Closed Bug 1349055 Opened 3 years ago Closed 3 years ago

WebGL: crash [@mozilla::WebGLContext::AssertCachedGlobalState]

Categories

(Core :: Canvas: WebGL, defect, critical)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla55
Tracking Status
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: posidron, Assigned: daoshengmu)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html
==11683==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000124338b68 bp 0x7fff58e22950 sp 0x7fff58e22720 T0)
#0 0x124338b67 in mozilla::WebGLContext::AssertCachedGlobalState() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5bceb67)
#1 0x1242e9ad1 in mozilla::WebGLContext::ForceClearFramebufferWithDefaultValues(unsigned int, bool) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5b7fad1)
#2 0x1242e71a9 in mozilla::WebGLContext::ClearScreen() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5b7d1a9)
#3 0x1242edc02 in mozilla::WebGLContext::ScopedDrawCallWrapper::ScopedDrawCallWrapper(mozilla::WebGLContext&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5b83c02)
#4 0x1242c35a0 in mozilla::WebGL2Context::ClearBufferiv(unsigned int, int, mozilla::WebGLContext::Arr<int, mozilla::dom::TypedArray<int, &(js::UnwrapInt32Array(JSObject*)), &(JS_GetInt32ArrayData(JSObject*, bool*, JS::AutoCheckCannotGC const&)), &(js::GetInt32ArrayLengthAndData(JSObject*, unsigned int*, bool*, int**)), &(JS_NewInt32Array(JSContext*, unsigned int))> > const&, unsigned int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5b595a0)
#5 0x1235a795d in mozilla::dom::WebGL2RenderingContextBinding::clearBufferiv(JSContext*, JS::Handle<JSObject*>, mozilla::WebGL2Context*, JSJitMethodCallArgs const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x4e3d95d)
#6 0x1240de61d in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x597461d)
#7 0x12aaf5c6d in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc38bc6d)
#8 0x12aaf5388 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc38b388)
#9 0x12aad28d2 in Interpret(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc3688d2)
#10 0x12aabe740 in js::RunScript(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc354740)
#11 0x12aaf53b3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc38b3b3)
#12 0x12aaf68f7 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc38c8f7)
#13 0x12b7c748c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xd05d48c)
#14 0x123b7eee2 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5414ee2)
#15 0x121c1fd71 in void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x34b5d71)
#16 0x121c1e56c in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x34b456c)
#17 0x121e59864 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::dom::Timeout*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x36ef864)
#18 0x121e548e7 in mozilla::dom::(anonymous namespace)::TimerCallback(nsITimer*, void*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x36ea8e7)
#19 0x11ea9137e in nsTimerImpl::Fire(int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x32737e)
#20 0x11ea48897 in nsTimerEvent::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2de897)
#21 0x11ea62c62 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2f8c62)
#22 0x11ea6257f in mozilla::ThrottledEventQueue::Inner::Executor::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2f857f)
#23 0x11ea7d3aa in nsThread::ProcessNextEvent(bool, bool*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3133aa)
#24 0x11ea75580 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x30b580)
#25 0x1265093cf in nsBaseAppShell::NativeEventCallback() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7d9f3cf)
#26 0x12661a555 in nsAppShell::ProcessGeckoEvents(void*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7eb0555)
#27 0x7fffb448b980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7980)
#28 0x7fffb446c9f6 in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x889f6)
#29 0x7fffb446bf75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87f75)
#30 0x7fffb446b973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
#31 0x7fffb39f7a5b in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30a5b)
#32 0x7fffb39f7890 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30890)
#33 0x7fffb39f76c5 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x306c5)
#34 0x7fffb1f9d5b3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x475b3)
#35 0x7fffb2717d6a in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c1d6a)
#36 0x126618a6c in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7eaea6c)
#37 0x7fffb1f91f34 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3bf34)
#38 0x12661b5e6 in nsAppShell::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7eb15e6)
#39 0x12a257c8d in nsAppStartup::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xbaedc8d)
#40 0x12a477795 in XREMain::XRE_mainRun() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xbd0d795)
#41 0x12a47a76a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xbd1076a)
#42 0x12a47bddd in XRE_main(int, char**, mozilla::BootstrapConfig const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xbd11ddd)
#43 0x106dd70df in main (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/firefox+0x1000020df)
#44 0x106dd6993 in start (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/firefox+0x100001993)
Assignee: nobody → dmu
This crash happens when checking AssertUintParamCorrect(gl, LOCAL_GL_STENCIL_CLEAR_VALUE, mStencilClearValue) in ForceClearFramebufferWithDefaultValues().
It only happens on MacOSX, and it seems to be a driver issue.

When I make

void WebGLContext::ClearStencil(GLint v)
{
    gl->fClearStencil(v); // v is -8
    GLint stencilClearValue = 0;
    gl->fGetIntegerv(LOCAL_GL_STENCIL_CLEAR_VALUE, &stencilClearValue);
}

stencilClearValue will be 248. But if I set v to 8, stencilClearValue is 8, which is correct.

By the way, I think using AssertUintParamCorrect() to check stencilClearValue is not right, because stencilClearValue is allowed to be an integer.
(-8) is FFFFFFFFFFFFFFF8 and (248) is F8 in hex.
(In reply to Daosheng Mu[:daoshengmu] from comment #4)
> Created attachment 8851849 [details]
> Bug 1349055 - Using fGetIntegerv to get the stencil clear value instead of
> the Uint one;
> 
> Review commit: https://reviewboard.mozilla.org/r/124050/diff/#index_header
> See other reviews: https://reviewboard.mozilla.org/r/124050/

It doesn't solve the problem on MacOSX. It needs a further workaround for MacOSX to get the right value.
I have confirmed it on Macs with Intel, NV, and AMD GPUs. All of them crash because of the negative stencil value.
What type is STENCIL_CLEAR_VALUE according to the state tables?
Is the value returned by the query masked before being returned?
Flags: needinfo?(dmu)
STENCIL_CLEAR_VALUE is a GLint, according to OpenGL ES 2.0
https://www.khronos.org/registry/OpenGL-Refpages/es2.0/xhtml/glClearStencil.xml.
Nope, it is returned by raw_fGetIntegerv().
Flags: needinfo?(dmu)
Comment on attachment 8851849 [details]
Bug 1349055 - Stencil clear value needs to mask to be an unsigned integer;

https://reviewboard.mozilla.org/r/124050/#review128718

Please detail why we can't support negative numbers here.
We're supposed to support them per-spec.
Attachment #8851849 - Flags: review?(jgilbert) → review-
Masking the negative stencil clear value to an unsigned integer solves the problem.
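The following is an added example, not Firefox code, that reproduces in plain C the mismatch analysed in the comments above (a cached value of -8 compared against a driver-reported 248) and shows why a masked comparison fixes it. It assumes an 8-bit stencil buffer, which is consistent with 248 = 0xF8 = (-8) & 0xFF as reported; the simulated drivers, the constant names, and the check functions are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stencil depth: 8 bits (matches -8 being reported back as 0xF8). */
#define STENCIL_BITS 8u
#define STENCIL_MASK ((1u << STENCIL_BITS) - 1u)

/* Constructed driver models. A query takes the value last handed to
 * glClearStencil and returns what GetIntegerv(STENCIL_CLEAR_VALUE) reports. */
typedef int32_t (*stencil_query_fn)(int32_t set_value);

/* Driver that stores the clear value verbatim (the behaviour the WebGL
 * state cache originally assumed). */
static int32_t driver_get_raw(int32_t set_value) {
    return set_value;
}

/* Driver that reduces the value to the stencil bit width before reporting
 * it, mirroring the MacOSX behaviour in the bug: -8 comes back as 248. */
static int32_t driver_get_masked(int32_t set_value) {
    return (int32_t)((uint32_t)set_value & STENCIL_MASK);
}

/* Unmasked comparison, modelled on an unsigned parameter check: the raw
 * cached value is compared to the driver's answer. Fails on the masking
 * driver for any negative clear value, which is the crash in this bug. */
bool check_unmasked(int32_t cached, stencil_query_fn query) {
    return (uint32_t)query(cached) == (uint32_t)cached;
}

/* Masked comparison: both the cached value and the driver's answer are
 * reduced to the stencil bit width, so a driver that masks and a driver
 * that returns the raw value both agree with the cache. */
bool check_masked(int32_t cached, stencil_query_fn query) {
    uint32_t got  = (uint32_t)query(cached) & STENCIL_MASK;
    uint32_t want = (uint32_t)cached & STENCIL_MASK;
    return got == want;
}

int main(void) {
    const int32_t values[] = { 8, -8, 255, 256, -1 };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        int32_t v = values[i];
        printf("clearStencil(%d): masked driver reports %d; "
               "unmasked check %s, masked check %s\n",
               v, driver_get_masked(v),
               check_unmasked(v, driver_get_masked) ? "ok" : "FAIL",
               check_masked(v, driver_get_masked) ? "ok" : "FAIL");
    }
    return 0;
}
```

Running it shows the unmasked check failing only for values outside 0..255 on the masking driver, while the masked check agrees with both driver models; that is the property a state-cache assertion for STENCIL_CLEAR_VALUE needs, since the spec allows a signed GLint but drivers may store only the low stencil bits.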
Comment on attachment 8851849 [details]
Bug 1349055 - Stencil clear value needs to mask to be an unsigned integer;

https://reviewboard.mozilla.org/r/124050/#review130706

Sweet, thanks!
Attachment #8851849 - Flags: review?(jgilbert) → review+
Pushed by dmu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/88e03e8c6f34
Stencil clear value needs to mask to be an unsigned integer; r=jgilbert
https://hg.mozilla.org/mozilla-central/rev/88e03e8c6f34
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Can this ride the trains or we should consider uplifting this? Also, should the attached testcase land as a crashtest?
Comment on attachment 8851849 [details]
Bug 1349055 - Stencil clear value needs to mask to be an unsigned integer;

Approval Request Comment
[Feature/Bug causing the regression]: the stencil clear value on MacOSX has to be converted to an unsigned int.
[User impact if declined]: would hit a glError assertion when the value is invalid.
[Is this code covered by automated tests?]: yes.
[Has the fix been verified in Nightly?]: yes.
[Needs manual test from QE? If yes, steps to reproduce]:  nope.
[List of other uplifts needed for the feature/fix]: nope.
[Is the change risky?]: nope.
[Why is the change risky/not risky?]: It just adds a mask to make it safer.
[String changes made/needed]: nope.
Flags: needinfo?(dmu)
Attachment #8851849 - Flags: approval-mozilla-aurora?
Depends on: 1355362
Comment on attachment 8851849 [details]
Bug 1349055 - Stencil clear value needs to mask to be an unsigned integer;

Fix a crash. Aurora54+.
Attachment #8851849 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Ryan VanderMeulen [:RyanVM] from comment #18)
> Can this ride the trains or we should consider uplifting this? Also, should
> the attached testcase land as a crashtest?

After some consideration, I don't think the test file can be added to our crashtests. Please refer to Bug 1355362 Comment 1.
Flags: in-testsuite-
(In reply to Daosheng Mu[:daoshengmu] from comment #19)
> [Is this code covered by automated tests?]: yes.
> [Needs manual test from QE? If yes, steps to reproduce]:  nope.

Setting qe-verify- based on Daosheng Mu's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-