Closed
Bug 731046
Opened 13 years ago
Closed 9 years ago
[ANGLE] Assertion `typeName' failed // Parser Crash [@ TType::TType]
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
RESOLVED INCOMPLETE
Flag | Tracking | Status
---|---|---
status1.9.2 | --- | unaffected
People
(Reporter: dveditz, Assigned: bjacob)
Details
(Keywords: crash, testcase, Whiteboard: [sg:dos] webgl-angle)
+++ This bug was initially created as a clone of Bug #699033 +++
A potentially exploitable condition triggered by Attachment 571323 [details] was mitigated in bug 699033. A non-exploitable crash remains after that band-aid which will be tracked in this bug.
Comment 1 • Assignee • 13 years ago
An ANGLE developer has found the cause of the crash:
http://code.google.com/p/angleproject/issues/detail?id=241#c7
> I located the problem: in glslang.y line 1183 a symbol is being added to a declarator list and the type is inferred from the existing declarator list, but the variables haven't been previously declared so there is no valid type
He is referring to:
http://code.google.com/p/angleproject/source/browse/trunk/src/compiler/glslang.y?spec=svn998&r=965#1183
Code:
    init_declarator_list
        : single_declaration {
            $$ = $1;    <---- this line
        }
Comment 2 • Assignee • 13 years ago
What is blocking me from fixing this now is that I don't know the syntax of Bison parser generator sources. Someone who does know that would probably find this easy to fix.
Comment 3 • Assignee • 13 years ago
Comment 4 • Assignee • 13 years ago
I will do the angle update on mozilla-central.
But it's a relatively intrusive change in a codebase that I don't understand (Bison parser generator syntax). And just before r1002, there is r1001 affecting the same files so we might need it too. So, I'm not very comfortable about putting this on beta.
Considering that this 'security' bug is a plain sg:dos, really a plain abort() crash i.e. not a real security bug, I'm tempted to say: let's just fix this on mozilla-central and not backport at all.
Comment 5 • 13 years ago
(In reply to Benoit Jacob [:bjacob] from comment #4)
> I will do the angle update on mozilla-central.
> [...]
> Considering that this 'security' bug is a plain sg:dos, really a plain
> abort() crash i.e. not a real security bug, I'm tempted to say: let's just
> fix this on mozilla-central and not backport at all.
I agree. If there is no risk right now on beta/aurora, and the fix is an angle update, then chances are that we introduce new security vulnerabilities by that. So I would just keep the abort() and do the angle update only on central.
Updated • Reporter • 13 years ago
Group: core-security
Comment 6 • 13 years ago
(In reply to Benoit Jacob [:bjacob] from comment #4)
> Considering that this 'security' bug is a plain sg:dos, really a plain
> abort() crash i.e. not a real security bug, I'm tempted to say: let's just
> fix this on mozilla-central and not backport at all.
Agreed - let's get this fixed first in FF14.
Updated • 11 years ago
Whiteboard: [sg:dos] → [sg:dos] webgl-angle
I still see reports in current builds:
* bp-b7c7571c-27d3-4755-8d19-e73772160716
* bp-740bcffa-1c62-4d91-a072-8e5f92160713
* bp-542b1328-fe5b-43b8-8b99-5d3c62160713
However, we currently see this reported about once every couple of months on average. We never got this fixed like we said we were going to do four years ago, so I'm going to just close this bug. Please reopen it if you want to actually fix this.
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox-esr10:
affected → ---
status-firefox10:
wontfix → ---
status-firefox11:
wontfix → ---
status-firefox12:
wontfix → ---
status-firefox13:
affected → ---
tracking-firefox10:
- → ---
tracking-firefox11:
- → ---
tracking-firefox12:
- → ---
Resolution: --- → INCOMPLETE
Version: Trunk → 10 Branch