Closed
Bug 850081
Opened 12 years ago
Closed 7 years ago
Shutdown crash in glrUpdateTexture (AppleIntelHD3000GraphicsGLDriver) with large azure canvas in drawImage
Categories
(Core :: Graphics: Canvas2D, defect)
Tracking
RESOLVED
INCOMPLETE
Release | Tracking | Status
---|---|---
firefox19 | --- | disabled
firefox20 | --- | disabled
firefox21 | --- | disabled
firefox22 | --- | disabled
firefox23 | --- | disabled
firefox24 | --- | disabled
firefox25 | --- | disabled
firefox26 | --- | disabled
firefox27 | --- | disabled
firefox28 | --- | disabled
firefox29 | --- | disabled
firefox-esr17 | --- | disabled
firefox-esr38 | --- | disabled
b2g18 | --- | unaffected
b2g18-v1.0.0 | --- | unaffected
b2g18-v1.0.1 | --- | unaffected
People
(Reporter: jruderman, Assigned: milan)
References
Details
(4 keywords, Whiteboard: Treat as a critical security bug if we enable accelerated Quartz graphics)
Attachments
(4 files)
With:
user_pref("gfx.canvas.azure.accelerated", true);
This testcase usually causes a shutdown crash on Mac OS X 10.7 with Intel graphics (a Mac mini).
I couldn't reproduce on Mac OS X 10.8 with ATI (a MacBook Pro).
Reporter
Comment 1•12 years ago
Reporter
Comment 2•12 years ago
Reporter
Comment 3•12 years ago
Updated•12 years ago
Assignee: nobody → milan
Assignee
Comment 4•12 years ago
BenWa, can you take a look? Wonder if it's related to the double deletes we had, or a racing condition trying to delete and draw.
Assignee: milan → bgirard
Comment 5•12 years ago
Is this a driver bug we're going to have to work around?
Keywords: sec-vector
Comment 6•12 years ago
(In reply to Milan Sreckovic [:milan] from comment #4)
> BenWa, can you take a look? Wonder if it's related to the double deletes we
> had, or a racing condition trying to delete and draw.
It's not related to that. I suggest that for now we punt on it until we can staff enabling accelerated Quartz on mac. This issue is behind a preference which we haven't suggested users to flip.
It would be interesting to try with a dual GPU mac book pro in Intel/discrete gpu mode. This would confirm if we're hitting an Intel GPU bug.
Blocks: 836130
Updated•12 years ago
status-b2g18: --- → unaffected
status-b2g18-v1.0.0: --- → unaffected
status-b2g18-v1.0.1: --- → unaffected
status-firefox19: --- → disabled
status-firefox20: --- → disabled
status-firefox21: --- → disabled
status-firefox22: --- → disabled
status-firefox-esr17: --- → disabled
Assignee
Comment 7•12 years ago
MacBook Pro, Intel graphics mode, I get a shutdown ASAN heap-buffer-overflow error.
Assignee
Comment 8•12 years ago
If it's of any use, this is what the stack is on ASAN abort in the workflow above:
#1 0x000000010000b1bf in wrap_memmove ()
#2 0x00000001303b6ccd in glrUpdateTexture ()
#3 0x0000000115fe8823 in gpusLoadCurrentTextures ()
#4 0x00000001303bae83 in Gen7::updateDispatch ()
#5 0x000000012f42f146 in gleDoDrawDispatchCore ()
#6 0x000000012f3afadb in glDrawRangeElements_IMM_Exec ()
#7 0x00007fff8f0c8965 in CA::OGL::GLContext::draw_elements ()
#8 0x00007fff8f0c87b4 in CA::OGL::Context::array_flush ()
#9 0x00007fff8f0d339e in CA::OGL::Context::ClippedArray::next_rect ()
#10 0x00007fff8f09f3be in CA::OGL::emit_quad_indices ()
#11 0x00007fff8f0a6054 in CA::OGL::emit_nine_part_rect ()
#12 0x00007fff8f0d2c30 in CA::OGL::fill_rect_tex ()
#13 0x00007fff8f0d281e in CA::OGL::ContentsGeometry::fill ()
#14 0x00007fff8f0d21ef in CA::OGL::ContentsGeometry::fill ()
#15 0x00007fff8f177fdb in CA::CG::fill_image ()
#16 0x00007fff8f1786c7 in CA::CG::DrawImage::draw_image ()
#17 0x00007fff8f174d49 in CA::CG::DrawOp::render ()
#18 0x00007fff8f184d25 in CA::CG::Queue::render_callback ()
Comment 10•12 years ago
I think Jeff is looking at these WebGL problems, so I'll move this over to him. I'm marking 24 as affected in case Quartz gets enabled then. If that's not going to happen, feel free to mark it disabled.
Assignee: bgirard → jgilbert
status-firefox24: --- → affected
Updated•12 years ago
Comment 11•12 years ago
(In reply to Andrew McCreight [:mccr8] from comment #10)
> I think Jeff is looking at these WebGL problems, so I'll move this over to
> him. I'm marking 24 as affected in case Quartz gets enabled then. If
> that's not going to happen, feel free to mark it disabled.
I am working on WebGL issues, but this is a canvas2d issue.
Assignee: jgilbert → nobody
Component: Graphics → Canvas: 2D
Updated•12 years ago
status-firefox25: --- → disabled
Assignee
Comment 12•11 years ago
On a side note, if you close the tab with this testcase explicitly, then shutdown, we get a clean exit.
Comment 13•11 years ago
Milan, is accelerated Quartz on the radar for FF 26, or can this bug sleep?
Flags: needinfo?(milan)
Updated•11 years ago
status-firefox26: --- → disabled
Comment 15•11 years ago
Marking disabled for FF 27 - please change status if there is a change.
status-firefox27: --- → disabled
Updated•11 years ago
status-firefox28: --- → disabled
Comment 17•11 years ago
We are diluting the "sec-critical" brand by having this bug parked as such, since sec-criticals are supposed to be at the top of bug priority lists. I'm going to mark this sec-other since it isn't currently enabled (therefore likely not exploitable). I'll mark the whiteboard with a note to treat this as sec-critical when enabled.
Milan what is the plan for enabling?
status-firefox29: --- → disabled
Keywords: sec-critical → sec-other
Whiteboard: Treat as a critical security bug if we enable the feature.
Assignee
Comment 18•11 years ago
(In reply to David Bolter [:davidb] from comment #17)
> ...
>
> Milan what is the plan for enabling?
We may never.
Reporter
Updated•10 years ago
Group: core-security
Whiteboard: Treat as a critical security bug if we enable the feature. → Treat as a critical security bug if we enable gfx.canvas.azure.accelerated
Reporter
Comment 19•9 years ago
The pref WAS enabled by default:
* Enabled in https://hg.mozilla.org/mozilla-central/rev/6444888e596c
* Disabled in https://hg.mozilla.org/mozilla-central/rev/499fd45447a2
* Enabled in https://hg.mozilla.org/mozilla-central/rev/5ed72fdd6327
But maybe we didn't 0-day ourselves. I can't reproduce the bug on any of my machines, including the Mac Mini from the original report. I tried debug and ASan, and on my laptop, both graphics cards (one of which is "Intel Iris Pro").
I'm guessing that's either because I'm on a newer version of Mac OS X (10.11.1) or a newer version of mozilla-central.
Milan, you were able to reproduce this at one point. Can you now?
Group: gfx-core-security
Flags: needinfo?(milan)
Assignee
Comment 20•9 years ago
This was a problem with acceleration and Quartz backend for canvas. We are currently accelerating by default, but on Skia backend, rather than Quartz. So, we're still not in the offending configuration (acceleration+Quartz) by default, nor do we have any plans to get there.
Flags: needinfo?(milan)
Updated•9 years ago
status-firefox-esr38: --- → disabled
Keywords: sec-other → sec-moderate
Whiteboard: Treat as a critical security bug if we enable gfx.canvas.azure.accelerated → Treat as a critical security bug if we enable accelerated Quartz graphics
Comment 21•7 years ago
Per IRC discussion with Milan.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Updated•5 years ago
Group: gfx-core-security