Closed Bug 522199 Opened 15 years ago Closed 14 years ago

WebGL gl.drawElements segfaults when vertex array is enabled with no buffer bound

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: 00003b, Unassigned)

References

Details

Attachments

(2 files)

test case
1.80 KB, text/html
Details
restore buffer validation without index checking
2.82 KB, patch
vlad
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090910 Ubuntu/9.04 (jaunty) Shiretoko/3.5.3
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.3a1pre) Gecko/20091013 Minefield/3.7a1pre

gl.drawElements doesn't validate buffer state, so crashes when called after a gl.enableVertexAttribArray without corresponding gl.vertexAttribPointer.
(bindBuffer and bufferData are also required to actually draw anything, but that seems to be detected correctly)

Reproducible: Always

Steps to Reproduce:
1.open test case in webgl enabled browser
2.
3.
Actual Results:  
segfault

Expected Results:  
error is handled without crashing

tested in windows xp/32 and ubuntu 9.04 x86_64, both with nvidia cards and drivers
crash ID ff94c7d3-450e-43f3-a53c-303572091013 from the windows test
Attached file test case 

    
    

    
  
Confirming on Windows. Unfortunately that crash report doesn't have a useful stack. Interestingly the stack below from my laptop with an Intel graphics card is crashing in the Intel OpenGL driver.

Signature	ig4icd32.dll@0xff04c
UUID	e6119cff-323e-4315-8e3e-3ea662091015
Product	Firefox
Version	3.7a1pre
Build ID	20091014045102

Frame 	Module 	Signature [Expand] 	Source
0 	ig4icd32.dll 	ig4icd32.dll@0xff04c 	
1 	ig4icd32.dll 	ig4icd32.dll@0x10370e 	
2 	ig4icd32.dll 	ig4icd32.dll@0x103965 	
3 	ig4icd32.dll 	ig4icd32.dll@0x48a06 	
4 	ig4dev32.dll 	ig4dev32.dll@0x51d54 	
5 	ig4icd32.dll 	ig4icd32.dll@0x61cb6 	
6 	ig4icd32.dll 	ig4icd32.dll@0x62612 	
7 	xul.dll 	mozilla::WebGLContext::DrawElements 	content/canvas/src/WebGLContextGL.cpp:975
8 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
9 	xul.dll 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2281
10 	xul.dll 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2690
11 	mozjs.dll 	OBJ_TO_INNER_OBJECT
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  


  
Code for checking indexes wasn't working, so validation was disabled. Restoring rough buffer validation fixes this and other crashes.

        Attachment #410168 -
        Flags: review?(vladimir)

    
  
Blocks: 525992
Component: Canvas: 2D → Canvas: WebGL

    
    

    
  
This bug has been fixed a couple of weeks ago.

But the testcase here won't run because of this error in it:

Error: CanvasUnsignedShortArray is not defined
Source File: https://bug522199.bugzilla.mozilla.org/attachment.cgi?id=406181
Line: 41
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: