'm not sure why this would repro in 59.
Can you retest this?

Flags: needinfo?(jkratzer)

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

:jgilbert, I can no longer reproduce this using the latest nightly. Bisection reveals the following fix range:

Start: b89a744deccb5be6113036d95c5c208e1ae2b59f (20181011035309)
End: e4220fa7a191903a814e8cf473cf544fe9762625 (20181011035433)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b89a744deccb5be6113036d95c5c208e1ae2b59f&tochange=e4220fa7a191903a814e8cf473cf544fe9762625

Flags: needinfo?(jkratzer)

Awesome, thanks!

Status: NEW → RESOLVED
Closed: 9 months ago
Depends on: 1494809
Resolution: --- → FIXED