Bug 699033 (Closed): [ANGLE] Assertion `typeName' failed // Parser Crash [@ TType::TType]
Opened 12 years ago; closed 11 years ago
Categories: Core :: Graphics: CanvasWebGL, defect
People: Reporter: decoder, Assigned: bjacob
Keywords: crash, testcase; Whiteboard: [sg:critical][qa!]
Attachments (2 files):
- WebGL testcase, text/html, 3.52 KB
- Attachment 600176, patch, 825 bytes: jst: review+; lsblakk: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-esr10+
This bug was filed from the Socorro interface and is report bp-611f2a52-3fc5-4d96-8f62-67a322111102.

The attached WebGL testcase asserts in Firefox Nightly Debug (tested with mesa llvmpipe software rendering):

firefox: /builds/slave/m-cen-lnx64-dbg/build/gfx/angle/src/compiler/Types.h:209: const TString& TType::getTypeName() const: Assertion `typeName' failed.

Running in a release build, the test crashes at TType::TType (see crash report). The test might require MOZ_GL_DEBUG=1.

This is another parser crash but not a null-deref according to the crash report. Marking this s-s until triaged and rated. Let me know if I shall report this to ANGLE or if you do so.
Comment 1 • 12 years ago (Assignee)
oh, this one is very different from the others (bug 698963, bug 620222, bug 699015) and might be more serious. Not a null deref.
Comment 2 • 12 years ago (Assignee)
No need for MOZ_GL_DEBUG to reproduce this.
Comment 3 • 12 years ago (Assignee)
ANGLE security bug: http://code.google.com/p/angleproject/issues/detail?id=241
Updated • 12 years ago
Whiteboard: [sg:critical]
Updated • 12 years ago

status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → wontfix
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → +
Comment 4 • 12 years ago
Benoit, any idea what the timeline for getting a fix here, either cherry picked from Angle or through a new drop?
Assignee: nobody → bjacob
Comment 5 • 12 years ago (Assignee)
I just upgraded ANGLE to r885 which includes deep changes in the ANGLE compiler. I can't reproduce the crash anymore in today's Nightly on Linux x86_64. Can you still reproduce?
Comment 6 • 12 years ago (Reporter)
I can still reproduce the crash using nightly on Linux x86_64 (build 2011-11-21): https://crash-stats.mozilla.com/report/index/bp-0548938d-5942-40fc-a1b6-572cf2111121
Comment 7 • 11 years ago
Benoit, looks like this still happens after the angle update. Can you investigate further? Thanks!
tracking-firefox9: + → ---
Updated • 11 years ago

tracking-firefox9: --- → -

Comment 8 • 11 years ago

Christian, can you check that this is still valid? I believe a new version of angle has landed again since the last time this bug was touched.
Comment 9 • 11 years ago (Reporter)
Still crashes on a recent nightly: bp-a0a9f4e4-63d7-4136-ae5e-5f4a42120110
Updated • 11 years ago

status-firefox12: --- → affected
tracking-firefox12: --- → +
Updated • 11 years ago

Comment 10 • 11 years ago
Benoit, this was filed 4 months ago, we need to move forward here, either by fixing this problem, or something else if we can't fix this.
Comment 11 • 11 years ago (Assignee)
I just pinged the bug @ANGLE. It's not clear whether it's been looked into.
Comment 12 • 11 years ago (Assignee)
If we want to fix this bug ourselves, we need a developer who knows how to debug a compiler that uses bison-generated code.
Comment 13 • 11 years ago (Assignee)

The crash I'm still able to reproduce is a null pointer deref:
https://crash-stats.mozilla.com/report/index/fe00b5ce-d353-441b-9176-ef0102120223

I can no longer reproduce the non-null pointer deref from the original crash report.
Comment 14 • 11 years ago (Assignee)

In a debug build it's pretty clear what's happening:

#2 0x00007ffff7343d4d in __GI___assert_fail (assertion=0x7ffff5e697b4 "typeName", file=<optimized out>, line=211, function=<optimized out>) at assert.c:81
#3 0x00007ffff54b693c in TType::getTypeName (this=0x7fffd0c00000) at /home/bjacob/mozilla-central/gfx/angle/src/compiler/Types.h:211

    const TString& getTypeName() const {
        assert(typeName); // <-- line Types.h:211
        return *typeName;
    }

We could turn this into a clear non-security bug by making this assert stay in release builds.

Also, the shader source triggering this is:

"\ninvariant Vertex , Tex , notEqual , tan ;\n"
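The pattern in comment 14, as an added example that is not ANGLE's code and not the one-line patch attached to this bug: a stripped-down TType-like class with the assert-only accessor next to one whose check survives release builds, so a violated invariant ends in abort() rather than a read through a null or stale pointer. TTypeLike, RELEASE_ASSERT, hasTypeName, describe and the "Vertex" sample name are this example's own assumptions; in particular, the claim that typeName is only set for struct types is an assumption, not something the bug states.

```cpp
#include <cassert>
#include <cstdio>
#include <cstdlib>
#include <string>

// Release-mode assertion: unlike assert(), it is not compiled out under
// NDEBUG, so a violated invariant ends in a deterministic abort() instead of
// an uncontrolled pointer dereference. The macro name is this example's own,
// not ANGLE's or Mozilla's.
#define RELEASE_ASSERT(cond)                                                 \
    do {                                                                     \
        if (!(cond)) {                                                       \
            std::fprintf(stderr, "release assertion failed: %s (%s:%d)\n",   \
                         #cond, __FILE__, __LINE__);                         \
            std::abort();                                                    \
        }                                                                    \
    } while (0)

// Stand-in for the part of ANGLE's TType quoted in comment 14. Assumption for
// this example: typeName is only set for struct types, and a parser path can
// reach getTypeName() on an object whose typeName was never set.
struct TTypeLike {
    const std::string* typeName = nullptr;

    // The original pattern. In a debug build the assert fires; in a release
    // build (NDEBUG) it vanishes and `*typeName` reads through whatever
    // pointer the object holds, null or otherwise.
    const std::string& getTypeNameUnchecked() const {
        assert(typeName);
        return *typeName;
    }

    // The mitigated pattern: the check stays in release builds, so the worst
    // outcome is a plain abort() rather than a read through a bad pointer.
    const std::string& getTypeNameChecked() const {
        RELEASE_ASSERT(typeName);
        return *typeName;
    }
};

// Safe query for callers that may legitimately see a nameless type.
bool hasTypeName(const TTypeLike& t) { return t.typeName != nullptr; }

// Example consumer: names a type without ever dereferencing a null typeName.
std::string describe(const TTypeLike& t) {
    return hasTypeName(t) ? t.getTypeNameChecked()
                          : std::string("<no type name>");
}

// Demonstration driver: one type with a (constructed) struct name, and one in
// the state the crashing declaration leaves behind.
int main() {
    const std::string structName = "Vertex";  // constructed sample name
    TTypeLike named;
    named.typeName = &structName;
    TTypeLike unnamed;

    std::printf("named:   %s\n", describe(named).c_str());
    std::printf("unnamed: %s\n", describe(unnamed).c_str());

    // Uncommenting the next line reproduces the failure mode: under NDEBUG the
    // assert is gone and this dereferences a null pointer, whereas
    // getTypeNameChecked() on the same object aborts.
    // (void)unnamed.getTypeNameUnchecked();
    return 0;
}
```

Build once with and once without -DNDEBUG to see the difference: the assert()-only accessor is a crash in debug and undefined behaviour in release, while the RELEASE_ASSERT version fails the same way in both.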
Comment 15 • 11 years ago (Assignee)

Attachment #600176 - Flags: review?(jst)
Updated • 11 years ago

Attachment #600176 - Flags: review?(jst) → review+
Comment 16 • 11 years ago (Assignee)

Landed on central, so this is no longer a serious security bug on central, but still a crash bug.
http://hg.mozilla.org/mozilla-central/rev/69255fe4cb94
Comment 17 • 11 years ago (Assignee)

Comment on attachment 600176 [details] [diff] [review]
castrate angle bug 241 to guarantee it's a plain crash, nothing worse

[Approval Request Comment]
Regression caused by (bug #): probably ever since we enabled WebGL
User impact if declined: potential heap corruption (this patch turns it into a plain 'innocuous' crash by abort())
Testing completed (on m-c, etc.): just landed on m-c
Risk to taking this patch (and alternatives if risky): No risk, trivial 1-line patch
String changes made by this patch: none

Attachment #600176 - Flags: approval-mozilla-beta?
Attachment #600176 - Flags: approval-mozilla-aurora?
Comment 18 • 11 years ago

Comment on attachment 600176 [details] [diff] [review]
castrate angle bug 241 to guarantee it's a plain crash, nothing worse

[Triage comment]
Looks good, low risk. Please land this today (02/27/12) in time for tomorrow's go-to-build on beta5

Attachment #600176 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #600176 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated • 11 years ago

Comment 19 • 11 years ago

Transplanted comment 16 to mozilla-aurora and mozilla-beta:

hg transplant -s ../mozilla-central/ 69255fe4cb94

http://hg.mozilla.org/releases/mozilla-aurora/rev/fa54977e954e
http://hg.mozilla.org/releases/mozilla-beta/rev/42612e9b5e2c
Comment 20 • 11 years ago
Cloning bug to deal with the non-exploitable crash as a follow-up
Comment 21 • 11 years ago
-> Fixed since mitigation landed on mozilla-central, mozilla-beta and mozilla-aurora. esr10 is affected, waiting on tracking + flag for approval to land on esr10.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated • 11 years ago

tracking-firefox-esr10: --- → 11+
tracking-firefox11: - → ---
Comment 22 • 11 years ago

Comment on attachment 600176 [details] [diff] [review]
castrate angle bug 241 to guarantee it's a plain crash, nothing worse

[Triage Comment]
Approving taking this for esr10, please land asap as go-to-build is coming up on Friday March 1. See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for details on ESR landing process.

Attachment #600176 - Flags: approval-mozilla-esr10+
Comment 23 • 11 years ago (Assignee)
http://hg.mozilla.org/releases/mozilla-esr10/rev/9b4aa9c5f05d
Updated • 11 years ago (Assignee)

Comment 24 • 11 years ago
Verified fixed on Firefox 10.0.3esr
Comment 25 • 11 years ago
Verified fixed in Firefox 11.0b6 (tried both build1 and debug build -- did not crash with the attached testcase).
Comment 26 • 11 years ago (Reporter)
Verified that the crash is now a null-pointer crash on Nightly.
Status: RESOLVED → VERIFIED
Comment 27 • 11 years ago
Verified fixed on Firefox 12b4 and Aurora 13.0a2 2012-04-04
Whiteboard: [sg:critical][qa+] → [sg:critical][qa!]
Updated • 11 years ago
Group: core-security