Bug 218601 - [RELEASE ASSERT][WK2][WebGL2] WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer triggers std::vector CrashOnOverflow
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebGL
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2020-11-04 23:26 PST by Ryosuke Niwa
Modified: 2020-11-22 00:30 PST (History)
Attachments
Reduced test case (368 bytes, text/html)
2020-11-04 23:28 PST, Ryosuke Niwa
Patch (1.63 KB, patch)
2020-11-18 07:40 PST, Rob Buis
Patch (3.66 KB, patch)
2020-11-19 08:39 PST, Rob Buis

Description Ryosuke Niwa 2020-11-04 23:26:35 PST
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000006eda964e9 WTF::CrashOnOverflow::crash() + 9 (CheckedArithmetic.h:127)
1   com.apple.WebCore             	0x00000006eda964ae WTF::CrashOnOverflow::overflowed() + 14 (CheckedArithmetic.h:120)
2   com.apple.WebCore             	0x00000006f191c212 WTF::Vector<WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer>, WTF::DefaultRefDerefTraits<WebCore::WebGLBuffer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) + 50 (Vector.h:701)
3   com.apple.WebCore             	0x00000006f18f2f29 WTF::Vector<WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer>, WTF::DefaultRefDerefTraits<WebCore::WebGLBuffer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long) + 9 (Vector.h:721)
4   com.apple.WebCore             	0x00000006f19ab1a3 WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer(unsigned int, WebCore::WebGLBuffer**) + 51 (WebGLTransformFeedback.cpp:81)
5   com.apple.WebCore             	0x00000006f18f3339 WebCore::WebGL2RenderingContext::getIndexedParameter(unsigned int, unsigned int) + 585 (WebGL2RenderingContext.cpp:2438)
6   com.apple.WebCore             	0x00000006ef5d80f6 WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGL2RenderingContext*) + 854 (JSWebGL2RenderingContext.cpp:7880)
7   com.apple.WebCore             	0x00000006ef4c3d5c long long WebCore::IDLOperation<WebCore::JSWebGL2RenderingContext>::call<&(WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGL2RenderingContext*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 252 (JSDOMOperation.h:53)
8   com.apple.WebCore             	0x00000006ef4c3c59 WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameter(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSWebGL2RenderingContext.cpp:7885)
9   ???                           	0x00004c2f12001178 0 + 83765049168248
10  com.apple.JavaScriptCore      	0x000000070c47fc59 llint_entry + 114363 (LowLevelInterpreter.asm:1054)
11  com.apple.JavaScriptCore      	0x000000070c47fc59 llint_entry + 114363 (LowLevelInterpreter.asm:1054)
12  com.apple.JavaScriptCore      	0x000000070c463ba9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:310)
13  com.apple.JavaScriptCore      	0x000000070dbcc612 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
14  com.apple.JavaScriptCore      	0x000000070dbcc612 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:904)
15  com.apple.JavaScriptCore      	0x000000070e26d265 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
16  com.apple.JavaScriptCore      	0x000000070e26d360 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)

<rdar://problem/69646216>
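The trace above ends in WTF::Vector's CrashOnOverflow handler: getIndexedParameter passes a script-supplied index down to getBoundIndexedTransformFeedbackBuffer, which indexes m_boundIndexedTransformFeedbackBuffers without first checking it against the vector's size, so an out-of-range index terminates the process (a deterministic crash, not memory corruption, because the container release-asserts). The following C++ is an added illustration of that defect class and is not WebKit's code or the patch that landed as r270160: Buffer, CrashOnOverflowVector, TransformFeedback, makeFixture, checkedLookup and uncheckedLookupAsserts are stand-ins chosen here, the "release assert" is modelled as a thrown exception so a test can observe it, and the bounds-checked accessor is an assumed hardening consistent with the review discussion, not a copy of the landed fix.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <utility>
#include <vector>

// Stand-in for WebCore::WebGLBuffer (assumed name, not WebKit's type).
struct Buffer {
    explicit Buffer(int id) : id(id) {}
    int id;
};

// Models the release assert in WTF::Vector<T, 0, CrashOnOverflow>::at().
// WebKit terminates the process; this model throws so a test can observe it.
struct ReleaseAssertFailure : std::runtime_error {
    using std::runtime_error::runtime_error;
};

template <typename T>
class CrashOnOverflowVector {
public:
    explicit CrashOnOverflowVector(size_t n) : m_items(n) {}
    size_t size() const { return m_items.size(); }
    T& operator[](size_t i) {
        if (i >= m_items.size())
            throw ReleaseAssertFailure("Vector index out of range (CrashOnOverflow)");
        return m_items[i];
    }
private:
    std::vector<T> m_items;
};

// Stand-in for WebCore::WebGLTransformFeedback: a fixed number of indexed
// buffer binding points, looked up by a caller-supplied index.
class TransformFeedback {
public:
    explicit TransformFeedback(size_t maxIndexedBindings) : m_bound(maxIndexedBindings) {}

    bool bindIndexed(unsigned index, std::shared_ptr<Buffer> buffer) {
        if (index >= m_bound.size())
            return false;
        m_bound[index] = std::move(buffer);
        return true;
    }

    // Unchecked form: the shape quoted at WebGLTransformFeedback.cpp:81 in the
    // review. Any index >= size() hits the container's release assert.
    void getBoundIndexedBufferUnchecked(unsigned index, Buffer** outBuffer) {
        *outBuffer = m_bound[index].get();
    }

    // Hardened form (assumed, not the landed patch): validate before indexing
    // and report a bad index to the caller instead of crashing.
    bool getBoundIndexedBuffer(unsigned index, Buffer** outBuffer) {
        *outBuffer = nullptr;
        if (index >= m_bound.size())
            return false;
        *outBuffer = m_bound[index].get();
        return true;
    }

private:
    CrashOnOverflowVector<std::shared_ptr<Buffer>> m_bound;
};

// Constructed fixture: four binding points, a buffer with id 42 bound at index 1.
static TransformFeedback makeFixture() {
    TransformFeedback tf(4);
    tf.bindIndexed(1, std::make_shared<Buffer>(42));
    return tf;
}

// Models the script-facing getIndexedParameter path using the hardened lookup:
// the bound buffer's id, 0 for an empty slot, -1 for an invalid index (where a
// GL error would be synthesized instead of a crash).
int checkedLookup(unsigned index) {
    TransformFeedback tf = makeFixture();
    Buffer* buffer = nullptr;
    if (!tf.getBoundIndexedBuffer(index, &buffer))
        return -1;
    return buffer ? buffer->id : 0;
}

// Same index through the unchecked lookup: true if it trips the modelled assert.
bool uncheckedLookupAsserts(unsigned index) {
    TransformFeedback tf = makeFixture();
    Buffer* buffer = nullptr;
    try {
        tf.getBoundIndexedBufferUnchecked(index, &buffer);
    } catch (const ReleaseAssertFailure&) {
        return true;
    }
    return false;
}

int main() {
    std::printf("checked index 1 -> %d\n", checkedLookup(1));   // 42
    std::printf("checked index 4 -> %d\n", checkedLookup(4));   // -1
    std::printf("unchecked index 4 asserts: %s\n", uncheckedLookupAsserts(4) ? "yes" : "no");
    return 0;
}
```

The point for a reviewer is the one raised in comment 3: the index reaching the container comes from script, so the check belongs before the subscript (or in the caller that owns the binding-count limit), and a regression test should exercise an index at and beyond the limit, which is what the second patch in this bug added.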
Comment 1 Ryosuke Niwa 2020-11-04 23:28:42 PST
Created attachment 413256 [details]
Reduced test case
Comment 2 Rob Buis 2020-11-18 07:40:29 PST
Created attachment 414450 [details]
Patch
Comment 3 Ryosuke Niwa 2020-11-18 17:58:31 PST
Comment on attachment 414450 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=414450&action=review

> Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
>      *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();

Is this a release assert crash because of the bounds check?
If so, we can add the test?
Comment 4 Rob Buis 2020-11-19 08:39:26 PST
Created attachment 414584 [details]
Patch
Comment 5 Rob Buis 2020-11-19 08:42:39 PST
(In reply to Ryosuke Niwa from comment #3)
> Comment on attachment 414450 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=414450&action=review
> 
> > Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
> >      *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
> 
> Is this a release assert crash because of the bounds check?
> If so, we can add the test?

Yes, it is a release assert crash, I now added the test.
Comment 6 Ryosuke Niwa 2020-11-21 18:14:13 PST
(In reply to Rob Buis from comment #5)
> (In reply to Ryosuke Niwa from comment #3)
> > Comment on attachment 414450 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=414450&action=review
> > 
> > > Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
> > >      *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
> > 
> > Is this a release assert crash because of the bounds check?
> > If so, we can add the test?
> 
> Yes, it is a release assert crash, I now added the test.

Great. Thanks for verifying!
Comment 7 EWS 2020-11-22 00:30:39 PST
Committed r270160: <https://trac.webkit.org/changeset/270160>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 414584 [details].