Closed
Bug 646825
Opened 14 years ago
Closed 13 years ago
[ANGLE] crash [@ gl::VertexDataConverter<float, gl::WidenRule<int, 2>, gl::ConversionRule<int, 0, int>, gl::DefaultVertexValues<float, int> >::convertArray(float const*, unsigned int, unsigned int, float*)]with Google Labs' Body Map
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox5 | --- | affected |
| firefox6 | + | fixed |
| firefox7 | + | fixed |
| firefox8 | + | fixed |
| status2.0 | --- | wanted |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: kairo, Assigned: bjacob)
References
()
Details
(Keywords: crash, Whiteboard: [sg:critical?][qa?])
Crash Data
Attachments
(1 file)
|
7.83 KB,
patch
|
christian
:
approval-mozilla-aurora+
christian
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-8a45c98b-589b-481f-99c1-f042b2110330 .
=============================================================
Since 2011-03-29, but really on 2011-03-03, we see a rise in crashes with that signature, the comments in https://crash-stats.mozilla.com/report/list?signature=gl%3A%3AVertexDataConverter%3Cfloat%2C%20gl%3A%3AWidenRule%3Cint%2C%202%3E%2C%20gl%3A%3AConversionRule%3Cint%2C%200%2C%20int%3E%2C%20gl%3A%3ADefaultVertexValues%3Cfloat%2C%20int%3E%20%3E%3A%3AconvertArray%28float%20const%2A%2C%20unsigned%20int%2C%20unsigned%20int%2C%20float%2A%29 seem to almost all point to Google Labs' Body Map and http://bodybrowser.googlelabs.com/body.html# and as I heard this launched in the last days, the rise seems to correspond.
There was a small amount of crashes with this signature around before, 2-20 crashes per day when we still processed all crash reports. On 2011-03-30, we have 61 crashes with only 10% of all crashes being processed by the Socorro system (so in reality we probably have ~600), making this #186 on this day's topcrash list for 4.0* versions.
|
Assignee | |
Comment 1•14 years ago
|
||
This is a ANGLE bug. This code didn't change recently in ANGLE so I'll assume that it's still present in upstream.
|
|
Assignee | |
Comment 2•14 years ago
|
||
|
|
Assignee | |
Updated•14 years ago
|
Summary: crash [@ gl::VertexDataConverter<float, gl::WidenRule<int, 2>, gl::ConversionRule<int, 0, int>, gl::DefaultVertexValues<float, int> >::convertArray(float const*, unsigned int, unsigned int, float*)]with Google Labs' Body Map → [ANGLE] crash [@ gl::VertexDataConverter<float, gl::WidenRule<int, 2>, gl::ConversionRule<int, 0, int>, gl::DefaultVertexValues<float, int> >::convertArray(float const*, unsigned int, unsigned int, float*)]with Google Labs' Body Map
|
||
Updated•14 years ago
|
Crash Signature: [@ gl::VertexDataConverter<float, gl::WidenRule<int, 2>, gl::ConversionRule<int, 0, int>, gl::DefaultVertexValues<float, int> >::convertArray(float const*, unsigned int, unsigned int, float*)]
|
||
Comment 3•13 years ago
|
||
Chris Evans says this looks like a Windows-specific buffer overflow in the ANGLE code. If there's an ANGLE fix for this in time would be great to pick it up in time for Firefox 6 (although it's late in the game).
Assignee: nobody → bjacob
Group: core-security
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
status-firefox5:
--- → affected
status-firefox6:
--- → affected
status-firefox7:
--- → affected
status-firefox8:
--- → affected
tracking-firefox6:
--- → ?
tracking-firefox7:
--- → +
Whiteboard: [sg:critical?]
|
|
||
Comment 4•13 years ago
|
||
A reduced testcase would be great for debugging and verification. The bodybrowser site code could change over time (and in fact is likely to if this is a common crash).
Keywords: testcase-wanted
|
|
||
Comment 5•13 years ago
|
||
This crash is fixed in ANGLE r702 according to the two angleproject bugs.
|
|
||
Comment 6•13 years ago
|
||
That patch looks appropriate to take during the Fx6 beta period
https://code.google.com/p/angleproject/source/detail?r=702
|
|
Assignee | |
Comment 7•13 years ago
|
||
OK, will do tomorrow. Worried I might forget. Ping me if I do.
|
|
Assignee | |
Comment 8•13 years ago
|
||
Tryserver:
http://hg.mozilla.org/try/rev/3cd4da06cf08
|
|
Assignee | |
Comment 9•13 years ago
|
||
Landed on central:
http://hg.mozilla.org/mozilla-central/rev/85b0cc81a189
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Updated•13 years ago
|
Attachment #548223 -
Flags: approval-mozilla-beta?
Attachment #548223 -
Flags: approval-mozilla-aurora?
|
||
Comment 10•13 years ago
|
||
Comment on attachment 548223 [details] [diff] [review]
angle r702
Approved for beta and aurora. Please land asap
Attachment #548223 -
Flags: approval-mozilla-beta?
Attachment #548223 -
Flags: approval-mozilla-beta+
Attachment #548223 -
Flags: approval-mozilla-aurora?
Attachment #548223 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 11•13 years ago
|
||
|
||
Comment 13•13 years ago
|
||
As per the testcase-wanted keyword, is there something QA can do to verify this bug fix?
Whiteboard: [sg:critical?] → [sg:critical?][qa?]
|
|
||
Updated•13 years ago
|
Group: core-security
|
||
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•