Closed Bug 1041785 Opened 10 years ago Closed 10 years ago

Nightly 33.0a1 crashes on ANGLE_instanced_arrays WebGL demo

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Version:
33 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla34
Tracking Flags:
Tracking Status
firefox32 --- unaffected
firefox33 + verified
firefox34 + verified

People

(Reporter: floooh, Assigned: bjacob)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

fix a null deref and remove dangerous default pointer value so the compiler would catch that
2.02 KB, patch
u480271
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:33.0) Gecko/20100101 Firefox/33.0 (Beta/Release)
Build ID: 20140720030203

Steps to reproduce:

On OSX 10.10 beta4 (other OSes or OS versions not tested) in latest Nightly, go to: 

http://floooh.github.io/oryol/Instancing.html

The browser crashes almost instantly and brings up the Mozilla Crash Reporter. I am not sure whether this bug is related to the OSX 10.10 beta4 which just came out today, or the latest Nightly update. If the bug is in Nightly, it must be very new, at most 2 or 3 days old (tested in version 2014-07-20).


Actual results:

...


Expected results:

...
bp-773f9712-b3d7-4c07-bb64-726032140721

Regression window(m-i)
Good:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cd5e53d2aabd
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 ID:20140718073332
Bad:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fad52f3c9132
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 ID:20140718080032
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=cd5e53d2aabd&tochange=fad52f3c9132

Regressed by:
fad52f3c9132	Benoit Jacob — Bug 1038928 - WebGL element array cache: dont try to handle null out_upperBound, and add some test coverage for out_upperBound - r=jgilbert
Blocks: 1038928
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ mozilla::WebGLElementArrayCache::Validate<unsigned short>(unsigned int, unsigned int, unsigned int, unsigned int*)]
status-firefox32: --- → unaffected
status-firefox33: --- → affected
status-firefox34: --- → affected
tracking-firefox33: --- → ?
tracking-firefox34: --- → ?
Component: Untriaged → Canvas: WebGL
Ever confirmed: true
Keywords: crash, regression
OS: Mac OS X → All
Product: Firefox → Core
Summary: Nightly 33.0a1 crashes on OSX 10.10 on ANGLE_instanced_arrays WebGL demo → Nightly 33.0a1 crashes on ANGLE_instanced_arrays WebGL demo
Attachment #8459862 - Flags: review?(jgilbert) → review+
Thanks for jumping on this, Benoit.
No problem; I won't be able to land this until tomorrow morning; anyone's welcome to land this ;-) but if you do, do first check that this compiles, as I haven't tested even compilation.
(In reply to Benoit Jacob [:bjacob] from comment #4)
> No problem; I won't be able to land this until tomorrow morning; anyone's
> welcome to land this ;-) but if you do, do first check that this compiles,
> as I haven't tested even compilation.

I compiled the patch against latest central. It fixed crash I encountered when running 1.0.3 conformance tests at https://www.khronos.org/registry/webgl/sdk/tests/webgl-conformance-tests.html
https://hg.mozilla.org/integration/mozilla-inbound/rev/437d959ab919

Thanks for the testing!
Assignee: nobody → bjacob
Comment on attachment 8459862 [details] [diff] [review]
fix a null deref and remove dangerous default pointer value so the compiler would catch that

Approval Request Comment
[Feature/regressing bug #]: bug 1038928
[User impact if declined]: consistent crashes on some WebGL demos
[Describe test coverage new/current, TBPL]: is covered by 1.0.3 online WebGL conformance tests, https://www.khronos.org/registry/webgl/sdk/tests/webgl-conformance-tests.html, see above comment
[Risks and why]: no risk, trivial
[String/UUID change made/needed]: none
Attachment #8459862 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/437d959ab919
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Attachment #8459862 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
QA Whiteboard: [qa+]
Reproduced with Nightly 2014-07-20 on Mac OS X after loading http://floooh.github.io/oryol/Instancing.html - Crash report: bp-cc9a6fa7-b64d-4abf-a583-6fd3a2140902
No crashes with latest Nightly (Build ID: 20140901091008) and Aurora builds (Build ID: 20140901004002) on Windows 7 64-bit, Mac OS X 10.9.4 and Ubuntu 14.04 32-bit.
Although, when running 1.0.3 conformance tests at https://www.khronos.org/registry/webgl/sdk/tests/webgl-conformance-tests.html, both Nightly and Aurora crashed, but with different signatures:

- bp-6f1c15bd-b08a-4bf4-821f-3b56e2140902
- bp-a7804816-17da-4dbd-8b56-bf9812140902
- bp-710b289c-e1b1-4738-8b05-9a5d62140902

Any idea why?
Flags: needinfo?(bjacob)
d3dcompiler_46.dll is Microsoft's Direct3D shader compiler, of which we ship a copy with Firefox. It's worrying that it has a crash that we hit while running conformance tests. It would be worth filing a bug under Core -> WebGL and CC'ing :jgilbert and :djg on it.
Flags: needinfo?(bjacob)
(In reply to Benoit Jacob [:bjacob] from comment #12)
> d3dcompiler_46.dll is Microsoft's Direct3D shader compiler, of which we ship
> a copy with Firefox. It's worrying that it has a crash that we hit while
> running conformance tests. It would be worth filing a bug under Core ->
> WebGL and CC'ing :jgilbert and :djg on it.

Sure thing!
Logged bug 1062356.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: