Assertion failed: (ch == '\0'), function ReadToken

RESOLVED FIXED

Status

Core
Canvas: WebGL
major
6 years ago
5 years ago

People

(Reporter: posidron, Assigned: jgilbert)

Tracking

(Blocks: 1 bug, {testcase})

Trunk
testcase

Firefox Tracking Flags

(firefox5- wontfix, firefox6- affected, firefox7- affected, firefox8- affected)

Attachments

(4 attachments)

(Reporter)

Description

6 years ago
Created attachment 544397 [details]
callstack

This bug was discovered during a manual audit for bug: https://bugzilla.mozilla.org/show_bug.cgi?id=668366
(Reporter)

Comment 1

6 years ago
Created attachment 544398 [details]
testcase
(Reporter)

Updated

6 years ago
(Reporter)

Comment 2

6 years ago
Created attachment 544503 [details]
testcase - reduced

Reduced testcase. Looks like something went wrong during the assignment of the int variable and not during the uniform indexing.

Comment 3

Since I can't see the ANGLE bug I'm going to assume they are considering this a security vulnerability -> sg:critical until we know more.
Whiteboard: [sg:critical?]

Comment 4

6 years ago
This appears to be a simple bug in the preprocessor, which doesn't handle hexadecimal numbers correctly. As far as we can tell, it will only cause a compilation error and is not a security issue.

Comment 5

Does that mean you'll unhide the angleproject bug linked here?

Comment 6

6 years ago
(In reply to comment #5)
> Does that mean you'll unhide the angleproject bug linked here?
Done

Updated

6 years ago
Assignee: nobody → bjacob
status-firefox5: --- → wontfix
status-firefox6: --- → affected
status-firefox7: --- → affected
status-firefox8: --- → affected
tracking-firefox5: --- → -
tracking-firefox6: --- → +
tracking-firefox7: --- → +
tracking-firefox8: --- → +

Comment 7

Remove sg:critical?
Group: core-security
tracking-firefox6: + → -
tracking-firefox7: + → -
tracking-firefox8: + → -
Whiteboard: [sg:critical?]
(Assignee)

Comment 8

6 years ago
This seems to just result in a link error on non-debug builds. It does crash on debug builds though.
Severity: critical → major
Keywords: crash
OS: Mac OS X → All
Hardware: x86_64 → All
(Assignee)

Comment 9

6 years ago
Basically, ANGLE interprets all integer literals as decimal. GLSL accepts octal and hexadecimal, and it seems like these should be required. Further, it appears that we must not be testing for these in the conformance tests.
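
The mismatch described in comment 9, as an added sketch that is not part of this bug thread, ANGLE's source, or the attached patch: a decimal-only scan next to a base-aware one for integer literals. All type and function names and the 32-bit range limit are assumptions, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Names here are illustrative, not ANGLE's. */
typedef struct { bool ok; uint32_t value; size_t consumed; } int_lit;

static int digit_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decimal-only scan: "017" yields 17, and "0x1F" stops at the 'x'. */
int_lit scan_decimal_only(const char *s) {
    int_lit r = { false, 0, 0 };
    for (; isdigit((unsigned char)s[r.consumed]); r.consumed++)
        r.value = r.value * 10 + (uint32_t)(s[r.consumed] - '0');
    r.ok = r.consumed > 0;
    return r;
}

/* Base-aware scan: 0x/0X is hex, a leading 0 is octal, otherwise decimal. Fails on a digit
   outside the base, an empty "0x", a value above UINT32_MAX (assumed), or a trailing identifier char. */
int_lit scan_int_literal(const char *s) {
    int_lit fail = { false, 0, 0 };
    uint32_t base = 10, v = 0;
    size_t i = 0, n = 0; /* n counts digits after any prefix */
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) { base = 16; i = 2; }
    else if (s[0] == '0') base = 8;
    for (int d; (d = digit_val(s[i])) >= 0; i++, n++) {
        if ((uint32_t)d >= base) return fail;                   /* e.g. "09" */
        if (v > (UINT32_MAX - (uint32_t)d) / base) return fail; /* overflow */
        v = v * base + (uint32_t)d;
    }
    if (n == 0 || isalnum((unsigned char)s[i]) || s[i] == '_') return fail;
    return (int_lit){ true, v, i };
}

int main(void) {
    const char *in[] = { "42", "017", "0x1F", "09", "0x" }; /* constructed inputs */
    for (size_t k = 0; k < sizeof in / sizeof *in; k++) {
        int_lit a = scan_decimal_only(in[k]), b = scan_int_literal(in[k]);
        printf("%-5s decimal-only=%u  base-aware=%s %u\n", in[k],
               (unsigned)a.value, b.ok ? "ok" : "error", (unsigned)b.value);
    }
    return 0;
}
```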
(Assignee)

Updated

6 years ago
Depends on: 742138
(Assignee)

Comment 10

6 years ago
Created attachment 612064 [details] [diff] [review]
Parse octal/hexadecimal literals properly.

Prerequisite patch is the patch for too-large-tokens at bug 742138.
Assignee: bjacob → jgilbert
Status: NEW → ASSIGNED
Attachment #612064 - Flags: review?(bjacob)

Comment 11

6 years ago
Please file a bug on http://angleproject.googlecode.com/ and attach this patch for review and comment. Someone knowledgeable about the parser in ANGLE's shader translator (alokp at chromium.org in particular) should review this patch.
(Assignee)

Comment 12

6 years ago
(In reply to Kenneth Russell from comment #11)
> Please file a bug on http://angleproject.googlecode.com/ and attach this
> patch for review and comment. Someone knowledgeable about the parser in
> ANGLE's shader translator (alokp at chromium.org in particular) should
> review this patch.

Both have respective ANGLE bugs, but I just need to figure out what format the patch should be in. bjacob is more familiar with this process, so I'll sync up with him tomorrow.

Comment 13

6 years ago
Either an SVN diff or git diff would be fine.
(Assignee)

Comment 14

5 years ago
(In reply to daniel-bzmz from comment #13)
> Either an SVN diff or git diff would be fine.

I posted git diffs, but would hg diffs work, for future reference?
Also, I'm not sure how to trigger review, so the diffs are merely attached for now.

Note that hg knows how to generate git diffs:

  hg diff -g
  hg export -g

Comment on attachment 612064 [details] [diff] [review]
Parse octal/hexadecimal literals properly.

Waiting for review by real ANGLE devs.
Attachment #612064 - Flags: review?(bjacob)

Depends on: 734657

Fixed by update to ANGLE r1042 (bug 734657) which includes the fix for http://code.google.com/p/angleproject/issues/detail?id=178
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED