Closed Bug 1959138 Opened 1 year ago Closed 10 months ago

macOS Crash in [@ glrWriteTextureData]

Categories

(Core :: Graphics: CanvasWebGL, defect)

Unspecified
macOS
defect

Tracking


RESOLVED DUPLICATE of bug 1966083
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox-esr140 --- fixed
firefox137 --- wontfix
firefox138 --- wontfix
firefox139 --- fixed
firefox140 --- fixed
firefox141 --- fixed

People

(Reporter: aryx, Unassigned)


Details

(Keywords: crash)


The crash volume multiplied with the release of Firefox 137.0. Crashes are on macOS with 44% of crashes on 12.7.6 21H1320.

Crash report: https://crash-stats.mozilla.org/report/index/cc0c1fd2-9866-4810-86cf-89d810250408

Reason:

EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE

Top 10 frames:

0  libsystem_platform.dylib  _platform_memmove$VARIANT$Haswell
1  ?  @0x00007000129b7c8f
2  AppleIntelBDWGraphicsGLDriver  glrWriteTextureData
3  GLEngine  glTexSubImage2D_Exec
4  GLEngine  glTexSubImage2D_PackThread
5  libGL.dylib  glTexSubImage2D
6  XUL  mozilla::gl::GLContext::fTexSubImage2D(unsigned int, int, int, int, int, int,...  gfx/gl/GLContext.h:1704
6  XUL  mozilla::DoTexSubImage(mozilla::gl::GLContext*, StrongGLenum<TexImageTargetDe...  dom/canvas/WebGLTextureUpload.cpp:656
7  XUL  mozilla::webgl::DoTexOrSubImage(bool, mozilla::gl::GLContext*, StrongGLenum<T...  dom/canvas/TexUnpackBlob.cpp:493
8  XUL  mozilla::webgl::TexUnpackSurface::TexOrSubImage(bool, bool, mozilla::WebGLTex...  dom/canvas/TexUnpackBlob.cpp:1137

Kelsey, could you take a look?

Flags: needinfo?(jgilbert)
Summary: Crash in [@ glrWriteTextureData] → macOS Crash in [@ glrWriteTextureData]

I bet this bug is related to bug 1963920.

URL: 1963920
See Also: → 1963920

(In reply to Steven Michaud [:smichaud] (Retired) from comment #2)

> I bet this bug is related to bug 1963920.

I've confirmed this with my HookCase hook library for bug 1963920. Both bugs happen copying past the end of a Mozilla-created buffer, which is the source buffer for the memcpy() operations.

Typical crash stack:

Crashing Thread (29), Name: CanvasRenderer
Frame  Module  Signature  Source  Trust
0  libsystem_platform.dylib  _platform_memmove$VARIANT$Haswell   context
1  None  @0x00007000035d2c2f   cfi
2  AppleIntelKBLGraphicsGLDriver  glrWriteTextureData   frame_pointer
3  GLEngine  glTexImage2D_Exec   cfi
4  libGL.dylib  glTexImage2D   cfi
5  XUL  mozilla::gl::GLContext::raw_fTexImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*)  gfx/gl/GLContext.h:1688  cfi
6  XUL  mozilla::gl::GLContext::fTexImage2D(unsigned int, int, int, int, int, int, unsigned int, unsigned int, void const*)  gfx/gl/GLContext.cpp:2417  cfi
7  XUL  mozilla::DoTexImage(mozilla::gl::GLContext*, StrongGLenum<TexImageTargetDetails>, int, mozilla::webgl::DriverUnpackInfo const*, int, int, int, void const*)  dom/canvas/WebGLTextureUpload.cpp:637  cfi
8  XUL  mozilla::webgl::DoTexOrSubImage(bool, mozilla::gl::GLContext*, StrongGLenum<TexImageTargetDetails>, int, mozilla::webgl::DriverUnpackInfo const*, int, int, int, int, int, int, void const*)  dom/canvas/TexUnpackBlob.cpp:496  cfi
9  XUL  mozilla::webgl::TexUnpackSurface::TexOrSubImage(bool, bool, mozilla::WebGLTexture*, int, mozilla::webgl::DriverUnpackInfo const*, int, int, int, mozilla::webgl::PackingInfo const&, unsigned int*) const  dom/canvas/TexUnpackBlob.cpp:1137  cfi
10  XUL  mozilla::WebGLTexture::TexImage(unsigned int, unsigned int, mozilla::avec3<unsigned int> const&, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlobDesc const&)  dom/canvas/WebGLTextureUpload.cpp:1110  cfi
11  XUL  mozilla::WebGLContext::TexImage(unsigned int, unsigned int, mozilla::avec3<unsigned int>, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlobDesc const&) const  dom/canvas/WebGLContextTextures.cpp:206  cfi
12  XUL  mozilla::HostWebGLContext::TexImage(unsigned int, unsigned int, mozilla::avec3<unsigned int> const&, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlobDesc const&) const  dom/canvas/HostWebGLContext.h:579  inlined
12  XUL  mozilla::dom::WebGLParent::RecvTexImage(unsigned int, unsigned int, mozilla::avec3<unsigned int> const&, mozilla::webgl::PackingInfo const&, mozilla::webgl::TexUnpackBlobDesc&&)  dom/canvas/WebGLParent.cpp:108  cfi
13  XUL  mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&)  ipc/ipdl/PWebGLParent.cpp:471  cfi
14  XUL  mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&)  ipc/ipdl/PCanvasManagerParent.cpp:261  cfi
15  XUL  mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)  ipc/glue/MessageChannel.cpp:1789  inlined
15  XUL  mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >)  ipc/glue/MessageChannel.cpp:1716  inlined
15  XUL  mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&)  ipc/glue/MessageChannel.cpp:1507  inlined
15  XUL  mozilla::ipc::MessageChannel::MessageTask::Run()  ipc/glue/MessageChannel.cpp:1607  cfi
16  XUL  nsThread::ProcessNextEvent(bool, bool*)  xpcom/threads/nsThread.cpp:1153  inlined
16  XUL  NS_ProcessNextEvent(nsIThread*, bool)  xpcom/threads/nsThreadUtils.cpp:480  cfi
17  XUL  mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)  ipc/glue/MessagePump.cpp:299  cfi
18  XUL  MessageLoop::RunInternal()  ipc/chromium/src/base/message_loop.cc:369  inlined
18  XUL  MessageLoop::RunHandler()  ipc/chromium/src/base/message_loop.cc:362  inlined
18  XUL  MessageLoop::Run()  ipc/chromium/src/base/message_loop.cc:344  cfi
19  XUL  nsThread::ThreadFunc(void*)  xpcom/threads/nsThread.cpp:366  cfi
20  libnss3.dylib  _pt_root  nsprpub/pr/src/pthreads/ptthread.c:191  cfi
21  libsystem_pthread.dylib  _pthread_start   cfi
22  libsystem_pthread.dylib  thread_start   cfi

How to search for this bug's crashes:

https://crash-stats.mozilla.org/search/?signature=glrWriteTextureData&platform=Mac%20OS%20X&date=%3E%3D2025-02-05T17%3A13%3A00.000Z&date=%3C2025-05-05T17%3A13%3A00.000Z&_facets=signature&_facets=platform_version&_facets=proto_signature&_facets=address&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform_version#facet-proto_signature
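Added example (not Mozilla's code, and not the fix landed in bug 1966083) of the bounds check that the analysis above calls for: before a client buffer is handed to glTexImage2D/glTexSubImage2D, compute how many bytes the driver's memcpy will read under the GL_UNPACK_* rules and refuse the upload if the buffer is shorter. The struct and function names are hypothetical; the byte count follows the OpenGL pixel-rectangle unpack rules (rows padded to GL_UNPACK_ALIGNMENT, the last row only as long as its pixels).

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical mirror of the GL_UNPACK_* state that decides how many bytes
 * glTexImage2D / glTexSubImage2D read from the client-side source buffer. */
typedef struct {
    uint32_t width, height;     /* uploaded region, in pixels */
    uint32_t bytes_per_pixel;   /* e.g. 3 for RGB / UNSIGNED_BYTE */
    uint32_t alignment;         /* GL_UNPACK_ALIGNMENT: 1, 2, 4 or 8 */
    uint32_t row_length;        /* GL_UNPACK_ROW_LENGTH, 0 means width */
    uint32_t skip_pixels;       /* GL_UNPACK_SKIP_PIXELS */
    uint32_t skip_rows;         /* GL_UNPACK_SKIP_ROWS */
} unpack_params;

/* Bytes the driver may read from the data pointer: every row but the last is
 * padded to the alignment, the last row only needs its own pixels.
 * Returns false on an invalid alignment or arithmetic overflow. */
static bool unpack_bytes_needed(const unpack_params *p, uint64_t *out)
{
    if (p->alignment != 1 && p->alignment != 2 &&
        p->alignment != 4 && p->alignment != 8)
        return false;
    if (p->width == 0 || p->height == 0) { *out = 0; return true; }

    uint64_t row_px = p->row_length ? p->row_length : p->width;
    uint64_t row_bytes = row_px * p->bytes_per_pixel;  /* 32x32 bits: no overflow */
    uint64_t stride = (row_bytes + p->alignment - 1) / p->alignment * p->alignment;
    uint64_t full_rows = (uint64_t)p->skip_rows + p->height - 1;
    uint64_t last_row = ((uint64_t)p->skip_pixels + p->width) * p->bytes_per_pixel;

    if (stride && full_rows > UINT64_MAX / stride) return false;
    uint64_t total = full_rows * stride;
    if (total > UINT64_MAX - last_row) return false;
    *out = total + last_row;
    return true;
}

/* Guard to apply before the buffer reaches the driver's memcpy: a buffer
 * shorter than the computed size is exactly the over-read described above. */
static bool texture_upload_in_bounds(uint64_t buf_len, const unpack_params *p)
{
    uint64_t need;
    return unpack_bytes_needed(p, &need) && need <= buf_len;
}
```

A constructed 5x3 RGB upload with alignment 4 needs 2*16 + 15 = 47 bytes, so a 46-byte source buffer is rejected rather than over-read.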

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 5 desktop browser crashes on Mac on release

For more information, please visit BugBot documentation.

Keywords: topcrash

Redirect a needinfo that is pending on an inactive user to the triage owner.
:ahale, since the bug has recent activity, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jgilbert) → needinfo?(ahale)

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

This bug should be fixed by bug 1966083.

Status: NEW → RESOLVED
Closed: 10 months ago
Duplicate of bug: CVE-2025-49709
Flags: needinfo?(ahale)
Resolution: --- → DUPLICATE