RESOLVED FIXED 211942
[GTK][WPE] webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs.html is crashing 
https://bugs.webkit.org/show_bug.cgi?id=211942
Summary [GTK][WPE] webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs.html ...
Diego Pino
Reported 2020-05-15 01:31:19 PDT
The test started crashing in r261023, together with other WebGL tests. This regression was partly fixed by r261609, but after r261609 this test is still crashing. Crash-log: https://build.webkit.org/results/WPE%20Linux%2064-bit%20Release%20(Tests)/r261729%20(18186)/webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs-crash-log.txt Thread 1 (Thread 0x7f32608d4100 (LWP 13895)): #0 0x00007f326aece87e in WTFCrash () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #1 0x00007f3268c2be35 in () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #2 0x00007f3268c1fe1c in WebCore::WebGLRenderingContextBase::copyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #3 0x00007f3268245071 in WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*, JSC::ThrowScope&) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #4 0x00007f326824943b in WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2D(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #5 0x00007f321feff178 in () #6 0x00007ffd4866d5f0 in () #7 0x00007f326acb7371 in llint_op_call_varargs () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #8 0x0000000000000000 in () STDERR: 1 0x7f326aece879 WTFCrash STDERR: 2 0x7f3268c2be35 /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3(+0x390ae35) [0x7f3268c2be35] STDERR: 3 0x7f3268c1fe1c WebCore::WebGLRenderingContextBase::copyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) STDERR: 4 0x7f3268245071 /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3(+0x2f24071) [0x7f3268245071] STDERR: 5 0x7f326824943b WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2D(JSC::JSGlobalObject*, JSC::CallFrame*) STDERR: 6 0x7f321feff178 [0x7f321feff178]
Attachments
Fix for crashing copyTexImage2DBadArgs (828 bytes, patch)
2022-05-10 08:35 PDT, michal.kobylecki 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Diego Pino
Comment 1 2020-05-15 01:39:34 PDT
I decided to create a new ticket for this failure, independently of https://bugs.webkit.org/show_bug.cgi?id=211887, since this crash happens on GTK and WPE.
michal.kobylecki
Comment 2 2022-05-10 08:35:09 PDT
Created attachment 459120 [details] Fix for crashing copyTexImage2DBadArgs
michal.kobylecki
Comment 3 2022-05-10 08:40:33 PDT
Hi, do you plan to deliver a fix for this issue? I've come across it when running WebGL 1.0.3 tests on WPE 2.34.7. The analysis showed the reason is missing handling of incorrect level value which in the case of copyTexImage2DBadArgs test is -1. This further led to trying to access the vector element with index -1 and it ends up with a crash of course. I've worked out a potential fix (please see attached patch). It seems like it worked like that in the past but level value validation was removed at some point (see https://github.com/WebKit/WebKit/commit/96238bc353a16de3a120ebe925ecea631e97abd2#diff-559cea90f946de8eaeb87bb35e630916000e561eb725964fef24b902630b380fL4745). Thank you in advance.
Alejandro G. Castro
Comment 4 2022-09-29 12:40:47 PDT
After replacing the WebGL backend with ANGLE the crash is fixed. The gardening commit is: https://commits.webkit.org/255008@main
Radar WebKit Bug Importer
Comment 5 2022-09-29 12:41:18 PDT
<rdar://problem/100577689>
Note You need to log in before you can comment on or make changes to this bug.