Closed Bug 1611837 Opened 4 years ago Closed 4 years ago

Assertion failure: data, at /builds/worker/workspace/build/src/dom/canvas/WebGLContextBuffers.cpp:257

Categories

(Core :: Graphics: CanvasWebGL, defect, P1)

Product:
Core
Component:
Graphics: CanvasWebGL
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla74
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- unaffected
firefox74 --- fixed

People

(Reporter: jkratzer, Assigned: jgilbert)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(5 files)

testcase.html
660 bytes, text/html
Details
script.js
55 bytes, application/x-javascript
Details
testcase-min.html
190 bytes, text/html
Details
testcase-bindbuffer.html
311 bytes, text/html
Details
Bug 1611837 - Allow null `data` if `dataLen` is zero.
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev c0fa6d007c58.

Steps to reproduce:

  1. Place both files, testcase.html and script.js in the same directoy.
  2. Access testcase.html with Firefox.
rax = 0x0000558c8a5b2340   rdx = 0x0000000000000000
rcx = 0x00007feeea10bc98   rbx = 0x00007ffc8047ccd8
rsi = 0x00007feef6bf28b0   rdi = 0x00007feef6bf1680
rbp = 0x00007ffc8047ccc0   rsp = 0x00007ffc8047cc70
r8 = 0x00007feef6bf28b0    r9 = 0x00007feef7d59780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007ffc8047cd2c   r13 = 0x00007ffc8047cd20
r14 = 0x00007ffc8047cd48   r15 = 0xffffffffffffffff
rip = 0x00007feee696c422
OS|Linux|0.0.0 Linux 5.3.0-26-generic #28~18.04.1-Ubuntu SMP Wed Dec 18 16:40:14 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::WebGLContext::BufferSubData(unsigned int, unsigned long, unsigned long, unsigned char const*) const|hg:hg.mozilla.org/mozilla-central:dom/canvas/WebGLContextBuffers.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|257|0x2e
0|1|libxul.so|void mozilla::RunOn<void (mozilla::HostWebGLContext::*)(unsigned int, unsigned long, mozilla::RawBuffer<unsigned char const, unsigned char, 0> const&) const, &(mozilla::HostWebGLContext::BufferSubData(unsigned int, unsigned long, mozilla::RawBuffer<unsigned char const, unsigned char, 0> const&) const), void, 86ul, unsigned int&, long&, mozilla::RawBuffer<unsigned char const, unsigned char, 0> >(mozilla::ClientWebGLContext const&, unsigned int&, long&, mozilla::RawBuffer<unsigned char const, unsigned char, 0>&&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/ClientWebGLContext.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|371|0x21
0|2|libxul.so|mozilla::ClientWebGLContext::BufferSubData(unsigned int, long, mozilla::dom::TypedArray<unsigned char, &JS::UnwrapArrayBufferMaybeShared, &JS::GetArrayBufferMaybeSharedData, &JS::GetArrayBufferMaybeSharedLengthAndData, &JS::NewArrayBuffer> const&)|hg:hg.mozilla.org/mozilla-central:dom/canvas/ClientWebGLContext.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2653|0x5
0|3|libxul.so|mozilla::dom::WebGLRenderingContext_Binding::bufferSubData|s3:gecko-generated-sources:618398f528d24dc75111d50d9af0a64517ae40eaba9b6f6c009518901f3c9643dffd76bb7ac565d01dccc973ee14f4ee5d2bed8cb79ab94edd4203c39b789146/dom/bindings/WebGLRenderingContextBinding.cpp:|13318|0x19
0|4|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3151|0x21
0|5|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|450|0x19
0|6|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|542|0x12
0|7|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|605|0x10
0|8|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|609|0x18
0|9|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|386|0xfe
0|10|libxul.so|js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|798|0x5
0|11|libxul.so|js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|831|0x28
0|12|libxul.so|ExecuteScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/CompilationAndEvaluation.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|452|0x12
0|13|libxul.so|ExecuteScript|hg:hg.mozilla.org/mozilla-central:js/src/vm/CompilationAndEvaluation.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|472|0x1b
0|14|libxul.so|nsJSUtils::ExecutionContext::ExecScript()|hg:hg.mozilla.org/mozilla-central:dom/base/nsJSUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|413|0x14
0|15|libxul.so|mozilla::dom::ExecuteCompiledScript|hg:hg.mozilla.org/mozilla-central:dom/script/ScriptLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2619|0x8
0|16|libxul.so|mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*)|hg:hg.mozilla.org/mozilla-central:dom/script/ScriptLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2843|0x12
0|17|libxul.so|mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*)|hg:hg.mozilla.org/mozilla-central:dom/script/ScriptLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2320|0xb
0|18|libxul.so|mozilla::dom::ScriptLoader::CompileOffThreadOrProcessRequest(mozilla::dom::ScriptLoadRequest*)|hg:hg.mozilla.org/mozilla-central:dom/script/ScriptLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|2183|0xb
0|19|libxul.so|mozilla::dom::ScriptLoader::ProcessPendingRequests()|hg:hg.mozilla.org/mozilla-central:dom/script/ScriptLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3116|0x5
0|20|libxul.so|mozilla::dom::ScriptLoader::OnStreamComplete(nsIIncrementalStreamLoader*, mozilla::dom::ScriptLoadRequest*, nsresult, nsresult, mozilla::dom::SRICheckDataVerifier*)|hg:hg.mozilla.org/mozilla-central:dom/script/ScriptLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|3323|0x8
0|21|libxul.so|mozilla::dom::ScriptLoadHandler::OnStreamComplete(nsIIncrementalStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*)|hg:hg.mozilla.org/mozilla-central:dom/script/ScriptLoadHandler.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|424|0x26
0|22|libxul.so|nsIncrementalStreamLoader::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsIncrementalStreamLoader.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|86|0x24
0|23|libxul.so|nsBaseChannel::OnStopRequest(nsIRequest*, nsresult)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsBaseChannel.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|844|0x10
0|24|libxul.so|nsInputStreamPump::OnStateStop()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|672|0x1a
0|25|libxul.so|nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|420|0x8
0|26|libxul.so|nsInputStreamReadyEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/io/nsStreamUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|89|0x6
0|27|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|1220|0xe
0|28|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|486|0x11
0|29|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|87|0xa
0|30|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|315|0x19
0|31|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:c0fa6d007c58437398cc06a97d221c42d41dcf9e|290|0x8
0|32|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|137|0xd
0|33|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|272|0x10
0|34|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4624|0x16
0|35|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4761|0x8
0|36|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|4842|0x5
0|37|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|217|0x26
0|38|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|339|0xf
0|39|libc-2.27.so||||0x21b97
0|40|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:c0fa6d007c58437398cc06a97d221c42d41dcf9e|82|0x12
0|41|firefox-bin||||0x10e30
0|42|ld-2.27.so||||0x10733
0|43|libdl-2.27.so||||0x202d80
0|44|libpthread-2.27.so||||0x219bb0
0|45|firefox-bin||||0x10e30
0|46|firefox-bin|_start|||0x29
Flags: in-testsuite?
Attached file script.js

:jgilbert, can you comment to the bug?

Flags: needinfo?(jgilbert)
Priority: -- → P3
Flags: needinfo?(jgilbert)
Priority: P3 → P1
Attached file testcase-min.html

Minimal testcase. postMessageing buffer truncates the length to zero, and the script.js file just calls bufferSubData(ARRAY_BUFFER, 0, buffer).

Assignee: nobody → jgilbert

Also test that bufferSubData(size:0) works well.

Status: NEW → ASSIGNED
Pushed by jgilbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/32be0a263990
Allow null `data` if `dataLen` is zero. r=lsalzman

https://hg.mozilla.org/mozilla-central/rev/32be0a263990

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox74: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla74

Can we land a test for this?

status-firefox72: --- → unaffected
status-firefox73: --- → unaffected
status-firefox-esr68: --- → unaffected
Flags: needinfo?(jgilbert)

I can upstream something.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: