Open Bug 1795521 Opened 3 years ago Updated 3 years ago

test_offscreencanvas_toimagebitmap.html crashes in ~already_AddRefed() on Android+DEBUG m-gpu CI job

Categories

(Core :: Graphics: CanvasWebGL, defect, P3)

Product:
Core
Component:
Graphics: CanvasWebGL
Type:
defect

Tracking

()

People

(Reporter: jgilbert, Unassigned)

References

Details

I tried a couple things, but I think the most damning is that even this doesn't crash on non-DEBUG builds:

    RefPtr<nsIRunnable> forgettable = mRunnable;
    const auto res = GetCurrentSerialEventTarget()->DelayedDispatch(forgettable.forget(),
                                                   kDelayMS);
    if (NS_FAILED(res)) {
      nsCString name;
      GetErrorName(res, name);
      gfxCriticalError() << "DelayedDispatch() -> " << name.BeginReading();
      MOZ_CRASH("failed DelayedDispatch");
    }

The call appears to happen properly in non-debug builds, so either the object of DelayedDispatch is different in debug builds, or this would be successful in debug builds too. (or there's a race condition, RIP)
But we don't get to see if it's successful on debug builds, because we crash within that statement in ~already_AddRefed().

There's a section in AlreadyAddRefed.h that reads "WARNING: sketchiness ahead." before getting into details about trivial vs non-trivial move constructors. We might be falling afoul of some edge-case of that, but we aren't the only caller of this, surely!

That's all I have for now. Marking the test as skip-if=android&&debug for now.

Here's a crash stack:

[task 2022-10-15T01:09:51.142Z] 01:09:51     INFO -  TEST-OK | dom/canvas/test/test_bug1567544.html | took 1236ms
[task 2022-10-15T01:09:51.142Z] 01:09:51     INFO -  TEST-START | dom/canvas/test/test_offscreencanvas_toimagebitmap.html
[task 2022-10-15T01:10:11.286Z] 01:10:11     INFO -  wait for org.mozilla.geckoview.test_runner complete; top activity=com.android.launcher3
[task 2022-10-15T01:10:11.286Z] 01:10:11     INFO -  runtestsremote.py | Application ran for: 0:00:37.669883
[task 2022-10-15T01:10:11.365Z] 01:10:11     INFO -  mozcrash Copy/paste: /builds/worker/fetches/minidump-stackwalk/minidump-stackwalk --symbols-url=https://symbols.mozilla.org/ --human /tmp/tmp2qkbm30m/313c92ad-c881-27ce-da92-701cab0c8b71.dmp /builds/worker/workspace/build/symbols
[task 2022-10-15T01:10:16.520Z] 01:10:16     INFO -  mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/313c92ad-c881-27ce-da92-701cab0c8b71.dmp
[task 2022-10-15T01:10:16.520Z] 01:10:16     INFO -  mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/313c92ad-c881-27ce-da92-701cab0c8b71.extra
[task 2022-10-15T01:10:16.523Z] 01:10:16  WARNING -  PROCESS-CRASH | dom/canvas/test/test_offscreencanvas_toimagebitmap.html | application crashed [@ already_AddRefed<nsIRunnable>::~already_AddRefed()]
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -  Mozilla crash reason: MOZ_ASSERT(!mRawPtr)
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -  Crash dump filename: /tmp/tmp2qkbm30m/313c92ad-c881-27ce-da92-701cab0c8b71.dmp
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -  Operating system: Android
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -                    0.0.0 Linux 3.10.0+ #260 SMP PREEMPT Fri May 19 12:48:14 PDT 2017 x86_64
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -  CPU: amd64
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -       family 6 model 6 stepping 3
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -       4 CPUs
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -  Crash reason:  SIGSEGV / SEGV_MAPERR
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -  Crash address: 0x0
[task 2022-10-15T01:10:16.523Z] 01:10:16     INFO -  Process uptime: not available
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -  Thread 32 DOM Worker (crashed)
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -   0  libxul.so!already_AddRefed<nsIRunnable>::~already_AddRefed() [AlreadyAddRefed.h:d312de899de6a17d9b03ffeecc3b9809dd2da791 : 133 + 0x0]
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -       rax = 0x000075b4c0b818cc    rdx = 0x0000000000000004
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -       rcx = 0x000075b4c5a60d50    rbx = 0x000075b4b1c17a00
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -       rsi = 0x000075b4b19fbce0    rdi = 0x000000000000001b
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -       rbp = 0x000075b4b19fce00    rsp = 0x000075b4b19fce00
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -        r8 = 0x000000000000ffff     r9 = 0x0000000000000000
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -       r10 = 0x000075b4e01bc3d0    r11 = 0x0000000000000246
[task 2022-10-15T01:10:16.524Z] 01:10:16     INFO -       r12 = 0x000075b4b19fce20    r13 = 0x000075b4b1c25d38
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -       r14 = 0x000075b4b1c93f00    r15 = 0x000075b4b19fce18
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -       rip = 0x000075b4ba666f41
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -      Found by: given as instruction pointer in context
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -   1  libxul.so!mozilla::WebGLContextLossHandler::RunTimer() [WebGLContextLossHandler.cpp:d312de899de6a17d9b03ffeecc3b9809dd2da791 : 34 + 0x18]
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -       rbx = 0x000075b4b1c17a00    rbp = 0x000075b4b19fce50
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -       rsp = 0x000075b4b19fce10    r12 = 0x000075b4b19fce20
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -       r13 = 0x000075b4b1c25d38    r14 = 0x000075b4b1c93f00
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -       r15 = 0x000075b4b19fce18    rip = 0x000075b4bc2f59c4
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -      Found by: call frame info
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -   2  libxul.so!mozilla::WebGLContext::RunContextLossTimer() [WebGLContext.cpp:d312de899de6a17d9b03ffeecc3b9809dd2da791 : 1421]
[task 2022-10-15T01:10:16.525Z] 01:10:16     INFO -      Found by: inlining
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -   3  libxul.so!mozilla::ValidateDraw(mozilla::WebGLContext*, unsigned int, unsigned int) [WebGLContextDraw.cpp:d312de899de6a17d9b03ffeecc3b9809dd2da791 : 574 + 0x8]
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -       rbx = 0x000075b4c516a0f8    rbp = 0x000075b4b19fcef0
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -       rsp = 0x000075b4b19fce60    r12 = 0x0000000000000001
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -       r13 = 0x000075b4b1c25d38    r14 = 0x000075b4b1c25d50
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -       r15 = 0x0000000000000001    rip = 0x000075b4bc2e2ab5
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -      Found by: call frame info
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -   4  libxul.so!mozilla::WebGLContext::DrawArraysInstanced(unsigned int, int, int, int) [WebGLContextDraw.cpp:d312de899de6a17d9b03ffeecc3b9809dd2da791 : 693 + 0x4]
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -       rbx = 0x0000000000000000    rbp = 0x000075b4b19fd000
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -       rsp = 0x000075b4b19fcf00    r12 = 0x0000000000000004
[task 2022-10-15T01:10:16.526Z] 01:10:16     INFO -       r13 = 0x000075b4b1c25a00    r14 = 0xaaaaaaaaaaaaaaaa
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -       r15 = 0x0000000000000000    rip = 0x000075b4bc2e2fcc
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -      Found by: call frame info
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -   5  libxul.so!mozilla::ClientWebGLContext::Run<void (mozilla::HostWebGLContext::*)(unsigned int, int, int, int) const, &mozilla::HostWebGLContext(unsigned int, int, int, int)::DrawArraysInstanced const, unsigned int&, int&, int&, int&>(unsigned int&, int&, int&, int&) const [ClientWebGLContext.cpp:d312de899de6a17d9b03ffeecc3b9809dd2da791 : 350 + 0x11]
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -       rbx = 0x000075b4b1c43100    rbp = 0x000075b4b19fd100
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -       rsp = 0x000075b4b19fd010    r12 = 0x000075b4b19fd118
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -       r13 = 0x000075b4b19fd11c    r14 = 0x000075b4b33dbc18
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -       r15 = 0x000075b4b19fd200    rip = 0x000075b4bc2851be
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -      Found by: call frame info
[task 2022-10-15T01:10:16.527Z] 01:10:16     INFO -   6  libxul.so!mozilla::ClientWebGLContext::DrawArraysInstanced(unsigned int, int, int, int, mozilla::FuncScopeId) [ClientWebGLContext.cpp:d312de899de6a17d9b03ffeecc3b9809dd2da791 : 4825 + 0x10]
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -       rbx = 0x000075b4b1c43100    rbp = 0x000075b4b19fd130
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -       rsp = 0x000075b4b19fd110    r12 = 0x000075b4b19fd154
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -       r13 = 0x000000000000038e    r14 = 0x000075b4b1c43100
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -       r15 = 0x000075b4b19fd200    rip = 0x000075b4bc285128
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -      Found by: call frame info
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -   7  libxul.so!mozilla::dom::WebGLRenderingContext_Binding::drawArrays(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) [WebGLRenderingContextBinding.cpp: : 17733 + 0x10]
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -       rbx = 0x0000000000000001    rbp = 0x000075b4b19fd190
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -       rsp = 0x000075b4b19fd140    r12 = 0x000075b4b19fd154
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -       r13 = 0x000000000000038e    r14 = 0x000075b4b1c43100
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -       r15 = 0x000075b4b19fd200    rip = 0x000075b4bbe48785
[task 2022-10-15T01:10:16.528Z] 01:10:16     INFO -      Found by: call frame info
Depends on: 1794956
You need to log in before you can comment on or make changes to this bug.