Closed Bug 724640 Opened 8 years ago Closed 7 years ago

[fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu 10.04 (2.6.32) GNU/Linux

Categories

(Core :: Canvas: WebGL, defect, critical)

10 Branch
x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla14
Tracking Status
firefox12 --- wontfix
firefox-esr10 --- wontfix

People

(Reporter: shawnlandden, Assigned: bjacob)

References

(Blocks 1 open bug, )

Details

(Keywords: crash, reproducible, sec-vector, Whiteboard: [sg:vector-critical?], Keep Open until verified!)

Crash Data

Attachments

(2 files, 1 obsolete file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Build ID: 20120130150400

Steps to reproduce:

go to http://www.inka3d.com/llvm2011/#phong
move around in the slide for maybe 30 seconds or so
-------
Ubuntu GNU/Linux 10.04, with backports enabled, and non-free fglrx driver


Actual results:

BAM, crashes and you see mozilla crash reporter


Expected results:

beautiful WebGL graphics, maybe a crash that doesn't also crash the browser as is implemented for add-ons, if WebGL is something much harder to make DoS-free
Summary: Reproducable WebGL crash with fglrx and GNU/Linux → Reproducable WebGL crash with fglrx and x86_64 GNU/Linux
Summary: Reproducable WebGL crash with fglrx and x86_64 GNU/Linux → [fglrx] Reproducable WebGL crash with fglrx and x86_64 GNU/Linux
duplicate of #698040 ?
Blocks: 693168
Keywords: crash
Can you provide the crash ID from about:crashes?
Does it happen with Nightly you can download from http://nightly.mozilla.org/?
Severity: normal → critical
Component: Untriaged → Canvas: WebGL
Keywords: reproducible
Product: Firefox → Core
QA Contact: untriaged → canvas.webgl
(In reply to scientes from comment #1)
> duplicate of #698040 ?
Bug 698040 depends on the window size and the stack is different.

It seems to happen only on Ubuntu:
https://crash-stats.mozilla.com/report/list?signature=fglrx_dri.so%400x1941f4
Status: UNCONFIRMED → NEW
Crash Signature: [@ fglrx_dri.so@0x1941f4]
Ever confirmed: true
Summary: [fglrx] Reproducable WebGL crash with fglrx and x86_64 GNU/Linux → [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu GNU/Linux
I don't have a 11.10 or 12.04 Ubuntu, or even more recent GNU/Linux computer with AMD graphics so can't test with that, sorry. Request others test the url.
Summary: [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu GNU/Linux → [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu 10.04 (2.6.32) GNU/Linux
I'm afraid that this might be the tipping point where we have to blacklist FGLRX. A segfault at random address ( https://crash-stats.mozilla.com/report/index/bp-336a3a9e-6d21-43b9-8bc4-891a52120207 ) is potentially sg:critical.
Whiteboard: [sg:critical?]
That stack doesn't make much sense. jemalloc calling back into their driver?

Without debugging what their drivers are doing it's hard to know if this is exploitable or relatively benign data reading, but the messed-up stack doesn't bode well. bug 698040 showed different but similarly nonsensical stacks.

We should probably blocklist at this point.
Whiteboard: [sg:critical?] → [sg:vector-critical?]
What's the next step? Assigning to bjacob, please pass along if someone else manages the blocklist.
Assignee: nobody → bjacob
I guess we should take advantage of the fact that's specific to the 2.6.32 linux kernel version.

Is there a preferred way for us to query the host linux kernel version? Do we already do it?
I guess I'll just read the linux kernel version in the glxtest process, which runs in parallel with the rest of startup so shouldn't slow down things.
Attachment #610926 - Flags: review?(mh+mozilla)
Comment on attachment 610926 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver

Review of attachment 610926 [details] [diff] [review]:
-----------------------------------------------------------------

::: toolkit/xre/glxtest.cpp
@@ +273,5 @@
> +                      "OS\n%s\n"
> +                      "OSRELEASE\n%s\n",
> +                      unameobj.sysname,
> +                      unameobj.release);
> +    write(write_end_of_the_pipe, buf, length);

Wouldn't it be much simpler to get utsname from the parent process?
That is very true. I started with this design when I thought that getting uname info would be expensive i.e. would involve running the uname program. New patch coming.
I've tried to reproduce on differn't kernels with fglrx and been unsuccessful.
Can you be more specific? Can you go to about:crashes and give us the corresponding crash links? Or at least the uname -a of these machines.
By the way, the chemical symbol for the Glandium element is... Gl ?
Attachment #610926 - Attachment is obsolete: true
Attachment #611171 - Flags: review?(mh+mozilla)
Attachment #610926 - Flags: review?(mh+mozilla)
QA verification test:

MOZ_GFX_SPOOF_GL_VENDOR="ATI Technologies Inc." MOZ_GFX_SPOOF_GL_RENDERER="ATI Radeon 3000 Graphics" MOZ_GFX_SPOOF_GL_VERSION="3.2.9756 Compatibility Profile Context" MOZ_GFX_SPOOF_OS=linux MOZ_GFX_SPOOF_OS_RELEASE="2.6.32.1-generic" obj-firefox-debug/dist/bin/firefox -P test -no-remote
Comment on attachment 611171 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver

Review of attachment 611171 [details] [diff] [review]:
-----------------------------------------------------------------

::: widget/xpwidgets/GfxInfoX11.cpp
@@ +157,5 @@
>                  stringToFill = &textureFromPixmap;
> +            else if(!strcmp(line, "OS"))
> +                stringToFill = &mOS;
> +            else if(!strcmp(line, "OSRelease"))
> +                stringToFill = &mOSRelease;

I guess this is leftover from the previous patch. r+ with that removed.
Attachment #611171 - Flags: review?(mh+mozilla) → review+
Carrying forward r+.

Thanks for the catch; there was another mistake, but that was hard to miss as it caused everything to be blacklisted: the if(uname(...)) had to be if (!uname(...)) as zero means success.
Attachment #611427 - Flags: review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/5a12884290a8

Let's keep this open until we've verified it no longer crashes for the original reporter here. We also expect a large decrease of crashes with linux 2.6.32 kernel and FGLRX driver on crash-stats.
Status: NEW → ASSIGNED
Whiteboard: [sg:vector-critical?] → [sg:vector-critical?], Keep Open until verified!
Target Milestone: --- → mozilla14
(In reply to scientes from comment #14)
> I've tried to reproduce on differn't kernels with fglrx and been
> unsuccessful.

Ah! I just reread your comment and had misread it the first time:

(In reply to Benoit Jacob [:bjacob] from comment #15)
> Can you be more specific? Can you go to about:crashes and give us the
> corresponding crash links? Or at least the uname -a of these machines.

Nevermind my comment 15 then. Your comment 14 is all good news, it confirms that we should be safe with the patch that just landed.

Expect it in Wednesday's Nightly build.
Target Milestone: --- → mozilla14
Does the crash still occur? crash-stats should show a drop in # of crashes with FGLRX  + 2.6.32 kernel on Nightly.
I watch whole presentation without any issues.

Kubuntu 12.04 x86_64, Linux 3.2, latest fglrx, latest nightly build.
AMD Radeon HD 6620G.
that is a very differn't system. I do not have a 10.04 system (and might just be that specific hardware) anymore so have been unable to confirm that this is fixed.
What version of fglrx do you use, when you register this bugreport? Catalyst 12.x or older?
wheres 12?

http://packages.ubuntu.com/lucid/fglrx
Catalyst 12 is fglrx 8.931 and newer.

fglrx 8.723.1 is Catalyst 10.4.

Your issue probably fixed long time ago, but you just use not fresh enough driver in your Lucid setup.
Keywords: sec-vector
Keywords: sec-other
Closing this bug based on comment 20. The fix landed long ago. Reopen if needed.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.