Closed
Bug 827225
Opened 11 years ago
Closed 11 years ago
"Assertion failure: obj->isTypedArray()" with WebGL readPixels
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
People
(Reporter: jruderman, Assigned: sfink)
Details
(Keywords: assertion, testcase)
Attachments
(4 files)
|
345 bytes,
text/html
|
Details | |
|
8.59 KB,
text/plain
|
Details | |
|
9.78 KB,
patch
|
bzbarsky
:
review+
dmandelin
:
superreview+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
sfink
:
checkin+
|
Details | Diff | Splinter Review |
|
2.89 KB,
patch
|
bzbarsky
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
sfink
:
checkin+
|
Details | Diff | Splinter Review |
Assertion failure: obj->isTypedArray(), at js/src/jstypedarray.cpp:3769
|
Reporter | |
Comment 1•11 years ago
|
||
|
||
Comment 2•11 years ago
|
||
Hey, there's DOM bindings stuff on the stack. Please cc me when that happens? ;)
|
|
||
Comment 3•11 years ago
|
||
So in the IDL, this is defined as "ArrayBufferView? pixels". And that's what the binding code passes in. But then the WebGL code didn't get updated from using JS_GetTypedArrayByteLength looks like...
|
|
||
Comment 4•11 years ago
|
||
So per spec this should throw if the type of the passed-in ArrayBufferView doesn't match the requested data type. Which is fine: we could move the length get to after that check. But JS_GetTypedArrayType will _also_ assert if the object is not a typed array. Can we have an API like that but for array buffer views in general?
|
|
||
Comment 5•11 years ago
|
||
There are similar issues with texImage2D, looks like. It's too bad there's no interface that's a subclass for all typed arrays but not data views. :(
|
Assignee | |
Comment 6•11 years ago
|
||
This patch renames the JSAPI call and also makes it accepts any ArrayBufferView, adding in a new TYPE_DATAVIEW to handle the DataView case. TYPE_DATAVIEW isn't an element type like the rest, but given that it was in the ArrayBufferView namespace, it makes sense this way. Do dmandelin, I'm really pegging you for review + super-review (the code change is pretty trivial) and bz for the renaming in the rest of the tree (following bz's suggestion that a simple JSAPI rename shouldn't require more than one reviewer.)
Assignee: general → sphink
Status: NEW → ASSIGNED
Attachment #698796 -
Flags: superreview?(dmandelin)
Attachment #698796 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 7•11 years ago
|
||
s/Do/So/
|
|
||
Comment 8•11 years ago
|
||
Comment on attachment 698796 [details] [diff] [review] Born JS_GetTypedArrayType, now JS_GetArrayBufferViewType r=me. Note that this bug also needs a second patch to move that JS_GetTypedArrayByteLength call in WebGLContext::ReadPixels further down the function, to after the dataType has been validated.
Attachment #698796 -
Flags: review?(bzbarsky) → review+
|
||
Updated•11 years ago
|
Attachment #698796 -
Flags: superreview?(dmandelin) → superreview+
|
|
Assignee | |
Comment 9•11 years ago
|
||
Oh, I didn't look into what else was needed to fix this problem. But if that's all it is, sure, I'll pony up the patch for it. It builds, at least.
Attachment #698842 -
Flags: review?(bzbarsky)
|
|
||
Comment 10•11 years ago
|
||
Comment on attachment 698842 [details] [diff] [review] Avoid JS_GetArrayBufferViewType until safe to call Sweet. r=me!
Attachment #698842 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Updated•11 years ago
|
Attachment #698796 -
Flags: checkin+
|
|
Assignee | |
Updated•11 years ago
|
Attachment #698842 -
Flags: checkin+
|
|
Assignee | |
Comment 11•11 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/669bc3bb9a87 http://hg.mozilla.org/integration/mozilla-inbound/rev/0757dd0a653d
|
|
||
Comment 12•11 years ago
|
||
We probably want this on branches too... I guess data view is on everything including 17, right? Or is the code safe enough in opt builds that we don't need to worry about that?
tracking-firefox20:
--- → ?
|
||
Comment 13•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/0757dd0a653d https://hg.mozilla.org/mozilla-central/rev/669bc3bb9a87
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
|
|
||
Updated•11 years ago
|
Flags: needinfo?(sphink)
|
||
Comment 14•11 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #12) > We probably want this on branches too... I guess data view is on everything > including 17, right? > > Or is the code safe enough in opt builds that we don't need to worry about > that? If this impacts FF17 (without any user complaints), why uplift any risk?
|
|
||
Comment 15•11 years ago
|
||
> If this impacts FF17 (without any user complaints), why uplift any risk? Because typically assertion failures mean a security problem. I have yet to see any indication that that's not the case here. In particular, no response to comment 12 indicating this is NOT a security bug. Re-nominating, since apparently this wasn't clear.
|
|
||
Comment 16•11 years ago
|
||
In that case, we'll leave the tracking nom on until Steve answers comment 12.
|
|
Assignee | |
Updated•11 years ago
|
Flags: needinfo?(sphink)
|
|
Assignee | |
Comment 18•11 years ago
|
||
Comment on attachment 698796 [details] [diff] [review] Born JS_GetTypedArrayType, now JS_GetArrayBufferViewType [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 575688 User impact if declined: possible read of private data Testing completed (on m-c, etc.): on m-c for a week or three now Risk to taking this patch (and alternatives if risky): low. It's patching up a hole in error detection. String or UUID changes made by this patch: none
Attachment #698796 -
Flags: approval-mozilla-beta?
Attachment #698796 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 19•11 years ago
|
||
Comment on attachment 698842 [details] [diff] [review] Avoid JS_GetArrayBufferViewType until safe to call This patch must be paired with the other one on this bug, but to repeat the justification: [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 575688 User impact if declined: possible read of private data Testing completed (on m-c, etc.): on m-c for a week or three now Risk to taking this patch (and alternatives if risky): low. It's patching up a hole in error detection. String or UUID changes made by this patch: none
Attachment #698842 -
Flags: approval-mozilla-beta?
Attachment #698842 -
Flags: approval-mozilla-aurora?
|
||
Updated•11 years ago
|
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox21:
--- → fixed
tracking-firefox19:
--- → +
|
|
||
Comment 20•11 years ago
|
||
Comment on attachment 698796 [details] [diff] [review] Born JS_GetTypedArrayType, now JS_GetArrayBufferViewType Approving given Steve's feedback - we'll want to close up this hole and the fix is low enough risk as this stage in beta cycle.
Attachment #698796 -
Flags: approval-mozilla-beta?
Attachment #698796 -
Flags: approval-mozilla-beta+
Attachment #698796 -
Flags: approval-mozilla-aurora?
Attachment #698796 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•11 years ago
|
Attachment #698842 -
Flags: approval-mozilla-beta?
Attachment #698842 -
Flags: approval-mozilla-beta+
Attachment #698842 -
Flags: approval-mozilla-aurora?
Attachment #698842 -
Flags: approval-mozilla-aurora+
|
||
Comment 21•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/e0f496d7265e https://hg.mozilla.org/releases/mozilla-beta/rev/0859365a27e3 This is also in my queue to land on Aurora once it reopens.
|
|
||
Comment 22•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/97f3a2f13f32 https://hg.mozilla.org/releases/mozilla-aurora/rev/454902c3c709
|
||
Comment 23•11 years ago
|
||
Reproduced the crash on 2013-01-07 Nightly Debug using testcase from comment 0. Verified the fix for 2013-01-23 Beta Debug using the same testcase from comment 0. No crashes for this version. Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/20130122 Firefox/19.0 Build ID: 20130122230158
|
||
Comment 24•11 years ago
|
||
Verified fixed with Firefox 20 beta 7 debug build, on Mac OSX 10.8.2, using the testcase provided in the description. Firefox doesn't crash after the testcase is opened. Build ID: 20130323031722
|
||
Comment 25•11 years ago
|
||
Verified fixed on Firefox 21 beta 2 (latest beta debug build), on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20130411 Firefox/21.0 Build ID: 20130411111427
You need to log in
before you can comment on or make changes to this bug.
Description
•