Open Bug 1507813 Opened 6 years ago Updated 2 years ago

Assertion failure: groupSize <= groupStride, at /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:2224

Categories

(Core :: Graphics: CanvasWebGL, defect, P3)

Product:
Core
Component:
Graphics: CanvasWebGL
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox65 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

testcase.html
2.00 KB, text/html
Details
Attached file testcase.html 
Testcase found while fuzzing mozilla-central rev 4d6d3403eb6b.

Assertion failure: groupSize <= groupStride, at /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:2224

rax = 0x00005600c9554e40   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x00007fc48ab12080
rsi = 0x00007fc4a299e97f   rdi = 0x00007fc4af6bf680
rbp = 0x00007ffe4265fda0   rsp = 0x00007ffe4265fda0
r8 = 0x00007fc4af6c08b0    r9 = 0x00007fc4b0831740
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007fc4944b7ba0   r13 = 0xffffffffffffffff
r14 = 0x00007fc494b76800   r15 = 0x00007fc495e71408
rip = 0x00007fc49eac8a95
OS|Linux|0.0.0 Linux 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::AvailGroups(unsigned long, unsigned long, unsigned int, unsigned int)|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLContext.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|2224|0x0
0|1|libxul.so|mozilla::webgl::LinkedProgramInfo::GetDrawFetchLimits() const|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLProgram.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|539|0x16
0|2|libxul.so|mozilla::ValidateDraw(mozilla::WebGLContext*, unsigned int, unsigned int)|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLContextDraw.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|321|0x10
0|3|libxul.so|mozilla::WebGLContext::DrawArraysInstanced(unsigned int, int, int, int)|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLContextDraw.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|487|0x11
0|4|libxul.so|mozilla::WebGLContext::DrawArrays(unsigned int, int, int)|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLContext.h:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|1354|0x17
0|5|libxul.so|mozilla::dom::WebGLRenderingContext_Binding::drawArrays|s3:gecko-generated-sources:d4059690b855768aa609214d903948d158dec197f69184b4e0fed259643e2793cb5a615615ec292643c88c07ae770890dcf3037f966b0d1446fd3c252770d687/dom/bindings/WebGLRenderingContextBinding.cpp:|15819|0x11
0|6|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|3378|0x9
0|7|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|468|0x3
0|8|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|560|0xf
0|9|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|614|0xd
0|10|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|620|0xf
0|11|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|447|0xb
0|12|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|587|0xf
0|13|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|614|0xd
0|14|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|633|0x5
0|15|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|2975|0x1c
0|16|libxul.so|mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&)|s3:gecko-generated-sources:b504f583ed3111ab416617cd63caa012e7478d0516eb5d3bc3cd43cef007715c1a91854c0528b0ec8e85f6341ccebf73a1b2c32556687ebaf4023e3c38ff4197/dom/bindings/EventListenerBinding.cpp:|52|0x5
0|17|libxul.so|void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:f3d9c01258576daaac3afc4fb3b283652e7f1168abb5287eff6775451ebd0ab6a0e4c8d88d3a67f7147042501bc091c6dfed25b4b8ccf4e4f420897b8d0ba906/dist/include/mozilla/dom/EventListenerBinding.h:|66|0x1c
0|18|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|1112|0x26
0|19|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|1317|0x16
0|20|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.h:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|391|0x6
0|21|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|642|0x12
0|22|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|1165|0x1a
0|23|libxul.so|nsDocumentViewer::LoadComplete(nsresult)|hg:hg.mozilla.org/mozilla-central:layout/base/nsDocumentViewer.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|1167|0x2c
0|24|libxul.so|nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|7050|0x18
0|25|libxul.so|nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|6841|0x18
0|26|libxul.so|nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|1309|0x2b
0|27|libxul.so|nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|852|0x22
0|28|libxul.so|nsDocLoader::DocLoaderIsEmpty(bool)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|741|0xf
0|29|libxul.so|nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsDocLoader.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|630|0x16
0|30|libxul.so|mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsLoadGroup.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|630|0x1f
0|31|libxul.so|nsIDocument::DoUnblockOnload()|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|8488|0x20
0|32|libxul.so|nsDocument::UnblockOnload(bool)|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|8410|0x8
0|33|libxul.so|nsIDocument::DispatchContentLoadedEvents()|hg:hg.mozilla.org/mozilla-central:dom/base/nsDocument.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|5306|0x11
0|34|libxul.so|mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|1191|0x13
0|35|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|337|0x15
0|36|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|1244|0x11
0|37|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|530|0x11
0|38|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|97|0xa
0|39|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|325|0x17
0|40|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|318|0x8
0|41|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|158|0xd
0|42|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|961|0x11
0|43|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|269|0x5
0|44|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|325|0x17
0|45|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|318|0x8
0|46|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|787|0x8
0|47|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|50|0x14
0|48|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|287|0x11
0|49|libc-2.27.so||||0x21b97
0|50|firefox-bin|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:4d6d3403eb6b015ebd2e6949d57dd518d07d024f|164|0x5
Flags: in-testsuite?
Flags: needinfo?(jgilbert)
Priority: -- → P3
Thanks!
Flags: needinfo?(jgilbert)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: