
Issue 116637

Starred by 5 users

Issue metadata

Status: Fixed
Closed: Mar 2012
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Renderer process crash when doing WebGL canvas to 2D canvas drawImage()

Project Member Reported by, Mar 3 2012

Issue description

Version: 17+ (including ToT)
OS: Win7 x64, OS X 10.7 (untested on Linux)

What steps will reproduce the problem?
1. Visit
2. Click 'UI', wait for the panel to appear
3. Click 'Capture'
4. Move the mouse over the preview in the bottom right - you should get an 'Aw Snap'
5. If no 'Aw Snap' occurs, click on the preview in the bottom right to pop up a new window - this will likely 'Aw Snap', and future page reloads will 'Aw Snap' on step 4

What is the expected output? What do you see instead?
No tab crashes!


Comment 1 by, Mar 3 2012

Labels: Feature-GPU-WebGL

Comment 2 by, Mar 3 2012

Here's the apparent stack trace when the crash occurs. It's odd that the crash seems to be happening in a thread associated with V8's runtime rather than WebKit code.

>	chrome.dll!v8::internal::NoBarrier_Load(const int * ptr=0xff003fbe)  Line 104 + 0x3 bytes	C++
 	chrome.dll!v8::internal::Sampler::IsProfiling()  Line 666 + 0x1a bytes	C++
 	chrome.dll!v8::internal::ComputeCpuProfiling(v8::internal::Sampler * sampler=0xff003fb2, void * flag_ptr=0x04ddfbaf)  Line 1747 + 0xe bytes	C++
 	chrome.dll!v8::internal::SamplerRegistry::IterateActiveSamplers(void (v8::internal::Sampler *, void *)* func=0x6244b460, void * param=0x04ddfbaf)  Line 1739 + 0x1b bytes	C++
 	chrome.dll!v8::internal::SamplerRegistry::GetState()  Line 1753 + 0xe bytes	C++
 	chrome.dll!v8::internal::SamplerThread::Run()  Line 1928 + 0x5 bytes	C++
 	chrome.dll!v8::internal::ThreadEntry(void * arg=0x0314ddb0)  Line 1512 + 0xf bytes	C++
 	chrome.dll!_callthreadstartex()  Line 348 + 0x6 bytes	C
 	chrome.dll!_threadstartex(void * ptd=0x031846c0)  Line 326 + 0x5 bytes	C

Comment 3 by, Mar 3 2012

Ben points out that the operation provoking the crash is a draw from a WebGL canvas to a 2D canvas. He also mentions that he's seen similar crashes when heap corruption occurs for other reasons. So it's likely that the real problem is that the WebGL canvas -> 2D canvas draw is corrupting the heap and we're crashing soon afterward.

Haven't tried reproducing this on other platforms yet. If it's reproducible on Linux maybe we could use ASAN to narrow down the problem more quickly.

We should probably treat this with high priority. Heap corruptions are bad.

The exact sequence seems to be a drawImage() call on a 2D canvas context with a source of a WebGL canvas, with the drawImage occurring in a mousemove event handler (instead of a RAF or timeout). I was unable to produce a repro with this sequence, however. In the link provided if I comment out the drawImage() call it does not crash.
The originally posted link has been updated with a workaround. For the old version that hits this issue, please see:

Comment 6 by, Mar 6 2012

This is reproducible on all supported OSs; Mac OS 10.6.8, 10.7, Linux and Windows. Have reproduced with both NVIDIA and AMD GPUs.

Comment 7 by, Mar 7 2012

Status: Started
Currently investigating this.

Comment 8 by, Mar 7 2012

ASAN is awesome. Here's its error log, in the readback path as expected.

I wonder how many renderer heap corruption crashes are caused by this.


Comment 9 by, Mar 7 2012

Labels: Restrict-View-SecurityTeam SecSeverity-High SecImpacts-Stable SecImpacts-Beta Mstone-18 reward-topanel ReleaseBlock-Stable
Labels: -Type-Bug Type-Security

Comment 12 by, Mar 7 2012

Labels: -Pri-2 Pri-1
Is the issue that reshape isn't called (now that we're using the DrawingBuffer) and so scanline_ is too small?
Comment 14 by Project Member, Mar 7 2012

The following revision refers to this bug:

r125301 | | Tue Mar 06 18:35:23 PST 2012

Changed paths:

Fix mismanagement in handling of temporary scanline for vertical flip.

BUG= 116637 
TEST=manual test from bug report with ASAN

Review URL:
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify Merge-Merged
Status: FixUnreleased
Merged to M18: r125304
Labels: -reward-topanel

Comment 17 by, Mar 7 2012


Comment 18 by, Mar 7 2012

> Is the issue that reshape isn't called (now that we're using the DrawingBuffer) and so scanline_ is too small?

I'm pretty sure reshape() is still getting called. There was an obvious and unnecessary possibility for mismatches between calls to reshape() and readBackFramebuffer() which the above patch squelches.
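To make the reshape()/readBackFramebuffer() mismatch discussed above concrete, here is an added, constructed model (not the WebKit DrawingBuffer code or the r125301 patch): a temporary scanline buffer sized in reshape() and used to flip rows during readback, a check that reports when a wider readback would overrun it, and a hardened readback that sizes the scanline from its own dimensions. The class, method names and the assumed shape of the fix are illustrative assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed model (not Chromium/WebKit code) of a framebuffer readback that
// flips rows vertically through a temporary scanline buffer owned by the class.
class FlipReadback {
 public:
  // reshape() sizes scanline_ for the canvas width (4 bytes per RGBA pixel).
  void reshape(int width) { scanline_.assign(static_cast<size_t>(width) * 4, 0); }
  // Would an unchecked flip at this width write past the end of scanline_?
  // That is the reshape()/readBackFramebuffer() mismatch the thread suspects.
  bool wouldOverrunScanline(int width) const {
    return static_cast<size_t>(width) * 4 > scanline_.size();
  }
  // Hardened readback (assumed shape of the fix): the scanline buffer is sized
  // from this readback's own dimensions rather than the last reshape(), so a
  // stale size cannot become an out-of-bounds write. Returns false on bad input.
  bool readBackFramebuffer(std::vector<uint8_t>& pixels, int width, int height) {
    if (width <= 0 || height <= 0) return false;
    const size_t rowBytes = static_cast<size_t>(width) * 4;
    if (pixels.size() < rowBytes * static_cast<size_t>(height)) return false;
    if (scanline_.size() < rowBytes) scanline_.resize(rowBytes);
    for (int y = 0; y < height / 2; ++y) {
      uint8_t* top = pixels.data() + static_cast<size_t>(y) * rowBytes;
      uint8_t* bottom = pixels.data() + static_cast<size_t>(height - 1 - y) * rowBytes;
      std::memcpy(scanline_.data(), top, rowBytes);
      std::memcpy(top, bottom, rowBytes);
      std::memcpy(bottom, scanline_.data(), rowBytes);
    }
    return true;
  }
 private:
  std::vector<uint8_t> scanline_;
};

// Constructed scenario: reshape() for a 2-pixel-wide canvas, then a 4-wide readback.
bool mismatchWouldOverrun() {
  FlipReadback rb;
  rb.reshape(2);
  return rb.wouldOverrunScanline(4);  // 16 bytes needed, only 8 allocated
}

// The hardened path still flips a 4x2 RGBA image correctly after that stale reshape().
bool hardenedFlipIsCorrect() {
  FlipReadback rb;
  rb.reshape(2);
  std::vector<uint8_t> px(4 * 2 * 4);
  for (size_t i = 0; i < px.size(); ++i) px[i] = static_cast<uint8_t>(i);
  if (!rb.readBackFramebuffer(px, 4, 2)) return false;
  return px[0] == 16 && px[15] == 31 && px[16] == 0 && px[31] == 15;  // rows swapped
}
```

Running the original, unchecked flip under the same stale reshape() is what ASAN flags in the readback path; the hardened version bounds the copy to the buffer it actually has.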

Issue 116157 has been merged into this issue.

Comment 20 by Project Member, Mar 20 2012

Labels: merge-merged-963
The following revision refers to this bug:

r127764 | | Tue Mar 20 13:23:59 PDT 2012

Changed paths:

Merge GPU fix to M17.

BUG= 116637 
Review URL:
Labels: -Mstone-18 Mstone-17
Labels: CVE-2011-3052

Comment 23 by, May 15 2012

Status: Fixed
Marking old security bugs Fixed.

Comment 24 by Project Member, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 25 by, Jan 18 2013

Labels: Restrict-View-EditIssue
Comment 26 by Project Member, Mar 10 2013

Labels: -Type-Security -Area-WebKit -Feature-GPU-WebGL -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta -Mstone-17 Cr-Content Cr-Internals-GPU-WebGL Security-Impact-Stable Security-Impact-Beta Security-Severity-High Type-Bug-Security M-17
Comment 27 by Project Member, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Comment 29 by Project Member, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High
Comment 30 by Project Member, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Comment 31 by Project Member, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta
Comment 32 by Project Member, Apr 6 2013

Labels: -Cr-Content Cr-Blink
Comment 33 by Project Member, Apr 10 2013

Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL
Comment 34 by Project Member, Jun 14 2016

Labels: -security_impact-beta
Comment 35 by Project Member, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Comment 36 by Project Member, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
