Closed Bug 1519699 Opened 7 years ago Closed 2 years ago

Crash in rx::VertexDataManager::storeCurrentValue

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Product:
Core
Component:
Graphics: CanvasWebGL
Version:
64 Branch
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix

People

(Reporter: philipp, Assigned: jgilbert)

References

Details

(4 keywords, Whiteboard: gfx-noted)

Crash Data

This bug was filed from the Socorro interface and is
report bp-062a7294-e3b8-423a-b4da-01af80190112.

=============================================================

Top 10 frames of crashing thread:

0 libglesv2.dll rx::VertexDataManager::storeCurrentValue gfx/angle/checkout/src/libANGLE/renderer/d3d/VertexDataManager.cpp:565
1 libglesv2.dll rx::StateManager11::updateState gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/StateManager11.cpp:2084
2 libglesv2.dll rx::Context11::drawElementsInstanced gfx/angle/checkout/src/libANGLE/renderer/d3d/d3d11/Context11.cpp:290
3 libglesv2.dll gl::Context::drawElementsInstanced gfx/angle/checkout/src/libANGLE/Context.cpp:2250
4 libglesv2.dll gl::DrawElementsInstancedANGLE gfx/angle/checkout/src/libGLESv2/entry_points_gles_ext_autogen.cpp:131
5 xul.dll void mozilla::gl::GLContext::raw_fDrawElementsInstanced gfx/gl/GLContext.h:2407
6 xul.dll mozilla::WebGLContext::DrawElementsInstanced dom/canvas/WebGLContextDraw.cpp:741
7 xul.dll void mozilla::WebGLContext::DrawElements dom/canvas/WebGLContext.h:1351
8 xul.dll static bool mozilla::dom::WebGLRenderingContext_Binding::drawElements dom/bindings/WebGLRenderingContextBinding.cpp:15524
9 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3315

=============================================================

this tab crash signature on windows is getting more common since firefox 64.
a number of user comments link the crash to playing games on facebook (like https://apps.facebook.com/candycrushsoda/?fb_source=canvas_bookmark).

Group: core-security → gfx-core-security
Keywords: sec-high
Assignee: nobody → jgilbert

It doesn't look like we're missing any ANGLE fixes for functions in that crash-stack.

I can't repro a crash even after playing a few levels of those games.

The crashing GPUs look like they're all over the place, including all vendors.

The top of the crashstack is:


    CurrentValueState *cachedState = &mCurrentValueCache[attribIndex];
    StreamingVertexBufferInterface &buffer = *cachedState->buffer;

    if (buffer.getBufferSize() == 0)
-> EXCEPTION_ACCESS_VIOLATION_READ

cachedState->buffer is probably null.

That's a weird way to write it, equivalent to:

    CurrentValueState& cachedState = mCurrentValueCache[attribIndex];
    StreamingVertexBufferInterface* buffer = cachedState.buffer;

    if (buffer->getBufferSize() == 0)

Also:

unsigned int VertexBufferInterface::getBufferSize() const
{
    ASSERT(mVertexBuffer);
    return mVertexBuffer->getBufferSize();
}

unsigned int VertexBuffer11::getBufferSize() const
{
    return mBufferSize;
}

So, buffer or mVertexBuffer might be null here. Since there's an assert on mVertexBuffer, maybe that's a hint for something to check.

By crash address, it's mostly u64(-1):
1 0xffffffffffffffff 100 59.17 %

1 	0xffffffffffffffff 	440 	51.95 %
2 	0x0 	                 64 	7.56 %
3 	0x4 	                 30 	3.54 %
4 	0x10 	                 18 	2.13 %
5 	0xffffffffe5e5e5e5 	 10 	1.18 %

e5 is jemalloc poison. UAF?
https://searchfox.org/mozilla-central/source/memory/build/mozjemalloc.cpp#1170

mVertexBuffer is never nulled except in ~VertexBufferInterface.

Keywords: stalled
Priority: -- → P1
Whiteboard: gfx-noted
Assignee: jgilbert → nobody

Hey Sotaro - could you take a peak at this bug and see if it is actionable? Thank you!

Assignee: nobody → sotaro.ikeda.g

I can push this forward by adding some more asserts.

Assignee: sotaro.ikeda.g → jgilbert

I'm also requesting raw dump access for crash reports to see if I can't reverse-engineer from them what's happening.

See Also: → 1613685

(In reply to Jeff Gilbert [:jgilbert] from comment #7)

I can push this forward by adding some more asserts.

Jeff, any update on this?

Flags: needinfo?(jgilbert)

Not yet.

Flags: needinfo?(jgilbert)
See Also: → 1655002
Severity: critical → S2
Depends on: angle-111

This crash is only happening in 78 so I'm closing as WORKSFORME

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.