Closed Bug 1151930 Opened 9 years ago Closed 9 years ago

Firefox Nightly and Aurora crash with deferred rendering WebGL demos (OOM)

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla40

Tracking Flags:

Tracking

Status

firefox38

---

unaffected

firefox39

verified

firefox40

verified

People

(Reporter: postfilter, Assigned: jgilbert)

Details

(Keywords: regression)

Crash Data

Attachments

(1 file)

0001-Check-against-updated-length-while-appending.patch 9 years ago Kelsey Gilbert [:jgilbert] 1.28 KB, patch	u480271 : review+ lizzard : approval-mozilla-aurora+	Details \| Diff \| Splinter Review

AlteredQualia

Reporter

Description

•

9 years ago

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150407030207

Steps to reproduce:

Visit some of the XG deferred rendering demos with latest Firefox Nightly or Firefox Developer Edition, for example:

http://alteredqualia.com/xg/examples/deferred_skin.html
http://alteredqualia.com/xg/examples/animation_physics_terrain.html

Tested on:

Firefox Nightly 40.0a1 (2015-04-07)
Firefox Developer Edition (Aurora) 39.0a2 (2015-04-07)


Actual results:

Firefox crashed, closed itself and opened Mozilla Crash Reporter.


Expected results:

No crashes should happen.

These crashes seem to differ from some other WebGL crashes reported elsewhere:

https://bugzilla.mozilla.org/show_bug.cgi?id=1125466
https://bugzilla.mozilla.org/show_bug.cgi?id=1147447
https://bugzilla.mozilla.org/show_bug.cgi?id=1124427

Differences from other crash reports:

- both ANGLE and OpenGL WebGL rendering backends crash
- both notebooks with Optimus (Nvidia GTX 970M) and without Optimus (Nvidia Quadro 2000M) crash
- crashes happen on Windows 7 64-bit and Windows 8 64-bit
- crashes happen both with and without E10S flag enabled
- non-deferred XG demos do work, e.g.:

http://alteredqualia.com/xg/examples/forward_materials_skin_jonas.html

thundercat

Comment 1

•

9 years ago

Crashes in Nightly 40.0a1 for me also, ok in FF 37.0.1

Windows 10 64bit (build 10049) iMac NVIDIA GeForce GTX 660M

Mayank Bansal

Comment 2

•

9 years ago

got a crash with HWA disabled on win7 x64:

https://crash-stats.mozilla.com/report/index/abb83a42-4b18-4ffc-b6cd-fb93d2150407

Kelsey Gilbert [:jgilbert]

Assignee

Comment 3

•

9 years ago

I confirm this.

Status: UNCONFIRMED → NEW

Ever confirmed: true

Kelsey Gilbert [:jgilbert]

Assignee

Comment 4

•

9 years ago

Attached patch 0001-Check-against-updated-length-while-appending.patch — Details — Splinter Review

I made a dumb in a previous patch. Oops.

Assignee: nobody → jgilbert

Status: NEW → ASSIGNED

Attachment #8589289 - Flags: review?(dglastonbury)

Kelsey Gilbert [:jgilbert]

Assignee

Updated

•

9 years ago

Hardware: x86 → All

Summary: Firefox Nightly and Aurora crash with deferred rendering WebGL demos → Firefox Nightly and Aurora crash with deferred rendering WebGL demos (OOM)

Version: 35 Branch → 39 Branch

Loic

Comment 5

•

9 years ago

With e10s enabled, it killed my computer, I needed to hard reboot.

status-firefox38: --- → unaffected

tracking-firefox39: --- → ?

tracking-firefox40: --- → ?

Keywords: regression

u480271

Comment 6

•

9 years ago

Comment on attachment 8589289 [details] [diff] [review]
0001-Check-against-updated-length-while-appending.patch

Review of attachment 8589289 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/canvas/WebGLFramebuffer.cpp
@@ -829,5 @@
>      if (colorAttachmentId < ColorAttachmentCount())
>          return;
>  
> -    size_t colorAttachmentCount = ColorAttachmentCount();
> -    while (colorAttachmentCount < WebGLContext::kMaxColorAttachments) {

WAT? I hope I didn't write that.

@@ +834,1 @@
>          mMoreColorAttachments.AppendElement(AttachPoint(this, nextAttachPoint));

Why don't we just allocate this array at context creation time?

Attachment #8589289 - Flags: review?(dglastonbury) → review+

Kelsey Gilbert [:jgilbert]

Assignee

Comment 7

•

9 years ago

 https://hg.mozilla.org/integration/mozilla-inbound/rev/7658ee66cba9

Kelsey Gilbert [:jgilbert]

Assignee

Comment 8

•

9 years ago

(In reply to Dan Glastonbury :djg :kamidphish from comment #6)
> Comment on attachment 8589289 [details] [diff] [review]
> 0001-Check-against-updated-length-while-appending.patch
> 
> Review of attachment 8589289 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: dom/canvas/WebGLFramebuffer.cpp
> @@ -829,5 @@
> >      if (colorAttachmentId < ColorAttachmentCount())
> >          return;
> >  
> > -    size_t colorAttachmentCount = ColorAttachmentCount();
> > -    while (colorAttachmentCount < WebGLContext::kMaxColorAttachments) {
> 
> WAT? I hope I didn't write that.
> 
> @@ +834,1 @@
> >          mMoreColorAttachments.AppendElement(AttachPoint(this, nextAttachPoint));
> 
> Why don't we just allocate this array at context creation time?
We can do it after GL initialization, but not before. It should probably be a UniquePtr<Foo[]> though.

Ryan VanderMeulen [:RyanVM]

Comment 9

•

9 years ago

https://hg.mozilla.org/mozilla-central/rev/7658ee66cba9

Status: ASSIGNED → RESOLVED

Closed: 9 years ago

status-firefox40: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla40

Liz Henry (:lizzard) (relman/hg->git project)

Comment 10

•

9 years ago

Tracking for 39+ since this is a recent regression.

QA Whiteboard: [good first verify]

tracking-firefox39: ? → +

tracking-firefox40: ? → +

Liz Henry (:lizzard) (relman/hg->git project)

Comment 11

•

9 years ago

Jeff, from the bug summary it looks like this also affects 39. Is this something that you may want to uplift to aurora?

status-firefox39: --- → affected

Flags: needinfo?(jgilbert)

Kelsey Gilbert [:jgilbert]

Assignee

Comment 12

•

9 years ago

(In reply to Liz Henry (:lizzard) from comment #11)
> Jeff, from the bug summary it looks like this also affects 39. Is this
> something that you may want to uplift to aurora?

Yes.

Flags: needinfo?(jgilbert)

Kelsey Gilbert [:jgilbert]

Assignee

Comment 13

•

9 years ago

Comment on attachment 8589289 [details] [diff] [review]
0001-Check-against-updated-length-while-appending.patch

Approval Request Comment
[Feature/regressing bug #]: 1017865
[User impact if declined]: OOM crashes
[Describe test coverage new/current, TreeHerder]: on nightly
[Risks and why]: none
[String/UUID change made/needed]: none

Attachment #8589289 - Flags: approval-mozilla-aurora?

Liz Henry (:lizzard) (relman/hg->git project)

Comment 14

•

9 years ago

Comment on attachment 8589289 [details] [diff] [review]
0001-Check-against-updated-length-while-appending.patch

Approving for uplift to aurora as this may help with OOM crashes.

Attachment #8589289 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Ryan VanderMeulen [:RyanVM]

Comment 15

•

9 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/3cea876963c4

status-firefox39: affected → fixed

suleman.ravla

Comment 16

•

9 years ago

Hi,

Reproduced the bug in version Firefox Developer Edition (Aurora) 39.0a2 (2015-04-07).
Bug is resolved in version Firefox Developer Edition (Aurora) 39.0a2 (2015-05-03).

-Thanks
Suleman Rawla

suleman.ravla

Comment 17

•

9 years ago

Hi,

Bug is resolved in version FireFox Nightly 40.0a1 (2015-05-03).

-Thanks
Suleman Rawla

[SV Manager] Florin Mezei, QA (:FlorinMezei)

Comment 18

•

9 years ago

Thank you for your work to verify this Suleman! Setting status flags accordingly.

Status: RESOLVED → VERIFIED

status-firefox39: fixed → verified

status-firefox40: fixed → verified

You need to log in before you can comment on or make changes to this bug.