Closed Bug 1506840 Opened Last year Closed Last year
GL 2 blit Framebuffer crashes tab on attachment mismatch
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

Load the attached html page in Firefox (can be loaded from the file system). The code creates two framebuffer objects, the first has a color attachment and a depth attachment, the second has only a color attachment. Then it does a blit using the mask COLOR_BUFFER_BIT | DEPTH_BUFFER_BIT. This causes the tab to crash.

Removing the DEPTH_BUFFER_BIT from the mask or removing the depth attachment to the first framebuffer resolves the issue.

Chrome allows the original code, though I don't believe that's correct either. The relevant text from the ES 3.0 spec (section 4.3.3) suggests that it should cause an INVALID_OPERATION error:

"Calling BlitFramebuffer will result in an INVALID_OPERATION error if mask includes DEPTH_BUFFER_BIT or STENCIL_BUFFER_BIT, and the source and destination depth and stencil buffer formats do not match."

There appears to have been a similar issue a few years ago: https://bugzilla.mozilla.org/show_bug.cgi?id=1316327

Actual results:

Tab crashes.

Expected results:

Do nothing.
Fixed by 1498070 in 64. Repros in 63release and 60esr.
It's crashing inside IsEquivalentForFeedback, called from: https://dxr.mozilla.org/mozilla-release/rev/99db2272d28e5feb66fd05bef4852e38bba6868f/dom/canvas/WebGLFramebuffer.cpp#1881 Though the permalink is 500ing for me, so here's the temporary link: https://dxr.mozilla.org/mozilla-release/source/dom/canvas/WebGLFramebuffer.cpp#1881
FWIW, this is a benign null pointer member deref, so WONTFIX for Release.
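Added example (not part of the bug thread and not Firefox's code): a null-safe validation of the depth/stencil bits of a blit mask, checking that an attachment exists on both sides before comparing formats. Plain objects stand in for framebuffers, `validateBlit` and the `fbo*` inputs are hypothetical, and ignoring a mask bit whose buffer is missing on either side follows the glBlitFramebuffer reference wording and is an assumption about the intended behaviour here.

```javascript
// Added example: hypothetical model, not Firefox's WebGLFramebuffer.
// `null` in a slot means "no attachment".
const COLOR_BUFFER_BIT = 0x4000;
const DEPTH_BUFFER_BIT = 0x0100;
const STENCIL_BUFFER_BIT = 0x0400;
const NO_ERROR = 0;
const INVALID_OPERATION = 0x0502;

const CHECKED_BITS = [
  { bit: DEPTH_BUFFER_BIT, slot: "depth" },
  { bit: STENCIL_BUFFER_BIT, slot: "stencil" },
];

// Returns { error, mask }: the GL error code and the bits that would be copied.
// Only the depth/stencil rule quoted in the report is modelled; color checks
// are out of scope for this sketch.
function validateBlit(src, dst, mask) {
  let effective = mask;
  for (const { bit, slot } of CHECKED_BITS) {
    if (!(mask & bit)) continue;
    const s = src[slot];
    const d = dst[slot];
    // Test presence BEFORE reading .format. The thread reports a null pointer
    // member deref on the comparison path when the attachments do not line up.
    if (s == null || d == null) {
      effective &= ~bit; // assumption: buffer missing on one side => bit ignored
      continue;
    }
    if (s.format !== d.format) {
      return { error: INVALID_OPERATION, mask: 0 };
    }
  }
  return { error: NO_ERROR, mask: effective };
}

// Constructed inputs mirroring the report: fbo1 has color + depth, fbo2 color only.
const fbo1 = { color: { format: "RGBA8" }, depth: { format: "DEPTH_COMPONENT16" }, stencil: null };
const fbo2 = { color: { format: "RGBA8" }, depth: null, stencil: null };
// Constructed mismatch case: depth present on both sides, formats differ.
const fbo3 = { color: { format: "RGBA8" }, depth: { format: "DEPTH_COMPONENT24" }, stencil: null };

console.log(validateBlit(fbo1, fbo2, COLOR_BUFFER_BIT | DEPTH_BUFFER_BIT));
console.log(validateBlit(fbo1, fbo3, COLOR_BUFFER_BIT | DEPTH_BUFFER_BIT));
```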
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED