Closed Bug 1315979 Opened 8 years ago Closed 8 years ago

Crash at [@ memcpy | rx::Buffer11::BufferStorage::setData ]

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Version:
50 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox49 --- unaffected
firefox-esr45 --- unaffected
firefox50 --- disabled
firefox51 + fixed
firefox52 + fixed
firefox53 --- fixed

People

(Reporter: cbook, Assigned: jgilbert)

References

(
URL
)

Details

(Keywords: assertion, crash, regression)

Attachments

(1 file)

stack
(deleted), text/plain
Details
Attached file stack (deleted) —
found via bughunter and reproduced on latest windows opt and debug tinderbox trunk builds. Crash at [@ memcpy | rx::Buffer11::BufferStorage::setData ] Steps to reproduce: -> Load https://floooh.github.io/oryol-webgl2/asmjs/PackedNormals.html --> Crash on opt and debug Bughunter rated this high to medium exploitable - windows only and so far only on trunk builds (aurora builds crash with https://crash-stats.mozilla.com/report/index/d1d068a7-b111-4fdf-af5b-5e5b52161108 no idea if this related or a different bug) opt crash report https://crash-stats.mozilla.com/report/index/70ad7dec-f89f-4b06-b26c-c329c2161108
[Tracking Requested - why for this release]: affects at least trunk opt and debug builds (aurora crashes too but not sure if this is this regression here) Milan, Jeff: could you take a look, thanks!
status-firefox52: --- → affected
tracking-firefox52: --- → ?
Flags: needinfo?(milan)
Flags: needinfo?(jgilbert)
Regression range: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=4ebed327385b6827b9275c21e29f23b13aa92457&tochange=fa9844b0dee37aeb4c94d027f7c68a94721db320 Confirmed that it reproduces on 50 as well if webgl2 is preffed on. I *think* we're planning to disable on 51 as well?
status-firefox49: --- → unaffected
status-firefox50: --- → disabled
status-firefox51: --- → affected
status-firefox-esr45: --- → unaffected
tracking-firefox51: --- → ?
Version: unspecified → 50 Branch
It actually needs WebGL2 pref'd on?
(In reply to Milan Sreckovic [:milan] from comment #3) > It actually needs WebGL2 pref'd on? Correct. No crashes with WebGL2 off (even on nightly). Bisected locally to rev 7a6514210303. https://hg.mozilla.org/integration/mozilla-inbound/rev/7a6514210303
Blocks: 1300946, webgl2
Keywords: regression
Group: core-security → gfx-core-security
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2) > Regression range: > https://hg.mozilla.org/integration/mozilla-inbound/ > pushloghtml?fromchange=4ebed327385b6827b9275c21e29f23b13aa92457&tochange=fa98 > 44b0dee37aeb4c94d027f7c68a94721db320 > > Confirmed that it reproduces on 50 as well if webgl2 is preffed on. I > *think* we're planning to disable on 51 as well? We are not. We need to fix this in 51. I'll take a look.
Assignee: nobody → jgilbert
Flags: needinfo?(jgilbert)
Track 51+/52+ as regression and Web GL 2 issue.
tracking-firefox51: ?+
tracking-firefox52: ?+
Flags: needinfo?(milan)
I'm 80% sure this is bug 1316533.
(In reply to Jeff Gilbert [:jgilbert] from comment #7) > I'm 80% sure this is bug 1316533. Specifically, this is a bug in ANGLE. We're looking to update ANGLE in 52 and 53. We're going to look at cherry-picking a couple csets for 51, but likely taking the ANGLE update on 51 after it bakes on Aurora52 for a bit.
status-firefox53: --- → fixed
This appears to be fixed in Nightly 53 now. Bug 1319004 updated ANGLE, and should eventually be headed out to 51, but at least to 52.
Depends on: 1319004
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Group: gfx-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: