Closed Bug 1130086 Opened 9 years ago Closed 9 years ago

[Browser] Crash on Youtube site.

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla38
Project Flags:
blocking-b2g 2.5+
Tracking Flags:
Tracking Status
b2g-v2.2 --- unaffected
b2g-master --- verified

People

(Reporter: ychung, Assigned: jgilbert)

References

(
URL
)

Details

(Keywords: crash, regression, smoketest)

Crash Data

Attachments

(1 file)

logcat_20150205_YoutubeCrash.txt
130.74 KB, text/plain
Details 
Description:
The browser app frequently crashes when the user goes to the YouTube website.

*** This issue is observe on the latest mozilla-central-flame-kk-eng build from tinderbox folder. This issue does NOT occur on the nightly build.

Repro Steps:
1) Update a Flame to 20150205010209.
2) Connect to a Wi-Fi network or turn on data connection.
3) Type "youtube.com" on the rocket bar, and press the return key.

Actual:
The browser app crashes.

Expected:
YouTube page loads properly.

Environmental Variables:
Device: Flame 3.0 (319mb, shallow flash)
BuildID: 20150205054817
Gaia: 6afe4606da768aed62d8a200fd24e6a7fa52dc4b
Gecko: 58ce6051edf5
Version: 38.0a1 (3.0) 
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:38.0) Gecko/38.0 Firefox/38.0

Repro frequency: 4/5
See attached: video clip, logcat
http://youtu.be/fXRjvWw2nKc
This issue does NOT reproduce on Flame 2.2

Result: YouTube page loads properly.

Environmental Variables:
Device: Flame 2.2
BuildID: 20150205071613
Gaia: 4661ea7e79511b25abcbb95e886187d6bd11c08d
Gecko: a0f3e9bfd260
Version: 37.0a2 (2.2) 
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:37.0) Gecko/37.0 Firefox/37.0
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(pbylenga)
[Blocking Requested - why for this release]:
Functional regression and crash that would fail smoke tests when it's on nightly.
blocking-b2g: --- → 3.0?
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(pbylenga)
Keywords: qaurgent, regressionwindow-wanted
Unable to get crashlog since blocked by bug 1130067. The dialog button does not work when the user tries to send the crash report.
QA Contact: jmercado
I think I got it in gdb:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2089.2089]
0xb4b99742 in mozilla::gl::GLScreenBuffer::Readback (this=0x0, src=src@entry=0xb18bb080, dest=0xb1a81190) at ../../../gfx/gl/GLScreenBuffer.cpp:528
528	  mGL->MakeCurrent();
(gdb) bt
#0  0xb4b99742 in mozilla::gl::GLScreenBuffer::Readback (this=0x0, src=src@entry=0xb18bb080, dest=0xb1a81190) at ../../../gfx/gl/GLScreenBuffer.cpp:528
#1  0xb4bac4ec in mozilla::layers::CopyableCanvasLayer::UpdateTarget (this=this@entry=0xb2d49660, aDestTarget=aDestTarget@entry=0x0) at ../../../gfx/layers/CopyableCanvasLayer.cpp:157
#2  0xb4bb220c in mozilla::layers::BasicCanvasLayer::Paint (this=0xb2d49660, aDT=0xb1a49d60, aDeviceOffset=..., aMaskLayer=0x0) at ../../../gfx/layers/basic/BasicCanvasLayer.cpp:35
#3  0xb4bc9f82 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren (this=this@entry=0xb1ae84c0, aPaintContext=..., aGroupTarget=aGroupTarget@entry=0xb17ec6d0) at ../../../gfx/layers/basic/BasicLayerManager.cpp:729
#4  0xb4bca234 in mozilla::layers::BasicLayerManager::PaintLayer (this=this@entry=0xb1ae84c0, aTarget=aTarget@entry=0xb17ec6d0, aLayer=0xb2d49660, aCallback=<optimized out>, aCallbackData=0xbed21460) at ../../../gfx/layers/basic/BasicLayerManager.cpp:850
#5  0xb4bc9faa in mozilla::layers::BasicLayerManager::PaintSelfOrChildren (this=this@entry=0xb1ae84c0, aPaintContext=..., aGroupTarget=aGroupTarget@entry=0xb17ec6d0) at ../../../gfx/layers/basic/BasicLayerManager.cpp:738
#6  0xb4bca234 in mozilla::layers::BasicLayerManager::PaintLayer (this=this@entry=0xb1ae84c0, aTarget=0xb17ec6d0, aLayer=0xb2c8d040, aCallback=aCallback@entry=
    0xb56662b9 <mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*)>, aCallbackData=aCallbackData@entry=0xbed21460)
    at ../../../gfx/layers/basic/BasicLayerManager.cpp:850
#7  0xb4bca9c8 in mozilla::layers::BasicLayerManager::EndTransactionInternal (this=0xb1ae84c0, 
    aCallback=0xb56662b9 <mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, nsIntRegion const&, mozilla::layers::DrawRegionClip, nsIntRegion const&, void*)>, aCallbackData=0xbed21460, aFlags=<optimized out>)
    at ../../../gfx/layers/basic/BasicLayerManager.cpp:528
#8  0xb56af858 in nsDisplayList::PaintRoot (this=this@entry=0xbed213ac, aBuilder=aBuilder@entry=0xbed21460, aCtx=aCtx@entry=0xbed218a4, aFlags=aFlags@entry=0) at ../../../layout/base/nsDisplayList.cpp:1694
#9  0xb56b0112 in nsLayoutUtils::PaintFrame (aRenderingContext=aRenderingContext@entry=0xbed218a4, aFrame=aFrame@entry=0xb1ccb2b8, aDirtyRegion=..., aBackstop=aBackstop@entry=4294967295, aFlags=aFlags@entry=40)
    at ../../../layout/base/nsLayoutUtils.cpp:3193
#10 0xb56b52a0 in PresShell::RenderDocument (this=0xb2c7c340, aRect=..., aFlags=88, aBackgroundColor=4294967295, aThebesContext=0xb17ec6d0) at ../../../layout/base/nsPresShell.cpp:4964
#11 0xb5101ce6 in mozilla::dom::CanvasRenderingContext2D::DrawWindow (this=this@entry=0xb2376800, window=..., x=<optimized out>, y=0, w=320, h=495, bgColor=..., flags=30, error=...) at ../../../dom/canvas/CanvasRenderingContext2D.cpp:4656
#12 0xb4ee98d8 in mozilla::dom::CanvasRenderingContext2DBinding::drawWindow (cx=0xb3889040, obj=..., self=0xb2376800, args=...) at CanvasRenderingContext2DBinding.cpp:5102
#13 0xb50f088c in mozilla::dom::GenericBindingMethod (cx=0xb3889040, argc=<optimized out>, vp=<optimized out>) at ../../../dom/bindings/BindingUtils.cpp:2522
#14 0xb5d6dee0 in js::CallJSNative (cx=0xb3889040, native=0xb50f07cd <mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at ../../../js/src/jscntxtinlines.h:226
#15 0xb5d96b4c in js::Invoke (cx=0xb3889040, args=..., construct=js::NO_CONSTRUCT) at ../../../js/src/vm/Interpreter.cpp:498
#16 0xb5d9318c in Interpret (cx=0xb3889040, state=...) at ../../../js/src/vm/Interpreter.cpp:2557
#17 0xb5d964c6 in js::RunScript (cx=cx@entry=0xb3889040, state=...) at ../../../js/src/vm/Interpreter.cpp:448
#18 0xb5d96b1a in js::Invoke (cx=cx@entry=0xb3889040, args=..., construct=construct@entry=js::NO_CONSTRUCT) at ../../../js/src/vm/Interpreter.cpp:517
#19 0xb5d973de in js::Invoke (cx=cx@entry=0xb3889040, thisv=..., fval=..., argc=0, argv=argv@entry=0xbed22d30, rval=rval@entry=$jsval(-nan(0xfff8200000000))) at ../../../js/src/vm/Interpreter.cpp:554
Python Exception <class 'gdb.error'> There is no member or method named type_.: 
#20 0xb5fe6a26 in JS_CallFunctionValue (cx=cx@entry=0xb3889040, obj=, fval=$jsval(-nan(0xfff88b25494a0)), args=..., rval=rval@entry=$jsval(-nan(0xfff8200000000))) at ../../../js/src/jsapi.cpp:4446
#21 0xb4a6fab6 in nsXPCWrappedJSClass::CallMethod (this=0xb1a2e490, wrapper=<optimized out>, methodIndex=<optimized out>, info_=0xb2d846f8, nativeParams=0xbed22df0) at ../../../../js/xpconnect/src/XPCWrappedJSClass.cpp:1205
#22 0xb4a5a73c in nsXPCWrappedJS::CallMethod (this=0xb1a454c0, methodIndex=<optimized out>, info=0xb2d846f8, params=0xbed22df0) at ../../../../js/xpconnect/src/XPCWrappedJS.cpp:532
#23 0xb46f91da in PrepareAndDispatch (self=0xb1a48200, methodIndex=<optimized out>, args=0xbed22e9c) at ../../../../../../xpcom/reflect/xptcall/md/unix/xptcstubs_arm.cpp:93
#24 0xb46f88cc in SharedStub () from /Volumes/2mac/moz/ib2g/kkdebrefbuild/toolkit/library/libxul.so
#25 0xb46c9f1e in (anonymous namespace)::MessageLoopIdleTask::Run (this=0xb17af9c0) at ../../../xpcom/base/nsMessageLoop.cpp:118
#26 0xb48a6f24 in MessageLoop::RunTask (this=this@entry=0xbed23040, task=task@entry=0xb17af9c0) at ../../../ipc/chromium/src/base/message_loop.cc:361
#27 0xb48a9674 in MessageLoop::ProcessNextDelayedNonNestableTask (this=this@entry=0xbed23040) at ../../../ipc/chromium/src/base/message_loop.cc:249
#28 0xb48a9684 in MessageLoop::DoIdleWork (this=0xbed23040) at ../../../ipc/chromium/src/base/message_loop.cc:478
#29 0xb48bc0d2 in mozilla::ipc::MessagePump::Run (this=0xb3801e20, aDelegate=0xbed23040) at ../../../ipc/glue/MessagePump.cpp:132
#30 0xb48a7f10 in MessageLoop::RunInternal (this=this@entry=0xbed23040) at ../../../ipc/chromium/src/base/message_loop.cc:233
#31 0xb48a7f2a in RunHandler (this=0xbed23040) at ../../../ipc/chromium/src/base/message_loop.cc:226
#32 MessageLoop::Run (this=0xbed23040) at ../../../ipc/chromium/src/base/message_loop.cc:200
#33 0xb552d456 in nsBaseAppShell::Run (this=0xb2327c40) at ../../widget/nsBaseAppShell.cpp:164
#34 0xb598798a in XRE_RunAppShell () at ../../../toolkit/xre/nsEmbedFunctions.cpp:738
#35 0xb48bc1c6 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0xb3801e20, aDelegate=0xbed23040) at ../../../ipc/glue/MessagePump.cpp:272
---Type <return> to continue, or q <return> to quit---
#36 0xb48a7f10 in MessageLoop::RunInternal (this=this@entry=0xbed23040) at ../../../ipc/chromium/src/base/message_loop.cc:233
#37 0xb48a7f2a in RunHandler (this=0xbed23040) at ../../../ipc/chromium/src/base/message_loop.cc:226
#38 MessageLoop::Run (this=this@entry=0xbed23040) at ../../../ipc/chromium/src/base/message_loop.cc:200
#39 0xb59878e6 in XRE_InitChildProcess (aArgc=<optimized out>, aArgv=<optimized out>, aGMPLoader=<optimized out>) at ../../../toolkit/xre/nsEmbedFunctions.cpp:575
#40 0xb6f8ee14 in content_process_main (argc=6, argv=0xbed23b34) at ../../../ipc/app/../contentproc/plugin-container.cpp:211
#41 0xb6ec34a4 in __libc_init (raw_args=0xbed23b30, onexit=<optimized out>, slingshot=0xb6f8ee75 <main(int, char**)>, structors=<optimized out>) at bionic/libc/bionic/libc_init_dynamic.cpp:112
#42 0xb6f8ecf4 in _start ()
(gdb) p mGL
Cannot access memory at address 0x4
(gdb)
Component: Gaia::System::Browser Chrome → Graphics
Product: Firefox OS → Core
Flags: needinfo?(milan)
The changes in Bug 1124394 seem to have caused this issue.

Mozilla-inbound Regression Window

Last Working 
Environmental Variables:
Device: Flame 3.0
BuildID: 20150204160521
Gaia: b9607aef7debbde09a8db801ce4d021b8262e7f3
Gecko: 0527cb66b0fd
Version: 38.0a1 (3.0) 
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:38.0) Gecko/38.0 Firefox/38.0

First Broken 
Environmental Variables:
Device: Flame 3.0
BuildID: 20150204163520
Gaia: b9607aef7debbde09a8db801ce4d021b8262e7f3
Gecko: 80a88a3badba
Version: 38.0a1 (3.0) 
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:38.0) Gecko/38.0 Firefox/38.0

Last Working gaia / First Broken gecko - Issue DOES occur
Gaia: b9607aef7debbde09a8db801ce4d021b8262e7f3
Gecko: 80a88a3badba

First Broken gaia / Last Working gecko - Issue does NOT occur
Gaia: b9607aef7debbde09a8db801ce4d021b8262e7f3
Gecko: 0527cb66b0fd

Gecko Pushlog: hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=0527cb66b0fd&tochange=80a88a3badba
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(ktucker)
Keywords: qaurgent, regressionwindow-wanted
Jeff, can you take a look at this please? Looks like the work done on bug 1124394 might have caused this issue to occur.
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(ktucker) → needinfo?(jgilbert)
Whiteboard: [backout-needed]
I tried to get a minimal testcase, but failed. This is still crashing, though:
http://people.mozilla.org/~mwargers/tests/unminimized/Wat%20je%20kunt%20bekijken%20-%20YouTube.html
- Then tap the back button.
- tap the reload button
- Tap the back button
- Tap the reload button
Then, the content process crashes.

It seems to have something to do with window.location changing and history.pushState or something.
:roc, this is a smoketest blocker and the offending commit needs to be backed out asap.
Flags: needinfo?(roc)
Depends on: 1124394
Flags: needinfo?(jgilbert)
:njpark, please track this bug to resolution. Thanks!
Flags: needinfo?(npark)
Blocks: 1124394
No longer depends on: 1124394
jgilbert landed the backout directly on central: https://hg.mozilla.org/mozilla-central/rev/aa5f8d47a0ba
Flags: needinfo?(roc)
Flags: needinfo?(milan)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [backout-needed]
Assignee: nobody → jgilbert
status-b2g-master: affectedfixed
Target Milestone: --- → mozilla38
Flags: needinfo?(npark)
Jeff, I hope you can write a mochitest or crashtest for this. I tried something in comment 9, but that's nearly minimized.
Flags: needinfo?(jgilbert)
blocking-b2g: 3.0? → 3.0+
Crash Signature: [@ mozilla::gl::GLScreenBuffer::Readback(mozilla::gl::SharedSurface*, mozilla::gfx::DataSourceSurface*) ]
This issue is verified fixed on Flame 3.0 after 10 attempts

The user is able to open videos on youtube and navigate to different videos without youtube crashing

Environmental Variables:
Device: Flame 3.0 (319mb)(Kitkat)(Full Flash)
Build ID: 20150209010211
Gaia: 0d7b35f23402c4cb29bca6b98280fec48a196dec
Gecko: 3436787a82d0
Gonk: e7c90613521145db090dd24147afd5ceb5703190
Version: 38.0a1 (3.0)
Firmware Version: v18D-1
User Agent: Mozilla/5.0 (Mobile; rv:38.0) Gecko/38.0 Firefox/38.0
Status: RESOLVED → VERIFIED
QA Whiteboard: [QAnalyst-Triage+] → [QAnalyst-Triage?]
status-b2g-master: fixedverified
Flags: needinfo?(pbylenga)
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(pbylenga)
Severity: normal → critical
Moving the bug to the component where the regression came from.
Component: Graphics → Canvas: WebGL
I don't know a good way to create a test for this, since I don't know what the problem was, or really how it presented itself.
Flags: needinfo?(jgilbert)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: