Closed Bug 1506840 Opened Last year Closed Last year

WebGL 2 blitFramebuffer crashes tab on attachment mismatch

Categories

(Core :: Canvas: WebGL, defect)

63 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
Tracking Status
firefox-esr60 - wontfix
firefox63 --- wontfix
firefox64 --- unaffected
firefox65 --- unaffected

People

(Reporter: tareksherif, Assigned: jgilbert)

References

Details

Crash Data

Attachments

(2 files)

Attached file ff-blit-bug.html
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

Load the attached html page in Firefox (can be loaded from the file system).

The codes creates two framebuffer objects, the first has a color attachment and a depth attachment, the second has only a color attachment. Then it does a blit using the mask COLOR_BUFFER_BIT | DEPTH_BUFFER_BIT. This cause the tab to crash. Removing the DEPTH_BUFFER_BIT from the mask or removing the depth attachment to the first framebuffer resolves the issue. Chrome allows the original code, though I don't believe that's correct either. The relevant text form the ES 3.0 spec (section 4.3.3) suggests that it should cause an INVALID_OPERATION error:

"Calling BlitFramebuffer will result in an INVALID_OPERATION error if mask includes DEPTH_BUFFER_BIT or STENCIL_BUFFER_BIT, and the source and destination depth and stencil buffer formats do not match."

There appears to have been a similar issue a few years ago: https://bugzilla.mozilla.org/show_bug.cgi?id=1316327


Actual results:

Tab crashes.


Expected results:

Do nothing.
Component: Untriaged → Canvas: WebGL
Product: Firefox → Core
Fixed by 1498070 in 64. Repros in 63release and 60esr.
Assignee: nobody → jgilbert
Status: UNCONFIRMED → ASSIGNED
Depends on: 1498070
Ever confirmed: true
MozReview-Commit-ID: 5Jy0HL8Wxyx
FWIW, this is a benign null pointer member deref, so WONTFIX for Release.
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Crash Signature: [@ mozilla::WebGLFBAttachPoint::IsDefined ]
Thanks!
You need to log in before you can comment on or make changes to this bug.