Closed Bug 850081 Opened 11 years ago Closed 7 years ago

Shutdown crash in glrUpdateTexture (AppleIntelHD3000GraphicsGLDriver) with large azure canvas in drawImage

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox19 --- disabled
firefox20 --- disabled
firefox21 --- disabled
firefox22 --- disabled
firefox23 --- disabled
firefox24 --- disabled
firefox25 --- disabled
firefox26 --- disabled
firefox27 --- disabled
firefox28 --- disabled
firefox29 --- disabled
firefox-esr17 --- disabled
firefox-esr38 --- disabled
b2g18 --- unaffected
b2g18-v1.0.0 --- unaffected
b2g18-v1.0.1 --- unaffected

People

(Reporter: jruderman, Assigned: milan)

References

Details

(4 keywords, Whiteboard: Treat as a critical security bug if we enable accelerated Quartz graphics)

Attachments

(4 files)

With:
  user_pref("gfx.canvas.azure.accelerated", true);

This testcase usually causes a shutdown crash, on Mac OS X 10.7 with Intel graphics (a Mac mini).

I couldn't reproduce on Mac OS X 10.8 with ATI (a MacBook Pro).
Attached file stack (breakpad)
Attached file stack (gdb)
Assignee: nobody → milan
BenWa, can you take a look?  Wonder if it's related to the double deletes we had, or a race condition trying to delete and draw.
Assignee: milan → bgirard
Is this a driver bug we're going to have to work around?
Keywords: sec-vector
(In reply to Milan Sreckovic [:milan] from comment #4)
> BenWa, can you take a look?  Wonder if it's related to the double deletes we
> had, or a race condition trying to delete and draw.

It's not related to that. I suggest that for now we punt on it until we can staff enabling accelerated Quartz on mac. This issue is behind a preference which we haven't suggested users flip.

It would be interesting to try with a dual GPU mac book pro in Intel/discrete gpu mode. This would confirm if we're hitting an Intel GPU bug.
Blocks: 836130
MacBook Pro, Intel graphics mode, I get a shutdown ASAN heap-buffer-overflow error.
If it's of any use, this is what the stack is on ASAN abort in the workflow above:
#1  0x000000010000b1bf in wrap_memmove ()
#2  0x00000001303b6ccd in glrUpdateTexture ()
#3  0x0000000115fe8823 in gpusLoadCurrentTextures ()
#4  0x00000001303bae83 in Gen7::updateDispatch ()
#5  0x000000012f42f146 in gleDoDrawDispatchCore ()
#6  0x000000012f3afadb in glDrawRangeElements_IMM_Exec ()
#7  0x00007fff8f0c8965 in CA::OGL::GLContext::draw_elements ()
#8  0x00007fff8f0c87b4 in CA::OGL::Context::array_flush ()
#9  0x00007fff8f0d339e in CA::OGL::Context::ClippedArray::next_rect ()
#10 0x00007fff8f09f3be in CA::OGL::emit_quad_indices ()
#11 0x00007fff8f0a6054 in CA::OGL::emit_nine_part_rect ()
#12 0x00007fff8f0d2c30 in CA::OGL::fill_rect_tex ()
#13 0x00007fff8f0d281e in CA::OGL::ContentsGeometry::fill ()
#14 0x00007fff8f0d21ef in CA::OGL::ContentsGeometry::fill ()
#15 0x00007fff8f177fdb in CA::CG::fill_image ()
#16 0x00007fff8f1786c7 in CA::CG::DrawImage::draw_image ()
#17 0x00007fff8f174d49 in CA::CG::DrawOp::render ()
#18 0x00007fff8f184d25 in CA::CG::Queue::render_callback ()
Any updates here?
I think Jeff is looking at these WebGL problems, so I'll move this over to him.  I'm marking 24 as affected in case Quartz gets enabled then.  If that's not going to happen, feel free to mark it disabled.
Assignee: bgirard → jgilbert
(In reply to Andrew McCreight [:mccr8] from comment #10)
> I think Jeff is looking at these WebGL problems, so I'll move this over to
> him.  I'm marking 24 as affected in case Quartz gets enabled then.  If
> that's not going to happen, feel free to mark it disabled.

I am working on WebGL issues, but this is a canvas2d issue.
Assignee: jgilbert → nobody
Component: Graphics → Canvas: 2D
On a side note; if you close the tab with this testcase explicitly, then shutdown, we get a clean exit.
Milan, is accelerated Quartz on the radar for FF 26 or can this bug sleep?
Flags: needinfo?(milan)
It can sleep in 26.
Flags: needinfo?(milan)
Marking disabled for FF 27 - please change status if there is a change.
Assign while parked.
Assignee: nobody → milan
We are diluting the "sec-critical" brand by having this bug parked as such, since sec-criticals are supposed to be at the top of bug priority lists. I'm going to mark this sec-other since it isn't currently enabled (therefore likely not exploitable). I'll mark the whiteboard with a note to treat this as sec-critical when enabled.

Milan what is the plan for enabling?
Keywords: sec-critical → sec-other
Whiteboard: Treat as a critical security bug if we enable the feature.
(In reply to David Bolter [:davidb] from comment #17)
> ...
> 
> Milan what is the plan for enabling?

We may never.
Group: core-security
Whiteboard: Treat as a critical security bug if we enable the feature. → Treat as a critical security bug if we enable gfx.canvas.azure.accelerated
The pref WAS enabled by default:

* Enabled in https://hg.mozilla.org/mozilla-central/rev/6444888e596c
* Disabled in https://hg.mozilla.org/mozilla-central/rev/499fd45447a2
* Enabled in https://hg.mozilla.org/mozilla-central/rev/5ed72fdd6327

But maybe we didn't 0-day ourselves. I can't reproduce the bug on any of my machines, including the Mac Mini from the original report. I tried debug and ASan, and on my laptop, both graphics cards (one of which is "Intel Iris Pro").

I'm guessing that's either because I'm on a newer version of Mac OS X (10.11.1) or a newer version of mozilla-central.

Milan, you were able to reproduce this at one point. Can you now?
Group: gfx-core-security
Flags: needinfo?(milan)
This was a problem with acceleration and Quartz backend for canvas.  We are currently accelerating by default, but on Skia backend, rather than Quartz.  So, we're still not in the offending configuration (acceleration+Quartz) by default, nor do we have any plans to get there.
Flags: needinfo?(milan)
Keywords: sec-other → sec-moderate
Whiteboard: Treat as a critical security bug if we enable gfx.canvas.azure.accelerated → Treat as a critical security bug if we enable accelerated Quartz graphics
Per IRC discussion with Milan.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Group: gfx-core-security