Closed Bug 604044 Opened 14 years ago Closed 13 years ago

Crash [@ GLContext::fDeleteTextures] on exit with GL layers

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: bjacob, Assigned: bjacob)

References

Details

(Keywords: crash)

Crash Data

Attachments

(4 files)

preferred patch: check if GLContext already destroyed
908 bytes, patch
Details | Diff | Splinter Review
Alternative patch: don't mark GL context as destroyed in nsWindow::Destroy
1.21 KB, patch
Details | Diff | Splinter Review
remove HasTextures
2.62 KB, patch
Details | Diff | Splinter Review
set mTexture=0 at right place
1.27 KB, patch
vlad
: review-
Details | Diff | Splinter Review 
Steps to reproduce:
1. launch firefox on a webm video URL, e.g.
  firefox /path/to/foo.webm

2. quit firefox

You get a segfault, backtrace below, in GLContext::fDeleteTextures, at this line:

    mSymbols.fDeleteTextures(n, names);

It's crashing because the fDeleteTextures function pointer has already been nulled by GLContextSymbols::Zero().
#0  0x000000385bea6a6d in nanosleep () from /lib64/libc.so.6
#1  0x000000385bea68e0 in sleep () from /lib64/libc.so.6
#2  0x00007f58d97c5a48 in ah_crap_handler (signum=11)
    at /home/bjacob/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3  0x00007f58d97ca282 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fff198d9c30, 
    context=0x7fff198d9b00) at nsProfileLock.cpp:221
#4  <signal handler called>
#5  0x0000000000000000 in ?? ()
#6  0x00007f58d9e981ce in mozilla::gl::GLContext::fDeleteTextures (this=0x396e050, n=1, names=
    0x7f58b8385970) at ../../../dist/include/GLContext.h:1854
#7  0x00007f58daf7d033 in mozilla::layers::GLTexture::Release (this=0x7f58b8385968)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.cpp:112
#8  0x00007f58daf7f7f4 in mozilla::layers::GLTexture::~GLTexture (this=0x7f58b8385968, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.h:66
#9  0x00007f58daf8052f in nsTArrayElementTraits<mozilla::layers::GLTexture>::Destruct (e=
    0x7f58b8385968) at ../../dist/include/nsTArray.h:204
#10 0x00007f58daf8047b in nsTArray<mozilla::layers::GLTexture>::DestructRange (this=0x3bb1858, 
    start=0, count=2) at ../../dist/include/nsTArray.h:987
#11 0x00007f58daf80248 in nsTArray<mozilla::layers::GLTexture>::RemoveElementsAt (this=
    0x3bb1858, start=0, count=2) at ../../dist/include/nsTArray.h:718
#12 0x00007f58daf7fdd3 in nsTArray<mozilla::layers::GLTexture>::Clear (this=0x3bb1858)
    at ../../dist/include/nsTArray.h:729
#13 0x00007f58daf7fc68 in nsTArray<mozilla::layers::GLTexture>::~nsTArray (this=0x3bb1858, 
    __in_chrg=<value optimized out>) at ../../dist/include/nsTArray.h:274
#14 0x00007f58daf7f903 in mozilla::layers::RecycleBin::~RecycleBin (this=0x3bb1820, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.h:96
#15 0x00007f58daf7f9c3 in mozilla::layers::RecycleBin::Release (this=0x3bb1820)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.h:97
#16 0x00007f58daf7fedf in nsRefPtr<mozilla::layers::RecycleBin>::~nsRefPtr (this=0x3bb17e8, 
    __in_chrg=<value optimized out>) at ../../dist/include/nsAutoPtr.h:969
Assignee: nobody → bjacob
#17 0x00007f58daf7d6ea in mozilla::layers::ImageContainerOGL::~ImageContainerOGL (this=
    0x3bb17d0, __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.cpp:201
#18 0x00007f58daf7d72e in mozilla::layers::ImageContainerOGL::~ImageContainerOGL (this=
    0x3bb17d0, __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.cpp:201
#19 0x00007f58d9bb1e72 in mozilla::layers::ImageContainer::Release (this=0x3bb17d0)
    at ../../dist/include/ImageLayers.h:114
#20 0x00007f58d9bb2895 in nsRefPtr<mozilla::layers::ImageContainer>::~nsRefPtr (this=0x369b5e8, 
    __in_chrg=<value optimized out>) at ../../dist/include/nsAutoPtr.h:969
#21 0x00007f58d9f9b742 in nsHTMLMediaElement::~nsHTMLMediaElement (this=0x369b570, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLMediaElement.cpp:1328
#22 0x00007f58d9fa39d9 in nsHTMLVideoElement::~nsHTMLVideoElement (this=0x369b570, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLVideoElement.cpp:111
#23 0x00007f58d9fa3a10 in nsHTMLVideoElement::~nsHTMLVideoElement (this=0x369b570, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLVideoElement.cpp:111
#24 0x00007f58d9e175b6 in nsNodeUtils::LastRelease (aNode=0x369b570)
    at /home/bjacob/mozilla-central/content/base/src/nsNodeUtils.cpp:324
#25 0x00007f58d9e0028b in nsGenericElement::Release (this=0x369b570)
    at /home/bjacob/mozilla-central/content/base/src/nsGenericElement.cpp:4512
#26 0x00007f58d9f97de6 in nsHTMLMediaElement::Release (this=0x369b570)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLMediaElement.cpp:364
#27 0x00007f58d9fa349e in nsHTMLVideoElement::Release (this=0x369b570)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLVideoElement.cpp:72
#28 0x00007f58da653be8 in XPCWrappedNative::~XPCWrappedNative (this=0x3d07a40, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:931
#29 0x00007f58da653c60 in XPCWrappedNative::~XPCWrappedNative (this=0x3d07a40, 
    __in_chrg=<value optimized out>)
Here is now the backtrace leading to this premature GLContextSymbols::Zero() call:

#0  mozilla::gl::GLContextSymbols::Zero (this=0x1b236e8)
    at /home/bjacob/mozilla-central/gfx/thebes/GLContextSymbols.h:67
#1  0x00007ffff690e80e in mozilla::gl::GLContext::MarkDestroyed (this=0x1b23680)
    at /home/bjacob/mozilla-central/gfx/thebes/GLContext.cpp:865
#2  0x00007ffff6462561 in nsWindow::Destroy (this=0xfad8e0)
    at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:878
#3  0x00007ffff5a73e84 in nsView::~nsView (this=0xf9cd10, __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/view/src/nsView.cpp:289
#4  0x00007ffff5a73f32 in nsView::~nsView (this=0xf9cd10, __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/view/src/nsView.cpp:299
#5  0x00007ffff5a7408a in nsIView::Destroy (this=0xf9cd10)
    at /home/bjacob/mozilla-central/view/src/nsView.cpp:337
#6  0x00007ffff550b815 in nsFrame::DestroyFrom (this=0x10d40a8, aDestructRoot=0x10d40a8)
    at /home/bjacob/mozilla-central/layout/generic/nsFrame.cpp:462
#7  0x00007ffff558fd21 in nsSplittableFrame::DestroyFrom (this=0x10d40a8, aDestructRoot=
    0x10d40a8) at /home/bjacob/mozilla-central/layout/generic/nsSplittableFrame.cpp:75
#8  0x00007ffff5503ed6 in nsContainerFrame::DestroyFrom (this=0x10d40a8, aDestructRoot=
    0x10d40a8) at /home/bjacob/mozilla-central/layout/generic/nsContainerFrame.cpp:292
#9  0x00007ffff55b22ec in ViewportFrame::DestroyFrom (this=0x10d40a8, aDestructRoot=0x10d40a8)
    at /home/bjacob/mozilla-central/layout/generic/nsViewportFrame.cpp:73
#10 0x00007ffff541dbcc in nsIFrame::Destroy (this=0x10d40a8)
    at /home/bjacob/mozilla-central/layout/base/../generic/nsIFrame.h:538
#11 0x00007ffff54619af in nsFrameManager::Destroy (this=0xfadcc8)
    at /home/bjacob/mozilla-central/layout/base/nsFrameManager.cpp:257
#12 0x00007ffff5489229 in PresShell::Destroy (this=0xfadc90)
    at /home/bjacob/mozilla-central/layout/base/nsPresShell.cpp:2025
#13 0x00007ffff5459c75 in DocumentViewerImpl::DestroyPresShell (this=0xf9fce0)
    at /home/bjacob/mozilla-central/layout/base/nsDocumentViewer.cpp:4300
#14 0x00007ffff544f80e in DocumentViewerImpl::Destroy (this=0xf9fce0)
    at /home/bjacob/mozilla-central/layout/base/nsDocumentViewer.cpp:1619
#15 0x00007ffff610ea5d in nsDocShell::Destroy (this=0xdbc930)
    at /home/bjacob/mozilla-central/docshell/base/nsDocShell.cpp:4500
---Type <return> to continue, or q <return> to quit---
#16 0x00007ffff61cde10 in nsXULWindow::Destroy (this=0xdbac60)
    at /home/bjacob/mozilla-central/xpfe/appshell/src/nsXULWindow.cpp:528
#17 0x00007ffff61dc2aa in nsWebShellWindow::Destroy (this=0xdbac60)
    at /home/bjacob/mozilla-central/xpfe/appshell/src/nsWebShellWindow.cpp:832
#18 0x00007ffff61dac18 in nsWebShellWindow::HandleEvent (aEvent=0x7fffffffc7f0)
    at /home/bjacob/mozilla-central/xpfe/appshell/src/nsWebShellWindow.cpp:416
#19 0x00007ffff6461f78 in nsWindow::DispatchEvent (this=0xdbae20, aEvent=0x7fffffffc7f0, 
    aStatus=@0x7fffffffc84c) at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:731
#20 0x00007ffff64668fe in nsWindow::OnDeleteEvent (this=0xdbae20, aWidget=0x6497f0 [GtkWindow], 
    aEvent=0xdbe660) at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:2520
#21 0x00007ffff646f205 in delete_event_cb (widget=0x6497f0 [GtkWindow], event=0xdbe660)
    at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:5693
#22 0x000000312f551003 in _gtk_marshal_BOOLEAN__BOXED (closure=0xdbabf0, return_value=
    0x7fffffffca60, n_param_values=<value optimized out>, param_values=0x17ef950, 
    invocation_hint=<value optimized out>, marshal_data=<value optimized out>)
    at gtkmarshalers.c:84
#23 0x0000003860e0b98e in IA__g_closure_invoke (closure=0xdbabf0, return_value=0x7fffffffca60, 
    n_param_values=2, param_values=0x17ef950, invocation_hint=0x7fffffffca20) at gclosure.c:767
#24 0x0000003860e1f947 in signal_emit_unlocked_R (node=<value optimized out>, detail=0, 
    instance=0x6497f0, emission_return=0x7fffffffcbb0, instance_and_params=0x17ef950)
    at gsignal.c:3248
#25 0x0000003860e20c29 in IA__g_signal_emit_valist (instance=<value optimized out>, 
    signal_id=<value optimized out>, detail=<value optimized out>, var_args=0x7fffffffcc10)
    at gsignal.c:2991
#26 0x0000003860e213a3 in IA__g_signal_emit (instance=<value optimized out>, 
    signal_id=<value optimized out>, detail=<value optimized out>) at gsignal.c:3038
#27 0x000000312f68190f in gtk_widget_event_internal (widget=0x6497f0 [GtkWindow], event=
    0xdbe660) at gtkwidget.c:4958
#28 0x000000312f5490e0 in IA__gtk_main_do_event (event=0xdbe660) at gtkmain.c:1549
#29 0x000000312fc6039c in gdk_event_dispatch (source=<value optimized out>, 
    callback=<value optimized out>, user_data=<value optimized out>) at gdkevents-x11.c:2372
#30 0x000000385f63bd02 in g_main_dispatch (context=0x64abe0) at gmain.c:1960
---Type <return> to continue, or q <return> to quit---
#31 IA__g_main_context_dispatch (context=0x64abe0) at gmain.c:2513
#32 0x000000385f63fae8 in g_main_context_iterate (context=0x64abe0, block=1, dispatch=1, 
    self=<value optimized out>) at gmain.c:2591
#33 0x000000385f63fc9c in IA__g_main_context_iteration (context=0x64abe0, may_block=1)
    at gmain.c:2654
#34 0x00007ffff64748d8 in nsAppShell::ProcessNextNativeEvent (this=0x6927e0, mayWait=1)
    at /home/bjacob/mozilla-central/widget/src/gtk2/nsAppShell.cpp:144
#35 0x00007ffff6499573 in nsBaseAppShell::DoProcessNextNativeEvent (this=0x6927e0, mayWait=1)
    at /home/bjacob/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:161
#36 0x00007ffff649999a in nsBaseAppShell::OnProcessNextEvent (this=0x6927e0, thr=0x66d520, 
    mayWait=1, recursionDepth=0)
    at /home/bjacob/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:317
#37 0x00007ffff67ee37f in nsThread::ProcessNextEvent (this=0x66d520, mayWait=1, result=
    0x7fffffffd03c) at /home/bjacob/mozilla-central/xpcom/threads/nsThread.cpp:517
#38 0x00007ffff677a7d4 in NS_ProcessNextEvent_P (thread=0x66d520, mayWait=1)
    at nsThreadUtils.cpp:250
#39 0x00007ffff65f4649 in mozilla::ipc::MessagePump::Run (this=0x67ed50, aDelegate=0x66d1e0)
    at /home/bjacob/mozilla-central/ipc/glue/MessagePump.cpp:134
#40 0x00007ffff6854b37 in MessageLoop::RunInternal (this=0x66d1e0)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#41 0x00007ffff6854abc in MessageLoop::RunHandler (this=0x66d1e0)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:202
#42 0x00007ffff6854a4d in MessageLoop::Run (this=0x66d1e0)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:176
#43 0x00007ffff64995ff in nsBaseAppShell::Run (this=0x6927e0)
    at /home/bjacob/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:180
#44 0x00007ffff61f2479 in nsAppStartup::Run (this=0xa64490)
    at /home/bjacob/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:191
#45 0x00007ffff5176601 in XRE_main (argc=5, argv=0x7fffffffdc98, aAppData=0x6088a0)
    at /home/bjacob/mozilla-central/toolkit/xre/nsAppRunner.cpp:3670
#46 0x000000000040121f in main (argc=5, argv=0x7fffffffdc98)
    at /home/bjacob/mozilla-central/browser/app/nsBrowserApp.cpp:158
And here is now the full backtrace leading to the crash (ignore comments 1 and 2, they were truncated)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff58571ce in mozilla::gl::GLContext::fDeleteTextures (this=0x1b23680, n=1, names=
    0x7fffc4014410) at ../../../dist/include/GLContext.h:1854
#2  0x00007ffff693c033 in mozilla::layers::GLTexture::Release (this=0x7fffc4014408)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.cpp:112
#3  0x00007ffff693e7f4 in mozilla::layers::GLTexture::~GLTexture (this=0x7fffc4014408, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.h:66
#4  0x00007ffff693f52f in nsTArrayElementTraits<mozilla::layers::GLTexture>::Destruct (e=
    0x7fffc4014408) at ../../dist/include/nsTArray.h:204
#5  0x00007ffff693f47b in nsTArray<mozilla::layers::GLTexture>::DestructRange (this=0x1cd9918, 
    start=0, count=2) at ../../dist/include/nsTArray.h:987
#6  0x00007ffff693f248 in nsTArray<mozilla::layers::GLTexture>::RemoveElementsAt (this=
    0x1cd9918, start=0, count=2) at ../../dist/include/nsTArray.h:718
#7  0x00007ffff693edd3 in nsTArray<mozilla::layers::GLTexture>::Clear (this=0x1cd9918)
    at ../../dist/include/nsTArray.h:729
#8  0x00007ffff693ec68 in nsTArray<mozilla::layers::GLTexture>::~nsTArray (this=0x1cd9918, 
    __in_chrg=<value optimized out>) at ../../dist/include/nsTArray.h:274
#9  0x00007ffff693e903 in mozilla::layers::RecycleBin::~RecycleBin (this=0x1cd98e0, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.h:96
#10 0x00007ffff693e9c3 in mozilla::layers::RecycleBin::Release (this=0x1cd98e0)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.h:97
#11 0x00007ffff693eedf in nsRefPtr<mozilla::layers::RecycleBin>::~nsRefPtr (this=0x1ce82f8, 
    __in_chrg=<value optimized out>) at ../../dist/include/nsAutoPtr.h:969
#12 0x00007ffff693c6ea in mozilla::layers::ImageContainerOGL::~ImageContainerOGL (this=
    0x1ce82e0, __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.cpp:201
#13 0x00007ffff693c72e in mozilla::layers::ImageContainerOGL::~ImageContainerOGL (this=
    0x1ce82e0, __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ImageLayerOGL.cpp:201
#14 0x00007ffff5570e72 in mozilla::layers::ImageContainer::Release (this=0x1ce82e0)
---Type <return> to continue, or q <return> to quit---
    at ../../dist/include/ImageLayers.h:114
#15 0x00007ffff5571895 in nsRefPtr<mozilla::layers::ImageContainer>::~nsRefPtr (this=0xe69248, 
    __in_chrg=<value optimized out>) at ../../dist/include/nsAutoPtr.h:969
#16 0x00007ffff595a742 in nsHTMLMediaElement::~nsHTMLMediaElement (this=0xe691d0, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLMediaElement.cpp:1328
#17 0x00007ffff59629d9 in nsHTMLVideoElement::~nsHTMLVideoElement (this=0xe691d0, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLVideoElement.cpp:111
#18 0x00007ffff5962a10 in nsHTMLVideoElement::~nsHTMLVideoElement (this=0xe691d0, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLVideoElement.cpp:111
#19 0x00007ffff57d65b6 in nsNodeUtils::LastRelease (aNode=0xe691d0)
    at /home/bjacob/mozilla-central/content/base/src/nsNodeUtils.cpp:324
#20 0x00007ffff57bf28b in nsGenericElement::Release (this=0xe691d0)
    at /home/bjacob/mozilla-central/content/base/src/nsGenericElement.cpp:4512
#21 0x00007ffff5956de6 in nsHTMLMediaElement::Release (this=0xe691d0)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLMediaElement.cpp:364
#22 0x00007ffff596249e in nsHTMLVideoElement::Release (this=0xe691d0)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLVideoElement.cpp:72
#23 0x00007ffff6012be8 in XPCWrappedNative::~XPCWrappedNative (this=0x1e33b70, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:931
#24 0x00007ffff6012c60 in XPCWrappedNative::~XPCWrappedNative (this=0x1e33b70, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:934
#25 0x00007ffff6013df4 in XPCWrappedNative::Release (this=0x1e33b70)
    at /home/bjacob/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:1237
#26 0x00007ffff60141e7 in XPCWrappedNative::FlatJSObjectFinalized (this=0x1e33b70, cx=0x15095d0)
    at /home/bjacob/mozilla-central/js/src/xpconnect/src/xpcwrappednative.cpp:1402
#27 0x00007ffff602308e in XPC_WN_NoHelper_Finalize (cx=0x15095d0, obj=0x7fffe41822a0)
    at /home/bjacob/mozilla-central/js/src/xpconnect/src/xpcwrappednativejsops.cpp:671
---Type <return> to continue, or q <return> to quit---
#28 0x00007ffff6a1db2c in JSObject::finalize (this=0x7fffe41822a0, cx=0x15095d0, thingKind=0)
    at /home/bjacob/mozilla-central/js/src/jsobjinlines.h:134
#29 0x00007ffff6a1b3e4 in FinalizeArenaList<JSObject> (comp=0x1cf35a0, cx=0x15095d0, thingKind=
    0) at /home/bjacob/mozilla-central/js/src/jsgc.cpp:1990
#30 0x00007ffff6a19e3b in MarkAndSweep (cx=0x15095d0, gckind=GC_NORMAL)
    at /home/bjacob/mozilla-central/js/src/jsgc.cpp:2347
#31 0x00007ffff6a1a6c5 in GCUntilDone (cx=0x15095d0, gckind=GC_NORMAL)
    at /home/bjacob/mozilla-central/js/src/jsgc.cpp:2640
#32 0x00007ffff6a1a872 in js_GC (cx=0x15095d0, gckind=GC_NORMAL)
    at /home/bjacob/mozilla-central/js/src/jsgc.cpp:2698
#33 0x00007ffff6997239 in JS_GC (cx=0x15095d0)
    at /home/bjacob/mozilla-central/js/src/jsapi.cpp:2468
#34 0x00007ffff5fc32e7 in nsXPConnect::Collect (this=0x89cc30)
    at /home/bjacob/mozilla-central/js/src/xpconnect/src/nsXPConnect.cpp:397
#35 0x00007ffff68069fe in nsCycleCollector::Collect (this=0x692d90, aTryCollections=5, 
    aListener=0x0) at /home/bjacob/mozilla-central/xpcom/base/nsCycleCollector.cpp:2479
#36 0x00007ffff6806efe in nsCycleCollector::Shutdown (this=0x692d90)
    at /home/bjacob/mozilla-central/xpcom/base/nsCycleCollector.cpp:2726
#37 0x00007ffff6807195 in nsCycleCollector_shutdown ()
    at /home/bjacob/mozilla-central/xpcom/base/nsCycleCollector.cpp:3221
#38 0x00007ffff678593c in mozilla::ShutdownXPCOM (servMgr=0x0)
    at /home/bjacob/mozilla-central/xpcom/build/nsXPComInit.cpp:685
#39 0x00007ffff6785512 in NS_ShutdownXPCOM_P (servMgr=0x692bc8)
    at /home/bjacob/mozilla-central/xpcom/build/nsXPComInit.cpp:587
#40 0x00007ffff516deb4 in ScopedXPCOMStartup::~ScopedXPCOMStartup (this=0x7fffffffd5b0, 
    __in_chrg=<value optimized out>)
    at /home/bjacob/mozilla-central/toolkit/xre/nsAppRunner.cpp:1117
#41 0x00007ffff517674f in XRE_main (argc=5, argv=0x7fffffffdc98, aAppData=0x6088a0)
    at /home/bjacob/mozilla-central/toolkit/xre/nsAppRunner.cpp:3700
#42 0x000000000040121f in main (argc=5, argv=0x7fffffffdc98)
    at /home/bjacob/mozilla-central/browser/app/nsBrowserApp.cpp:158
Severity: normal → critical
Keywords: crash
Summary: Crash [GLContext::fDeleteTextures] on exit with GL layers → Crash [@ GLContext::fDeleteTextures] on exit with GL layers
Depends on: 574481
This patch lets GLTexture::Release check if the GLContext IsDestroyed() before trying to call fDeleteTextures.

In addition to fixing this crash, this also fixes the crash in bug 608391.
Attachment #492199 - Flags: review?(vladimir)
Not /really/ asking for review, just interested in your comments: this fixes the present crash, but contrary to the previous patch, doesn't also fix bug 608391.

Out of curiosity, why is nsWindow::Destroy calling GLContext::MarkDestroyed? It was my understanding that MarkDestroyed was only meant to be called in GLContext destructors. What was the rationale for this code?
Attachment #492201 - Flags: review?(vladimir)
Comment on attachment 492201 [details] [diff] [review]
Alternative patch: don't mark GL context as destroyed in nsWindow::Destroy

The issue is that once that window is gone, that GL context is invalid -- attempting to make it current can cause a crash, as can executing various methods on it.  Destroying the layer manager should have made destroyed everything oustanding, so we mark the GL context destroyed to get a quick notification if someone does try to make a GL call after that point.
(In reply to comment #7)
> Comment on attachment 492201 [details] [diff] [review]
> Alternative patch: don't mark GL context as destroyed in nsWindow::Destroy
> 
> The issue is that once that window is gone, that GL context is invalid --
> attempting to make it current can cause a crash, as can executing various
> methods on it.  Destroying the layer manager should have made destroyed
> everything oustanding, so we mark the GL context destroyed to get a quick
> notification if someone does try to make a GL call after that point.

Does the layer manager know all the GLTextures that should be destroyed together with it?

If yes, I guess that the right fix is to make sure that it does destroy these GLTextures.

If no, then I can't see a better way than my first patch above (checking if GL context already destroyed when destroying textures).
That's up to the layer manager to determine -- it's supposed to know about all resources that it needs to clean up at destroy time.  For example, LayerManagerOGL tells all ImageContainers to go away, and it calls Destroy() on the root layer, which should propagate to all child layers... which should in turn do things like delete/free TextureImages.

So it sounds like the issue here is that the image container isn't doing the right thing in response to SetLayerManager(nsnull) and/or isn't flagging things as destroyed for later.
This doesn't fix the crash, but wasn't this wrong? HasTextures meant " has all textures" but that's not what we needed to know.
Attachment #494824 - Flags: review?(vladimir)
This also doesn't fix the crash, but wasn't this wrong? If mTexture is set to 0 immediately and only later the main thread calls fDeleteTextures, that GL texture will never be deleted.
Attachment #494826 - Flags: review?(vladimir)
Another part of the code that confuses me: in GLTexture::Release(),

      nsCOMPtr<nsIRunnable> runnable =
        new TextureDeleter(mContext.forget(), mTexture);

Why are we forgetting the mContext here? Can that explain part of why the GL context dies too soon? I've had this crash happening from TextureDeleter::Run().
Comment on attachment 494824 [details] [diff] [review]
remove HasTextures

Hmm, confused:

># HG changeset patch
># Parent 1f53f85ddfb58ffe51330e52ca122cdcbc3e5222
>diff --git a/gfx/layers/opengl/ImageLayerOGL.cpp b/gfx/layers/opengl/ImageLayerOGL.cpp
>--- a/gfx/layers/opengl/ImageLayerOGL.cpp
>+++ b/gfx/layers/opengl/ImageLayerOGL.cpp
>@@ -382,18 +382,21 @@ ImageLayerOGL::RenderLayer(int,
> 
>   if (image->GetFormat() == Image::PLANAR_YCBCR) {
>     PlanarYCbCrImageOGL *yuvImage =
>       static_cast<PlanarYCbCrImageOGL*>(image.get());
> 
>     if (!yuvImage->HasData()) {
>       return;
>     }
>-    
>-    if (!yuvImage->HasTextures()) {
>+
>+    if (!yuvImage->mTextures[0].IsAllocated() ||
>+        !yuvImage->mTextures[1].IsAllocated() ||
>+        !yuvImage->mTextures[2].IsAllocated())
>+    {
>       yuvImage->AllocateTextures(gl());
>     }

  PRBool HasTextures()
  {
    return mTextures[0].IsAllocated() && mTextures[1].IsAllocated() &&
           mTextures[2].IsAllocated();
  }

isn't !HasTextures() the same as what you wrote?

>-  if (HasTextures()) {
>-    mRecycleBin->RecycleTexture(&mTextures[0], RecycleBin::TEXTURE_Y, mData.mYSize);
>-    mRecycleBin->RecycleTexture(&mTextures[1], RecycleBin::TEXTURE_C, mData.mCbCrSize);
>-    mRecycleBin->RecycleTexture(&mTextures[2], RecycleBin::TEXTURE_C, mData.mCbCrSize);
>-  }
>+  mRecycleBin->RecycleTexture(&mTextures[0], RecycleBin::TEXTURE_Y, mData.mYSize);
>+  mRecycleBin->RecycleTexture(&mTextures[1], RecycleBin::TEXTURE_C, mData.mCbCrSize);
>+  mRecycleBin->RecycleTexture(&mTextures[2], RecycleBin::TEXTURE_C, mData.mCbCrSize);
> }

Don't think this matters -- we only allocate all 3 textures at once I think, so they're either all allocated or none?
Comment on attachment 494826 [details] [diff] [review]
set mTexture=0 at right place

># HG changeset patch
># Parent 610a6d9542715c3d7daaebebfefc74a6472d0968
>diff --git a/gfx/layers/opengl/ImageLayerOGL.cpp b/gfx/layers/opengl/ImageLayerOGL.cpp
>--- a/gfx/layers/opengl/ImageLayerOGL.cpp
>+++ b/gfx/layers/opengl/ImageLayerOGL.cpp
>@@ -63,16 +63,17 @@ public:
>       : mContext(aContext), mTexture(aTexture)
>   {
>     NS_ASSERTION(aTexture, "TextureDeleter instantiated with nothing to do");
>   }
> 
>   NS_IMETHOD Run() {
>     mContext->MakeCurrent();
>     mContext->fDeleteTextures(1, &mTexture);
>+    mTexture = 0;

This mTexture is part of the TextureDeleter runnable

>   if (mTexture) {
>     if (NS_IsMainThread() || mContext->IsGlobalSharedContext()) {
>       mContext->MakeCurrent();
>       mContext->fDeleteTextures(1, &mTexture);
>+      mTexture = 0;
>     } else {
>       nsCOMPtr<nsIRunnable> runnable =
>         new TextureDeleter(mContext.forget(), mTexture);
>       NS_DispatchToMainThread(runnable);
>     }
>-
>-    mTexture = 0;

... and is not the same as this mTexture.  We pass the integer to new TextureDeleter, and then we set it to 0 unconditionally -- because it was either already deleted here, or it will be deleted in the future; destroying -this- object shouldn't try to delete mTexture again.
Attachment #494826 - Flags: review?(vladimir) → review-
(In reply to comment #12)
> Another part of the code that confuses me: in GLTexture::Release(),
> 
>       nsCOMPtr<nsIRunnable> runnable =
>         new TextureDeleter(mContext.forget(), mTexture);
> 
> Why are we forgetting the mContext here? Can that explain part of why the GL
> context dies too soon? I've had this crash happening from
> TextureDeleter::Run().

We're calling forget() since we just want to give up our reference, since we're going to be setting it to nsnull unconditinally later on anyway; TextureDeleter takes an already_AddRefed, so there's no refcount leak.
blocking2.0: --- → ?
This doesn't show up at all on crash-stats. I think we can release with this bug, despite its ugliness. I'll of course take the patch.
blocking2.0: ? → -
Doesn't seem to happen anymore (can't reproduce anymore)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ GLContext::fDeleteTextures]
Attachment #492199 - Flags: review?(vladimir)
Attachment #492201 - Flags: review?(vladimir)
Attachment #494824 - Flags: review?(vladimir)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: