
WebGL crash [@mozilla::WebGLContext::ReadPixels]

RESOLVED FIXED in mozilla16

Status


Core
Canvas: WebGL
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: posidron, Assigned: bjacob)

Tracking

(Blocks: 1 bug, 4 keywords)

15 Branch
mozilla16
assertion, crash, regression, testcase

Firefox Tracking Flags

(firefox15 affected)

Details

(Whiteboard: [asan] webgl-test-needed, crash signature)

Attachments

(4 attachments)

(Reporter)

Description

5 years ago
Created attachment 633476 [details]
testcase
(Reporter)

Comment 1

5 years ago
Created attachment 633477 [details]
callstack

Comment 2

5 years ago
On Windows: bp-4163d421-8c71-4a16-b481-777092120615
Crash Signature: [@ mozilla::WebGLContext::ReadPixels(int, int, int, int, unsigned int, unsigned int, mozilla::dom::TypedArray_base<unsigned char, void, &JS_GetArrayBufferViewData(JSObject*, JSContext*), &JS_GetArrayBufferViewByteLength(JSObject*, JSContext*)>* moz…
OS: Mac OS X → All
Hardware: x86_64 → All

Comment 3

5 years ago
It's a regression, you can add 'regression' keyword.

Regression range:

m-c
good=2012-06-02
bad=2012-06-03
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5199196b65ec&tochange=d0ebcaa7efb5

m-i
good=2012-06-01
bad=2012-06-02
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=50c9995aa7d0&tochange=9abc60f44fd5

Suspected bug:
Boris Zbarsky — Bug 748266. Switch the WebGL canvas context to new DOM bindings. r=peterv
(Assignee)

Comment 4

5 years ago
Many thanks for the report. The crash is trivial: the testcase calls readPixels with a null |pixels| argument and we crash at:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff3e2e703 in mozilla::WebGLContext::ReadPixels (this=0x3a3f2b0, x=7, y=7, width=7, height=63, format=6406, type=32820, pixels=0x0, 
    rv=...) at /hack/mozilla-central/content/canvas/src/WebGLContextGL.cpp:3856
3856        void* data = pixels->mData;
(gdb) p pixels
$1 = (mozilla::dom::ArrayBufferView *) 0x0
(Assignee)

Comment 5

5 years ago
Created attachment 633529 [details] [diff] [review]
check for null pixels in readPixels

Per spec, 5.14.12: If pixels is null, an INVALID_VALUE error is generated.
Attachment #633529 - Flags: review?(bzbarsky)
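
A minimal model of the null check discussed in comments 4 and 5, added here as an illustration; it is not the attached patch or Gecko code. `ModelContext`, the `ArrayBufferView` stand-in, `Fail` and the error constants are assumptions, and the buffer-size check goes one step beyond the case on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Simplified stand-ins (assumptions), not Gecko's real classes.
constexpr uint32_t kNoError = 0, kInvalidValue = 0x0501, kInvalidOperation = 0x0502;

struct ArrayBufferView {   // models the binding's typed-array wrapper
    void*  mData;
    size_t mLength;        // size in bytes
};

class ModelContext {
    uint32_t mError = kNoError;
    bool Fail(uint32_t err) {              // keep only the first error until it is read
        if (mError == kNoError) mError = err;
        return false;
    }
public:
    // A nullable typed-array argument arrives as a pointer, so nullptr is
    // valid input from script and must be handled before any member access.
    bool ReadPixels(int x, int y, int width, int height,
                    uint32_t format, uint32_t type, ArrayBufferView* pixels) {
        (void)x; (void)y; (void)format; (void)type;   // not modelled here
        if (width < 0 || height < 0) return Fail(kInvalidValue);
        if (!pixels) return Fail(kInvalidValue);      // spec 5.14.12: the check the fix adds
        void* data = pixels->mData;                   // the dereference that faulted on 0x0
        size_t needed = size_t(width) * size_t(height) * 4;  // assumes RGBA / UNSIGNED_BYTE
        if (needed > pixels->mLength) return Fail(kInvalidOperation);
        std::memset(data, 0xFF, needed);              // stand-in for the framebuffer read
        return true;
    }
    // Returns the recorded error and clears it, as getError() does.
    uint32_t GetError() { uint32_t e = mError; mError = kNoError; return e; }
};

int main() {
    ModelContext ctx;
    // Arguments taken from the gdb frame in comment 4.
    ctx.ReadPixels(7, 7, 7, 63, 6406, 32820, nullptr);
    return ctx.GetError() == kInvalidValue ? 0 : 1;
}
```
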
(Assignee)

Comment 6

5 years ago
Confirming the testcase doesn't crash anymore with this patch.

Updated

5 years ago
Blocks: 748266
Keywords: regression
Version: Trunk → 15 Branch
> Per spec, 5.14.12: If pixels is null, an INVALID_VALUE error is generated.

This should probably have a test in the test suite, if there isn't one already; our old binding code threw NS_ERROR_FAILURE in that case....
Comment on attachment 633529 [details] [diff] [review]
check for null pixels in readPixels

r=me
Attachment #633529 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 9

5 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/82c5ff778cab
Assignee: nobody → bjacob
Whiteboard: [asan] → [asan] webgl-test-needed
Target Milestone: --- → mozilla15

Updated

5 years ago
Target Milestone: mozilla15 → mozilla16
https://hg.mozilla.org/mozilla-central/rev/82c5ff778cab
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
status-firefox15: --- → affected
(Reporter)

Comment 11

5 years ago
Created attachment 634365 [details]
callstack-new.txt

The testcase now produces an assertion failure:

JavaScript warning: file:///765198/testcase.html, line 40: WebGL: readPixels: null destination buffer
Assertion failure: !AccessCheck::callerIsChrome(), at /Users/cdiehl/Code/Mozilla/mc-asan/js/xpconnect/wrappers/XrayWrapper.cpp:770
(Reporter)

Updated

5 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Updated

5 years ago
Keywords: assertion
I can only reproduce this crash on Win7 and on Mac; I cannot reproduce on Linux and WinXP. So I will need a bit more time than normal to debug this.
Actually, I can't reproduce anymore on my Mac since I updated Nightly from June 11's build to today's.

Can you still reproduce in current Nightly?
(Reporter)

Comment 14

5 years ago
I can reproduce it with an ASAN enabled build (trunk).
Can't easily debug on Windows at the moment due to bug 767006.
Depends on: 767006
I can't reproduce the crash anymore in a Windows debug build from today's mozilla-central. Last week, I could reproduce. Can you still reproduce a crash or is ASAN necessary to observe any issue?
(Reporter)

Comment 17

5 years ago
Yes, an ASAN build seems to be necessary.
Can you teach me how to make an ASAN build? And then, how to reproduce with it?
(Reporter)

Comment 19

5 years ago
The steps for building are described here:
https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer

Once you have done that, you can just open the testcase with Firefox and you will see the result in the shell.
(Reporter)

Comment 20

5 years ago
Fixed. The bug is indeed fixed with a build of today even with ASAN enabled.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED