Fennec OpenGL layer crashes [@ShadowBufferOGL::Upload] [@ gfxContext::SetOperator ] in WebM video playback and in WebGL.

(Reporter: bjacob, Assigned: cjones)
(1 attachment)

Fennec crashes with the following backtrace when playing WebM videos on youtube/html5, and also on simple WebGL pages (spidergl.org demos).

#0  0x000000322d2a6a4d in nanosleep () at ../sysdeps/unix/syscall-template.S:82
#1  0x000000322d2a68c0 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2  0x00007f9c016c39fc in ah_crap_handler (signum=11)
    at /home/bjacob/mozilla-central/toolkit/xre/nsSigHandlers.cpp:132
#3  0x00007f9c016c822e in nsProfileLock::FatalSignalHandler (signo=11, info=0x7ffff4567ab0, 
    context=0x7ffff4567980) at nsProfileLock.cpp:226
#4  <signal handler called>
#5  0x00007f9c02e71c05 in gfxContext::SetOperator (this=0x0, op=gfxContext::OPERATOR_SOURCE)
    at /home/bjacob/mozilla-central/gfx/thebes/gfxContext.cpp:554
#6  0x00007f9c02ee58ab in mozilla::layers::ShadowBufferOGL::Upload (this=0x351a2e0, aUpdate=
    0x2bc4fe0, aUpdated=..., aRect=..., aRotation=...)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ThebesLayerOGL.cpp:628
#7  0x00007f9c02ee5d62 in mozilla::layers::ShadowThebesLayerOGL::Swap (this=0x2b73e50, 
    aNewFront=..., aUpdatedRegion=..., aNewBack=0x7ffff4568070, aNewBackValidRegion=
    0x7ffff4568030, aNewXResolution=0x7ffff45680cc, aNewYResolution=0x7ffff45680c8, 
    aReadOnlyFront=0x7ffff4567ff0, aFrontUpdatedRegion=0x7ffff4567fb0)
    at /home/bjacob/mozilla-central/gfx/layers/opengl/ThebesLayerOGL.cpp:681
#8  0x00007f9c02eeed3c in mozilla::layers::ShadowLayersParent::RecvUpdate (this=0x34d1cd0, cset=
    ..., reply=0x7ffff4568890)
    at /home/bjacob/mozilla-central/gfx/layers/ipc/ShadowLayersParent.cpp:383
#9  0x00007f9c02bcae84 in mozilla::layers::PLayersParent::OnMessageReceived (this=0x34d1cd0, 
    __msg=..., __reply=@0x7ffff4568b78) at PLayersParent.cpp:221
#10 0x00007f9c02bbd8b3 in mozilla::dom::PContentParent::OnMessageReceived (this=0x2e76640, 
    __msg=..., __reply=@0x7ffff4568b78) at PContentParent.cpp:974
#11 0x00007f9c02b7d963 in mozilla::ipc::SyncChannel::OnDispatchMessage (this=0x2e76650, msg=...)
    at /home/bjacob/mozilla-central/ipc/glue/SyncChannel.cpp:169
#12 0x00007f9c02b7465b in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x2e76650)
    at /home/bjacob/mozilla-central/ipc/glue/RPCChannel.cpp:436
#13 0x00007f9c02b7a5c6 in void DispatchToMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)()>(mozilla::ipc::RPCChannel*, bool (mozilla::ipc::RPCChannel::*)(), Tuple0 const&)
    () from /home/bjacob/build/firefoxmobile/dist/bin/libxul.so
#14 0x00007f9c02b7a516 in RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run() () from /home/bjacob/build/firefoxmobile/dist/bin/libxul.so
#15 0x00007f9c02b75fe9 in mozilla::ipc::RPCChannel::RefCountedTask::Run() ()
   from /home/bjacob/build/firefoxmobile/dist/bin/libxul.so
#16 0x00007f9c02b760ec in mozilla::ipc::RPCChannel::DequeueTask::Run() ()
   from /home/bjacob/build/firefoxmobile/dist/bin/libxul.so
#17 0x00007f9c02dec288 in MessageLoop::RunTask (this=0x1cdacf0, task=0x7f9bf401b620)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:343
#18 0x00007f9c02dec2f8 in MessageLoop::DeferOrRunPendingTask (this=0x1cdacf0, pending_task=...)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:351
#19 0x00007f9c02dec6dc in MessageLoop::DoWork (this=0x1cdacf0)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:451
#20 0x00007f9c02b71e7f in mozilla::ipc::DoWorkRunnable::Run (this=0x1cdb340)
    at /home/bjacob/mozilla-central/ipc/glue/MessagePump.cpp:70
#21 0x00007f9c02d85499 in nsThread::ProcessNextEvent (this=0x1cecd30, mayWait=1, result=
    0x7ffff4568e8c) at /home/bjacob/mozilla-central/xpcom/threads/nsThread.cpp:610
#22 0x00007f9c02d11348 in NS_ProcessNextEvent_P (thread=0x1cecd30, mayWait=1)
    at nsThreadUtils.cpp:250
#23 0x00007f9c02b72229 in mozilla::ipc::MessagePump::Run (this=0x1cdaf60, aDelegate=0x1cdacf0)
    at /home/bjacob/mozilla-central/ipc/glue/MessagePump.cpp:134
#24 0x00007f9c02debd93 in MessageLoop::RunInternal (this=0x1cdacf0)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:219
#25 0x00007f9c02debd18 in MessageLoop::RunHandler (this=0x1cdacf0)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:202
#26 0x00007f9c02debca9 in MessageLoop::Run (this=0x1cdacf0)
    at /home/bjacob/mozilla-central/ipc/chromium/src/base/message_loop.cc:176
#27 0x00007f9c02a121d3 in nsBaseAppShell::Run (this=0x1d00040)
    at /home/bjacob/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:181
#28 0x00007f9c02781a0d in nsAppStartup::Run (this=0x1ff8210)
    at /home/bjacob/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:191
#29 0x00007f9c016b56bb in XRE_main (argc=4, argv=0x7ffff4569ae8, aAppData=0x1c76cd0)
    at /home/bjacob/mozilla-central/toolkit/xre/nsAppRunner.cpp:3682
#30 0x00000000004010ef in main (argc=4, argv=0x7ffff4569ae8)
    at /home/bjacob/mozilla-central/mobile/app/nsBrowserApp.cpp:155

Comment 1

7 years ago
This is crashing at ThebesLayerOGL.cpp:628:


because dest is null.

It was obtained just above at ThebesLayerOGL.cpp:626:

  nsRefPtr<gfxContext> dest = mTexImage->BeginUpdate(destRegion);

The console output says "update outside of image", which means that BeginUpdate returned null here at GLContext.cpp:572:

    nsIntSize rgnSize = mUpdateRect.Size();
    if (!nsIntRect(nsIntPoint(0, 0), mSize).Contains(mUpdateRect)) {
        NS_ERROR("update outside of image");
        return NULL;

In this frame (in BeginUpdate), just before it returns NULL here, just before it crashes, let's print some local variables:

(gdb) print mSize
$3 = {width = 523, height = 4}
(gdb) print mUpdateRect
$4 = {x = 0, y = 0, width = 640, height = 4, static kMaxSizedIntRect = {x = 0, y = 0, width = 
    2147483647, height = 2147483647, 
    static kMaxSizedIntRect = <same as static member of an already seen type>}}

Thus, mUpdateRect is 640x4 and does not fit in the 523x4 rect.

Letting the authors handle this, as I don't want to hide a real bug by sweeping it under the carpet...
Not resizing texture images properly might be leading to drawing glitches, if that's what's going on here.
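As an added illustration of the failure path Comment 1 traces (this is constructed example code, not Mozilla's): a BeginUpdate that refuses an update rect outside the image and returns null, beside an Upload that checks that null instead of dereferencing it. IntSize, IntRect, Context and TextureImage are stand-in types I made up to mirror nsIntSize, nsIntRect, gfxContext and the GLContext TextureImage.

```cpp
#include <memory>

// Constructed stand-ins for nsIntSize / nsIntRect (not Mozilla's types).
struct IntSize { int width, height; };
struct IntRect {
    int x, y, width, height;
    // Mirrors nsIntRect::Contains: true when r lies fully inside *this.
    bool Contains(const IntRect& r) const {
        return r.x >= x && r.y >= y &&
               r.x + r.width  <= x + width &&
               r.y + r.height <= y + height;
    }
};

// Stand-in for gfxContext: the object the crash dereferenced as this=0x0.
struct Context {
    int op = 0;
    void SetOperator(int o) { op = o; }
};

// Minimal TextureImage: BeginUpdate refuses an update that does not fit the
// backing texture, as GLContext.cpp:572 does, and returns null instead of a
// drawing context (the NS_ERROR only logs; the caller must handle the null).
struct TextureImage {
    IntSize mSize;
    std::unique_ptr<Context> BeginUpdate(const IntRect& updateRect) {
        IntRect bounds{0, 0, mSize.width, mSize.height};
        if (!bounds.Contains(updateRect)) {
            return nullptr;   // "update outside of image"
        }
        return std::make_unique<Context>();
    }
};

// Caller as the crash shows it: the result is used unconditionally, so a
// null return from BeginUpdate becomes the SetOperator(this=0x0) crash.
bool UploadUnchecked(TextureImage& img, const IntRect& rect) {
    auto dest = img.BeginUpdate(rect);
    dest->SetOperator(1);     // null dereference when the rect did not fit
    return true;
}

// Hardened caller: a null update context is reported as a failed upload
// rather than dereferenced.
bool UploadChecked(TextureImage& img, const IntRect& rect) {
    auto dest = img.BeginUpdate(rect);
    if (!dest) return false;  // rect (e.g. 640x4) exceeds image (e.g. 523x4)
    dest->SetOperator(1);
    return true;
}
```

With the values from the gdb session (image 523x4, update rect 640x4) UploadChecked returns false where UploadUnchecked would crash; the check only avoids the null dereference, the size mismatch itself still needs the real fix.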

Comment 3

7 years ago
By the way, since this NS_ERROR here causes a pointer, which is going to be dereferenced, to be null, shouldn't it be a fatal error? i.e. replace NS_ERROR by NS_ABORT?

This sure would have made this bug easier to understand!
Blocks: 607684
Assignee: nobody → jones.chris.g
tracking-fennec: --- → ?
Summary: Fennec OpenGL layer crashes [@ShadowBufferOGL::Upload] in WebM video playback and in WebGL. → Fennec OpenGL layer crashes [@ShadowBufferOGL::Upload] [@ gfxContext::SetOperator ] in WebM video playback and in WebGL.

Comment 4

7 years ago
I'm hitting this crash repeatedly when I try to view a crash report with layers.accelerate-all enabled.
I can reliably reproduce a crash that looks a lot like this, on desktop, with

 (1) Load http://double.co.nz/video_test/test2.html
 (2) Resize fennec's window smaller
 (3) Press the "Play" button on the page

The crash happens almost instantly, and there's the "update out of range" assertion.

Doesn't happen on resizing larger.
Created attachment 496618 [details] [diff] [review]
Updates to thebes-layer textures must account for resolution

Comment in the patch describes the issue.

(After I finished the patch, I got sense of deja vu.  Did Matt already fix this somewhere else?)
Attachment #496618 - Flags: review?(matt.woodrow+bugzilla)
Attachment #496618 - Flags: review?(jmuizelaar)
This absolutely needs to block fennec beta4.  This bug cause both crashes and bad rendering glitches.
tracking-fennec: ? → 2.0b4+
Comment on attachment 496618 [details] [diff] [review]
Updates to thebes-layer textures must account for resolution

This looks good to me.
Attachment #496618 - Flags: review?(jmuizelaar) → review+
Last Resolved: 7 years ago
Resolution: --- → FIXED
Duplicate of this bug: 618261
Attachment #496618 - Flags: review?(matt.woodrow)