
Issue 70070 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Email to this user bounced
Closed: Mar 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug-Security

Blocked on:
issue angleproject:122


WebGL crashes depending on uniform names

Reported by yuri.ko...@gmail.com, Jan 19 2011

Issue description

Chrome Version       : 8 stable, 9 beta
URLs (if applicable) :
Other browsers tested: Firefox 4 beta
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 3.x:
IE 7/8:

What steps will reproduce the problem?
1. Open the page attached
2. It will print to console "before link call" and "after link call"
3. Change uniform name "bone_trans_before" to "bone_trans_before2"
or "u_alpha_discard_tttt" to "u_alpha_discard_ttt"

What is the expected result?
It must print to console "before link call" and "after link call"

What happens instead?
It prints "before link call" and crashes

Please provide any additional information below. Attach a screenshot if
possible.

Working fine on Linux, Win XP and Win 7 in Firefox 4 beta 9 and in Chrome 8 with --use-gl=desktop flag, and on Linux in Chrome 8 without that flag

 
crash_test.html
1.5 KB View Download
Labels: Crash FeedbackRequested
- What crashes? Just the tab or the entire browser?
- What OS do you experience the crash on?
- What exact version is crashing for you?
- What command line switches did you pass to the browser?

Can you get a crash report id?
http://dev.chromium.org/for-testers/bug-reporting-guidelines/reporting-crash-bug

Comment 2 by zmo@chromium.org, Jan 20 2011

I'll have a look.

Comment 3 by gman@chromium.org, Jan 20 2011

Looking at the shaders this looks like it could be the NVidia bug.

The shader is declaring an array of vec3 but only using 1 element

...
uniform vec3 bone_trans_before[2]; 
void main(void) {
    vec3 newpos  = a_position + bone_trans_before[0];
...

The NVidia drivers see that only 1 element is used and optimize to just 1 element instead of 2, but then report 2 in other places and corrupt memory. This is true of all Windows Nvidia drivers until at least 11/2010 when the bug was found. (Not sure about other OSes, but I'd be surprised if it wasn't there too.)

Do you happen to be using an NVidia card? if you change

    uniform vec3 bone_trans_before[2]; 

to

   uniform vec3 bone_trans_before[1]; 

does the problem go away?

Comment 4 by zmo@chromium.org, Jan 20 2011

Hi Greg,

Yes, I'm using Nvidia cards. In my new test the drivers cannot see how many elements are used, but the problem is still here.
screen.png
177 KB View Download
About GPU.htm
6.3 KB View Download
crash_test2.html
1.6 KB View Download
I also tried an ATI / Win XP combo
About GPU.htm
6.2 KB View Download
screen.PNG
78.3 KB View Download

Comment 7 by gman@chromium.org, Jan 22 2011

Status: Assigned
So I've confirmed this on my machine. Unfortunately it's a memory corruption bug and I'm not sure where the corruption happens. On my work machine it doesn't crash Chrome immediately on link. It crashes sometime after, while manipulating the browser. For example, opening the dev console sometimes crashes after running this program.

Al's machine, no crash. Ken's machine, no crash. My Macbookpro, no crash.

Will try some other stuff.

Comment 8 by kbr@chromium.org, Jan 22 2011

Labels: -Area-Undefined Area-Internals Internals-Graphics Feature-GPU
On the hypothesis that it's the NVIDIA bug can you try modifying the shader to reference the last element of the uniform array in the way we figured out earlier?

If that seems to fix the crash then we can try to fix the shader validator to patch up such shaders on NVIDIA hardware.
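The shape discussed in Comments 3 and 8 (a uniform array declared with N elements whose last element is never referenced) can be caught at the source level before a shader ever reaches the driver. The following is an added example written for this page, not code from the bug thread, the reporter's attachments, or ANGLE; the regular expressions, function names and the sample shader are constructed for the demonstration.

```javascript
// Added example, not code from the bug thread: a source-level lint for the
// condition Comment 3 describes, a uniform array declared with N elements
// whose last element is never referenced. It also reports constant indices
// that fall outside the declared size. The sample shader below is
// constructed to resemble the reporter's snippet; the names are arbitrary.

// "uniform [precision] <type> <name>[<N>];" with a constant size, which is
// what GLSL ES 1.00 allows. Comma-separated declarator lists are not handled.
const UNIFORM_ARRAY_RE =
  /\buniform\s+(?:(?:lowp|mediump|highp)\s+)?(\w+)\s+(\w+)\s*\[\s*(\d+)\s*\]\s*;/g;

// Drop block and line comments so commented-out code does not count as a use.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, ' ').replace(/\/\/[^\n]*/g, ' ');
}

// One record per uniform array: declared size, constant indices used,
// whether a non-constant index appears (which may touch any element), and
// whether the last element is referenced at all.
function analyzeUniformArrays(src) {
  const code = stripComments(src);
  const decls = [];
  for (const m of code.matchAll(UNIFORM_ARRAY_RE)) {
    decls.push({ type: m[1], name: m[2], size: Number(m[3]) });
  }
  // Remove the declarations themselves so "name[N]" in a declaration is not
  // mistaken for a reference to index N.
  const body = code.replace(UNIFORM_ARRAY_RE, ' ');
  return decls.map((d) => {
    const constIndices = new Set();
    let dynamicIndex = false;
    const refRe = new RegExp('\\b' + d.name + '\\s*\\[\\s*([^\\]]+?)\\s*\\]', 'g');
    for (const m of body.matchAll(refRe)) {
      if (/^\d+$/.test(m[1])) constIndices.add(Number(m[1]));
      else dynamicIndex = true;
    }
    const outOfRange = [...constIndices].filter((i) => i >= d.size);
    return {
      ...d,
      constIndices: [...constIndices].sort((a, b) => a - b),
      dynamicIndex,
      outOfRange,
      lastReferenced: dynamicIndex || constIndices.has(d.size - 1),
    };
  });
}

// Names of uniform arrays whose last element is never referenced: the shape
// that Comment 3 says the affected driver mis-sizes.
function findUnreferencedTailArrays(src) {
  return analyzeUniformArrays(src)
    .filter((r) => !r.lastReferenced)
    .map((r) => r.name);
}

// Constructed sample in the shape of the reporter's snippet.
const SAMPLE_VERTEX_SHADER = `
attribute vec3 a_position;
uniform mat4 u_mvp;
uniform vec3 bone_trans_before[2];   // only element 0 is used below
uniform float u_weights[4];          // elements 0 and 3 are used
void main(void) {
  vec3 newpos = a_position + bone_trans_before[0];
  float w = u_weights[0] + u_weights[3];
  gl_Position = u_mvp * vec4(newpos * w, 1.0);
}
`;

// Example run: flags bone_trans_before; shrinking its declared size to 1, as
// suggested in Comment 3, clears the finding.
const FLAGGED = findUnreferencedTailArrays(SAMPLE_VERTEX_SHADER);
const FLAGGED_AFTER_FIX = findUnreferencedTailArrays(
  SAMPLE_VERTEX_SHADER.replace('bone_trans_before[2]', 'bone_trans_before[1]')
);
```

A dynamic index (`arr[i]`) is treated as possibly touching every element, so such arrays are never flagged; a constant index at or beyond the declared size is reported separately in `outOfRange`, since it is a distinct defect from the unused-tail pattern.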

I've reproduced this behavior using latest browsers: Firefox 4 beta 12 (always works), Chrome 9.0.597.107 stable, Chrome 11.0.686.0 canary (both crash, work with use-gl=desktop). 

I've also made absolutely minimal shaders and supplied code with compile/link status reporting. There are 3 test files now - one is working and the other 2 contain slight changes in uniform names already applied, one in the vertex shader and another in the fragment one.

Some findings:

1. This issue supposedly is not card vendor/driver specific as it takes place both on NVidia Quadro FX 1800 and ATI Radeon HD 4550.
2. It happens only on Windows (7 and XP tested), all is ok on Linux (Mac not tested).
3. It happens when OpenGL-to-D3D translator (ANGLE) is used.
4. It seems to be tied to GLSL vector arrays somehow.
5. Lexical subroutines involved. 

Hope this will help.

test3-not-working-vertex.html
1.8 KB View Download
test3-not-working-fragment.html
1.8 KB View Download
test3-working.html
1.6 KB View Download
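The "compile/link status reporting" the reporter mentions is the first thing worth having in a WebGL repro page: it distinguishes a clean failure (a compile or link error with an info log) from a crash inside the link call. The block below is an added example written for this page, not the reporter's attachment or any Chromium/ANGLE code. The builder takes the `gl` context as a parameter so it can run against a real `WebGLRenderingContext` in a browser or against the constructed fake included here; the fake, the helper names and the sample shaders are assumptions made for the demonstration.

```javascript
// Added example, not the reporter's attachment: a WebGL program builder
// that checks compile and link status and surfaces the info logs, the kind
// of reporting the reporter added to the test pages. `gl` is passed in so the
// same function runs against a real WebGLRenderingContext in a browser or
// against the constructed fake below when no GPU is available.

function compileShader(gl, type, source) {
  const shader = gl.createShader(type);
  gl.shaderSource(shader, source);
  gl.compileShader(shader);
  if (!gl.getShaderParameter(shader, gl.COMPILE_STATUS)) {
    const info = gl.getShaderInfoLog(shader) || '';
    gl.deleteShader(shader);
    throw new Error('shader compile failed: ' + info);
  }
  return shader;
}

// Logs around linkProgram mirror the reporter's "before/after link call"
// markers: if only the first one appears, the crash happened inside link.
function buildProgram(gl, vsSource, fsSource, log = () => {}) {
  const vs = compileShader(gl, gl.VERTEX_SHADER, vsSource);
  const fs = compileShader(gl, gl.FRAGMENT_SHADER, fsSource);
  const program = gl.createProgram();
  gl.attachShader(program, vs);
  gl.attachShader(program, fs);
  log('before link call');
  gl.linkProgram(program);
  log('after link call');
  const info = gl.getProgramInfoLog(program) || '';
  if (!gl.getProgramParameter(program, gl.LINK_STATUS)) {
    gl.deleteProgram(program);
    throw new Error('program link failed: ' + info);
  }
  // Active uniforms as the translator/driver reports them; comparing the
  // reported size with the declared size is a cheap check for the kind of
  // mismatch described in Comment 3.
  const count = gl.getProgramParameter(program, gl.ACTIVE_UNIFORMS);
  const uniforms = [];
  for (let i = 0; i < count; i++) {
    const u = gl.getActiveUniform(program, i);
    uniforms.push({ name: u.name, size: u.size, type: u.type });
  }
  return { program, uniforms, linkLog: info };
}

// Constructed stand-in for WebGLRenderingContext (enum values are the real
// WebGL ones); `behaviour` selects which steps fail and which uniforms are
// reported, so the error paths can be exercised offline.
function makeFakeGL(behaviour = {}) {
  const uniforms = behaviour.uniforms || [];
  return {
    VERTEX_SHADER: 0x8b31, FRAGMENT_SHADER: 0x8b30, COMPILE_STATUS: 0x8b81,
    LINK_STATUS: 0x8b82, ACTIVE_UNIFORMS: 0x8b86,
    createShader(type) { return { type, src: '', ok: false }; },
    shaderSource(s, src) { s.src = src; },
    compileShader(s) { s.ok = /void\s+main\s*\(/.test(s.src); },
    getShaderParameter(s, p) { return p === this.COMPILE_STATUS ? s.ok : null; },
    getShaderInfoLog(s) { return s.ok ? '' : 'ERROR: 0:1: fake: no main()'; },
    deleteShader() {},
    createProgram() { return { shaders: [], linked: false }; },
    attachShader(p, s) { p.shaders.push(s); },
    linkProgram(p) { p.linked = p.shaders.length === 2 && !behaviour.failLink; },
    getProgramParameter(p, q) {
      if (q === this.LINK_STATUS) return p.linked;
      if (q === this.ACTIVE_UNIFORMS) return p.linked ? uniforms.length : 0;
      return null;
    },
    getProgramInfoLog(p) { return p.linked ? '' : 'ERROR: fake link failure'; },
    getActiveUniform(p, i) { return uniforms[i]; },
    deleteProgram() {},
  };
}

// Constructed shaders in the shape of the thread's snippet.
const VS = 'attribute vec3 a_position;\nuniform vec3 bone_trans_before[2];\n' +
  'void main(void) { gl_Position = vec4(a_position + bone_trans_before[0], 1.0); }';
const FS = 'precision mediump float;\nvoid main(void) { gl_FragColor = vec4(1.0); }';

// Run the builder against the fake: one clean build (the fake reports the
// array as a driver would, "name[0]" with size 2), then a forced link
// failure. In a browser, replace the fake with
// document.createElement('canvas').getContext('webgl') and pass console.log.
function demo() {
  const messages = [];
  const ok = buildProgram(
    makeFakeGL({ uniforms: [{ name: 'bone_trans_before[0]', size: 2, type: 0x8b51 }] }),
    VS, FS, (m) => messages.push(m));
  let failure = null;
  try { buildProgram(makeFakeGL({ failLink: true }), VS, FS); } catch (e) { failure = e.message; }
  return { messages, uniforms: ok.uniforms, failure };
}
```

Against a real context the `uniforms` list is what to compare with the source declarations: an array declared with two elements but reported with a different size is the mismatch Comment 3 attributes to the driver, and it shows up in this listing without any memory corruption having to occur first.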

Comment 11 by kbr@chromium.org, Mar 1 2011

Filed http://code.google.com/p/angleproject/issues/detail?id=122 to track this issue in ANGLE.

Comment 12 by Deleted ...@, Mar 8 2011

I've had the same issue while making a skinned mesh shader for webgl. It kept crashing the browser until I changed "uniform mat4 u_Bones[50]" to "uniform mat4 u_SkinTransforms[50]" and the problem went away.
Blockedon: angleproject:122
Labels: -Pri-2 -Feature-GPU Pri-1 Feature-GPU-WebGL Mstone-11
let's try to fix this for m11.

Comment 14 by kbr@chromium.org, Mar 9 2011

If you are experiencing this crash please add yourself to the CC: list for http://code.google.com/p/angleproject/issues/detail?id=122 . TransGaming has been unable to reproduce the crash.

Comment 15 by kareng@google.com, Mar 9 2011

Labels: -Mstone-11 MovedFrom-11 Mstone-12
rolling non releaseblocker mstone 11 bugs to mstone 12. 
Labels: -Crash bulkmove Stability-Crash
Labels: -FeedbackRequested Action-FeedbackNeeded

Comment 18 by zmo@chromium.org, Mar 24 2011

Labels: Feature-Security
This might be fixed with Angle r592,r593,r594.  See http://code.google.com/p/angleproject/issues/detail?id=135.

Adding Feature-Security to this bug.
Labels: -Type-Bug -MovedFrom-11 -Mstone-12 -Feature-Security Type-Security Mstone-11 Restrict-View-SecurityTeam ReleaseBlock-Stable SecSeverity-Critical
Cc: security...@gtempaccount.com

Comment 21 by kbr@chromium.org, Mar 30 2011

Owner: zmo@chromium.org

Comment 22 by zmo@chromium.org, Mar 30 2011

Owner: vangelis...@gtempaccount.com
Since Vangelis is doing the merging, re-assign this bug.
Status: Fixed
Created chrome_m11 branch for ANGLE at rev 562, merged in changes 563-571 (M11 branch had actually moved to 571) and 592, 593 that fix the bug. 

Updated 696 buildspec to point to the ANGLE branch @603 in rev 14105:
http://goto.ext.google.com/viewvc/chrome-internal?view=rev&revision=14105

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
Labels: reward-topanel
Labels: -reward-topanel reward-500 reward-unpaid
@yuri.ko616: thanks for reporting this issue! Although not originally reported as a Chromium security issue, it does provisionally qualify for a $500 Chromium Security Reward, so thanks and congrats!
Also, is there some name other than "yuri.ko616" you would like us to use to credit you in the release notes?

---
NOTE: normally we do not reward security bugs unless initially filed with the
security template. Sometimes we make an exception for the first time an individual
files a security bug as a non-security issue.
For full guidelines on filing security bugs, see:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs
---

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Labels: -Mstone-11 Mstone-10
Thanks. Please use Yuri Ko.
@yuri.ko616 -- looks like we fixed this a while back; please e-mail cevans@chromium.org for details on how to collect your reward.
Going to charity (increasing donation to $1337 as is customary in these cases).
Labels: -reward-unpaid
Labels: reward-decline
Labels: SecImpacts-Stable
Batch update.
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member

Comment 37 by bugdroid1@chromium.org, Oct 13 2012

Blockedon: -angleproject:122 angleproject:122
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member

Comment 38 by bugdroid1@chromium.org, Mar 9 2013

Labels: -Action-FeedbackNeeded Needs-Feedback
Project Member

Comment 39 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -Internals-Graphics -Feature-GPU-WebGL -Mstone-10 -SecSeverity-Critical -SecImpacts-Stable Cr-Internals-GPU-WebGL Security-Impact-Stable Cr-Internals-Graphics Cr-Internals M-10 Type-Bug-Security Security-Severity-Critical
Project Member

Comment 40 by bugdroid1@chromium.org, Mar 13 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member

Comment 41 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member

Comment 42 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Critical Security_Severity-Critical
Project Member

Comment 43 by bugdroid1@chromium.org, Apr 10 2013

Labels: -Cr-Internals-GPU-WebGL Cr-Blink-WebGL
Project Member

Comment 44 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 45 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Components: -Internals>Graphics Internals>GPU
Moving old issues out of Internal>Graphics to delete this obsolete component ( crbug.com/685425  for details)
