Bug 631258 - WebGL shader paints using arbitrary textures, some even belonging to other processes, on Mac OS 10.5
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: Canvas: WebGL
: unspecified
: x86 Mac OS X
: -- normal
: ---
Assigned To: Nobody; OK to take it and work on it
: Milan Sreckovic [:milan]
Mentors:
Depends on: 636611
Blocks:
Reported: 2011-02-03 09:15 PST by /\/\arcio Galli
Modified: 2012-11-07 05:29 PST


Attachments
Image of demo shows blend of picture with content from tab ( gmail inbox ) (418.15 KB, image/png)
2011-02-03 09:26 PST, /\/\arcio Galli
log GL calls on WebGL context (~500 first calls) (85.89 KB, text/plain)
2011-02-03 12:37 PST, Benoit Jacob [:bjacob] (mostly away)
Snapshot of demo shows a cylinder with incorrect rendering (354.14 KB, image/png)
2011-02-04 08:10 PST, /\/\arcio Galli
Another screenshot, shows images, at the top of a terminal console. (323.11 KB, image/png)
2011-02-04 11:02 PST, /\/\arcio Galli
Screenshot of the issue happening. (705.86 KB, image/png)
2011-10-29 07:29 PDT, Reuben Morais [:reuben]

Description /\/\arcio Galli 2011-02-03 09:15:54 PST
This is quite interesting. I am attaching an image. The original sample is: 

http://webglsamples.googlecode.com/hg/imagesphere/imagesphere.html

I saved it to the disk. Then modified the sample, locally, to use images from the hosted site ( full URLs to the above domain etc ). Also changed a bit some of the sin/cos parameters so I could have a cylinder, not a sphere. Problem: 

Notice that the contents of my gmail inbox are blended in the middle of the images loaded from the net.
Comment 1 Benoit Jacob [:bjacob] (mostly away) 2011-02-03 09:26:11 PST
Sounds like a major security bug. But does not necessarily have to be hidden at this point, as it is most likely to be a driver bug and not to be scriptable. Investigating ASAP.
Comment 2 /\/\arcio Galli 2011-02-03 09:26:24 PST
Created attachment 509453
Image of demo shows blend of picture with content from tab ( gmail inbox )
Comment 3 /\/\arcio Galli 2011-02-03 11:07:54 PST
Yeah, that is why I filed this quickly. BTW when I reloaded this page the problem was gone. But it appears if you leave the page ( the tab of the DEMO ) for a while -- also confirming now it shows with the URL demo from comment #1.
Comment 4 Benoit Jacob [:bjacob] (mostly away) 2011-02-03 11:15:10 PST
Can you please go to about:support, copy to clipboard, and paste here the Graphics section.
Comment 5 Benoit Jacob [:bjacob] (mostly away) 2011-02-03 11:29:29 PST
This demo is using renderbuffers, where proper initialization is notably nontrivial. I am currently checking that we're getting it right. In other words, at this stage, it could still be our bug.
Comment 6 Benoit Jacob [:bjacob] (mostly away) 2011-02-03 12:37:14 PST
Created attachment 509531
log GL calls on WebGL context (~500 first calls)

Ah! No, this demo is not using renderbuffers. The calls I was seeing were our own initialization stuff, when creating a WebGL context. There isn't a single renderbuffer/framebuffer related call in this WebGL app.

See attached log of all GL calls on the GL context used by this WebGL context.
Comment 7 Benoit Jacob [:bjacob] (mostly away) 2011-02-03 12:44:53 PST
So, I am still interested in what I asked for in comment 4; and I would also like you to try the following:

please download a debug build of Minefield:

32bit:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011-02-03-03-mozilla-central-debug/firefox-4.0b12pre.en-US.debug-mac.dmg

64bit:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011-02-03-03-mozilla-central-debug/firefox-4.0b12pre.en-US.debug-mac64.dmg

install it, open a Terminal, do

   export MOZ_GL_DEBUG=1

and then run Minefield (that debug build) from that Terminal.

Does it make a difference? Does it crash? If it does, what's the output in the Terminal?
Comment 8 /\/\arcio Galli 2011-02-04 07:44:32 PST
Info you requested: 

  Graphics

        Adapter Description
        0x22600,0x20400

        Vendor ID
        0000

        Device ID
        0000

        Adapter RAM

        Adapter Drivers

        Driver Version

        Driver Date

        Direct2D Enabled
        false

        DirectWrite Enabled
        false

        WebGL Renderer
        NVIDIA Corporation -- NVIDIA GeForce 9400M OpenGL Engine -- 2.0 NVIDIA-1.5.48

        GPU Accelerated Windows
        3/3 OpenGL
Comment 9 /\/\arcio Galli 2011-02-04 08:00:48 PST
Ok. Downloaded the 32 bit and opened the demo. The problem was ( before ) coming up after hours with the tab kept in my list of opened tabs. So I found a way now, using Mac OSX 10.5.8 here, to replicate it much faster. I am able to see the problem right away if I put my computer screen, wait for Mac OS X to sleep, and open the screen. Then I got a bunch of snapshots of the tabs mixed in the shading, mostly in the bottom and upper part of the cylinder ( the part where usually a shadow or light would be placed ). What is even more weird now ( attaching the image in a bit ) is that the images I have shown there are from a previous minefield session -- not the current. Notice that in the current one I have only 3 tabs, but not gmail. But gmail still shows in there. 

* No Crash; 
* Nothing in the console that seems WebGl weird. When the page loads

OpenGL vendor ('NVIDIA Corporation') recognized as: NVIDIA
--- WebGL context created: 0x257a4a00

Then nothing more except a lot of WARNING: Overflowed nscoord_MAX in conversion to nscoord: file ../../dist/include/nsCoord.h, line 359
 that I get when I load any new tab.
Comment 10 /\/\arcio Galli 2011-02-04 08:10:21 PST
Created attachment 509770
Snapshot of demo shows a cylinder with incorrect rendering

Also noticed the images in there are from an old session I think. I saw a piano web page; I did access that page some time ago.
Comment 11 Benoit Jacob [:bjacob] (mostly away) 2011-02-04 09:05:34 PST
Did you do the 

   export MOZ_GL_DEBUG=1

?

Also, here's an important question. If you actually Quit firefox, and re-run it, can you still see old pages from your previous firefox session? Or is the bug happening only within pages of the same firefox session?
Comment 12 /\/\arcio Galli 2011-02-04 10:58:43 PST
Yes, I thought I got the "--- WebGL context created: 0x257a4a00" because was in export MOZ_GL_DEBUG=1. I did open from the terminal. So the images I saw were from other sessions. BTW, new information. I see pieces from a terminal. So looks like the images in there are from the desktop raw buffer, not content of other tabs. I thought it was tabs probably because I keep with firefox using most of the screen.
Comment 13 /\/\arcio Galli 2011-02-04 11:02:02 PST
Created attachment 509819
Another screenshot, shows images, at the top of a terminal console.
Comment 14 Vladimir Vukicevic [:vlad] [:vladv] 2011-02-04 12:51:12 PST
I wonder if we're somehow losing the GL context and/or textures, and GL just doesn't tell us (makecurrent doesn't seem to be failing?); we then use existing texture IDs which end up pointing to other random objects in memory.  Marcio, what version of OSX are you on?
Comment 15 /\/\arcio Galli 2011-02-07 13:44:27 PST
I am using Mac OSX 10.5.8. So when you run the Google demo ( http://webglsamples.googlecode.com/hg/imagesphere/imagesphere.html ) put the computer screen to sleep and open, you do not see any texture problems? Could this be simply a trouble with the Mac OSX Webgl drivers?
Comment 16 Benoit Jacob [:bjacob] (mostly away) 2011-02-07 14:20:41 PST
Oh, 10.5.

Given the number of grave bugs we have with 10.5 OpenGL, especially bug 618848 and bug 622836, and now this, I think it may be safest to blacklist 10.5.
Comment 17 Vladimir Vukicevic [:vlad] [:vladv] 2011-02-07 15:32:04 PST
I concur.
Comment 18 Benoit Jacob [:bjacob] (mostly away) 2011-02-07 15:34:54 PST
In addition, bug 593867 (the validateProgram crash) is on 10.5.

Unfortunately, at least the present bug is 10.5.8, killing hopes that some 10.5.x might be all good.
Comment 19 Benoit Jacob [:bjacob] (mostly away) 2011-02-23 14:56:13 PST
OK, I kind of forgot about this. Going to blacklist 10.5.
Comment 20 Jeff Muizelaar [:jrmuizel] 2011-02-25 12:20:33 PST
It seems like this only happens on sleep? If so we may be able to reupload the textures when we come out from sleep.
Comment 21 Benoit Jacob [:bjacob] (mostly away) 2011-03-14 10:22:40 PDT
Filed Apple bug 9129398
Comment 22 Benoit Jacob [:bjacob] (mostly away) 2011-09-06 07:09:31 PDT
Today I came across a report of the same bug, this time on Mac OS 10.6.8 with an Intel GPU.
http://wahlers.com.br/claus/blog/talking-about-webgl-and-security
Comment 23 Benoit Jacob [:bjacob] (mostly away) 2011-09-06 07:23:37 PDT
(In reply to Jeff Muizelaar [:jrmuizel] from comment #20)
> It seems like this only happens on sleep? If so we may be able to reupload
> the textures when we come out from sleep.

It would be nice if this were sleep specific. But we wouldn't be able to reupload WebGL textures anyway. Rather, the solution would be to lose all WebGL contexts when coming out from sleep.

How do we detect that we just came out of sleep, on Mac?
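
Added example, not part of the bug thread and not Firefox code: if the browser drops every WebGL context on wake from sleep, as comment 23 proposes, a page has to rebuild its textures itself. This shows page-side handling of the standard `webglcontextlost` / `webglcontextrestored` events; `TextureRegistry` is a hypothetical helper name.

```javascript
// Added illustration: a page that survives the browser dropping its WebGL
// context (for example on wake from sleep) by rebuilding every texture.
// TextureRegistry is a hypothetical helper, not a Firefox or WebGL API.
class TextureRegistry {
  constructor(canvas, gl) {
    this.gl = gl;
    this.sources = new Map();  // name -> {width, height, pixels}, kept on the JS side
    this.textures = new Map(); // name -> texture handle, valid only for the live context
    this.lost = false;
    canvas.addEventListener('webglcontextlost', (e) => {
      e.preventDefault();      // required, or 'webglcontextrestored' never fires
      this.lost = true;
      this.textures.clear();   // old handles are dead; never bind them again
    });
    canvas.addEventListener('webglcontextrestored', () => {
      this.lost = false;
      for (const [name, src] of this.sources) this.upload(name, src);
    });
  }

  // Register RGBA pixel data; uploaded now, or on restore if the context is lost.
  add(name, width, height, pixels) {
    if (pixels.length !== width * height * 4) throw new RangeError('RGBA size mismatch');
    const src = { width, height, pixels };
    this.sources.set(name, src);
    if (!this.lost) this.upload(name, src);
  }

  upload(name, { width, height, pixels }) {
    const gl = this.gl;
    const tex = gl.createTexture();
    gl.bindTexture(gl.TEXTURE_2D, tex);
    // Explicit pixel data: every texel the shader samples comes from the page.
    gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, width, height, 0,
                  gl.RGBA, gl.UNSIGNED_BYTE, pixels);
    this.textures.set(name, tex);
  }

  // Returns the handle to bind, or null while the context is lost.
  get(name) {
    if (this.lost || this.gl.isContextLost()) return null;
    return this.textures.get(name) ?? null;
  }
}
```

In a browser, `canvas` is the `<canvas>` element and `gl` its WebGL context; the render loop skips drawing whenever `get()` returns null.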
Comment 24 Benoit Jacob [:bjacob] (mostly away) 2011-09-10 16:44:14 PDT
Marcio: can you please try Nightly from today or later? It has a tentative work-around for this bug. Notice that since WebGL is blocked on Mac OS 10.5 you have to force-enable it (go to about:config and set webgl.force-enabled). Also, this bug has been confirmed on Mac OS 10.6 and 10.7 now, and on other GPUs. It might be affecting all Macs.
Comment 25 Benoit Jacob [:bjacob] (mostly away) 2011-09-10 16:44:55 PDT
See bug 684882 (currently non public but I gave you access to it)
Comment 26 Reuben Morais [:reuben] 2011-10-28 21:24:37 PDT
Today I saw this bug on Peacekeeper's dandelion test, the dandelion textures were my Dock icons.
This was in a session that was running for quite some time, and the notebook possibly slept while it was running, but I'm not sure about that.

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0a1) Gecko/20111028 Firefox/10.0a1 ID:20111028031044
Comment 27 Benoit Jacob [:bjacob] (mostly away) 2011-10-29 06:45:27 PDT
oops...

please attach about:support contents.

Please try these links on this machine. Reload each of them a few times.

     http://alteredqualia.com/three/examples/webgl_cars.html
         (do you see junk in the background?)

     http://people.mozilla.org/~bjacob/webgltexturecubemap.html
         (should show just a green/black grid on a triangle)

     http://people.mozilla.org/~bjacob/webgltexturecubemap-flat.html
         (should show only a large black square area)

the next time it happens, can you please:
 - take a screenshot
 - try above links
 - try in another browser
Comment 28 Benoit Jacob [:bjacob] (mostly away) 2011-10-29 06:47:26 PDT
erm, though... my links use a 1024x1024 cube map which should be disallowed on your machine following Bug 684882... so I expect they'll just generate a WebGL error on your machine. Can you try this instead a few times:

     http://people.mozilla.org/~bjacob/webgltexturecubemap-flat-512.html
Comment 29 Reuben Morais [:reuben] 2011-10-29 07:29:43 PDT
Created attachment 570475
Screenshot of the issue happening.

(In reply to Benoit Jacob [:bjacob] from comment #27)
> please attach about:support contents.

http://pastebin.mozilla.org/1367060

> 
> Please try these links on this machine. Reload each of them a few times.
> 
>      http://alteredqualia.com/three/examples/webgl_cars.html
>          (do you see junk in the background?)
> 

Yes, while it's loading. See attached screenshot. Doesn't happen in Chrome stable.

>      http://people.mozilla.org/~bjacob/webgltexturecubemap.html
>          (should show just a green/black grid on a triangle)
> 
>      http://people.mozilla.org/~bjacob/webgltexturecubemap-flat.html
>          (should show only a large black square area)
> 

Both work as intended.
Comment 30 Benoit Jacob [:bjacob] (mostly away) 2011-10-29 07:37:14 PDT
OK. The fact that http://people.mozilla.org/~bjacob/webgltexturecubemap.html works for you means that Firefox is not using the work-around we have for Bug 684882 which we use only for Intel GPUs.

Indeed your about:support shows that it _thinks_ it's using a NVIDIA card (but it could be wrong about that).

I'm afraid that the graphics card is changing under our feet without us noticing.

Can you please install the gfxCardStatus utility and force usage of only 1 GPU: first try forcing Intel integrated graphics, then try forcing the discrete NVIDIA chip. Can the bug still be reproduced in either case?

The present bug was only for Mac OS 10.5. It should have been marked as FIXED a long time ago, as we blacklist WebGL on 10.5. If this bug turns out to be specific to the Intel GPU, please continue this conversation on Bug 684882; if this actually happens on the NVIDIA GPU, please file a new bug.
Comment 31 mgalli 2012-11-07 05:22:01 PST
Just for reference, I saw a problem similar to this:

image frame buffer from another video session showed in the "webcam" area of WebRTC infra in Chrome 23 with Mountain Lion Mac OS X. 

I am mentioning Chrome case here as reference on the possible problem that may still be active towards the Mac OS X side.
Comment 32 Benoit Jacob [:bjacob] (mostly away) 2012-11-07 05:29:58 PST
I would recommend that you file a Chrome bug report then; and if you can reproduce in Firefox, please file a new Mozilla bug too. At least on Mozilla side that would be a security bug report.
