crash when opening google maps: DMABufSurfaceRGBA::CreateTexture
Categories
(Core :: Graphics: Canvas2D, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox130 | --- | fixed |
People
(Reporter: avg, Assigned: bradwerth)
Details
Attachments
(3 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Steps to reproduce:
Opened Google Maps.
Actual results:
Firefox crashed.
Stack trace (no debug symbols):
#0 thr_kill () at thr_kill.S:4
#1 0x0000309ac2978ff4 in __raise (s=11) at /usr/home/avg/devel/freebsd-src-new/machines/trant/lib/libc/gen/raise.c:50
#2 0x0000309af0640492 in nsProfileLock::FatalSignalHandler(int, __siginfo*, void*) () at /usr/local/lib/firefox/libxul.so
#3 0x0000309af10349f1 in WasmTrapHandler(int, __siginfo*, void*) () at /usr/local/lib/firefox/libxul.so
#4 0x0000309ac0c36480 in handle_signal (actp=actp@entry=0x309b3e293b40, sig=sig@entry=11, info=info@entry=0x309b3e293f30, ucp=ucp@entry=0x309b3e293bc0) at /usr/home/avg/devel/freebsd-src-new/machines/trant/lib/libthr/thread/thr_sig.c:298
#5 0x0000309ac0c35a78 in thr_sighandler (sig=11, info=0x309b3e293f30, _ucp=0x309b3e293bc0) at /usr/home/avg/devel/freebsd-src-new/machines/trant/lib/libthr/thread/thr_sig.c:243
#6 0x0000309abdfd82d3 in <signal handler called> ()
#7 0x0000000000000000 in ??? ()
#8 0x0000309aefc8083e in DMABufSurfaceRGBA::CreateTexture(mozilla::gl::GLContext*, int) () at /usr/local/lib/firefox/libxul.so
#9 0x0000309aed5253fc in mozilla::gl::SurfaceFactory_DMABUF::CanCreateSurface(mozilla::gl::GLContext&) () at /usr/local/lib/firefox/libxul.so
#10 0x0000309aed525132 in mozilla::gl::SurfaceFactory_DMABUF::Create(mozilla::gl::GLContext&) () at /usr/local/lib/firefox/libxul.so
#11 0x0000309aed552749 in mozilla::gl::SurfaceFactory::Create(mozilla::gl::GLContext*, mozilla::layers::TextureType) () at /usr/local/lib/firefox/libxul.so
#12 0x0000309aee8e4f6f in mozilla::InitSwapChain(mozilla::gl::GLContext&, mozilla::gl::SwapChain&, mozilla::layers::TextureType, bool) () at /usr/local/lib/firefox/libxul.so
#13 0x0000309aee8e515e in mozilla::WebGLContext::Present(mozilla::WebGLFramebuffer*, mozilla::layers::TextureType, bool, mozilla::webgl::SwapChainOptions const&) () at /usr/local/lib/firefox/libxul.so
#14 0x0000309aee9333d9 in auto mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 52ul, void (mozilla::HostWebGLContext::)(unsigned long, mozilla::layers::TextureType, bool, mozilla::webgl::SwapChainOptions const&) const, &(mozilla::HostWebGLContext::Present(unsigned long, mozilla::layers::TextureType, bool, mozilla::webgl::SwapChainOptions const&) const)>::DispatchCommandFuncById<mozilla::HostWebGLContext>(unsigned long)::{lambda(mozilla::HostWebGLContext&, mozilla::webgl::RangeConsumerView&)#1}::operator()(mozilla::HostWebGLContext&, mozilla::webgl::RangeConsumerView&) const::{lambda((auto:1&)...)#1}::operator()<unsigned long, mozilla::layers::TextureType, bool, mozilla::webgl::SwapChainOptions>(unsigned long&, mozilla::layers::TextureType&, bool&, mozilla::webgl::SwapChainOptions&) const () at /usr/local/lib/firefox/libxul.so
#15 0x0000309aee932f25 in mozilla::MethodDispatcher<mozilla::WebGLMethodDispatcher, 52ul, void (mozilla::HostWebGLContext::)(unsigned long, mozilla::layers::TextureType, bool, mozilla::webgl::SwapChainOptions const&) const, &(mozilla::HostWebGLContext::Present(unsigned long, mozilla::layers::TextureType, bool, mozilla::webgl::SwapChainOptions const&) const)>::DispatchCommandFuncById<mozilla::HostWebGLContext>(unsigned long)::{lambda(mozilla::HostWebGLContext&, mozilla::webgl::RangeConsumerView&)#1}::__invoke(mozilla::HostWebGLContext&, mozilla::webgl::RangeConsumerView&) () at /usr/local/lib/firefox/libxul.so
#16 0x0000309aee9181ed in mozilla::dom::WebGLParent::RecvDispatchCommands(mozilla::ipc::BigBuffer&&, unsigned long) () at /usr/local/lib/firefox/libxul.so
#17 0x0000309aee9898cd in mozilla::dom::PWebGLParent::OnMessageReceived(IPC::Message const&) () at /usr/local/lib/firefox/libxul.so
#18 0x0000309aed7f82f6 in mozilla::gfx::PCanvasManagerParent::OnMessageReceived(IPC::Message const&) () at /usr/local/lib/firefox/libxul.so
#19 0x0000309aed182d61 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) () at /usr/local/lib/firefox/libxul.so
#20 0x0000309aed181f78 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) () at /usr/local/lib/firefox/libxul.so
#21 0x0000309aed182307 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) () at /usr/local/lib/firefox/libxul.so
#22 0x0000309aed182784 in mozilla::ipc::MessageChannel::MessageTask::Run() () at /usr/local/lib/firefox/libxul.so
#23 0x0000309aecc29706 in nsThread::ProcessNextEvent(bool, bool*) () at /usr/local/lib/firefox/libxul.so
#24 0x0000309aecc2d9af in NS_ProcessNextEvent(nsIThread*, bool) () at /usr/local/lib/firefox/libxul.so
#25 0x0000309aed1859d8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) () at /usr/local/lib/firefox/libxul.so
#26 0x0000309aed13f677 in MessageLoop::Run() () at /usr/local/lib/firefox/libxul.so
#27 0x0000309aecc270c8 in nsThread::ThreadFunc(void*) () at /usr/local/lib/firefox/libxul.so
#28 0x0000309af61984e9 in ??? () at /usr/local/lib/libnspr4.so
#29 0x0000309ac0c2ccb5 in thread_start (curthread=0x319860c66600) at /usr/home/avg/devel/freebsd-src-new/machines/trant/lib/libthr/thread/thr_create.c:28
Expected results:
No crash, obviously.
|
Reporter | |
Comment 1•1 year ago
|
||
My platform is actually FreeBSD.
Firefox has been installed from FreeBSD packages.
The crash seems to be related to graphics.
|
|
Reporter | |
Updated•1 year ago
|
|
|
Reporter | |
Comment 2•1 year ago
|
||
My GPU is nvidia:
WebGL 1 Driver Renderer NVIDIA Corporation -- NVIDIA GeForce GTX 1660/PCIe/SSE2
WebGL 1 Driver Version 4.6.0 NVIDIA 550.54.14
|
||
Comment 3•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Graphics: Canvas2D' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 4•1 year ago
|
||
- Can you type about:support in your address bar and paste its contents to this bug
- If you type about:config in your address bar, and set hte following pref : "gfx.canvas.accelerated" to False. Then restart your browser. Does that fix the crash for you?
|
|
Reporter | |
Comment 5•1 year ago
|
||
|
|
Reporter | |
Comment 6•1 year ago
|
||
(In reply to Mayank Bansal from comment #4)
- If you type about:config in your address bar, and set hte following pref : "gfx.canvas.accelerated" to False. Then restart your browser. Does that fix the crash for you?
gfx.canvas.accelerated was already false, so apparently no.
|
Assignee | |
Comment 7•1 year ago
|
||
A strange one. Looks like a null-deref in DMABufSurfaceRGBA::CreateTexture which seems to have sufficient protections against such a thing, except for one spot. If mEgl is NULL, we don't check that. It looks like the only way that could happen is if it was set to NULL on construction, via a call to GLContextEGL::CreateGLContext, but all of those calls look like they provide non-NULL values.
Kelsey, what do you see here?
|
|
Reporter | |
Comment 8•1 year ago
|
||
FWIW, the machine code at the crash site looks like this:
0x00000629e8280830 <+3584>: mov $0xde1,%edi
0x00000629e8280835 <+3589>: mov %r15,%rsi
0x00000629e8280838 <+3592>: call *0x728(%rbx)
=> 0x00000629e828083e <+3598>: cmpb $0x0,0xb1(%rbx)
And
(gdb) x/a $rbx + 0x728
0x2389aee06b28: 0x0
So apparently there is a NULL function pointer at offset 0x728 in some object.
And 0xde1 (3553) is passed as the first argument to it, perhaps a line number?
I am building Firefox with debug symbols, so I should have better information soon.
|
|
Reporter | |
Comment 9•1 year ago
|
||
So, here is the stack trace with debug symbols:
#7 0x0000000000000000 in ??? ()
#8 0x0000389972df0533 in mozilla::gl::GLContext::fEGLImageTargetTexture2D (this=0x39f6e0a06000, target=3553, image=0x39f63d00b601) at /wrkdirs/usr/ports/www/firefox/work/.build/dist/include/GLContext.h:2480
#9 DMABufSurfaceRGBA::CreateTexture (this=0x39f63d052c00, aGLContext=0x39f6e0a06000, aPlane=<optimized out>) at /wrkdirs/usr/ports/www/firefox/work/firefox-128.0/widget/gtk/DMABufSurface.cpp:708
It looks that the crash is because mSymbols.fEGLImageTargetTexture2D is NULL.
|
|
Reporter | |
Comment 10•1 year ago
|
||
|
|
Assignee | |
Comment 11•1 year ago
|
||
Great; good investigation. So perhaps within DMABufSurfaceRGBA::CreateTexture we need to return false if not IsExtensionSupported(OES_EGL_image). I can build a patch that does that, put the review to Kelsey, and we'll figure it out in review.
|
|
Assignee | |
Comment 12•1 year ago
|
||
|
||
Updated•1 year ago
|
|
|
Reporter | |
Comment 13•1 year ago
|
||
I'll test the patch, but a quick note that OES_EGL_image seems to be supported by the hardware and driver:
EGL_CLIENT_APIS: OpenGL_ES OpenGL
GL_VENDOR: NVIDIA Corporation
GL_VERSION: OpenGL ES 3.2 NVIDIA 550.54.14
GL_SHADING_LANGUAGE_VERSION: OpenGL ES GLSL ES 3.20
GL_RENDERER: NVIDIA GeForce GTX 1660/PCIe/SSE2
GL_EXTENSIONS:
...
GL_OES_primitive_bounding_box, GL_OES_EGL_image,
GL_OES_EGL_image_external, GL_OES_EGL_image_external_essl3,
...
|
|
Reporter | |
Comment 14•1 year ago
|
||
However, the extension is not reported by either eglinfo or glxinfo, it's only reported by es2_info.
There is an interesting and heated discussion on how to "properly" query GL_OES_EGL_image here https://github.com/obsproject/obs-studio/issues/6722
Not sure if it has any relevance.
|
|
Reporter | |
Comment 15•1 year ago
|
||
(In reply to Brad Werth [:bradwerth] from comment #11)
Great; good investigation. So perhaps within
DMABufSurfaceRGBA::CreateTexturewe need to return false if notIsExtensionSupported(OES_EGL_image). I can build a patch that does that, put the review to Kelsey, and we'll figure it out in review.
The patch does fix the crash.
|
||
Comment 16•1 year ago
|
||
|
||
Comment 17•1 year ago
|
||
| bugherder | ||
|
|
Reporter | |
Comment 18•1 year ago
|
||
Thank you very much for the fix.
I am just curious if you know or have a guess which change between 127.2 and 128 could be a trigger for the crash.
I could not find anything relevant in gfx/gl.
|
|
Reporter | |
Comment 19•1 year ago
|
||
Oh, I guess it could be changeset 822050:b6cf3feff964 for bug 1898894
https://hg.mozilla.org/mozilla-central/rev/b6cf3feff964
|
|
Reporter | |
Comment 20•1 year ago
|
||
Just to confirm.
Using MOZ_LOG="Dmabuf:5,DmabufRef:5" I don't see much related to DMABuf with 127.2:
[Child 26407: Main Thread]: D/Dmabuf DMABufDevice::IsDMABufWebGLEnabled: UseDMABuf 0 sUseWebGLDmabufBackend 1 widget_dmabuf_webgl_enabled 1
[Child 26407: Main Thread]: D/Dmabuf DMABufDevice::IsDMABufWebGLEnabled: UseDMABuf 0 sUseWebGLDmabufBackend 1 widget_dmabuf_webgl_enabled 1
JavaScript warning: , line 0: WebGL warning: texSubImage: Texture has not been initialized prior to a partial upload, forcing the browser to clear it. This may be slow.
JavaScript warning: , line 0: WebGL warning: texSubImage: Tex image TEXTURE_2D level 0 is incurring lazy initialization.
With 128 there is quite a bit more:
[Parent 26418: Main Thread]: D/Dmabuf DMABufDevice::Configure()
[Parent 26418: Main Thread]: D/Dmabuf Loading DMABuf system library libgbm.so.1 ...
[Parent 26418: Main Thread]: D/Dmabuf Using DRM device /dev/dri/renderD128
[Parent 26418: Main Thread]: D/Dmabuf DMABuf is enabled
...
[Child 26436: Main Thread]: D/Dmabuf DMABufDevice::IsDMABufWebGLEnabled: UseDMABuf 1 sUseWebGLDmabufBackend 1 widget_dmabuf_webgl_enabled 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufDevice::IsDMABufWebGLEnabled: UseDMABuf 1 sUseWebGLDmabufBackend 1 widget_dmabuf_webgl_enabled 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufDevice::IsDMABufWebGLEnabled: UseDMABuf 1 sUseWebGLDmabufBackend 1 widget_dmabuf_webgl_enabled 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurfaceRGBA::Create() from EGLImage UID = 1
[Parent 26418: CanvasRenderer]: D/Dmabuf imported size 1 x 1 format 34324241 planes 1 modifiers 300000000606010
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurfaceRGBA::Serialize() UID 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurfaceRGBA::ImportSurfaceDescriptor() UID 1 size 1 x 1
[Parent 26418: CanvasRenderer]: D/Dmabuf imported size 1 x 1 format 34324241 planes 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurfaceRGBA::CreateTexture() UID 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurfaceRGBA::CreateTexture(): no OES_EGL_image.
[Parent 26418: CanvasRenderer]: D/Dmabuf SurfaceFactory_DMABUF::CanCreateSurface() failed to create texture over surface.
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurfaceRGBA::ReleaseTextures() UID 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurface::ReleaseDMABuf() UID 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurfaceRGBA::ReleaseTextures() UID 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurfaceRGBA::ReleaseTextures() UID 1
[Parent 26418: CanvasRenderer]: D/Dmabuf DMABufSurface::ReleaseDMABuf() UID 1
[Parent 26418: CanvasRenderer]: D/Dmabuf SurfaceFactory_DMABUF::Create() failed, fallback to SW buffers.
[Child 26436: Main Thread]: D/Dmabuf DMABufDevice::IsDMABufWebGLEnabled: UseDMABuf 1 sUseWebGLDmabufBackend 1 widget_dmabuf_webgl_enabled 1
JavaScript warning: , line 0: WebGL warning: texSubImage: Texture has not been initialized prior to a partial upload, forcing the browser to clear it. This may be slow.
JavaScript warning: , line 0: WebGL warning: texSubImage: Tex image TEXTURE_2D level 0 is incurring lazy initialization.
|
|
Reporter | |
Comment 21•1 year ago
|
||
With 128 there is quite a bit more:
That is, with 128 plus the fix.
|
||
Updated•1 year ago
|
Description
•