RESOLVED FIXED 218601
[RELEASE ASSERT][WK2][WebGL2] WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer triggers std::vector CrashOnOverflow
https://bugs.webkit.org/show_bug.cgi?id=218601
Ryosuke Niwa
Reported 2020-11-04 23:26:35 PST
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore            0x00000006eda964e9 WTF::CrashOnOverflow::crash() + 9 (CheckedArithmetic.h:127)
1   com.apple.WebCore            0x00000006eda964ae WTF::CrashOnOverflow::overflowed() + 14 (CheckedArithmetic.h:120)
2   com.apple.WebCore            0x00000006f191c212 WTF::Vector<WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer>, WTF::DefaultRefDerefTraits<WebCore::WebGLBuffer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) + 50 (Vector.h:701)
3   com.apple.WebCore            0x00000006f18f2f29 WTF::Vector<WTF::RefPtr<WebCore::WebGLBuffer, WTF::DumbPtrTraits<WebCore::WebGLBuffer>, WTF::DefaultRefDerefTraits<WebCore::WebGLBuffer> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long) + 9 (Vector.h:721)
4   com.apple.WebCore            0x00000006f19ab1a3 WebCore::WebGLTransformFeedback::getBoundIndexedTransformFeedbackBuffer(unsigned int, WebCore::WebGLBuffer**) + 51 (WebGLTransformFeedback.cpp:81)
5   com.apple.WebCore            0x00000006f18f3339 WebCore::WebGL2RenderingContext::getIndexedParameter(unsigned int, unsigned int) + 585 (WebGL2RenderingContext.cpp:2438)
6   com.apple.WebCore            0x00000006ef5d80f6 WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGL2RenderingContext*) + 854 (JSWebGL2RenderingContext.cpp:7880)
7   com.apple.WebCore            0x00000006ef4c3d5c long long WebCore::IDLOperation<WebCore::JSWebGL2RenderingContext>::call<&(WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameterBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGL2RenderingContext*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 252 (JSDOMOperation.h:53)
8   com.apple.WebCore            0x00000006ef4c3c59 WebCore::jsWebGL2RenderingContextPrototypeFunctionGetIndexedParameter(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSWebGL2RenderingContext.cpp:7885)
9   ???                          0x00004c2f12001178 0 + 83765049168248
10  com.apple.JavaScriptCore     0x000000070c47fc59 llint_entry + 114363 (LowLevelInterpreter.asm:1054)
11  com.apple.JavaScriptCore     0x000000070c47fc59 llint_entry + 114363 (LowLevelInterpreter.asm:1054)
12  com.apple.JavaScriptCore     0x000000070c463ba9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:310)
13  com.apple.JavaScriptCore     0x000000070dbcc612 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
14  com.apple.JavaScriptCore     0x000000070dbcc612 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:904)
15  com.apple.JavaScriptCore     0x000000070e26d265 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
16  com.apple.JavaScriptCore     0x000000070e26d360 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)

<rdar://problem/69646216>
Attachments
Reduced test case (368 bytes, text/html)
2020-11-04 23:28 PST, Ryosuke Niwa
no flags
Patch (1.63 KB, patch)
2020-11-18 07:40 PST, Rob Buis
no flags
Patch (3.66 KB, patch)
2020-11-19 08:39 PST, Rob Buis
no flags
Ryosuke Niwa
Comment 1 2020-11-04 23:28:42 PST
Created attachment 413256 [details] Reduced test case
Rob Buis
Comment 2 2020-11-18 07:40:29 PST
Ryosuke Niwa
Comment 3 2020-11-18 17:58:31 PST
Comment on attachment 414450 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=414450&action=review

> Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
> *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();

Is this a release assert crash because of the bounds check? If so, we can add the test?
Rob Buis
Comment 4 2020-11-19 08:39:26 PST
Rob Buis
Comment 5 2020-11-19 08:42:39 PST
(In reply to Ryosuke Niwa from comment #3)
> Comment on attachment 414450 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=414450&action=review
>
> > Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
> > *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
>
> Is this a release assert crash because of the bounds check?
> If so, we can add the test?

Yes, it is a release assert crash, I now added the test.
Ryosuke Niwa
Comment 6 2020-11-21 18:14:13 PST
(In reply to Rob Buis from comment #5)
> (In reply to Ryosuke Niwa from comment #3)
> > Comment on attachment 414450 [details]
> > Patch
> >
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=414450&action=review
> >
> > > Source/WebCore/html/canvas/WebGLTransformFeedback.cpp:81
> > > *outBuffer = m_boundIndexedTransformFeedbackBuffers[index].get();
> >
> > Is this a release assert crash because of the bounds check?
> > If so, we can add the test?
>
> Yes, it is a release assert crash, I now added the test.

Great. Thanks for verifying!
EWS
Comment 7 2020-11-22 00:30:39 PST
Committed r270160: <https://trac.webkit.org/changeset/270160>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 414584 [details].