Bug 218601

Summary: [RELEASE ASSERT][WK2][WebGL2] WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer triggers std::vector CrashOnOverflow
Product: WebKit    Reporter: Ryosuke Niwa <rniwa>
Component: WebGL    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal    CC: bfulgham, cgarcia, dino, ews-feeder, product-security, rbuis, svillar, webkit-bug-importer
Priority: P2    Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
  Reduced test case    none
  Patch                none
  Patch                none

Description Ryosuke Niwa 2020-11-04 23:26:35 PST
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000006eda964e9 WTF::CrashOnOverflow::crash() + 9 (CheckedArithmetic.h:127)
1   com.apple.WebCore             	0x00000006eda964ae WTF::CrashOnOverflow::overflowed() + 14 (CheckedArithmetic.h:120)
2   com.apple.WebCore             	0x00000006f191c212 WTF::Vector<WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer>, WTF::DefaultRefDerefTraits<WebCore::WebGLBuffer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) + 50 (Vector.h:701)
3   com.apple.WebCore             	0x00000006f18f2f29 WTF::Vector<WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer>, WTF::DefaultRefDerefTraits<WebCore::WebGLBuffer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long) + 9 (Vector.h:721)
4   com.apple.WebCore             	0x00000006f19ab1a3 WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer(unsigned int, WebCore::WebGLBuffer**) + 51 (WebGLTransformFeedback.cpp:81)
5   com.apple.WebCore             	0x00000006f18f3339 WebCore::WebGL2RenderingContext::getIndexedParameter(unsigned int, unsigned int) + 585 (WebGL2RenderingContext.cpp:2438)
6   com.apple.WebCore             	0x00000006ef5d80f6 WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGL2RenderingContext*) + 854 (JSWebGL2RenderingContext.cpp:7880)
7   com.apple.WebCore             	0x00000006ef4c3d5c long long WebCore::IDLOperation<WebCore::JSWebGL2RenderingContext>::call<&(WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGL2RenderingContext*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 252 (JSDOMOperation.h:53)
8   com.apple.WebCore             	0x00000006ef4c3c59 WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameter(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSWebGL2RenderingContext.cpp:7885)
9   ???                           	0x00004c2f12001178 0 + 83765049168248
10  com.apple.JavaScriptCore      	0x000000070c47fc59 llint_entry + 114363 (LowLevelInterpreter.asm:1054)
11  com.apple.JavaScriptCore      	0x000000070c47fc59 llint_entry + 114363 (LowLevelInterpreter.asm:1054)
12  com.apple.JavaScriptCore      	0x000000070c463ba9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:310)
13  com.apple.JavaScriptCore      	0x000000070dbcc612 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
14  com.apple.JavaScriptCore      	0x000000070dbcc612 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:904)
15  com.apple.JavaScriptCore      	0x000000070e26d265 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
16  com.apple.JavaScriptCore      	0x000000070e26d360 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)

<rdar://problem/69646216>
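The frames above show an index chosen by script passing from getIndexedParameter() through getBoundIndexedTransformFeedbackBuffer() straight into WTF::Vector::at(), whose CrashOnOverflow policy terminates the web process when the index is out of range. The WebGL2 spec instead expects getIndexedParameter() to generate INVALID_VALUE and return null for an index outside the target's range. The following C++ is an added illustration, not WebKit code and not the patch on this bug: it models the unchecked lookup beside the checked one with std::vector (whose at() throws rather than trapping), and the Buffer and TransformFeedback types, the checkedProbe/uncheckedLookupTraps helpers and the slot count of 4 are hypothetical stand-ins.

```cpp
// Added example (not WebKit code): the unchecked-index pattern behind the
// stack trace on this bug, beside the validation the WebGL2 spec requires.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// GL error values as defined by OpenGL ES / WebGL.
constexpr uint32_t GL_NO_ERROR = 0;
constexpr uint32_t GL_INVALID_VALUE = 0x0501;

// Hypothetical stand-in for WebCore::WebGLBuffer.
struct Buffer {
    int id;
};

// Hypothetical stand-in for WebCore::WebGLTransformFeedback. The table has one
// slot per indexed binding point (MAX_TRANSFORM_FEEDBACK_SEPARATE_ATTRIBS).
class TransformFeedback {
public:
    explicit TransformFeedback(size_t maxSeparateAttribs)
        : m_boundIndexedBuffers(maxSeparateAttribs, nullptr) { }

    // Binding validates its index, so a bad index never enters the table here.
    bool bindBufferBase(uint32_t index, Buffer* buffer, uint32_t& error)
    {
        if (index >= m_boundIndexedBuffers.size()) {
            error = GL_INVALID_VALUE;
            return false;
        }
        m_boundIndexedBuffers[index] = buffer;
        error = GL_NO_ERROR;
        return true;
    }

    // Unchecked lookup, the shape of the crashing frame: the script-supplied
    // index goes straight into the vector. std::vector::at() throws here;
    // WTF::Vector<..., CrashOnOverflow> terminates the process instead.
    Buffer* uncheckedLookup(uint32_t index) const
    {
        return m_boundIndexedBuffers.at(index);
    }

    // Checked lookup: reject the index before touching the table and report
    // it as the spec asks (INVALID_VALUE, null result).
    Buffer* checkedLookup(uint32_t index, uint32_t& error) const
    {
        if (index >= m_boundIndexedBuffers.size()) {
            error = GL_INVALID_VALUE;
            return nullptr;
        }
        error = GL_NO_ERROR;
        return m_boundIndexedBuffers[index];
    }

private:
    std::vector<Buffer*> m_boundIndexedBuffers;
};

// One buffer object shared by the scenarios below (hypothetical id).
static Buffer g_buffer { 7 };

struct LookupResult {
    Buffer* buffer;
    uint32_t error;
};

// Builds a table with `slots` binding points, binds g_buffer at boundIndex,
// then runs the checked lookup at queryIndex (queryIndex may be out of range).
LookupResult checkedProbe(size_t slots, uint32_t boundIndex, uint32_t queryIndex)
{
    TransformFeedback tf(slots);
    uint32_t bindError = GL_NO_ERROR;
    tf.bindBufferBase(boundIndex, &g_buffer, bindError);
    LookupResult result { nullptr, GL_NO_ERROR };
    result.buffer = tf.checkedLookup(queryIndex, result.error);
    return result;
}

// True if the unchecked path traps for queryIndex (here: throws out_of_range).
bool uncheckedLookupTraps(size_t slots, uint32_t queryIndex)
{
    TransformFeedback tf(slots);
    try {
        (void)tf.uncheckedLookup(queryIndex);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main()
{
    // Index equal to the table size: the checked path reports INVALID_VALUE,
    // the unchecked path traps.
    LookupResult bad = checkedProbe(4, 1, 4);
    bool ok = bad.buffer == nullptr && bad.error == GL_INVALID_VALUE
        && uncheckedLookupTraps(4, 4) && !uncheckedLookupTraps(4, 3);
    return ok ? 0 : 1;
}
```

The point of the checked form is that the range test runs against the table's own size before any element access, so every index script can produce, including the maximum uint32, is rejected with a GL error instead of a process crash; an unbound in-range slot still reads back as null with GL_NO_ERROR, which is the spec's answer for that case.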
Comment 1 Ryosuke Niwa 2020-11-04 23:28:42 PST
Created attachment 413256 [details]
Reduced test case
Comment 2 Rob Buis 2020-11-18 07:40:29 PST
Created attachment 414450 [details]
Patch
Comment 3 Ryosuke Niwa 2020-11-18 17:58:31 PST
Comment on attachment 414450 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=414450&action=review

> Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
>      *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();

Is this a release assert crash because of the bounds check?
If so, we can add the test?
Comment 4 Rob Buis 2020-11-19 08:39:26 PST
Created attachment 414584 [details]
Patch
Comment 5 Rob Buis 2020-11-19 08:42:39 PST
(In reply to Ryosuke Niwa from comment #3)
> Comment on attachment 414450 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=414450&action=review
> 
> > Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
> >      *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
> 
> Is this a release assert crash because of the bounds check?
> If so, we can add the test?

Yes, it is a release assert crash, I now added the test.
Comment 6 Ryosuke Niwa 2020-11-21 18:14:13 PST
(In reply to Rob Buis from comment #5)
> (In reply to Ryosuke Niwa from comment #3)
> > Comment on attachment 414450 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=414450&action=review
> > 
> > > Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
> > >      *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
> > 
> > Is this a release assert crash because of the bounds check?
> > If so, we can add the test?
> 
> Yes, it is a release assert crash, I now added the test.

Great. Thanks for verifying!
Comment 7 EWS 2020-11-22 00:30:39 PST
Committed r270160: <https://trac.webkit.org/changeset/270160>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 414584 [details].