Last Comment Bug 724640 - [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu 10.04 (2.6.32) GNU/Linux
: [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with ...
Status: RESOLVED FIXED
[sg:vector-critical?], Keep Open unti...
: crash, reproducible, sec-vector
Product: Core
Classification: Components
Component: Canvas: WebGL (show other bugs)
: 10 Branch
: x86_64 Linux
: -- critical with 1 vote (vote)
: mozilla14
Assigned To: Benoit Jacob [:bjacob] (mostly away)
:
Mentors:
http://www.inka3d.com/llvm2011/#phong
Depends on:
Blocks: 693168
  Show dependency treegraph
 
Reported: 2012-02-06 12:32 PST by scientes
Modified: 2013-01-16 08:33 PST (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
affected
affected


Attachments
block 2.6.32 linux kernel with fglrx driver (5.80 KB, patch)
2012-03-30 10:11 PDT, Benoit Jacob [:bjacob] (mostly away)
no flags Details | Diff | Review
block 2.6.32 linux kernel with fglrx driver (4.83 KB, patch)
2012-03-31 09:22 PDT, Benoit Jacob [:bjacob] (mostly away)
mh+mozilla: review+
Details | Diff | Review
block 2.6.32 linux kernel with fglrx driver (patch for landing) (4.39 KB, patch)
2012-04-02 05:59 PDT, Benoit Jacob [:bjacob] (mostly away)
jacob.benoit.1: review+
Details | Diff | Review

Description scientes 2012-02-06 12:32:09 PST
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Build ID: 20120130150400

Steps to reproduce:

go to http://www.inka3d.com/llvm2011/#phong
move around in the slide for maybe 30 seconds or so
-------
Ubuntu GNU/Linux 10.04, with backports enabled, and non-free fglrx driver


Actual results:

BAM, crashes and you see mozilla crash reporter


Expected results:

beautiful WebGL graphics, maybe a crash that doesn't also crash the browser as is implemented for add-ons, if WebGL is something much harder to make DoS-free
Comment 1 scientes 2012-02-06 12:36:03 PST
duplicate of #698040 ?
Comment 2 Scoobidiver (away) 2012-02-07 00:59:33 PST
Can you provide the crash ID from about:crashes?
Does it happen with Nightly you can download from http://nightly.mozilla.org/?
Comment 4 Scoobidiver (away) 2012-02-07 10:08:55 PST
(In reply to scientes from comment #1)
> duplicate of #698040 ?
Bug 698040 depends on the window size and the stack is different.

It seems to happen only on Ubuntu:
https://crash-stats.mozilla.com/report/list?signature=fglrx_dri.so%400x1941f4
Comment 5 scientes 2012-02-07 12:42:25 PST
I don't have a 11.10 or 12.04 Ubuntu, or even more recent GNU/Linux computer with AMD graphics so can't test with that, sorry. Request others test the url.
Comment 6 Benoit Jacob [:bjacob] (mostly away) 2012-03-24 15:32:33 PDT
I'm afraid that this might be the tipping point where we have to blacklist FGLRX. A segfault at random address ( https://crash-stats.mozilla.com/report/index/bp-336a3a9e-6d21-43b9-8bc4-891a52120207 ) is potentially sg:critical.
Comment 7 Daniel Veditz [:dveditz] 2012-03-29 13:13:58 PDT
That stack doesn't make much sense. jemalloc calling back into their driver?

Without debugging what their drivers are doing it's hard to know if this is exploitable or relatively benign data reading, but the messed-up stack doesn't bode well. bug 698040 showed different but similarly nonsensical stacks.

We should probably blocklist at this point.
Comment 8 Daniel Veditz [:dveditz] 2012-03-29 13:17:36 PDT
What's the next step? Assigning to bjacob, please pass along if someone else manages the blocklist.
Comment 9 Benoit Jacob [:bjacob] (mostly away) 2012-03-29 14:54:45 PDT
I guess we should take advantage of the fact that's specific to the 2.6.32 linux kernel version.

Is there a preferred way for us to query the host linux kernel version? Do we already do it?
Comment 10 Benoit Jacob [:bjacob] (mostly away) 2012-03-29 18:55:20 PDT
I guess I'll just read the linux kernel version in the glxtest process, which runs in parallel with the rest of startup so shouldn't slow down things.
Comment 11 Benoit Jacob [:bjacob] (mostly away) 2012-03-30 10:11:22 PDT
Created attachment 610926 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver
Comment 12 Mike Hommey [:glandium] 2012-03-30 10:17:25 PDT
Comment on attachment 610926 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver

Review of attachment 610926 [details] [diff] [review]:
-----------------------------------------------------------------

::: toolkit/xre/glxtest.cpp
@@ +273,5 @@
> +                      "OS\n%s\n"
> +                      "OSRELEASE\n%s\n",
> +                      unameobj.sysname,
> +                      unameobj.release);
> +    write(write_end_of_the_pipe, buf, length);

Wouldn't it be much simpler to get utsname from the parent process?
Comment 13 Benoit Jacob [:bjacob] (mostly away) 2012-03-30 10:22:03 PDT
That is very true. I started with this design when I thought that getting uname info would be expensive i.e. would involve running the uname program. New patch coming.
Comment 14 scientes 2012-03-30 14:29:11 PDT
I've tried to reproduce on differn't kernels with fglrx and been unsuccessful.
Comment 15 Benoit Jacob [:bjacob] (mostly away) 2012-03-30 14:30:35 PDT
Can you be more specific? Can you go to about:crashes and give us the corresponding crash links? Or at least the uname -a of these machines.
Comment 16 Benoit Jacob [:bjacob] (mostly away) 2012-03-31 09:22:21 PDT
Created attachment 611171 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver

By the way, the chemical symbol for the Glandium element is... Gl ?
Comment 17 Benoit Jacob [:bjacob] (mostly away) 2012-03-31 09:28:45 PDT
QA verification test:

MOZ_GFX_SPOOF_GL_VENDOR="ATI Technologies Inc." MOZ_GFX_SPOOF_GL_RENDERER="ATI Radeon 3000 Graphics" MOZ_GFX_SPOOF_GL_VERSION="3.2.9756 Compatibility Profile Context" MOZ_GFX_SPOOF_OS=linux MOZ_GFX_SPOOF_OS_RELEASE="2.6.32.1-generic" obj-firefox-debug/dist/bin/firefox -P test -no-remote
Comment 18 Mike Hommey [:glandium] 2012-04-02 05:37:27 PDT
Comment on attachment 611171 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver

Review of attachment 611171 [details] [diff] [review]:
-----------------------------------------------------------------

::: widget/xpwidgets/GfxInfoX11.cpp
@@ +157,5 @@
>                  stringToFill = &textureFromPixmap;
> +            else if(!strcmp(line, "OS"))
> +                stringToFill = &mOS;
> +            else if(!strcmp(line, "OSRelease"))
> +                stringToFill = &mOSRelease;

I guess this is leftover from the previous patch. r+ with that removed.
Comment 19 Benoit Jacob [:bjacob] (mostly away) 2012-04-02 05:59:14 PDT
Created attachment 611427 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver (patch for landing)

Carrying forward r+.

Thanks for the catch; there was another mistake, but that was hard to miss as it caused everything to be blacklisted: the if(uname(...)) had to be if (!uname(...)) as zero means success.
Comment 20 Benoit Jacob [:bjacob] (mostly away) 2012-04-02 06:03:42 PDT
http://hg.mozilla.org/integration/mozilla-inbound/rev/5a12884290a8

Let's keep this open until we've verified it no longer crashes for the original reporter here. We also expect a large decrease of crashes with linux 2.6.32 kernel and FGLRX driver on crash-stats.
Comment 21 Benoit Jacob [:bjacob] (mostly away) 2012-04-02 06:05:25 PDT
(In reply to scientes from comment #14)
> I've tried to reproduce on differn't kernels with fglrx and been
> unsuccessful.

Ah! I just reread your comment and had misread it the first time:

(In reply to Benoit Jacob [:bjacob] from comment #15)
> Can you be more specific? Can you go to about:crashes and give us the
> corresponding crash links? Or at least the uname -a of these machines.

Nevermind my comment 15 then. Your comment 14 is all good news, it confirms that we should be safe with the patch that just landed.

Expect it in Wednesday's Nightly build.
Comment 22 Marco Bonardo [::mak] 2012-04-03 01:55:45 PDT
https://hg.mozilla.org/mozilla-central/rev/5a12884290a8
Comment 23 Benoit Jacob [:bjacob] (mostly away) 2012-04-09 11:54:00 PDT
Does the crash still occur? crash-stats should show a drop in # of crashes with FGLRX  + 2.6.32 kernel on Nightly.
Comment 24 russianneuromancer 2012-05-22 11:30:59 PDT
I watch whole presentation without any issues.

Kubuntu 12.04 x86_64, Linux 3.2, latest fglrx, latest nightly build.
AMD Radeon HD 6620G.
Comment 25 scientes 2012-05-22 11:47:03 PDT
that is a very differn't system. I do not have a 10.04 system (and might just be that specific hardware) anymore so have been unable to confirm that this is fixed.
Comment 26 russianneuromancer 2012-05-22 11:56:47 PDT
What version of fglrx do you use, when you register this bugreport? Catalyst 12.x or older?
Comment 27 scientes 2012-05-22 11:59:41 PDT
wheres 12?

http://packages.ubuntu.com/lucid/fglrx
Comment 28 russianneuromancer 2012-05-22 12:50:41 PDT
Catalyst 12 is fglrx 8.931 and newer.

fglrx 8.723.1 is Catalyst 10.4.

Your issue probably fixed long time ago, but you just use not fresh enough driver in your Lucid setup.
Comment 29 Benoit Jacob [:bjacob] (mostly away) 2013-01-16 08:33:08 PST
Closing this bug based on comment 20. The fix landed long ago. Reopen if needed.

Note You need to log in before you can comment on or make changes to this bug.