Closed
Bug 1506840
Opened 6 years ago
Closed 6 years ago
WebGL 2 blitFramebuffer crashes tab on attachment mismatch
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
firefox-esr60 | - | wontfix |
firefox63 | --- | wontfix |
firefox64 | --- | unaffected |
firefox65 | --- | unaffected |
People
(Reporter: tareksherif, Assigned: jgilbert)
References
Details
Crash Data
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0 Steps to reproduce: Load the attached html page in Firefox (can be loaded from the file system). The codes creates two framebuffer objects, the first has a color attachment and a depth attachment, the second has only a color attachment. Then it does a blit using the mask COLOR_BUFFER_BIT | DEPTH_BUFFER_BIT. This cause the tab to crash. Removing the DEPTH_BUFFER_BIT from the mask or removing the depth attachment to the first framebuffer resolves the issue. Chrome allows the original code, though I don't believe that's correct either. The relevant text form the ES 3.0 spec (section 4.3.3) suggests that it should cause an INVALID_OPERATION error: "Calling BlitFramebuffer will result in an INVALID_OPERATION error if mask includes DEPTH_BUFFER_BIT or STENCIL_BUFFER_BIT, and the source and destination depth and stencil buffer formats do not match." There appears to have been a similar issue a few years ago: https://bugzilla.mozilla.org/show_bug.cgi?id=1316327 Actual results: Tab crashes. Expected results: Do nothing.
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 1•6 years ago
|
||
Fixed by 1498070 in 64. Repros in 63release and 60esr.
Assignee: nobody → jgilbert
Status: UNCONFIRMED → ASSIGNED
status-firefox63:
--- → wontfix
status-firefox64:
--- → unaffected
status-firefox-esr60:
--- → affected
tracking-firefox-esr60:
--- → ?
Depends on: 1498070
Ever confirmed: true
Assignee | ||
Comment 2•6 years ago
|
||
It's crashing inside IsEquivalentForFeedback, called from: https://dxr.mozilla.org/mozilla-release/rev/99db2272d28e5feb66fd05bef4852e38bba6868f/dom/canvas/WebGLFramebuffer.cpp#1881 Though the permalink is 500ing for me, so here's the temporary link: https://dxr.mozilla.org/mozilla-release/source/dom/canvas/WebGLFramebuffer.cpp#1881
Assignee | ||
Comment 3•6 years ago
|
||
MozReview-Commit-ID: 5Jy0HL8Wxyx
Assignee | ||
Comment 4•6 years ago
|
||
FWIW, this is a benign null pointer member deref, so WONTFIX for Release.
Assignee | ||
Updated•6 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
|
Crash Signature: [@ mozilla::WebGLFBAttachPoint::IsDefined ]
Assignee | ||
Comment 5•6 years ago
|
||
Thanks!
You need to log in
before you can comment on or make changes to this bug.
Description
•