Bug 699033 - [ANGLE] Assertion `typeName' failed // Parser Crash [@ TType::TType]
Status: VERIFIED FIXED
[sg:critical][qa!]
: crash, testcase
Product: Core
Classification: Components
Component: Canvas: WebGL (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: Benoit Jacob [:bjacob] (mostly away)
:
:
Mentors:
Depends on:
Blocks: langfuzz 731046
Reported: 2011-11-02 07:04 PDT by Christian Holler (:decoder)
Modified: 2012-04-10 21:25 PDT (History)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Attachments
Test case for browser (3.52 KB, text/html)
2011-11-02 07:04 PDT, Christian Holler (:decoder)
no flags
castrate angle bug 241 to guarantee it's a plain crash, nothing worse (825 bytes, patch)
2012-02-23 14:16 PST, Benoit Jacob [:bjacob] (mostly away)
jst: review+
lukasblakk+bugs: approval‑mozilla‑aurora+
lukasblakk+bugs: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑esr10+

Description Christian Holler (:decoder) 2011-11-02 07:04:06 PDT
Created attachment 571323 [details]
Test case for browser

This bug was filed from the Socorro interface and is report bp-611f2a52-3fc5-4d96-8f62-67a322111102.
=============================================================

The attached WebGL testcase asserts in Firefox Nightly Debug (tested with mesa llvmpipe software rendering):

firefox: /builds/slave/m-cen-lnx64-dbg/build/gfx/angle/src/compiler/Types.h:209: const TString& TType::getTypeName() const: Assertion `typeName' failed.

Running in a release build, the test crashes at TType::TType (see crash report).

The test might require MOZ_GL_DEBUG=1.

This is another parser crash but not a null-deref according to the crash report. Marking this s-s until triaged and rated. Let me know if I shall report this to ANGLE or if you do so.
Comment 1 Benoit Jacob [:bjacob] (mostly away) 2011-11-02 13:37:41 PDT
oh, this one is very different from the others (bug 698963, bug 620222, bug 699015) and might be more serious. Not a null deref.
Comment 2 Benoit Jacob [:bjacob] (mostly away) 2011-11-02 13:42:33 PDT
No need for MOZ_GL_DEBUG to reproduce this.
Comment 3 Benoit Jacob [:bjacob] (mostly away) 2011-11-02 13:48:50 PDT
ANGLE security bug: http://code.google.com/p/angleproject/issues/detail?id=241
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2011-11-17 13:36:50 PST
Benoit, any idea what the timeline for getting a fix here, either cherry picked from Angle or through a new drop?
Comment 5 Benoit Jacob [:bjacob] (mostly away) 2011-11-21 11:32:29 PST
I just upgraded ANGLE to r885 which includes deep changes in the ANGLE compiler.

I can't reproduce the crash anymore in today's Nightly on Linux x86_64. Can you still reproduce?
Comment 6 Christian Holler (:decoder) 2011-11-21 13:16:55 PST
I can still reproduce the crash using nightly on Linux x86_64 (build 2011-11-21): https://crash-stats.mozilla.com/report/index/bp-0548938d-5942-40fc-a1b6-572cf2111121
Comment 7 Johnny Stenback (:jst, jst@mozilla.com) 2011-12-08 13:49:13 PST
Benoit, looks like this still happens after the angle update. Can you investigate further? Thanks!
Comment 8 Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]] 2012-01-05 13:31:57 PST
Christian, can you check that this is still valid? I believe a new version of angle has landed again since the last time this bug was touched.
Comment 9 Christian Holler (:decoder) 2012-01-10 05:55:31 PST
Still crashes on a recent nightly: bp-a0a9f4e4-63d7-4136-ae5e-5f4a42120110
Comment 10 Johnny Stenback (:jst, jst@mozilla.com) 2012-02-23 13:51:05 PST
Benoit, this was filed 4 months ago, we need to move forward here, either by fixing this problem, or something else if we can't fix this.
Comment 11 Benoit Jacob [:bjacob] (mostly away) 2012-02-23 13:56:09 PST
I just pinged the bug @ANGLE. It's not clear whether it's been looked into.
Comment 12 Benoit Jacob [:bjacob] (mostly away) 2012-02-23 13:57:11 PST
If we want to fix this bug ourselves, we need a developer who knows how to debug a compiler that uses bison-generated code.
Comment 13 Benoit Jacob [:bjacob] (mostly away) 2012-02-23 14:04:39 PST
The crash I'm still able to reproduce is a null pointer deref:
https://crash-stats.mozilla.com/report/index/fe00b5ce-d353-441b-9176-ef0102120223

I can no longer reproduce the non-null pointer deref from the original crash report.
Comment 14 Benoit Jacob [:bjacob] (mostly away) 2012-02-23 14:13:20 PST
In a debug build it's pretty clear what's happening:

#2  0x00007ffff7343d4d in __GI___assert_fail (
    assertion=0x7ffff5e697b4 "typeName", file=<optimized out>, line=211, 
    function=<optimized out>) at assert.c:81
#3  0x00007ffff54b693c in TType::getTypeName (this=0x7fffd0c00000)
    at /home/bjacob/mozilla-central/gfx/angle/src/compiler/Types.h:211

    const TString& getTypeName() const
    {
        assert(typeName);  // <-- line Types.h:211
        return *typeName;
    }

We could turn this into a clear non-security bug by making this assert stay in release builds.

Also, the shader source triggering this is:

"\ninvariant Vertex  , Tex    , notEqual    , tan        ;\n"
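The mitigation comment 14 proposes, keeping the invariant check alive in release builds so that a violated invariant ends in a deterministic abort() rather than a dereference of a null typeName, can be illustrated with the following added example. It is not ANGLE's or Mozilla's code: TString, TypeLike, RELEASE_CHECK and the helper functions are hypothetical stand-ins for the real TString/TType, and the self-test assumes a POSIX system (fork/waitpid) so the aborting path can be exercised in a child process without taking down the caller.

```cpp
#include <cassert>
#include <csignal>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Hypothetical stand-ins for ANGLE's TString/TType (not the real classes).
// typeName is only set for named (struct) types, so it is legitimately null
// for other types and the getter must never be reached for those.
typedef std::string TString;

struct TypeLike {
    const TString* typeName;  // null for unnamed types
};

// A plain assert() vanishes once NDEBUG is defined, which is why the debug
// build reports the problem while a release build just reads through null.
static bool debugAssertsCompiledIn() {
#ifdef NDEBUG
    return false;
#else
    return true;
#endif
}

// Release-safe check: deliberately not tied to NDEBUG, so a violated
// invariant terminates the process with abort() in every build type.
#define RELEASE_CHECK(cond)                                                  \
    do {                                                                     \
        if (!(cond)) {                                                       \
            std::fprintf(stderr, "release check failed: %s (%s:%d)\n",       \
                         #cond, __FILE__, __LINE__);                         \
            std::abort();                                                    \
        }                                                                    \
    } while (0)

// Getter in the shape of TType::getTypeName(), with the check kept in all builds.
static const TString& getTypeNameChecked(const TypeLike& t) {
    RELEASE_CHECK(t.typeName);
    return *t.typeName;
}

// Convenience wrapper for the valid path: builds a named type and returns a copy
// of what the checked getter yields.
static std::string lookupNamedType(const char* name) {
    TString storage = name;
    TypeLike named = { &storage };
    return getTypeNameChecked(named);
}

// Runs the checked getter on a null typeName in a forked child and reports
// whether the child died by SIGABRT, i.e. whether the check fired instead of
// the null dereference going through.
static bool checkedGetterAbortsOnNull() {
    pid_t pid = fork();
    if (pid < 0) return false;
    if (pid == 0) {
        TypeLike unnamed = { nullptr };
        const TString& name = getTypeNameChecked(unnamed);  // aborts here
        std::_Exit(name.empty() ? 2 : 3);  // only reached if the check is missing
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return false;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT;
}

int main() {
    std::printf("named type: %s\n", lookupNamedType("Vertex").c_str());
    std::printf("assert() active in this build: %s\n",
                debugAssertsCompiledIn() ? "yes" : "no");
    std::printf("checked getter aborts on null typeName: %s\n",
                checkedGetterAbortsOnNull() ? "yes" : "no");
    return 0;
}
```

Compile once with and once without -DNDEBUG: the second line of output flips, while the third stays "yes", which is exactly the property the one-line patch in this bug relies on.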
Comment 15 Benoit Jacob [:bjacob] (mostly away) 2012-02-23 14:16:33 PST
Created attachment 600176 [details] [diff] [review]
castrate angle bug 241 to guarantee it's a plain crash, nothing worse
Comment 16 Benoit Jacob [:bjacob] (mostly away) 2012-02-23 14:51:07 PST
Landed on central, so this is no longer a serious security bug on central, but still a crash bug.

http://hg.mozilla.org/mozilla-central/rev/69255fe4cb94
Comment 17 Benoit Jacob [:bjacob] (mostly away) 2012-02-23 14:53:00 PST
Comment on attachment 600176 [details] [diff] [review]
castrate angle bug 241 to guarantee it's a plain crash, nothing worse

[Approval Request Comment]
Regression caused by (bug #): probably ever since we enabled WebGL
User impact if declined: potential heap corruption (this patch turns it into a plain 'innocuous' crash by abort())
Testing completed (on m-c, etc.): just landed on m-c
Risk to taking this patch (and alternatives if risky): No risk, trivial 1-line patch
String changes made by this patch: none
Comment 18 Lukas Blakk [:lsblakk] use ?needinfo 2012-02-27 15:43:43 PST
Comment on attachment 600176 [details] [diff] [review]
castrate angle bug 241 to guarantee it's a plain crash, nothing worse

[Triage comment]
Looks good, low risk. Please land this today (02/27/12) in time for tomorrow's go-to-build on beta5
Comment 19 Gary Kwong [:gkw] [:nth10sd] 2012-02-27 15:57:40 PST
Transplanted comment 16 to mozilla-aurora and mozilla-beta:

hg transplant -s ../mozilla-central/ 69255fe4cb94

http://hg.mozilla.org/releases/mozilla-aurora/rev/fa54977e954e
http://hg.mozilla.org/releases/mozilla-beta/rev/42612e9b5e2c
Comment 20 Daniel Veditz [:dveditz] 2012-02-27 16:01:56 PST
Cloning bug to deal with the non-exploitable crash as a follow-up
Comment 21 Gary Kwong [:gkw] [:nth10sd] 2012-02-27 16:07:59 PST
-> Fixed since mitigation landed on mozilla-central, mozilla-beta and mozilla-aurora.

esr10 is affected, waiting on tracking + flag for approval to land on esr10.
Comment 22 Lukas Blakk [:lsblakk] use ?needinfo 2012-02-29 14:57:33 PST
Comment on attachment 600176 [details] [diff] [review]
castrate angle bug 241 to guarantee it's a plain crash, nothing worse

[Triage Comment]
Approving taking this for esr10, please land asap as go-to-build is coming up on Friday March 1. See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for details on ESR landing process.
Comment 23 Benoit Jacob [:bjacob] (mostly away) 2012-03-01 14:53:29 PST
http://hg.mozilla.org/releases/mozilla-esr10/rev/9b4aa9c5f05d
Comment 24 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-05 10:09:08 PST
Verified fixed on Firefox 10.0.3esr
Comment 25 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-07 14:52:02 PST
Verified fixed in Firefox 11.0b6 (tried both build1 and debug build -- did not crash with the attached testcase).
Comment 26 Christian Holler (:decoder) 2012-03-23 16:36:26 PDT
Verified that the crash is now a null-pointer crash on Nightly.
Comment 27 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-04-04 15:42:59 PDT
Verified fixed on Firefox 12b4 and Aurora 13.0a2 2012-04-04
