Open Bug 1850271 Opened 9 months ago Updated 6 months ago

Crash in [@ st_ReadPixels]

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Type:
defect

Tracking

()

People

(Reporter: gsvelto, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/81a450fd-46f0-41ef-bbe2-188f60230826

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libgallium_dri.so  st_ReadPixels  /usr/src/debug/mesa-23.1.6-1.fc38.x86_64/src/mesa/state_tracker/st_cb_readpixels.c:440
1  libgallium_dri.so  <name omitted>  /usr/src/debug/mesa-23.1.6-1.fc38.x86_64/src/mesa/main/readpix.c:1195
1  libgallium_dri.so  _mesa_ReadnPixelsARB_no_error  /usr/src/debug/mesa-23.1.6-1.fc38.x86_64/src/mesa/main/readpix.c:1204
2  libgallium_dri.so  _mesa_ReadPixels_no_error  /usr/src/debug/mesa-23.1.6-1.fc38.x86_64/src/mesa/main/readpix.c:1219
3  libxul.so  mozilla::gl::GLContext::raw_fReadPixels  gfx/gl/GLContext.h:1561
4  libxul.so  mozilla::gl::GLContext::fReadPixels  gfx/gl/GLContext.cpp:2261
4  libxul.so  mozilla::WebGLContext::SnapshotInto  dom/canvas/WebGLContext.cpp:1349
5  libxul.so  mozilla::WebGLContext::PushRemoteTexture  dom/canvas/WebGLContext.cpp:1187
6  libxul.so  mozilla::WebGLContext::CopyToSwapChain  dom/canvas/WebGLContext.cpp
7  libxul.so  mozilla::HostWebGLContext::CopyToSwapChain const  dom/canvas/HostWebGLContext.h:177

I'm not sure in which graphics component this should go. This is a NULL pointer dereference happening here which indicates that this call returned NULL; i.e. the render buffer for the specified format was NULL.

Component: Graphics → Graphics: CanvasWebGL

Presumably this is a mesa bug, but have there been any remote texture changes which could have caused this to appear recently, Sotaro?

Severity: -- → S3
Flags: needinfo?(sotaro.ikeda.g)

There have been no recent changes around WebGL RemoteTexture, especially around readpixel.
And majority of the crash reports does not have WebGLContext::PushRemoteTexture() stack. Instead, they have WebGLParent::RecvReadPixels(). It seems not related to remote texture.

Change around readpixel related to RemoteTexture was Bug 1777426 . It is not recent.

:lsalzman, can you also comment to the bug?

Flags: needinfo?(sotaro.ikeda.g) → needinfo?(lsalzman)

(In reply to Sotaro Ikeda [:sotaro] from comment #3)

:lsalzman, can you also comment to the bug?

It seems like the common element here is that it is trying to look up an attachment on the current read framebuffer for ReadPixels, and that attachment/"renderbuffer" inside Mesa is coming up nullptr. That is definitely a Mesa bug. Most of these reports seems to be in Mesa 23.1 and above, though there were also a couple in older versions of Mesa. The code in question looks the same between that Mesa version and older versions, so I don't know if there is some new code in Mesa that introduced the bug or not.

Some of the reports are showing a GraphicsCriticalError of an incomplete framebuffer inside CopyToSwapChain, but others hit a ReadPixels directly through a WebGL RecvReadPixels. I wonder if the key here is that Mesa hits an incomplete framebuffer, and this induces the bug?

Either way, we might want to report this as an upstream Mesa bug?

Flags: needinfo?(lsalzman)

Pierre-Eric Pelloux-Prayer has merged a fix for this crash into Mesa now. So in coming releases I am guessing this crash should go away. So that would probably be Mesa 23.1.8, see release notes: https://docs.mesa3d.org/relnotes/23.1.8.html

Duplicate of this bug: 1856558

Copying crash signatures from duplicate bugs.

Crash Signature: [@ st_ReadPixels] → [@ st_ReadPixels] [@ __driDriverGetExtensions_d3d12]

This is currently spiking in 118 release.

Severity: S3 → S2
Crash Signature: [@ st_ReadPixels] [@ __driDriverGetExtensions_d3d12] → [@ st_ReadPixels] [@ __driDriverGetExtensions_d3d12]
No longer duplicate of this bug: 1856558
Crash Signature: [@ st_ReadPixels] [@ __driDriverGetExtensions_d3d12] → [@ st_ReadPixels]

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 5 desktop browser crashes on Linux on release

For more information, please visit BugBot documentation.

Keywords: topcrash
See Also: → 1856558

Mesa 23.0.4.0 is the top version where we're seeing this crash. So it seems like it could indeed be fixed upstream.

Severity: S2 → S3
See Also: → 1862039

(In reply to Jeff Muizelaar [:jrmuizel] from comment #11)

Mesa 23.0.4.0 is the top version where we're seeing this crash. So it seems like it could indeed be fixed upstream.

That is the version shipped with the current Ubuntu LTS. It is unlikely that they will upgrade the mesa drivers in a LTS version.

(In reply to Remo from comment #12)

(In reply to Jeff Muizelaar [:jrmuizel] from comment #11)

Mesa 23.0.4.0 is the top version where we're seeing this crash. So it seems like it could indeed be fixed upstream.

That is the version shipped with the current Ubuntu LTS. It is unlikely that they will upgrade the mesa drivers in a LTS version.

I was told an hardware enablement upgrade will happen including Mesa on 22.04 LTS: https://bugzilla.mozilla.org/show_bug.cgi?id=1859291#c30

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash
You need to log in before you can comment on or make changes to this bug.