Open Bug 1535801 Opened 6 years ago Updated 2 years ago

memcpy-param-overlap in [@ rx::Buffer11::setSubData]

Categories

(Core :: Graphics: CanvasWebGL, defect, P3)

x86_64
Windows
defect

Tracking

()

Tracking Status
firefox67 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: gfx-noted)

Crash Data

Attachments

(1 file)

Attached file testcase.html (deleted) —
==4496==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x12162f658000,0x12172f657fff) and [0x1216368e1800, 0x1217368e17ff) overlap
    #0 0x7ff97eb33d7f in __asan_memcpy src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_interceptors_memintrinsics.cc:23
    #1 0x7ff96716ed23 in rx::Buffer11::setSubData src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:410
    #2 0x7ff96716e206 in rx::Buffer11::setData src\gfx\angle\checkout\src\libANGLE\renderer\d3d\d3d11\Buffer11.cpp:345
    #3 0x7ff966d8b4b0 in gl::Buffer::bufferData src\gfx\angle\checkout\src\libANGLE\Buffer.cpp:87
    #4 0x7ff966e07a06 in gl::Context::bufferData src\gfx\angle\checkout\src\libANGLE\Context.cpp:4900
    #5 0x7ff966ce9dfd in gl::BufferData src\gfx\angle\checkout\src\libGLESv2\entry_points_gles_2_0_autogen.cpp:240
    #6 0x7ff96adb86f1 in mozilla::gl::GLContext::fBufferData src\gfx\gl\GLContext.h:866
    #7 0x7ff96fc52f94 in mozilla::WebGLBuffer::BufferData src\dom\canvas\WebGLBuffer.cpp:124
    #8 0x7ff96fc7e128 in mozilla::WebGLContext::BufferData src\dom\canvas\WebGLContextBuffers.cpp:309
    #9 0x7ff96e5c660f in mozilla::dom::WebGLRenderingContext_Binding::bufferData src\obj-firefox\dom\bindings\WebGLRenderingContextBinding.cpp:12290
    #10 0x7ff96fabfd1e in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> src\dom\bindings\BindingUtils.cpp:3144
    #11 0x7ff976ba46e5 in js::InternalCallOrConstruct src\js\src\vm\Interpreter.cpp:534
    #12 0x7ff976ba74d5 in InternalCall src\js\src\vm\Interpreter.cpp:589
    #13 0x7ff976b8392b in Interpret src\js\src\vm\Interpreter.cpp:3075
    #14 0x7ff976b67fd4 in js::RunScript src\js\src\vm\Interpreter.cpp:422
    #15 0x7ff976ba4fc5 in js::InternalCallOrConstruct src\js\src\vm\Interpreter.cpp:562
    #16 0x7ff976ba74d5 in InternalCall src\js\src\vm\Interpreter.cpp:589
    #17 0x7ff976ba7706 in js::Call src\js\src\vm\Interpreter.cpp:605
    #18 0x7ff9778027d8 in JS::Call src\js\src\jsapi.cpp:2623
    #19 0x7ff96ec82ee0 in mozilla::dom::EventHandlerNonNull::Call src\obj-firefox\dom\bindings\EventHandlerBinding.cpp:266
    #20 0x7ff97034d92a in mozilla::dom::EventHandlerNonNull::Call<nsISupports *> src\obj-firefox\dist\include\mozilla\dom\EventHandlerBinding.h:363
    #21 0x7ff97034aa42 in mozilla::JSEventHandler::HandleEvent src\dom\events\JSEventHandler.cpp:205
    #22 0x7ff970309172 in mozilla::EventListenerManager::HandleEventSubType src\dom\events\EventListenerManager.cpp:1043
    #23 0x7ff97030b002 in mozilla::EventListenerManager::HandleEventInternal src\dom\events\EventListenerManager.cpp:1238
    #24 0x7ff9702ed421 in mozilla::EventTargetChainItem::HandleEvent src\dom\events\EventDispatcher.cpp:351
    #25 0x7ff9702eb66f in mozilla::EventTargetChainItem::HandleEventTargetChain src\dom\events\EventDispatcher.cpp:553
    #26 0x7ff9702f0eb4 in mozilla::EventDispatcher::Dispatch src\dom\events\EventDispatcher.cpp:1048
    #27 0x7ff9702fa796 in mozilla::EventDispatcher::DispatchDOMEvent src\dom\events\EventDispatcher.cpp
    #28 0x7ff96c2a353e in nsINode::DispatchEvent src\dom\base\nsINode.cpp:1024
    #29 0x7ff97031a2a6 in mozilla::dom::EventTarget::DispatchEvent src\dom\events\EventTarget.cpp:178
    #30 0x7ff97026f962 in mozilla::AsyncEventDispatcher::Run src\dom\events\AsyncEventDispatcher.cpp:69
    #31 0x7ff968302d65 in mozilla::SchedulerGroup::Runnable::Run src\xpcom\threads\SchedulerGroup.cpp:295
    #32 0x7ff968335c60 in nsThread::ProcessNextEvent src\xpcom\threads\nsThread.cpp:1179
    #33 0x7ff96833daf8 in NS_ProcessNextEvent src\xpcom\threads\nsThreadUtils.cpp:482
    #34 0x7ff9694090ff in mozilla::ipc::MessagePump::Run src\ipc\glue\MessagePump.cpp:88
    #35 0x7ff9693562ce in MessageLoop::RunHandler src\ipc\chromium\src\base\message_loop.cc:308
    #36 0x7ff969356065 in MessageLoop::Run src\ipc\chromium\src\base\message_loop.cc:290
    #37 0x7ff97262490a in nsBaseAppShell::Run src\widget\nsBaseAppShell.cpp:137
    #38 0x7ff9727b4b28 in nsAppShell::Run src\widget\windows\nsAppShell.cpp:411
    #39 0x7ff9768b4f6d in XRE_RunAppShell src\toolkit\xre\nsEmbedFunctions.cpp:933
    #40 0x7ff9693562ce in MessageLoop::RunHandler src\ipc\chromium\src\base\message_loop.cc:308
    #41 0x7ff969356065 in MessageLoop::Run src\ipc\chromium\src\base\message_loop.cc:290
    #42 0x7ff9768b425e in XRE_InitChildProcess src\toolkit\xre\nsEmbedFunctions.cpp:771
    #43 0x7ff667bf21a8 in Ordinal0+0x21a8 (firefox.exe+0x1400021a8)
    #44 0x7ff667bf14f2 in Ordinal0+0x14f2 (firefox.exe+0x1400014f2
Flags: in-testsuite?
Crash Signature: [@ vcruntime140.dll | rx::Buffer11::setSubData]
Crash Signature: [@ vcruntime140.dll | rx::Buffer11::setSubData] → [@ vcruntime140.dll | rx::Buffer11::setSubData][@ memcpy | rx::Buffer11::setSubData ]

Overlap could cause correctness issues, but should be safe.
Also those ranges look really really big?

Severity: normal → minor
Priority: -- → P3
Whiteboard: gfx-noted
Severity: minor → S4
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: