Crash in mozilla::ScopedDrawHelper::ScopedDrawHelper

RESOLVED FIXED in Firefox 56

Status


Core
Canvas: WebGL
P3
critical
RESOLVED FIXED
7 months ago
6 months ago

People

(Reporter: marcia, Assigned: jerry)

Tracking

(Blocks: 1 bug, {crash})

Trunk
mozilla57
x86
Windows 10
crash
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox55 unaffected, firefox56 fixed, firefox57 fixed)

Details

(Whiteboard: gfx-noted, crash signature)


Attachments

(4 attachments)

This bug was filed from the Socorro interface and is report bp-c1230620-8679-42fa-a151-c969d0170710.
=============================================================

Seen while looking at crash stats - crashes started using 20170708030206: http://bit.ly/2u9WwSu

Possible regression range based on Build ID: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a0b5515b13ebfd3220a06fd1cd31f98a9557f031&tochange=06c1a0dc0fd8719ffa2d9aa2de75f32de5657102
All the crash reasons are EXCEPTION_ACCESS_VIOLATION_READ with the small address 0x3C; this crash might be caused by a null access to attribData in [1].

[1] https://hg.mozilla.org/mozilla-central/annotate/06c1a0dc0fd8/dom/canvas/WebGLContextDraw.cpp#l431
Has Regression Range: --- → yes
Has STR: --- → no
Priority: -- → P3
Whiteboard: gfx-noted
Duplicate of this bug: 1379939
There is an STR in Bug 1379939 comment 0.
Has STR: no → yes
(Assignee)

Updated

6 months ago
Blocks: 1388995
(Assignee)

Updated

6 months ago
Assignee: nobody → hshih
Status: NEW → ASSIGNED
(Assignee)

Updated

6 months ago
Attachment #8900233 - Attachment is obsolete: true
Attachment #8900233 - Flags: review?(jgilbert)

Comment 9

6 months ago
mozreview-review
Comment on attachment 8900233 [details]
Bug 1379995 - reset the mBufferFetchingIsVerified flag after the webgl deleteBuffer call.

https://reviewboard.mozilla.org/r/171608/#review177242
Attachment #8900233 - Flags: review?(jgilbert) → review+

Comment 10

6 months ago
mozreview-review
Comment on attachment 8900234 [details]
Bug 1379995 - test case for webgl drawArray() call.

https://reviewboard.mozilla.org/r/171610/#review177244
Attachment #8900234 - Flags: review?(jgilbert) → review+

Comment 11

6 months ago
Pushed by hshih@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a36632b95683
reset the mBufferFetchingIsVerified flag after the webgl deleteBuffer call. r=jgilbert
https://hg.mozilla.org/integration/autoland/rev/8d1350135a04
test case for webgl drawArray() call. r=jgilbert
https://hg.mozilla.org/mozilla-central/rev/a36632b95683
https://hg.mozilla.org/mozilla-central/rev/8d1350135a04
Status: ASSIGNED → RESOLVED
Last Resolved: 6 months ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Please request Beta approval on this when you get a chance.
status-firefox55: --- → unaffected
status-firefox-esr52: --- → unaffected
Flags: needinfo?(hshih)
(Assignee)

Comment 14

6 months ago
Comment on attachment 8900233 [details]
Bug 1379995 - reset the mBufferFetchingIsVerified flag after the webgl deleteBuffer call.

request for attachment 8900233 [details] and attachment 8900234 [details]

Approval Request Comment
[Feature/Bug causing the regression]:
It's a user reported bug.

[User impact if declined]:
We can write "simple webgl code" to "crash" Firefox.

[Is this code covered by automated tests?]:
Yes, it passes our gl mochitest.

[Has the fix been verified in Nightly?]:
Yes, I can't reproduce the issue with the user's bug STR.

[Needs manual test from QE? If yes, steps to reproduce]: 
no.

[List of other uplifts needed for the feature/fix]:
none.

[Is the change risky?]:
Low risk.

[Why is the change risky/not risky?]:
It just clears one flag to make the webgl context check the buffer status again when we delete a buffer.

[String changes made/needed]:
none.
Flags: needinfo?(hshih)
Attachment #8900233 - Flags: approval-mozilla-beta?
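
A simplified model of the stale-flag condition this fix addresses, added here as an illustration and not taken from Gecko or the attached patches. Only the flag name mBufferFetchingIsVerified comes from the bug; the classes, the single-attribute layout and the assumption that deleting a buffer nulls the attribute's binding are hypothetical.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Simplified model with hypothetical names; not Gecko source.
enum class DrawResult { Drawn, Rejected, NullDeref };

struct Buffer { std::size_t byteLength; };
struct Attrib { bool enabled = false; std::shared_ptr<Buffer> buffer; };

class Context {
public:
    explicit Context(bool resetFlagOnDelete) : mResetOnDelete(resetFlagOnDelete) {}

    std::shared_ptr<Buffer> CreateAndBind(std::size_t bytes) {
        auto buf = std::make_shared<Buffer>(Buffer{bytes});
        mAttribs[0].enabled = true;
        mAttribs[0].buffer = buf;
        mBufferFetchingIsVerified = false;  // bindings changed, re-validate
        return buf;
    }

    void DeleteBuffer(const std::shared_ptr<Buffer>& buf) {
        for (auto& a : mAttribs)
            if (a.buffer == buf) a.buffer.reset();  // assumed: delete unbinds
        if (mResetOnDelete) mBufferFetchingIsVerified = false;  // the fix
    }

    // Reports NullDeref instead of actually dereferencing a null binding.
    DrawResult Draw() {
        if (!mBufferFetchingIsVerified) {  // slow path: validate every attrib
            for (const auto& a : mAttribs)
                if (a.enabled && !a.buffer) return DrawResult::Rejected;
            mBufferFetchingIsVerified = true;
        }
        for (const auto& a : mAttribs)  // fast path trusts the cached flag
            if (a.enabled && !a.buffer) return DrawResult::NullDeref;
        return DrawResult::Drawn;
    }

private:
    bool mResetOnDelete;
    bool mBufferFetchingIsVerified = false;
    std::vector<Attrib> mAttribs = std::vector<Attrib>(1);
};

// Draw once (caches the flag), delete the bound buffer, then draw again.
DrawResult DrawAfterDelete(bool resetFlagOnDelete) {
    Context ctx(resetFlagOnDelete);
    auto buf = ctx.CreateAndBind(64);
    if (ctx.Draw() != DrawResult::Drawn) return DrawResult::Rejected;
    ctx.DeleteBuffer(buf);
    return ctx.Draw();
}
```

Without the reset, the second draw skips validation and reaches the null binding; with it, the draw is rejected during re-validation.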

Comment 15

6 months ago
After this change, the theme "Compact Dark" no longer changes the colour of developer panel. Just wanted to confirm if it is intentional behavior because the bug title looks like fixing a crash issue.
Flags: needinfo?(hshih)
(Assignee)

Comment 16

6 months ago
No, that will be a regression. Could you please show how to reproduce the issue? If you could also provide the picture comparison, that will be wonderful.
Flags: needinfo?(hshih) → needinfo?(61.1p57)
(Assignee)

Comment 17

6 months ago
Comment on attachment 8900233 [details]
Bug 1379995 - reset the mBufferFetchingIsVerified flag after the webgl deleteBuffer call.

I would like to put the beta uplift request on hold. There might be a regression with this fix. Please check comment 15.

Comment 18

6 months ago
Created attachment 8901655 [details]
screenshot.png

STR:
1. Go to about:addons, themes
2. Open dev panel
3. Change theme to dark
Flags: needinfo?(61.1p57)
(Assignee)

Comment 19

6 months ago
I tried removing my patch locally (attachment 8900233 [details]), but I still can't see the color changing for the theme "Compact Dark". So, I think this is not related to this fix.
Flags: needinfo?(61.1p57)
(Assignee)

Comment 20

6 months ago
I created Bug 1394315 for comments 15 and 18.

Comment 21

6 months ago
Created attachment 8901702 [details]
mozregression.png

Weird, I just used mozregression and it pointed to this bug.
Flags: needinfo?(61.1p57)
(Assignee)

Comment 22

6 months ago
Here is a branch which removes the fix in this bug. If you could build Firefox locally, you can try this.

https://github.com/JerryShih/gecko-dev/tree/test-theme
Flags: needinfo?(61.1p57)

Comment 23

6 months ago
Well, for a reason I can't tell, mozregression stopped bisection at mozilla-central and pointed to this bug. I will try it again after updating to a newer version.
Flags: needinfo?(61.1p57)
Comment on attachment 8900233 [details]
Bug 1379995 - reset the mBufferFetchingIsVerified flag after the webgl deleteBuffer call.

Let's uplift the fix. It's not a high volume crash on beta, but I also don't see how this could cause problems with the theme. So let's give this a try.
Attachment #8900233 - Flags: approval-mozilla-beta? → approval-mozilla-beta+