1349067 - WebGL crash: [mozilla::gl::GLScreenBuffer::GetReadFB]

Status: RESOLVED FIXED

(Core :: Graphics: CanvasWebGL, defect)

Description

[Christoph Diehl [:posidron]]

Attachment: testcase.html

==14568==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000116e0f680 bp 0x7fff5a56b800 sp 0x7fff5a56b720 T0)
==14568==WARNING: invalid path to external symbolizer!
==14568==WARNING: Failed to use and restart external symbolizer!
#0 0x116e0f67f in mozilla::gl::GLScreenBuffer::GetReadFB() const (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2a6567f)
#1 0x116e2f144 in mozilla::gl::GLScreenBuffer::SetReadBuffer(unsigned int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2a85144)
#2 0x119f02a62 in mozilla::WebGL2Context::ReadBuffer(unsigned int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x5b58a62)
#3 0x119197c25 in mozilla::dom::WebGL2RenderingContextBinding::readBuffer(JSContext*, JS::Handle<JSObject*>, mozilla::WebGL2Context*, JSJitMethodCallArgs const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x4dedc25)
#4 0x119d1e61d in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x597461d)
#5 0x120735c6d in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc38bc6d)
#6 0x120735388 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc38b388)
#7 0x1207128d2 in Interpret(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc3688d2)
#8 0x1206fe740 in js::RunScript(JSContext*, js::RunState&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc354740)
#9 0x120739881 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc38f881)
#10 0x12073a617 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xc390617)
#11 0x121422c7d in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xd078c7d)
#12 0x12142409c in Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xd07a09c)
#13 0x117d78801 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x39ce801)
#14 0x117d7a3d4 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x39d03d4)
#15 0x117e20cb7 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3a76cb7)
#16 0x117e1ccb7 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3a72cb7)
#17 0x117dfc763 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3a52763)
#18 0x117df82a6 in nsScriptElement::MaybeProcessScript() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3a4e2a6)
#19 0x116b31f50 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2787f50)
#20 0x116b2fba9 in nsHtml5TreeOpExecutor::RunFlushLoop() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x2785ba9)
#21 0x116b36fbe in nsHtml5ExecutorFlusher::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x278cfbe)
#22 0x1146bd3aa in nsThread::ProcessNextEvent(bool, bool*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x3133aa)
#23 0x1146b5580 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x30b580)
#24 0x11c1493cf in nsBaseAppShell::NativeEventCallback() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7d9f3cf)
#25 0x11c25a555 in nsAppShell::ProcessGeckoEvents(void*) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7eb0555)
#26 0x7fffb448b980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7980)
#27 0x7fffb446ca7c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88a7c)
#28 0x7fffb446bf75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87f75)
#29 0x7fffb446b973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
#30 0x7fffb39f7a5b in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30a5b)
#31 0x7fffb39f7890 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30890)
#32 0x7fffb39f76c5 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x306c5)
#33 0x7fffb1f9d5b3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x475b3)
#34 0x7fffb2717d6a in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c1d6a)
#35 0x11c258a6c in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7eaea6c)
#36 0x7fffb1f91f34 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3bf34)
#37 0x11c25b5e6 in nsAppShell::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0x7eb15e6)
#38 0x11fe97c8d in nsAppStartup::Run() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xbaedc8d)
#39 0x1200b7795 in XREMain::XRE_mainRun() (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xbd0d795)
#40 0x1200ba76a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xbd1076a)
#41 0x1200bbddd in XRE_main(int, char**, mozilla::BootstrapConfig const&) (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/XUL+0xbd11ddd)
#42 0x10568d0df in main (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/firefox+0x1000020df)
#43 0x10568c993 in start (/srv/mozilla/mozilla-inbound/ff-asan-debug/dist/NightlyDebug.app/Contents/MacOS/firefox+0x100001993)

Comment 1

[Daosheng Mu[:daoshengmu]]

It is because we will check MOZ_ASSERT(mGL->IsCurrent()) in GLScreenBuffer::GetReadFB() at DEBUG. Therefore, we need to MakeCurrent() before getting ReadFB, although we will MakeCurrent() in ReadBuffer::SetReadBuffer() later.

Comment 2

[Daosheng Mu[:daoshengmu]]

Attachment: Bug 1349067 - Make gl as current at WebGL2 ReadBuffer();

Review commit: https://reviewboard.mozilla.org/r/124042/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/124042/

Comment 3

[Ethan Lin[:ethlin]]

Comment on attachment 8851842 [details]
Bug 1349067 - Make gl as current at WebGL2 ReadBuffer();

https://reviewboard.mozilla.org/r/124042/#review126612

::: gfx/gl/GLScreenBuffer.cpp:695
(Diff revision 1)
>  
>  void
>  GLScreenBuffer::SetReadBuffer(GLenum mode)
>  {
>      MOZ_ASSERT(mGL->IsSupported(gl::GLFeature::read_buffer));
> +#ifdef DEBUG

I think it would be clearer if the DEBUG scope embraces MOZ_ASSERT.

Comment 4

[Daosheng Mu[:daoshengmu]]

Comment on attachment 8851842 [details]
Bug 1349067 - Make gl as current at WebGL2 ReadBuffer();

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/124042/diff/1-2/

Comment 5

[Daosheng Mu[:daoshengmu]]

Comment on attachment 8851842 [details]
Bug 1349067 - Make gl as current at WebGL2 ReadBuffer();

https://reviewboard.mozilla.org/r/124042/#review126612

> I think it would be clearer if the DEBUG scope embraces MOZ_ASSERT.

Got it, thanks

Comment 6

[Kelsey Gilbert [:jgilbert]]

Comment on attachment 8851842 [details]
Bug 1349067 - Make gl as current at WebGL2 ReadBuffer();

https://reviewboard.mozilla.org/r/124042/#review127028

WebGL2Context::ReadBuffer should MakeCurrent.

Comment 7

[Daosheng Mu[:daoshengmu]]

Comment on attachment 8851842 [details]
Bug 1349067 - Make gl as current at WebGL2 ReadBuffer();

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/124042/diff/2-3/

Comment 8

[Daosheng Mu[:daoshengmu]]

(In reply to Jeff Gilbert [:jgilbert] from comment #6)
> Comment on attachment 8851842 [details]
> Bug 1349067 - Make gl as current at WebGL2 ReadBuffer();
> 
> https://reviewboard.mozilla.org/r/124042/#review127028
> 
> WebGL2Context::ReadBuffer should MakeCurrent.

Thanks for comment. I will update it at my next version of patch.

Comment 9

[Christoph Diehl [:posidron]]

Any updates? It's a bit blocking WebGL fuzzing cause it appears so often during fuzzing.

Comment 10

[Kelsey Gilbert [:jgilbert]]

(In reply to Christoph Diehl [:posidron] from comment #9)
> Any updates? It's a bit blocking WebGL fuzzing cause it appears so often
> during fuzzing.

This code will be gone in a week. I'll take a look if that doesn't happen.

Comment 11

[Daosheng Mu[:daoshengmu]]

I think it has been resolved. Please feel free to open it if it has crash again.

Comment 12

[Daosheng Mu[:daoshengmu]]

Well, my mistake... I forget I disable hardware compositor on my local Mac machine. After enable hardware compositor, it is still happened, and my patch can solve this crash. Let's keep reviewing it.

Comment 13

[Kelsey Gilbert [:jgilbert]]

Comment on attachment 8851842 [details]
Bug 1349067 - Make gl as current at WebGL2 ReadBuffer();

https://reviewboard.mozilla.org/r/124042/#review193388

Comment 14

[Pulsebot]

Pushed by dmu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/38aba5843d79
Make gl as current at WebGL2 ReadBuffer(); r=ethlin,jgilbert

Comment 15

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/38aba5843d79

Comment 16

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cff25b185511
Add crashtest. r=me

Comment 17

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/cff25b185511