211942 2020-05-15 01:31:19 -0700 [GTK][WPE] webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs.html is crashing 2022-09-29 12:41:18 -0700 1 1 1 Unclassified WebKit WebGL WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=211887 InRadar P2 Normal --- 1 dpino webkit-unassigned alex clord dino kbr magomez michal.kobylecki webkit-bug-importer zdobersek oldest_to_newest 1652981 0 dpino 2020-05-15 01:31:19 -0700 The test started crashing in r261023, together with other WebGL tests. This regression was partly fixed by r261609, but after r261609 this test is still crashing. Crash-log: https://build.webkit.org/results/WPE%20Linux%2064-bit%20Release%20(Tests)/r261729%20(18186)/webgl/1.0.3/conformance/more/functions/copyTexImage2DBadArgs-crash-log.txt Thread 1 (Thread 0x7f32608d4100 (LWP 13895)): #0 0x00007f326aece87e in WTFCrash () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #1 0x00007f3268c2be35 in () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #2 0x00007f3268c1fe1c in WebCore::WebGLRenderingContextBase::copyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #3 0x00007f3268245071 in WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2DBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSWebGLRenderingContext*, JSC::ThrowScope&) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #4 0x00007f326824943b in WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2D(JSC::JSGlobalObject*, JSC::CallFrame*) () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #5 0x00007f321feff178 in () #6 0x00007ffd4866d5f0 in () #7 0x00007f326acb7371 in llint_op_call_varargs () at /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3 #8 0x0000000000000000 in () STDERR: 1 0x7f326aece879 WTFCrash STDERR: 2 0x7f3268c2be35 /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3(+0x390ae35) [0x7f3268c2be35] STDERR: 3 0x7f3268c1fe1c WebCore::WebGLRenderingContextBase::copyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) STDERR: 4 0x7f3268245071 /app/webkit/WebKitBuild/Release/lib/libWPEWebKit-1.0.so.3(+0x2f24071) [0x7f3268245071] STDERR: 5 0x7f326824943b WebCore::jsWebGLRenderingContextPrototypeFunctionCopyTexImage2D(JSC::JSGlobalObject*, JSC::CallFrame*) STDERR: 6 0x7f321feff178 [0x7f321feff178] 1652982 1 dpino 2020-05-15 01:39:34 -0700 I decided to create a new ticket for this failure, independently of https://bugs.webkit.org/show_bug.cgi?id=211887, since this crash happens on GTK and WPE. 1867933 2 459120 michal.kobylecki 2022-05-10 08:35:09 -0700 Created attachment 459120 Fix for crashing copyTexImage2DBadArgs 1867937 3 michal.kobylecki 2022-05-10 08:40:33 -0700 Hi, do you plan to deliver a fix for this issue? I've come across it when running WebGL 1.0.3 tests on WPE 2.34.7. The analysis showed the reason is missing handling of incorrect level value which in the case of copyTexImage2DBadArgs test is -1. This further led to trying to access the vector element with index -1 and it ends up with a crash of course. I've worked out a potential fix (please see attached patch). It seems like it worked like that in the past but level value validation was removed at some point (see https://github.com/WebKit/WebKit/commit/96238bc353a16de3a120ebe925ecea631e97abd2#diff-559cea90f946de8eaeb87bb35e630916000e561eb725964fef24b902630b380fL4745). Thank you in advance. 1902135 4 alex 2022-09-29 12:40:47 -0700 After replacing the WebGL backend with ANGLE the crash is fixed. The gardening commit is: https://commits.webkit.org/255008@main 1902136 5 webkit-bug-importer 2022-09-29 12:41:18 -0700 <rdar://problem/100577689> 459120 2022-05-10 08:35:09 -0700 2022-05-10 08:35:09 -0700 Fix for crashing copyTexImage2DBadArgs copyTexImage2DBadArgs.patch text/plain 828 michal.kobylecki ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2h0bWwvY2FudmFzL1dlYkdMUmVuZGVyaW5nQ29u dGV4dEJhc2UuY3BwIGIvU291cmNlL1dlYkNvcmUvaHRtbC9jYW52YXMvV2ViR0xSZW5kZXJpbmdD b250ZXh0QmFzZS5jcHAKaW5kZXggYTc1YjVlODFlOTQ3Li45N2Y4M2I1OGMxNjQgMTAwNjQ0Ci0t LSBhL1NvdXJjZS9XZWJDb3JlL2h0bWwvY2FudmFzL1dlYkdMUmVuZGVyaW5nQ29udGV4dEJhc2Uu Y3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2h0bWwvY2FudmFzL1dlYkdMUmVuZGVyaW5nQ29udGV4 dEJhc2UuY3BwCkBAIC01NTc0LDcgKzU1NzQsNyBAQCBib29sIFdlYkdMUmVuZGVyaW5nQ29udGV4 dEJhc2U6OnZhbGlkYXRlVGV4RnVuY1BhcmFtZXRlcnMoY29uc3QgY2hhciogZnVuY3Rpb25OYQog ICAgICAgICBpZiAoIXZhbGlkYXRlVGV4SW1hZ2VTb3VyY2VGb3JtYXRBbmRUeXBlKGZ1bmN0aW9u TmFtZSwgZnVuY3Rpb25UeXBlLCBpbnRlcm5hbGZvcm1hdCwgZm9ybWF0LCB0eXBlKSkKICAgICAg ICAgICAgIHJldHVybiBmYWxzZTsKICAgICB9IGVsc2UgewotICAgICAgICBpZiAoIXZhbGlkYXRl VGV4RnVuY0Zvcm1hdEFuZFR5cGUoZnVuY3Rpb25OYW1lLCBpbnRlcm5hbGZvcm1hdCwgZm9ybWF0 LCB0eXBlLCBsZXZlbCkpCisgICAgICAgIGlmICghdmFsaWRhdGVUZXhGdW5jRm9ybWF0QW5kVHlw ZShmdW5jdGlvbk5hbWUsIGludGVybmFsZm9ybWF0LCBmb3JtYXQsIHR5cGUsIGxldmVsKSB8fCAh dmFsaWRhdGVUZXhGdW5jTGV2ZWwoZnVuY3Rpb25OYW1lLCB0YXJnZXQsIGxldmVsKSkKICAgICAg ICAgICAgIHJldHVybiBmYWxzZTsKICAgICB9CiAK