Bug 211942

Summary: [GTK][WPE] webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs.html is crashing
Product: WebKit Reporter: Diego Pino <dpino>
Component: WebGLAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: alex, clord, dino, kbr, magomez, michal.kobylecki, webkit-bug-importer, zdobersek
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=211887
Attachments:
Description Flags
Fix for crashing copyTexImage2DBadArgs none

Description Diego Pino 2020-05-15 01:31:19 PDT 
The test started crashing in r261023, together with other WebGL tests. This regression was partly fixed by r261609, but after r261609 this test is still crashing.

Crash-log: https://build.webkit.org/results/WPE%20Linux%2064-bit%20Release%20(Tests)/r261729%20(18186)/webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs-crash-log.txt


Thread 1 (Thread 0x7f32608d4100 (LWP 13895)):
#0  0x00007f326aece87e in WTFCrash () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#1  0x00007f3268c2be35 in  () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#2  0x00007f3268c1fe1c in WebCore::WebGLRenderingContextBase::copyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#3  0x00007f3268245071 in WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*, JSC::ThrowScope&) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#4  0x00007f326824943b in WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2D(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#5  0x00007f321feff178 in  ()
#6  0x00007ffd4866d5f0 in  ()
#7  0x00007f326acb7371 in llint_op_call_varargs () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#8  0x0000000000000000 in  ()

STDERR: 1   0x7f326aece879 WTFCrash
STDERR: 2   0x7f3268c2be35 /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3(+0x390ae35) [0x7f3268c2be35]
STDERR: 3   0x7f3268c1fe1c WebCore::WebGLRenderingContextBase::copyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int)
STDERR: 4   0x7f3268245071 /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3(+0x2f24071) [0x7f3268245071]
STDERR: 5   0x7f326824943b WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2D(JSC::JSGlobalObject*, JSC::CallFrame*)
STDERR: 6   0x7f321feff178 [0x7f321feff178]
Comment 1 Diego Pino 2020-05-15 01:39:34 PDT 
I decided to create a new ticket for this failure, independently of https://bugs.webkit.org/show_bug.cgi?id=211887, since this crash happens on GTK and WPE.
Comment 2 michal.kobylecki 2022-05-10 08:35:09 PDT 
Created attachment 459120 [details]
Fix for crashing copyTexImage2DBadArgs
Comment 3 michal.kobylecki 2022-05-10 08:40:33 PDT 
Hi,
do you plan to deliver a fix for this issue?
I've come across it when running WebGL 1.0.3 tests on WPE 2.34.7.
The analysis showed the reason is missing handling of incorrect level value which in the case of copyTexImage2DBadArgs test is -1.
This further led to trying to access the vector element with index -1 and it ends up with a crash of course.
I've worked out a potential fix (please see attached patch).
It seems like it worked like that in the past but level value validation was removed at some point (see https://github.com/WebKit/WebKit/commit/96238bc353a16de3a120ebe925ecea631e97abd2#diff-559cea90f946de8eaeb87bb35e630916000e561eb725964fef24b902630b380fL4745).

Thank you in advance.
Comment 4 Alejandro G. Castro 2022-09-29 12:40:47 PDT 
After replacing the WebGL backend with ANGLE the crash is fixed. The gardening commit is:

https://commits.webkit.org/255008@main
Comment 5 Radar WebKit Bug Importer 2022-09-29 12:41:18 PDT 
<rdar://problem/100577689>