Bug 211942 - [GTK][WPE] webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs.html is crashing
Summary: [GTK][WPE] webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs.html ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebGL
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-05-15 01:31 PDT by Diego Pino
Modified: 2022-09-29 12:41 PDT

See Also:


Attachments
Fix for crashing copyTexImage2DBadArgs (828 bytes, patch)
2022-05-10 08:35 PDT, michal.kobylecki

Description Diego Pino 2020-05-15 01:31:19 PDT
The test started crashing in r261023, together with other WebGL tests. This regression was partly fixed by r261609, but after r261609 this test is still crashing.

Crash-log: https://build.webkit.org/results/WPE%20Linux%2064-bit%20Release%20(Tests)/r261729%20(18186)/webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs-crash-log.txt


Thread 1 (Thread 0x7f32608d4100 (LWP 13895)):
#0  0x00007f326aece87e in WTFCrash () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#1  0x00007f3268c2be35 in  () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#2  0x00007f3268c1fe1c in WebCore::WebGLRenderingContextBase::copyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#3  0x00007f3268245071 in WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*, JSC::ThrowScope&) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#4  0x00007f326824943b in WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2D(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#5  0x00007f321feff178 in  ()
#6  0x00007ffd4866d5f0 in  ()
#7  0x00007f326acb7371 in llint_op_call_varargs () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3
#8  0x0000000000000000 in  ()

STDERR: 1   0x7f326aece879 WTFCrash
STDERR: 2   0x7f3268c2be35 /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3(+0x390ae35) [0x7f3268c2be35]
STDERR: 3   0x7f3268c1fe1c WebCore::WebGLRenderingContextBase::copyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int)
STDERR: 4   0x7f3268245071 /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3(+0x2f24071) [0x7f3268245071]
STDERR: 5   0x7f326824943b WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2D(JSC::JSGlobalObject*, JSC::CallFrame*)
STDERR: 6   0x7f321feff178 [0x7f321feff178]
Comment 1 Diego Pino 2020-05-15 01:39:34 PDT
I decided to create a new ticket for this failure, independently of https://bugs.webkit.org/show_bug.cgi?id=211887, since this crash happens on GTK and WPE.
Comment 2 michal.kobylecki 2022-05-10 08:35:09 PDT
Created attachment 459120
Fix for crashing copyTexImage2DBadArgs
Comment 3 michal.kobylecki 2022-05-10 08:40:33 PDT
Hi,
do you plan to deliver a fix for this issue?
I've come across it when running WebGL 1.0.3 tests on WPE 2.34.7.
The analysis showed the reason is missing handling of an incorrect level value, which in the case of the copyTexImage2DBadArgs test is -1.
This further led to trying to access the vector element with index -1, which of course ends up in a crash.
I've worked out a potential fix (please see the attached patch).
It seems like it worked like that in the past, but level value validation was removed at some point (see https://github.com/WebKit/WebKit/commit/96238bc353a16de3a120ebe925ecea631e97abd2#diff-559cea90f946de8eaeb87bb35e630916000e561eb725964fef24b902630b380fL4745).

Thank you in advance.
Comment 4 Alejandro G. Castro 2022-09-29 12:40:47 PDT
After replacing the WebGL backend with ANGLE, the crash is fixed. The gardening commit is:

https://commits.webkit.org/255008@main
Comment 5 Radar WebKit Bug Importer 2022-09-29 12:41:18 PDT
<rdar://problem/100577689>