The default bug view has changed. See this FAQ.

crash at [@ libc-2.15.so@0x36445 ] at MapsGL with webgl.msaa-level = 1

VERIFIED FIXED in Firefox 15

Status

()

Core
Canvas: WebGL
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: dholbert, Assigned: bjacob)

Tracking

({crash, sec-moderate})

Trunk
mozilla17
All
Linux
crash, sec-moderate
Points:
---

Firefox Tracking Flags

(firefox15+ fixed, firefox16+ fixed, firefox17+ verified, firefox-esr1015+ fixed)

Details

(Whiteboard: [advisory-tracking+][qa-], URL)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
STR:
 1. Visit about:config
 2. Set the pref webgl.msaa-level = 1
     (I didn't do this manually, at first -- this was already set in my profile for
      some reason. Not sure why.)

 3. Visit https://maps.google.com/?vector=1  (which should enable MapsGL)

ACTUAL RESULTS: Crash, with this printed to my terminal:
firefox: nvc0_surface.c:218: nvc0_resource_copy_region: Assertion `src->nr_samples == dst->nr_samples' failed.

Sample crash reports:
 bp-63b77e54-c5e4-45c6-b933-c26a32120730
 bp-5ec26eac-8033-4661-977d-b52222120730
(Reporter)

Comment 1

5 years ago
about:support info:

User Agent
   Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Firefox/17.0

GRAPHICS:
Adapter Description
   nouveau -- Gallium 0.4 on NVC1
Vendor ID
   nouveau
Device ID
   Gallium 0.4 on NVC1
Driver Version
   3.0 Mesa 8.0.3
WebGL Renderer
   nouveau -- Gallium 0.4 on NVC1 -- 3.0 Mesa 8.0.3
GPU Accelerated Windows
   0
AzureBackend
   none
(Reporter)

Comment 2

5 years ago
Flagging as security-sensitive because this is a crash at a random-ish address (e.g. 0x3e80000175f in the first crash report from comment 0) that sometimes happens inside of free() (in the second crash report from comment 0)
Whiteboard: [sg:critical?]
(Reporter)

Comment 3

5 years ago
I'm running Ubuntu 12.10 alpha 3 as my OS, too, BTW.
(Assignee)

Comment 4

5 years ago
Jeff, should we blacklist msaa on the Nouveau driver, or do you see a workaround from the assert message,

firefox: nvc0_surface.c:218: nvc0_resource_copy_region: Assertion `src->nr_samples == dst->nr_samples' failed.

?
(Assignee)

Comment 5

5 years ago
Created attachment 647224 [details] [diff] [review]
block MSAA on nouveau
Attachment #647224 - Flags: review?(jgilbert)
(In reply to Daniel Holbert [:dholbert] (away from 7/28-8/5) from comment #0)
> STR:
>  1. Visit about:config
>  2. Set the pref webgl.msaa-level = 1
>      (I didn't do this manually, at first -- this was already set in my
> profile for
>       some reason. Not sure why.)
> 
>  3. Visit https://maps.google.com/?vector=1  (which should enable MapsGL)
> 
> ACTUAL RESULTS: Crash, with this printed to my terminal:
> firefox: nvc0_surface.c:218: nvc0_resource_copy_region: Assertion
> `src->nr_samples == dst->nr_samples' failed.
> 
> Sample crash reports:
>  bp-63b77e54-c5e4-45c6-b933-c26a32120730
>  bp-5ec26eac-8033-4661-977d-b52222120730

Here you say when it's when 'msaa-level=1', but the bug title says '=2'.
Is it both, or just one of them?

It looks like there could have been an issue with using msaa-level=1 that was fixed in:
http://cgit.freedesktop.org/mesa/mesa/commit/src/gallium/drivers/nvc0/nvc0_surface.c?id=b328949a37fee7b0f68ed3e068ffc4426c083042

Unfortunately, this isn't in 8.0.3, and it's also not in the 8.0.4 package available on their FTP.

Instead of blocklisting here, we should probably just round 'samples=1' down to 'samples=0' here. (We should probably be doing this everywhere, anyways)

If it's instead a problem with 'aa=2', then we should blocklist AA on this platform.
Comment on attachment 647224 [details] [diff] [review]
block MSAA on nouveau

Review of attachment 647224 [details] [diff] [review]:
-----------------------------------------------------------------

R+ if this is a 'samples=2' problem, but if it's a 'samples=1' problem, we should probably just work around this.
Attachment #647224 - Flags: review?(jgilbert) → review+
(Reporter)

Comment 8

5 years ago
(In reply to Jeff Gilbert [:jgilbert] from comment #6)
> Here you say when it's when 'msaa-level=1', but the bug title says '=2'.
> Is it both, or just one of them?

It's msaa-level = 1.  Sorry for the typo on that.  (2 is currently the default, but my profile had 1 instead for some reason, and 1 is the value that causes crashes.)
Summary: crash at [@ libc-2.15.so@0x36445 ] at MapsGL with webgl.msaa-level = 2 → crash at [@ libc-2.15.so@0x36445 ] at MapsGL with webgl.msaa-level = 1
(Assignee)

Comment 9

5 years ago
Jeff, didn't we say at some point that we should silently interprete 1 as 0 ?

That would work around the problem without user-noticeable effects, right?
Oh right, I guess we wanted to keep 1 != 0 for testing/debugging purposes. But we should special-case Nouveau there. The GL_RENDERER string allows to identify Nouveau, see GfxInfoX11.cpp.
(In reply to Benoit Jacob [:bjacob] from comment #10)
> Oh right, I guess we wanted to keep 1 != 0 for testing/debugging purposes.
> But we should special-case Nouveau there. The GL_RENDERER string allows to
> identify Nouveau, see GfxInfoX11.cpp.

I don't think it's worth keeping the '1xAA' stuff around, since it can be different from 'no AA' anyways. (sample locations, etc) We should dig up that old bug and finally force samples=1 to samples=0.
Created attachment 648472 [details] [diff] [review]
samples: change 1 into 0

Like this? This doesn't catch direct calls to renderbufferstoragemultisample, but we don't have any at the moment.
Attachment #648472 - Flags: review?(jgilbert)
Attachment #648472 - Flags: review?(jgilbert) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/0d1da7c6afd5
Assignee: nobody → bjacob
Target Milestone: --- → mozilla17
(Assignee)

Updated

5 years ago
Attachment #647224 - Attachment is obsolete: true
Comment on attachment 648472 [details] [diff] [review]
samples: change 1 into 0

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Existing driver bug, that we run into at least since we turned on WebGL antialiasing in Firefox 10
User impact if declined: crash, possibly exploitable, in nouveau driver (concerns maybe 10%-20% of linux users, so maybe 0.1% of total users), triggerable by WebGL
Testing completed (on m-c, etc.): m-i
Risk to taking this patch (and alternatives if risky): No risk, trivial patch
String or UUID changes made by this patch: none
Attachment #648472 - Flags: approval-mozilla-beta?
Attachment #648472 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/0d1da7c6afd5
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox17: --- → fixed
Resolution: --- → FIXED
Comment on attachment 648472 [details] [diff] [review]
samples: change 1 into 0

trivial patch, not sure if it's going to be sec:critical or not but willing to take on branches regardless at this stage in the cycle.
Attachment #648472 - Flags: approval-mozilla-beta?
Attachment #648472 - Flags: approval-mozilla-beta+
Attachment #648472 - Flags: approval-mozilla-aurora?
Attachment #648472 - Flags: approval-mozilla-aurora+
Given it's a driver bug workaround I'm going to assume ESR is affected.

Rating this sec-moderate on the assumption--possibly mistaken--that the msaa setting is non-default and the average user is unlikely to change it. That may be incorrect if some popular software or addon fiddles this pref for users, though. Since the workaround is simple and safe we should perhaps take this anyway on ESR.
status-firefox-esr10: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → affected
tracking-firefox-esr10: --- → ?
tracking-firefox15: --- → +
tracking-firefox16: --- → +
tracking-firefox17: --- → +
Keywords: sec-moderate
Whiteboard: [sg:critical?]
please nominate for ESR uplift as well, assuming that this lands cleanly - let us know if that's not the case.
tracking-firefox-esr10: ? → 15+
(Reporter)

Comment 19

5 years ago
(In reply to Daniel Veditz [:dveditz] from comment #17)
> Rating this sec-moderate on the assumption--possibly mistaken--that the msaa
> setting is non-default and the average user is unlikely to change it. That
> may be incorrect if some popular software or addon fiddles this pref for
> users, though.

The bad value (webgl.msaa-level = 1) is currently non-default, that's true.

However, I don't recall ever touching that pref manually, so I don't know how it got set to the non-default bad value in my profile.  It might've be from an intermediate nightly version temporarily setting it to 1, or perhaps from an addon setting it, as dveditz suggested.

I suppose it's also remotely possible that someone blogged and recommended setting it to 1 at some point in the past, to test a piece of New Shiny, and I toggled it then and forgot about it... Perhaps bjacob/jgilbert know whether it's possible that any Planet blogs might've suggested toggling it in the past?

(Just discussing this in the interest of guessing how many other people might have it set to 1, for whatever reason.)
webgl.msaa-level=1 is non-default indeed, BUT this is not the only way to reproduce this. If the driver reports that 1 is the max supported value, we'll adjust down to it, to avoid exceeding it. That's why this bug could be reproduced in default configuration.

The patch probably won't apply cleanly to ESR, but making a ESR patch shouldn't be hard.
http://hg.mozilla.org/releases/mozilla-aurora/rev/aba52cb488fa
http://hg.mozilla.org/releases/mozilla-beta/rev/3bb3b14f262a
status-firefox15: affected → fixed
status-firefox16: affected → fixed
For Firefox 10 ESR, notice that in bug 777028 we are blacklisting all Mesa drivers for WebGL in ESR10. This will, in particular, fix this issue.
Keywords: verifyme
(Assignee)

Updated

5 years ago
status-firefox-esr10: affected → fixed
Still pending Firefox ESR 10 patch from bug 777028.
status-firefox-esr10: fixed → affected
Whiteboard: [advisory-tracking+]
ESR10 patch in bug 777028 just landed.
status-firefox-esr10: affected → fixed
I'm unable to reproduce this with the 2012-07-19 Firefox 17.0a1 Debug build on Ubuntu 12.04 64-bit. I followed the steps in comment 0 and Google MapsGL works without crashing. I checked my graphics driver and it's reported as "2.1 Mesa 8.0.2" in about:support.

Does this require a specific graphic chipset/driver?
Keywords: verifyme
Whiteboard: [advisory-tracking+] → [advisory-tracking+][qa?]
(Reporter)

Comment 26

5 years ago
I verified on my system that an old nightly (from the comment 0 date) still crashes with STR:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-30-03-05-40-mozilla-central/firefox-17.0a1.en-US.linux-x86_64.tar.bz2
...and that today's nightly does not crash:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/08/2012-08-24-03-05-30-mozilla-central/firefox-17.0a1.en-US.linux-x86_64.tar.bz2

FWIW, I'm using Ubuntu 12.10 alpha (up-to-date), with about:support saying:
  Driver Version:  3.0 Mesa 8.0.4
  WebGL Renderer:  nouveau -- Gallium 0.4 on NVC1 -- 3.0 Mesa 8.0.4

Marking as VERIFIED.
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
That same Nightly does not crash for me so I guess this is driver dependent. Daniel, if you have time, can you please test if this is fixed with the latest Firefox 15, 10.0.7esr, and 16.0a2 (in order of priority)?

Thank you.
status-firefox17: fixed → verified
Whiteboard: [advisory-tracking+][qa?] → [advisory-tracking+][qa-]
Yes, this is specific to the Nouveau driver.
Group: core-security
You need to log in before you can comment on or make changes to this bug.