Closed
Bug 966630
Opened 11 years ago
Closed 11 years ago
WebGL crash [@mozilla::gl::GLContext::fCompressedTexImage2D / gleEvaluateTextureImageChange]
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
VERIFIED
FIXED
mozilla31
People
(Reporter: posidron, Assigned: u480271)
References
Details
(Keywords: crash, sec-high, testcase, Whiteboard: [adv-main29+][adv-esr24.5+])
Crash Data
Attachments
(4 files)
|
882 bytes,
text/html
|
Details | |
|
4.29 KB,
text/plain
|
Details | |
|
2.24 KB,
patch
|
bjacob
:
review+
jgilbert
:
review+
abillings
:
approval-mozilla-beta+
abillings
:
approval-mozilla-esr24+
|
Details | Diff | Splinter Review |
|
1.77 KB,
patch
|
jgilbert
:
review+
abillings
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
Reporter | |
Comment 1•11 years ago
|
||
|
||
Comment 2•11 years ago
|
||
Doesn't seem to be the driver (crashes on Windows and Mac).
Keywords: sec-high
|
||
Comment 3•11 years ago
|
||
Dan, does this fall under the "refactoring so that we don't have to do them one by one"?
Assignee: nobody → dglastonbury
I've fixed this in the work I've done for 966624, so adding a dependency.
Instead of crashing, now detects invalid level. From console:
"Error: WebGL: compressedTexImage2D: level > maximum texture level"
Depends on: 966624
Fixed by Bug 966624.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
status-firefox30:
--- → fixed
Target Milestone: --- → mozilla30
I tested again the following and all are affected:
* aurora
* ff-27
* ff-24esr
Flags: needinfo?(dglastonbury)
|
||
Updated•11 years ago
|
status-firefox27:
--- → wontfix
status-firefox28:
--- → affected
status-firefox29:
--- → affected
status-firefox-esr24:
--- → affected
|
|
||
Comment 9•11 years ago
|
||
We should get this fixed on Aurora, Beta, and ESR24.
|
||
Updated•11 years ago
|
|
|
||
Comment 10•11 years ago
|
||
Can we get a nom for uplift in Bug 966624 in order to for the fix to make into into ESR24?
|
|
||
Comment 11•11 years ago
|
||
Dan - Can you handle the nom and uplift for ESR24?
Flags: needinfo?(dglastonbury)
|
Assignee | |
Comment 12•11 years ago
|
||
I'm not comfortable uplifting the patches from Bug 966624 to ESR24. I'll look at creating a fix for just this specific issue.
Flags: needinfo?(dglastonbury)
|
|
Assignee | |
Comment 13•11 years ago
|
||
Patch to fix the issue in ESR 24 instead of uplifting the whole refactoring of texture image parameters.
Attachment #8405996 -
Flags: review?(bjacob)
|
|
Assignee | |
Comment 14•11 years ago
|
||
Comment on attachment 8405996 [details] [diff] [review]
Patch for FF ESR 24
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Ability to crash browser with bad WebGL parameters
Fix Landed on Version: FF30
Risk to taking this patch (and alternatives if risky): This patch is very small and easy to code review. The risk is negligible.
String or UUID changes made by this patch:
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8405996 -
Flags: approval-mozilla-esr24?
|
|
||
Updated•11 years ago
|
Attachment #8405996 -
Flags: approval-mozilla-esr24? → approval-mozilla-esr24+
|
|
||
Comment 15•11 years ago
|
||
Approved for ESR assuming it passed review.
|
||
Comment 17•11 years ago
|
||
Comment on attachment 8405996 [details] [diff] [review]
Patch for FF ESR 24
Review of attachment 8405996 [details] [diff] [review]:
-----------------------------------------------------------------
::: content/canvas/src/WebGLContextValidate.cpp
@@ +512,5 @@
> + * expecting.
> + */
> +
> + if (level > 31)
> + level = 31;
Good, and here is another justification for this good change: GLsizei is int32_t, so it can't exceed 2^31 - 1, so, even if we allowed NPOT cubemaps, there can't be a texture level > 30 (or else, texture mipmap completeness rules are violated, and we fake the sampling as a black texture).
Attachment #8405996 -
Flags: review?(bjacob) → review+
Attachment #8405996 -
Flags: review?(jgilbert)
Flags: needinfo?(dglastonbury)
|
||
Updated•11 years ago
|
Attachment #8405996 -
Flags: review?(jgilbert) → review+
|
|
Assignee | |
Comment 18•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #16)
> What about beta29?
This patch can be applied to Beta 29.
|
|
Assignee | |
Comment 19•11 years ago
|
||
Comment on attachment 8405996 [details] [diff] [review]
Patch for FF ESR 24
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
User impact if declined: Ability to crash browser with bad WebGL parameters
Testing completed (on m-c, etc.):
Risk to taking this patch (and alternatives if risky): This patch is very small and easy to code review. The risk is negligible.
String or IDL/UUID changes made by this patch:
Attachment #8405996 -
Flags: approval-mozilla-beta?
|
|
||
Updated•11 years ago
|
Attachment #8405996 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
Assignee | |
Comment 20•11 years ago
|
||
Ported patch for ESR24 to Aurora.
Attachment #8406629 -
Flags: review?(jgilbert)
|
|
Assignee | |
Comment 21•11 years ago
|
||
Comment on attachment 8406629 [details] [diff] [review]
Aurora patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
User impact if declined: Ability to crash firefox with bad WebGL parameters.
Testing completed (on m-c, etc.):
Risk to taking this patch (and alternatives if risky): Very low risk. Patch is easy to code review.
String or IDL/UUID changes made by this patch:
Attachment #8406629 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 22•11 years ago
|
||
I'm confused, I thought this was fixed on Aurora by bug 966624? Does that mean that trunk (31) needs this fix as well?
|
|
||
Updated•11 years ago
|
Attachment #8406629 -
Flags: review?(jgilbert) → review+
|
|
Assignee | |
Comment 23•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #22)
> I'm confused, I thought this was fixed on Aurora by bug 966624? Does that
> mean that trunk (31) needs this fix as well?
Between comment 5 and my testing yesterday the bug regressed in m-c trunk.
|
|
Assignee | |
Comment 24•11 years ago
|
||
|
|
Assignee | |
Comment 25•11 years ago
|
||
Bear with me because I'm new to this, but who does the check-in of patch to ESR24, Aurora and Beta? Am I supposed to? And why in my name against the a? for Aurora?
|
|
||
Comment 26•11 years ago
|
||
(In reply to Dan Glastonbury :djg :kamidphish from comment #25)
> Bear with me because I'm new to this, but who does the check-in of patch to
> ESR24, Aurora and Beta? Am I supposed to? And why in my name against the a?
> for Aurora?
Your name is against the a? because you nominated it for Aurora approval?
Either you check it in or you get a sheriff like Ryan to do so.
|
|
||
Updated•11 years ago
|
Attachment #8406629 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 27•11 years ago
|
||
|
||
Comment 28•11 years ago
|
||
landed on mozilla-central https://hg.mozilla.org/mozilla-central/rev/b300ff71f9b0
|
|
||
Updated•11 years ago
|
status-firefox31:
--- → fixed
Target Milestone: mozilla30 → mozilla31
|
|
||
Comment 29•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/5d9bf448a9a9
https://hg.mozilla.org/releases/mozilla-beta/rev/17432cc5074d
https://hg.mozilla.org/releases/mozilla-b2g28_v1_3/rev/6d9cfa6f24dd
https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/6a8a4bc602c6
status-b2g-v1.2:
--- → fixed
status-b2g-v1.3:
--- → fixed
status-b2g-v1.4:
--- → fixed
status-b2g-v2.0:
--- → fixed
|
|
||
Updated•11 years ago
|
status-b2g-v1.3T:
--- → fixed
|
|
||
Updated•11 years ago
|
status-b2g-v1.3T:
fixed → ---
Whiteboard: [adv-main29+][adv-esr24.5+]
|
|
||
Updated•11 years ago
|
status-b2g-v1.3T:
--- → fixed
|
||
Comment 30•11 years ago
|
||
Confirmed crash on ASan Fx29, 2013-12-19.
Verified fix on ASan Fx29, Fx30, Fx31, 2014-04-17.
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•