ANGLE crash in ConstantUnion::getBConst with this=null, called from TIntermediate::promoteConstantUnion, from yyparse

Status: RESOLVED FIXED
Product: Core
Component: Canvas: WebGL
Severity: critical
Reported: 7 years ago
Last resolved: 3 years ago
Reporter: decoder
Assignee: Unassigned
Blocks: 1 bug
Keywords: crash, testcase
Version: Trunk
Hardware: x86_64 Linux
Firefox Tracking Flags: Not tracked
Details: Whiteboard: webgl-angle, crash signature
Attachments: 1

Description (Reporter, 7 years ago)
Created attachment 571303 [details]
Test case for browser

The attached WebGL testcase crashes Firefox Nightly (tested with mesa llvmpipe software rendering). The test might require MOZ_GL_DEBUG=1.

The crash is in the ANGLE parser just like in bug 698963:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3bbcd96 in ConstantUnion::getBConst (this=0x0) at /home/decoder/LangFuzz/mozilla-central-browser/gfx/angle/src/compiler/ConstantUnion.h:22
22          bool getBConst() { return bConst; }
(gdb) bt
#0  0x00007ffff3bbcd96 in ConstantUnion::getBConst (this=0x0) at /home/decoder/LangFuzz/mozilla-central-browser/gfx/angle/src/compiler/ConstantUnion.h:22
#1  0x00007ffff3bc1f52 in TIntermediate::promoteConstantUnion (this=0x7fffffff9a30, promoteTo=EbtFloat, node=0x7fffd3c089a8)
    at /home/decoder/LangFuzz/mozilla-central-browser/gfx/angle/src/compiler/Intermediate.cpp:1394
#2  0x00007ffff3bbebb9 in TIntermediate::addConversion (this=0x7fffffff9a30, op=EOpConstructFloat, type=..., node=0x7fffd3c089a8)
    at /home/decoder/LangFuzz/mozilla-central-browser/gfx/angle/src/compiler/Intermediate.cpp:478
#3  0x00007ffff3bbe76b in TIntermediate::addUnaryMath (this=0x7fffffff9a30, op=EOpConstructFloat, childNode=0x7fffd3c089a8, line=5, symbolTable=...)
    at /home/decoder/LangFuzz/mozilla-central-browser/gfx/angle/src/compiler/Intermediate.cpp:326
#4  0x00007ffff3bcb802 in TParseContext::constructBuiltIn (this=0x7fffffff9960, type=0x7fffffff87f0, op=EOpConstructVec4, node=0x7fffd3c089a8, line=5, subset=true)
    at /home/decoder/LangFuzz/mozilla-central-browser/gfx/angle/src/compiler/ParseHelper.cpp:1242
#5  0x00007ffff3bcb3f6 in TParseContext::addConstructor (this=0x7fffffff9960, node=0x7fffd3c08da8, type=0x7fffffff87f0, op=EOpConstructVec4, fnCall=0x7fffd3c07bd8, line=5)
    at /home/decoder/LangFuzz/mozilla-central-browser/gfx/angle/src/compiler/ParseHelper.cpp:1159
#6  0x00007ffff3be1f17 in yyparse (context=0x7fffffff9960) at /home/decoder/LangFuzz/mozilla-central-browser/gfx/angle/src/compiler/glslang_tab.cpp:2468

I'm not sure if this is the same issue as in bug 698963, please check that :) If that is not the case, I'll report this to ANGLE as well.
Not sure if it's a duplicate. But I missed Bug 620222, forwarding it now (can still be reproduced)
Forwarded as http://code.google.com/p/angleproject/issues/detail?id=240
Summary: ANGLE crash in ConstantUnion::getBConst, after null dereference in yyparse → ANGLE crash in ConstantUnion::getBConst with this=null, called from TIntermediate::promoteConstantUnion, from yyparse
This should have been fixed in one of the ANGLE updates.
I'll try out the testcase.
Flags: needinfo?(jgilbert)
Whiteboard: webgl-angle
This must have been fixed by an ANGLE update.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED