Closed
Bug 724640
Opened 13 years ago
Closed 12 years ago
[fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu 10.04 (2.6.32) GNU/Linux
Categories
(Core :: Graphics: CanvasWebGL, defect)
Tracking
()
RESOLVED
FIXED
mozilla14
People
(Reporter: shawnlandden, Assigned: bjacob)
References
(Blocks 1 open bug, )
Details
(Keywords: crash, reproducible, sec-vector, Whiteboard: [sg:vector-critical?], Keep Open until verified!)
Crash Data
Attachments
(2 files, 1 obsolete file)
(deleted),
patch
|
glandium
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
bjacob
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Build ID: 20120130150400
Steps to reproduce:
go to http://www.inka3d.com/llvm2011/#phong
move around in the slide for maybe 30 seconds or so
-------
Ubuntu GNU/Linux 10.04, with backports enabled, and non-free fglrx driver
Actual results:
BAM, crashes and you see mozilla crash reporter
Expected results:
beautiful WebGL graphics, maybe a crash that doesn't also crash the browser as is implemented for add-ons, if WebGL is something much harder to make DoS-free
Summary: Reproducable WebGL crash with fglrx and GNU/Linux → Reproducable WebGL crash with fglrx and x86_64 GNU/Linux
Summary: Reproducable WebGL crash with fglrx and x86_64 GNU/Linux → [fglrx] Reproducable WebGL crash with fglrx and x86_64 GNU/Linux
Comment 2•13 years ago
|
||
Can you provide the crash ID from about:crashes?
Does it happen with Nightly you can download from http://nightly.mozilla.org/?
Severity: normal → critical
Component: Untriaged → Canvas: WebGL
Keywords: reproducible
Product: Firefox → Core
QA Contact: untriaged → canvas.webgl
https://crash-stats.mozilla.com/report/index/bp-336a3a9e-6d21-43b9-8bc4-891a52120207
that is from nightly
Comment 4•13 years ago
|
||
(In reply to scientes from comment #1)
> duplicate of #698040 ?
Bug 698040 depends on the window size and the stack is different.
It seems to happen only on Ubuntu:
https://crash-stats.mozilla.com/report/list?signature=fglrx_dri.so%400x1941f4
Status: UNCONFIRMED → NEW
Crash Signature: [@ fglrx_dri.so@0x1941f4]
Ever confirmed: true
Summary: [fglrx] Reproducable WebGL crash with fglrx and x86_64 GNU/Linux → [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu GNU/Linux
I don't have a 11.10 or 12.04 Ubuntu, or even more recent GNU/Linux computer with AMD graphics so can't test with that, sorry. Request others test the url.
Summary: [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu GNU/Linux → [fglrx] Reproducable WebGL crash in mozilla::WebGLContext::DrawElements with fglrx and x86_64 Ubuntu 10.04 (2.6.32) GNU/Linux
Assignee | ||
Comment 6•13 years ago
|
||
I'm afraid that this might be the tipping point where we have to blacklist FGLRX. A segfault at random address ( https://crash-stats.mozilla.com/report/index/bp-336a3a9e-6d21-43b9-8bc4-891a52120207 ) is potentially sg:critical.
Assignee | ||
Updated•13 years ago
|
Whiteboard: [sg:critical?]
Comment 7•13 years ago
|
||
That stack doesn't make much sense. jemalloc calling back into their driver?
Without debugging what their drivers are doing it's hard to know if this is exploitable or relatively benign data reading, but the messed-up stack doesn't bode well. bug 698040 showed different but similarly nonsensical stacks.
We should probably blocklist at this point.
Whiteboard: [sg:critical?] → [sg:vector-critical?]
Updated•13 years ago
|
status-firefox-esr10:
--- → affected
status-firefox12:
--- → affected
Comment 8•13 years ago
|
||
What's the next step? Assigning to bjacob, please pass along if someone else manages the blocklist.
Assignee: nobody → bjacob
Assignee | ||
Comment 9•13 years ago
|
||
I guess we should take advantage of the fact that's specific to the 2.6.32 linux kernel version.
Is there a preferred way for us to query the host linux kernel version? Do we already do it?
Assignee | ||
Comment 10•13 years ago
|
||
I guess I'll just read the linux kernel version in the glxtest process, which runs in parallel with the rest of startup so shouldn't slow down things.
Assignee | ||
Comment 11•13 years ago
|
||
Attachment #610926 -
Flags: review?(mh+mozilla)
Comment 12•13 years ago
|
||
Comment on attachment 610926 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver
Review of attachment 610926 [details] [diff] [review]:
-----------------------------------------------------------------
::: toolkit/xre/glxtest.cpp
@@ +273,5 @@
> + "OS\n%s\n"
> + "OSRELEASE\n%s\n",
> + unameobj.sysname,
> + unameobj.release);
> + write(write_end_of_the_pipe, buf, length);
Wouldn't it be much simpler to get utsname from the parent process?
Assignee | ||
Comment 13•13 years ago
|
||
That is very true. I started with this design when I thought that getting uname info would be expensive i.e. would involve running the uname program. New patch coming.
Reporter | ||
Comment 14•13 years ago
|
||
I've tried to reproduce on differn't kernels with fglrx and been unsuccessful.
Assignee | ||
Comment 15•13 years ago
|
||
Can you be more specific? Can you go to about:crashes and give us the corresponding crash links? Or at least the uname -a of these machines.
Assignee | ||
Comment 16•13 years ago
|
||
By the way, the chemical symbol for the Glandium element is... Gl ?
Attachment #610926 -
Attachment is obsolete: true
Attachment #611171 -
Flags: review?(mh+mozilla)
Attachment #610926 -
Flags: review?(mh+mozilla)
Assignee | ||
Comment 17•13 years ago
|
||
QA verification test:
MOZ_GFX_SPOOF_GL_VENDOR="ATI Technologies Inc." MOZ_GFX_SPOOF_GL_RENDERER="ATI Radeon 3000 Graphics" MOZ_GFX_SPOOF_GL_VERSION="3.2.9756 Compatibility Profile Context" MOZ_GFX_SPOOF_OS=linux MOZ_GFX_SPOOF_OS_RELEASE="2.6.32.1-generic" obj-firefox-debug/dist/bin/firefox -P test -no-remote
Comment 18•13 years ago
|
||
Comment on attachment 611171 [details] [diff] [review]
block 2.6.32 linux kernel with fglrx driver
Review of attachment 611171 [details] [diff] [review]:
-----------------------------------------------------------------
::: widget/xpwidgets/GfxInfoX11.cpp
@@ +157,5 @@
> stringToFill = &textureFromPixmap;
> + else if(!strcmp(line, "OS"))
> + stringToFill = &mOS;
> + else if(!strcmp(line, "OSRelease"))
> + stringToFill = &mOSRelease;
I guess this is leftover from the previous patch. r+ with that removed.
Attachment #611171 -
Flags: review?(mh+mozilla) → review+
Assignee | ||
Comment 19•13 years ago
|
||
Carrying forward r+.
Thanks for the catch; there was another mistake, but that was hard to miss as it caused everything to be blacklisted: the if(uname(...)) had to be if (!uname(...)) as zero means success.
Attachment #611427 -
Flags: review+
Assignee | ||
Comment 20•13 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/5a12884290a8
Let's keep this open until we've verified it no longer crashes for the original reporter here. We also expect a large decrease of crashes with linux 2.6.32 kernel and FGLRX driver on crash-stats.
Status: NEW → ASSIGNED
Whiteboard: [sg:vector-critical?] → [sg:vector-critical?], Keep Open until verified!
Target Milestone: --- → mozilla14
Assignee | ||
Comment 21•13 years ago
|
||
(In reply to scientes from comment #14)
> I've tried to reproduce on differn't kernels with fglrx and been
> unsuccessful.
Ah! I just reread your comment and had misread it the first time:
(In reply to Benoit Jacob [:bjacob] from comment #15)
> Can you be more specific? Can you go to about:crashes and give us the
> corresponding crash links? Or at least the uname -a of these machines.
Nevermind my comment 15 then. Your comment 14 is all good news, it confirms that we should be safe with the patch that just landed.
Expect it in Wednesday's Nightly build.
Comment 22•13 years ago
|
||
Target Milestone: mozilla14 → ---
Updated•13 years ago
|
Target Milestone: --- → mozilla14
Assignee | ||
Comment 23•13 years ago
|
||
Does the crash still occur? crash-stats should show a drop in # of crashes with FGLRX + 2.6.32 kernel on Nightly.
Comment 24•13 years ago
|
||
I watch whole presentation without any issues.
Kubuntu 12.04 x86_64, Linux 3.2, latest fglrx, latest nightly build.
AMD Radeon HD 6620G.
Reporter | ||
Comment 25•13 years ago
|
||
that is a very differn't system. I do not have a 10.04 system (and might just be that specific hardware) anymore so have been unable to confirm that this is fixed.
Comment 26•13 years ago
|
||
What version of fglrx do you use, when you register this bugreport? Catalyst 12.x or older?
Reporter | ||
Comment 27•13 years ago
|
||
wheres 12?
http://packages.ubuntu.com/lucid/fglrx
Comment 28•13 years ago
|
||
Catalyst 12 is fglrx 8.931 and newer.
fglrx 8.723.1 is Catalyst 10.4.
Your issue probably fixed long time ago, but you just use not fresh enough driver in your Lucid setup.
Updated•13 years ago
|
Keywords: sec-vector
Assignee | ||
Comment 29•12 years ago
|
||
Closing this bug based on comment 20. The fix landed long ago. Reopen if needed.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•5 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•