Closed
Bug 1453209
Opened 5 years ago
Closed 5 years ago
Hit MOZ_CRASH(Unexpected error with MOZ_GL_DEBUG_ABORT_ON_ERROR) at /home/worker/workspace/build/src/gfx/gl/GLContext.h:769
Categories
(Core :: Graphics: CanvasWebGL, defect, P3)
Tracking
()
RESOLVED
WONTFIX
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | - | wontfix |
| firefox-esr60 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | unaffected |
| firefox61 | --- | unaffected |
| firefox62 | --- | unaffected |
People
(Reporter: jkratzer, Assigned: jgilbert)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [gfx-noted])
Attachments
(1 file)
|
354 bytes,
text/html
|
Details |
Testcase found while fuzzing esr52 rev d61516b059c1. rax = 0x0000000000625d50 rdx = 0x0000000000000000 rcx = 0x00007fc7b49f9231 rbx = 0x00007fc788560000 rsi = 0x00007fc7afb90770 rdi = 0x00007fc7afb8f540 rbp = 0x00007ffe8b67ba60 rsp = 0x00007ffe8b67ba40 r8 = 0x00007fc7afb90770 r9 = 0x00007fc7b7144c00 r10 = 0x0000000000000043 r11 = 0x0000000000000000 r12 = 0x0000000000000501 r13 = 0x00007fc7b4b4a1b0 r14 = 0x00007fc788560000 r15 = 0x0000000000000000 rip = 0x00007fc7b1c88cb9 OS|Linux|0.0.0 Linux 4.4.0-119-generic #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV|0x0|0 0|0|libxul.so|mozilla::gl::GLContext::AfterGLCall|hg:hg.mozilla.org/releases/mozilla-esr52:gfx/gl/GLContext.h:d61516b059c1|768|0x0 0|1|libxul.so|mozilla::WebGL2Context::BindSampler|hg:hg.mozilla.org/releases/mozilla-esr52:gfx/gl/GLContext.h:d61516b059c1|2988|0xf 0|2|libxul.so|mozilla::dom::WebGL2RenderingContextBinding::bindSampler|hg:hg.mozilla.org/releases/mozilla-esr52:obj-firefox/dom/bindings/WebGL2RenderingContextBinding.cpp:d61516b059c1|6753|0xf 0|3|libxul.so|mozilla::dom::GenericBindingMethod|hg:hg.mozilla.org/releases/mozilla-esr52:dom/bindings/BindingUtils.cpp:d61516b059c1|2904|0x9 0|4|libxul.so|js::CallJSNative|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jscntxtinlines.h:d61516b059c1|239|0x9 0|5|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|459|0xf 0|6|libxul.so|Interpret|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|510|0xf 0|7|libxul.so|js::RunScript|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|405|0xb 0|8|libxul.so|js::InternalCallOrConstruct|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|477|0xb 0|9|libxul.so|js::Call|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/vm/Interpreter.cpp:d61516b059c1|523|0x5 0|10|libxul.so|JS::Call|hg:hg.mozilla.org/releases/mozilla-esr52:js/src/jsapi.cpp:d61516b059c1|2828|0x20 0|11|libxul.so|mozilla::dom::EventListener::HandleEvent|hg:hg.mozilla.org/releases/mozilla-esr52:obj-firefox/dom/bindings/EventListenerBinding.cpp:d61516b059c1|48|0xc 0|12|libxul.so|mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>|hg:hg.mozilla.org/releases/mozilla-esr52:obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:d61516b059c1|64|0x1c 0|13|libxul.so|mozilla::EventListenerManager::HandleEventSubType|hg:hg.mozilla.org/releases/mozilla-esr52:dom/events/EventListenerManager.cpp:d61516b059c1|1131|0x33 0|14|libxul.so|mozilla::EventListenerManager::HandleEventInternal|hg:hg.mozilla.org/releases/mozilla-esr52:dom/events/EventListenerManager.cpp:d61516b059c1|1287|0x23 0|15|libxul.so|mozilla::EventTargetChainItem::HandleEvent|hg:hg.mozilla.org/releases/mozilla-esr52:dom/events/EventListenerManager.h:d61516b059c1|375|0xa 0|16|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain|hg:hg.mozilla.org/releases/mozilla-esr52:dom/events/EventDispatcher.cpp:d61516b059c1|380|0xf 0|17|libxul.so|mozilla::EventDispatcher::Dispatch|hg:hg.mozilla.org/releases/mozilla-esr52:dom/events/EventDispatcher.cpp:d61516b059c1|712|0x5 0|18|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent|hg:hg.mozilla.org/releases/mozilla-esr52:dom/events/EventDispatcher.cpp:d61516b059c1|781|0x16 0|19|libxul.so|nsINode::DispatchEvent|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsINode.cpp:d61516b059c1|1309|0x5 0|20|libxul.so|nsContentUtils::DispatchEvent|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsContentUtils.cpp:d61516b059c1|4011|0x17 0|21|libxul.so|nsContentUtils::DispatchTrustedEvent|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsContentUtils.cpp:d61516b059c1|3980|0xf 0|22|libxul.so|nsDocument::DispatchContentLoadedEvents|hg:hg.mozilla.org/releases/mozilla-esr52:dom/base/nsDocument.cpp:d61516b059c1|4971|0x28 0|23|libxul.so|mozilla::detail::RunnableMethodImpl<void (nsDocument::*)(), true, false>::Run|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/nsThreadUtils.h:d61516b059c1|810|0x5 0|24|libxul.so|nsThread::ProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/threads/nsThread.cpp:d61516b059c1|1216|0x11 0|25|libxul.so|NS_ProcessNextEvent|hg:hg.mozilla.org/releases/mozilla-esr52:xpcom/glue/nsThreadUtils.cpp:d61516b059c1|361|0xd 0|26|libxul.so|mozilla::ipc::MessagePump::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/glue/MessagePump.cpp:d61516b059c1|96|0xa 0|27|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|232|0x17 0|28|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|225|0x8 0|29|libxul.so|nsBaseAppShell::Run|hg:hg.mozilla.org/releases/mozilla-esr52:widget/nsBaseAppShell.cpp:d61516b059c1|156|0xd 0|30|libxul.so|XRE_RunAppShell|hg:hg.mozilla.org/releases/mozilla-esr52:toolkit/xre/nsEmbedFunctions.cpp:d61516b059c1|866|0x6 0|31|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/glue/MessagePump.cpp:d61516b059c1|269|0x5 0|32|libxul.so|MessageLoop::RunInternal|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|232|0x17 0|33|libxul.so|MessageLoop::Run|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/chromium/src/base/message_loop.cc:d61516b059c1|225|0x8 0|34|libxul.so|XRE_InitChildProcess|hg:hg.mozilla.org/releases/mozilla-esr52:toolkit/xre/nsEmbedFunctions.cpp:d61516b059c1|698|0xf 0|35|plugin-container|content_process_main|hg:hg.mozilla.org/releases/mozilla-esr52:ipc/contentproc/plugin-container.cpp:d61516b059c1|197|0xe 0|36|libc-2.23.so||||0x20830 0|37|plugin-container|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/releases/mozilla-esr52:mfbt/Assertions.h:d61516b059c1|170|0x5
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
This was fixed in 57 by bug 1217290, where we used to cast to the uint32_t to an int32_t to do a signed comparison, but in this case it will just be 0xFFFFFFFF which is -1. https://searchfox.org/mozilla-central/diff/886fe4b600e6f3024c79e16095b97191b25dc971/dom/canvas/WebGL2ContextSamplers.cpp#62
|
|
||
Updated•5 years ago
|
status-firefox59:
--- → unaffected
status-firefox60:
--- → unaffected
status-firefox61:
--- → unaffected
status-firefox-esr52:
--- → affected
status-firefox-esr60:
--- → unaffected
Version: 59 Branch → 52 Branch
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → jgilbert
|
|
Assignee | |
Comment 2•5 years ago
|
||
[Tracking Requested - why for this release]:
This seems like a sec:dos. Do we want a fix for this late in esr52?
The GL driver will keep itself safe here.
The line that unconditionally follows is scary:
> mBoundSamplers[unit] = sampler;
But mBoundSamplers is an nsTArray, which will crash on invalid access, as would the accesses in InvalidateResolveCacheForTextureWithTexUnit.
tracking-firefox-esr52:
--- → ?
|
||
Comment 3•5 years ago
|
||
Doesn't sound severe enough to warrant concern this late in the ESR52 cycle.
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox62:
--- → unaffected
Flags: in-testsuite? → in-testsuite-
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•