The default bug view has changed. See this FAQ.

[fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu 10.04 (2.6.32) GNU/Linux

RESOLVED FIXED in mozilla14

Status

()

Core
Canvas: WebGL
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: scientes, Assigned: bjacob)

Tracking

(Blocks: 1 bug, {crash, reproducible, sec-vector})

10 Branch
mozilla14
x86_64
Linux
crash, reproducible, sec-vector
Points:
---

Firefox Tracking Flags

(firefox12 affected, firefox-esr10 affected)

Details

(Whiteboard: [sg:vector-critical?], Keep Open until verified!, crash signature, URL)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Build ID: 20120130150400

Steps to reproduce:

go to http://www.inka3d.com/llvm2011/#phong
move around in the slide for maybe 30 seconds or so
-------
Ubuntu GNU/Linux 10.04, with backports enabled, and non-free fglrx driver


Actual results:

BAM, crashes and you see mozilla crash reporter


Expected results:

beautiful WebGL graphics, maybe a crash that doesn't also crash the browser as is implemented for add-ons, if WebGL is something much harder to make DoS-free
(Reporter)

Updated

5 years ago
Summary: Reproducable WebGL crash with fglrx and GNU/Linux → Reproducable WebGL crash with fglrx and x86_64 GNU/Linux
(Reporter)

Updated

5 years ago
Summary: Reproducable WebGL crash with fglrx and x86_64 GNU/Linux → [fglrx] Reproducable WebGL crash with fglrx and x86_64 GNU/Linux
(Reporter)

Comment 1

5 years ago
duplicate of #698040 ?
Blocks: 693168
Keywords: crash

Comment 2

5 years ago
Can you provide the crash ID from about:crashes?
Does it happen with Nightly you can download from http://nightly.mozilla.org/?
Severity: normal → critical
Component: Untriaged → Canvas: WebGL
Keywords: reproducible
Product: Firefox → Core
QA Contact: untriaged → canvas.webgl
(Reporter)

Comment 3

5 years ago
https://crash-stats.mozilla.com/report/index/bp-336a3a9e-6d21-43b9-8bc4-891a52120207
that is from nightly

Comment 4

5 years ago
(In reply to scientes from comment #1)
> duplicate of #698040 ?
Bug 698040 depends on the window size and the stack is different.

It seems to happen only on Ubuntu:
https://crash-stats.mozilla.com/report/list?signature=fglrx_dri.so%400x1941f4
Status: UNCONFIRMED → NEW
Crash Signature: [@ fglrx_dri.so@0x1941f4]
Ever confirmed: true
Summary: [fglrx] Reproducable WebGL crash with fglrx and x86_64 GNU/Linux → [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu GNU/Linux
(Reporter)

Comment 5

5 years ago
I don't have a 11.10 or 12.04 Ubuntu, or even more recent GNU/Linux computer with AMD graphics so can't test with that, sorry. Request others test the url.
(Reporter)

Updated

5 years ago
Summary: [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu GNU/Linux → [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu 10.04 (2.6.32) GNU/Linux
(Assignee)

Comment 6

5 years ago
I'm afraid that this might be the tipping point where we have to blacklist FGLRX. A segfault at random address ( https://crash-stats.mozilla.com/report/index/bp-336a3a9e-6d21-43b9-8bc4-891a52120207 ) is potentially sg:critical.
(Assignee)

Updated

5 years ago
Whiteboard: [sg:critical?]
That stack doesn't make much sense. jemalloc calling back into their driver?

Without debugging what their drivers are doing it's hard to know if this is exploitable or relatively benign data reading, but the messed-up stack doesn't bode well. bug 698040 showed different but similarly nonsensical stacks.

We should probably blocklist at this point.
Whiteboard: [sg:critical?] → [sg:vector-critical?]
status-firefox-esr10: --- → affected
status-firefox12: --- → affected
What's the next step? Assigning to bjacob, please pass along if someone else manages the blocklist.
Assignee: nobody → bjacob
(Assignee)

Comment 9

5 years ago
I guess we should take advantage of the fact that's specific to the 2.6.32 linux kernel version.

Is there a preferred way for us to query the host linux kernel version? Do we already do it?
I guess I'll just read the linux kernel version in the glxtest process, which runs in parallel with the rest of startup so shouldn't slow down things.
Created attachment 610926 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver
Attachment #610926 - Flags: review?(mh+mozilla)
Comment on attachment 610926 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver

Review of attachment 610926 [details] [diff] [review]:
-----------------------------------------------------------------

::: toolkit/xre/glxtest.cpp
@@ +273,5 @@
> +                      "OS\n%s\n"
> +                      "OSRELEASE\n%s\n",
> +                      unameobj.sysname,
> +                      unameobj.release);
> +    write(write_end_of_the_pipe, buf, length);

Wouldn't it be much simpler to get utsname from the parent process?
That is very true. I started with this design when I thought that getting uname info would be expensive i.e. would involve running the uname program. New patch coming.
(Reporter)

Comment 14

5 years ago
I've tried to reproduce on differn't kernels with fglrx and been unsuccessful.
Can you be more specific? Can you go to about:crashes and give us the corresponding crash links? Or at least the uname -a of these machines.
Created attachment 611171 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver

By the way, the chemical symbol for the Glandium element is... Gl ?
Attachment #610926 - Attachment is obsolete: true
Attachment #611171 - Flags: review?(mh+mozilla)
Attachment #610926 - Flags: review?(mh+mozilla)
QA verification test:

MOZ_GFX_SPOOF_GL_VENDOR="ATI Technologies Inc." MOZ_GFX_SPOOF_GL_RENDERER="ATI Radeon 3000 Graphics" MOZ_GFX_SPOOF_GL_VERSION="3.2.9756 Compatibility Profile Context" MOZ_GFX_SPOOF_OS=linux MOZ_GFX_SPOOF_OS_RELEASE="2.6.32.1-generic" obj-firefox-debug/dist/bin/firefox -P test -no-remote
Comment on attachment 611171 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver

Review of attachment 611171 [details] [diff] [review]:
-----------------------------------------------------------------

::: widget/xpwidgets/GfxInfoX11.cpp
@@ +157,5 @@
>                  stringToFill = &textureFromPixmap;
> +            else if(!strcmp(line, "OS"))
> +                stringToFill = &mOS;
> +            else if(!strcmp(line, "OSRelease"))
> +                stringToFill = &mOSRelease;

I guess this is leftover from the previous patch. r+ with that removed.
Attachment #611171 - Flags: review?(mh+mozilla) → review+
Created attachment 611427 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver (patch for landing)

Carrying forward r+.

Thanks for the catch; there was another mistake, but that was hard to miss as it caused everything to be blacklisted: the if(uname(...)) had to be if (!uname(...)) as zero means success.
Attachment #611427 - Flags: review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/5a12884290a8

Let's keep this open until we've verified it no longer crashes for the original reporter here. We also expect a large decrease of crashes with linux 2.6.32 kernel and FGLRX driver on crash-stats.
Status: NEW → ASSIGNED
Whiteboard: [sg:vector-critical?] → [sg:vector-critical?], Keep Open until verified!
Target Milestone: --- → mozilla14
(In reply to scientes from comment #14)
> I've tried to reproduce on differn't kernels with fglrx and been
> unsuccessful.

Ah! I just reread your comment and had misread it the first time:

(In reply to Benoit Jacob [:bjacob] from comment #15)
> Can you be more specific? Can you go to about:crashes and give us the
> corresponding crash links? Or at least the uname -a of these machines.

Nevermind my comment 15 then. Your comment 14 is all good news, it confirms that we should be safe with the patch that just landed.

Expect it in Wednesday's Nightly build.
https://hg.mozilla.org/mozilla-central/rev/5a12884290a8
Target Milestone: mozilla14 → ---

Updated

5 years ago
Target Milestone: --- → mozilla14
Does the crash still occur? crash-stats should show a drop in # of crashes with FGLRX  + 2.6.32 kernel on Nightly.
Keywords: sec-other

Comment 24

5 years ago
I watch whole presentation without any issues.

Kubuntu 12.04 x86_64, Linux 3.2, latest fglrx, latest nightly build.
AMD Radeon HD 6620G.
(Reporter)

Comment 25

5 years ago
that is a very differn't system. I do not have a 10.04 system (and might just be that specific hardware) anymore so have been unable to confirm that this is fixed.

Comment 26

5 years ago
What version of fglrx do you use, when you register this bugreport? Catalyst 12.x or older?
(Reporter)

Comment 27

5 years ago
wheres 12?

http://packages.ubuntu.com/lucid/fglrx

Comment 28

5 years ago
Catalyst 12 is fglrx 8.931 and newer.

fglrx 8.723.1 is Catalyst 10.4.

Your issue probably fixed long time ago, but you just use not fresh enough driver in your Lucid setup.
Keywords: sec-vector
Keywords: sec-other
Closing this bug based on comment 20. The fix landed long ago. Reopen if needed.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.