
Issue 120977 link

Starred by 2 users

Issue metadata

Status: Fixed
Pri: 1
Type: Bug-Security





Crash in texSubImage2D on Mozilla's WebGL performance regression tests

Project Member Reported by kbr@chromium.org, Mar 29 2012

Issue description

Version: 19.0.1082.1 (Official Build 129233) canary
OS: Mac OS X 10.6.8


What steps will reproduce the problem?
1. Visit http://hg.mozilla.org/users/bjacob_mozilla.com/webgl-perf-tests/raw-file/tip/webgl-performance-tests.html

What is the expected output? What do you see instead?

Expect the tests to run. Instead, the renderer crashes while running test 23 out of 45 (I think) inside texSubImage2D. One representative crash (af76d177c3e02e63):

0x04598bdf  [Google Chrome Framework - gles2_implementation.cc:1884]  gpu::gles2::GLES2Implementation::TexSubImage2DImpl
0x04598e48  [Google Chrome Framework - gles2_implementation.cc:1818]  gpu::gles2::GLES2Implementation::TexSubImage2D
0x04559c32  [Google Chrome Framework - webgraphicscontext3d_command_buffer_impl.cc:1009]  WebGraphicsContext3DCommandBufferImpl::texSubImage2D
0x047323e8  [Google Chrome Framework - GraphicsContext3DChromium.cpp:682]  WebCore::GraphicsContext3D::texSubImage2D
0x049f6946  [Google Chrome Framework - WebGLRenderingContext.cpp:3623]  WebCore::WebGLRenderingContext::texSubImage2DBase
0x049f6a5a  [Google Chrome Framework - WebGLRenderingContext.cpp:3640]  WebCore::WebGLRenderingContext::texSubImage2DImpl
0x049f6fa2  [Google Chrome Framework - WebGLRenderingContext.cpp:3718]  WebCore::WebGLRenderingContext::texSubImage2D
0x0517bd67  [Google Chrome Framework - V8WebGLRenderingContext.cpp:1863]  WebCore::WebGLRenderingContextInternal::texSubImage2DCallback
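The report above does not say which argument check was missing, only that the renderer crashed inside texSubImage2D on the path from the V8 binding down to the GLES2 command-buffer client. As an added illustration (not code from this issue, from WebKit or Chromium, and not the fix landed in changeset 117191), the stand-alone JavaScript below models the validation the WebGL 1.0 specification requires before a texSubImage2D call is forwarded to the GPU process: the sub-rectangle must lie inside the allocated level, the format must match the level, and the client array must hold enough bytes for every row, including UNPACK_ALIGNMENT padding. The `texture` and `call` object shapes, the function names, and the UNSIGNED_BYTE-only format table are assumptions made for the example.

```javascript
// Added example, not Chromium/WebKit code: models the checks a WebGL
// implementation must perform on texSubImage2D arguments before it hands
// the upload to the GPU process. Assumption: UNSIGNED_BYTE texel data only.

// Components per texel for the WebGL 1.0 unsized formats.
const COMPONENTS = { ALPHA: 1, LUMINANCE: 1, LUMINANCE_ALPHA: 2, RGB: 3, RGBA: 4 };

// Bytes a width x height upload needs when rows are padded to `alignment`
// (the UNPACK_ALIGNMENT pixel-store parameter); the last row is not padded.
function requiredBytes(width, height, format, alignment) {
  const comps = COMPONENTS[format];
  if (comps === undefined) throw new RangeError(`unknown format ${format}`);
  const rowBytes = width * comps;
  const paddedRow = Math.ceil(rowBytes / alignment) * alignment;
  return height === 0 ? 0 : paddedRow * (height - 1) + rowBytes;
}

// texture: { width, height, format } describing the allocated mip level.
// call:    { xoffset, yoffset, width, height, format, pixels, alignment? }
// Returns null when the call is safe to forward, otherwise a string naming
// the GL error the implementation should raise and the check that failed.
function validateTexSubImage2D(texture, call) {
  const { xoffset, yoffset, width, height, format, pixels } = call;
  const alignment = call.alignment ?? 4;

  // Every offset and size must be a non-negative integer (rejects NaN,
  // negatives and fractional values coming from the JS binding).
  for (const [name, v] of Object.entries({ xoffset, yoffset, width, height })) {
    if (!Number.isInteger(v) || v < 0) {
      return `INVALID_VALUE: ${name} must be a non-negative integer`;
    }
  }
  if (!(format in COMPONENTS)) return 'INVALID_ENUM: unsupported format';
  if (format !== texture.format) {
    return 'INVALID_OPERATION: format must match the texture level';
  }
  // The destination rectangle must fit inside the level that was allocated
  // by texImage2D; doubles are exact here so xoffset + width cannot wrap.
  if (xoffset + width > texture.width || yoffset + height > texture.height) {
    return 'INVALID_VALUE: region exceeds the allocated level';
  }
  if (!(pixels instanceof Uint8Array)) {
    return 'TYPE_MISMATCH: pixels must be a Uint8Array for UNSIGNED_BYTE';
  }
  // The client array must cover every padded row, or the copy into the
  // command buffer would read past the end of the caller's buffer.
  const need = requiredBytes(width, height, format, alignment);
  if (pixels.byteLength < need) {
    return `INVALID_OPERATION: pixels has ${pixels.byteLength} bytes, need ${need}`;
  }
  return null;
}

// Constructed sample input: a 256x256 RGBA level and one in-bounds update.
const sampleLevel = { width: 256, height: 256, format: 'RGBA' };
const sampleCall = {
  xoffset: 0, yoffset: 0, width: 16, height: 16, format: 'RGBA',
  pixels: new Uint8Array(16 * 16 * 4),
};
console.log(validateTexSubImage2D(sampleLevel, sampleCall)); // null
```

The two failure strings that matter most for a native crash are the region check and the byte-count check: the first protects the GPU-side texture allocation, the second protects the copy from the caller's ArrayBuffer into the shared command buffer. A performance test that drives many sizes through texSubImage2D is exactly the kind of input that exercises both boundaries.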


Comment 1 by kbr@chromium.org, May 9 2012

Labels: WebKit-ID-85942

Comment 2 by kbr@chromium.org, May 9 2012

Owner: kbr@chromium.org
Status: Assigned

Comment 3 by bugdroid1@chromium.org, May 9 2012

Labels: -WebKit-ID-85942 WebKit-ID-85942-ASSIGNED
https://bugs.webkit.org/show_bug.cgi?id=85942

Comment 4 by bugdroid1@chromium.org, May 17 2012

Labels: -WebKit-ID-85942-ASSIGNED WebKit-ID-85942-RESOLVED WebKit-Rev-117191
https://bugs.webkit.org/show_bug.cgi?id=85942
http://trac.webkit.org/changeset/117191

Comment 5 by kbr@chromium.org, May 17 2012

Status: Fixed
Fixed per above bug.

Comment 6 by kbr@chromium.org, May 24 2012

Cc: infe...@chromium.org scarybea...@gmail.com
Labels: Mstone-20 Merge-Requested
Requesting backport to M20. Related issue 128688 was approved for backport, and this one is similar.

Labels: -Type-Bug -Pri-2 -Merge-Requested Type-Security Pri-1 Merge-Approved SecSeverity-High SecImpacts-Stable SecImpacts-Beta
Status: FixUnreleased
Had a chat with Ken, it does affect m19, however it is preferred for m20.

Comment 8 by kbr@chromium.org, May 24 2012

FYI, the rationale for fixing this only in M20 is that it is not triggered in commonly used functionality, and Issue 128688 would also have to be backported to M19.

Comment 10 by kbr@chromium.org, May 24 2012

Labels: -Merge-Approved Merge-Merged-1132
Labels: CVE-2012-2819

Comment 12 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed

Comment 14 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -Internals-Graphics -Feature-GPU-WebGL -Mstone-20 -SecSeverity-High -SecImpacts-Stable -SecImpacts-Beta Cr-Internals-GPU-WebGL Security-Impact-Stable Security-Impact-Beta Cr-Internals-Graphics M-20 Cr-Internals Security-Severity-High Type-Bug-Security

Comment 15 by bugdroid1@chromium.org, Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 16 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 19 by bugdroid1@chromium.org, Apr 10 2013

Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL

Comment 20 by sheriffbot@chromium.org, Jun 14 2016

Labels: -security_impact-beta

Comment 21 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Components: -Internals>Graphics Internals>GPU
Moving old issues out of Internal>Graphics to delete this obsolete component (crbug.com/685425 for details)
Labels: CVE_description-submitted
