Closed Bug 653419 Opened 14 years ago Closed 14 years ago

WebGL crash [@ mozilla::WebGLContext::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::CanvasLayer*, mozilla::layers::LayerManager*) ]

Categories

(Core :: Graphics: CanvasWebGL, defect)

Product:
Core
Component:
Graphics: CanvasWebGL
Version:
2.0 Branch
Platform:
All
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox5 --- fixed

People

(Reporter: Virtual, Assigned: bjacob)

References

(
URL
)

Details

(Keywords: nightly-community)

Crash Data

Attachments

(3 files, 1 obsolete file)

handle null gl pointer
1017 bytes, patch
joe
: review-
Details | Diff | Splinter Review
correctly mark WebGL context creation as successful
1.38 KB, patch
joe
: review+
asa
: approval-mozilla-aurora+
dveditz
: approval2.0-
Details | Diff | Splinter Review
check for null gl ptr in SetDimensions NOP path
804 bytes, patch
joe
: review+
asa
: approval-mozilla-aurora+
dveditz
: approval2.0-
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110427 Firefox/6.0a1 Build Identifier: Crashlogs: https://crash-stats.mozilla.com/report/index/551ae92e-7c08-4a77-ad99-c3bc62110428 https://crash-stats.mozilla.com/report/index/d53c4e0b-232f-4202-bbb2-971e52110428 https://crash-stats.mozilla.com/report/index/ceabb40e-799a-4271-9aa9-110d52110428 https://crash-stats.mozilla.com/report/index/fc63c5ef-f2aa-466a-b4c1-cf5c82110428 Graphic info Adapter Description - NVIDIA GeForce 8600 GT Vendor ID - 10de Device ID - 0402 Adapter RAM - 256 Adapter Drivers - nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um Driver Version - 8.17.12.7061 Driver Date - 4-7-2011 Direct2D Enabled - true DirectWrite Enabled - true (6.1.7601.17563) WebGL Renderer - NVIDIA Corporation -- GeForce 8600 GT/PCI/SSE2 -- 3.3.0 GPU Accelerated Windows - 1/1 Direct3D 10 Reproducible: Always
Attached patch handle null gl pointer β€” β€” Splinter Review
Attachment #528837 - Flags: review?(joe)
Attachment #528838 - Flags: review?(joe)
Attachment #528838 - Attachment is obsolete: true
Attachment #528838 - Flags: review?(joe)
Attachment #528846 - Flags: review?(joe)
OK, I don't fully understand this bug, here's what I know. There are at least 2 bugs here. 1) The first bug is the crash. It is a read at address 0 at this line of code: void* native_surface = gl->GetNativeData(gl::GLContext::NativeImageSurface); Since GetNativeData is a virtual method, that crash almost certainly means that the gl pointer is null. The 'handle null gl pointer' patch is a bruteforce fix for it, the 'check for null gl ptr in SetDimensions NOP path' patch is an attempt at a smart fix (see below). 2) The second bug is that the AppNotes entries for WebGL are unreliable because of a bug, which is fixed by the 'correctly mark WebGL context creation as successful' patch. So in any case I would like this patch to go it, it will at least allow us to get accurate crash reports. Here's what I don't know: The AppNotes say: AdapterVendorID: 10de, AdapterDeviceID: 0402, AdapterDriverVersion: 8.17.12.7061 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ WebGL? EGL? EGL- WGL? GL Context? GL Context+ WGL+ WebGL+ WebGL- There are 2 ways to interprete that. 1) one way is to say that the last WebGL- is produced by the above-discussed bug i.e. there never was a WebGL context creation failure, there just was a SetDimensions call that returned early here: if (mWidth == width && mHeight == height) return NS_OK; The bug (null gl pointer) could the be explained in the scenario of a race condition between destroying and resizing a WebGL context. 2) another way is to take the WebGL- seriously, despite the above-discussed bug which can produce bogus WebGL-. One thing that pleads for this is the EGL-. Something is really wrong on this machine: despite using a recent NVIDIA driver, it failed to create a ANGLE EGL context. So it tried WGL as fallback. That worked once and, under this hypothesis, failed the second time. It is still not clear how we ended up calling GetCanvasLayer on a failed WebGL context object.
Ah! Didn't see that this is a 64bit build. That explains why EGL fails. I suggest taking the 2nd and 3rd patch; perhaps we can pass on the 1st patch for now.
@ Virtual_ManPL: 64bit builds on Windows are not supported yet.
Summary: WebGL crash [@ mozilla::WebGLContext::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::CanvasLayer*, mozilla::layers::LayerManager*) ] → WebGL Win64 crash [@ mozilla::WebGLContext::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::CanvasLayer*, mozilla::layers::LayerManager*) ]
(In reply to comment #7) > @ Virtual_ManPL: 64bit builds on Windows are not supported yet. I know that "officially" 64bit builds of Firefox for Windows aren't supported yet, but someone need to test them and report bugs, so you guys will have less job to do in the future and we will have fewer bugs :)
Confirm this bug. Tested in Firefox 4 in default profile. My reports: https://crash-stats.mozilla.com/report/index/bp-05197bea-07b7-4e1e-a05e-eb0152110428 https://crash-stats.mozilla.com/report/index/1a3aac84-4f87-4c72-9a2f-ec2442110428 Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 ID:20110318052756 Graphics: Descrierea adaptorului NVIDIA GeForce 8600 GT ID furnizor 10de ID dispozitiv 0402 RAM pentru adaptor 512 Drivere pentru adaptor nvd3dum nvwgf2um,nvwgf2um Versiune driver 8.17.12.6724 Dată driver 2-23-2011 Direct2D activat true DirectWrite activa ttrue (6.1.7601.17563, font cache n/a) Motor de afișare WebGL Google Inc. -- ANGLE -- OpenGL ES 2.0 (ANGLE 0.0.0.541) Accelerare GPU Windows 1/1 Direct3D 10 My addons: Abduction! 3.0.10 About startup 0.1.5 about:me 0.5 about:response 0.1 Add-on Collector 2.0.1 Add-on Compatibility Reporter 0.8.3 AddonFox 1.1.7 Adobe Acrobat 10.0.1.434 Adobe Contribute Toolbar 6.0 [DISABLED] Blog Comment Autofill British English Dictionary 1.19.1 Bugzilla Tweaks 1.10 ChatZilla 0.9.86.1 Converter 1.0.9 Crash Report Helper 1.2 [DISABLED] Default 4.0 [DISABLED] Dicționar romÒnesc de corectare ortografică. 1.11 Download Statusbar 0.9.8 DownloadHelper 4.8.6 DownThemAll! 2.0.2 F1 by Mozilla Labs 0.8.3 FFixer 2.3.1 FileList V3 fireblur 1260925626 Firefox 4 Menu Button with icon+(Tabs in Titlebar) Firefox B 1260925626 [DISABLED] Flagfox 4.1.2 FlashGames Maximizer 3.1.3.86 [DISABLED] FlashGot 1.2.9.3 FoxTab 1.4.2 German Dictionary 2.0.2 Google Earth Plugin 1.0.0.1 Google Shortcuts 2.1.6 Google Talk Plugin 1.9.2.0 Google Talk Plugin Video Accelerator 0.1.43.5 Google Update 1.3.21.53 Greasefire 1.0.4 [DISABLED] Greasemonkey 0.9.2 Hard blockers counter 1.0.1 [DISABLED] IE Tab 2 (FF 3.6+) 2.12.21.1 IE Tab Plug-in 2.2.0.1 ImTranslator 4.01 Java Deployment Toolkit 6.0.240.7 6.0.240.7 Java(TM) Platform SE 6 U24 6.0.240.7 Massive Extender 1.0b5 Microsoft Office 2010 14.0.4730.1010 Microsoft Office 2010 14.0.4761.1000 Minefield - Better Add-on Bar/Status Bar [DISABLED] Movie Torrent Search Linker (for IMDB, Rotten Tomatoes and Yahoo Movies) 0.3.7.9 Mozilla Labs: Prospector - Home Dash 10 [DISABLED] Mozilla QA Companion 1.2.3 MozMill Crowd 0.1.2 Nightly and Aurora 1303328422 [DISABLED] Nightly Tester Tools 3.1.6 NoScript 2.1.0.2 NVIDIA 3D Vision 7.17.12.6099 NVIDIA 3D VISION 7.17.12.6099 Personas 1.6.2 Picasa 3.0.0.0 Power Twitter 1.60 Prism for Firefox 1.0b4 [DISABLED] Puppy Dogs... 1291695684 [DISABLED] QuickTime Plug-in 7.6.9 7.6.9.0 Read It Later 2.1.1 RealJukebox NS Plugin 12.0.1.647 RealNetworks(tm) RealPlayer Chrome Background Extension Plug-In (32-bit) 12.0.1.647 RealPlayer Version Plugin 12.0.1.647 RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) 12.0.1.647 RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) 12.0.1.647 ReminderFox 1.9.9.3.1 Sage 1.4.10 Shockwave Flash 10.2.159.1 Shockwave for Director 11.5.9.620 Show Just Image 2 2.5.3 Silverlight Plug-In 5.0.60401.0 startup.service 0.2 Status-4-Evar 2011.04.06.18 StumbleUpon 3.81 Stylish 1.1.2 Test Pilot 1.1 TortoiseSVN Menu 0.2.5 Ubiquity 0.6 [DISABLED] URL Fixer 2.0.3 Userscripts Updater Windows Live Photo Gallery 15.4.3508.1109 WiseStamp 2.2.1 Yahoo Application State Plugin 1.0.0.7 Yoono 7.6.5 YouTube Enhancer 2010-12-18
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, crashreportid
Hardware: x86_64 → All
Raul: this seems like a separate bug, it would be a good idea to file it separately. Indeed your Firefox survives the line that's crashy in the original report here. That means that gl!=null in your case. The line that's crashy for you is HRESULT hr = mTexture->Map(0, D3D10_MAP_WRITE_DISCARD, 0, &map); in CanvasLayerD3D10::Updated(). Could well be that the mTexture pointer was null.
Also confirmed in Nightly. Mozilla/5.0 (Windows NT 6.1; rv:6.0a1) Gecko/20110428 Firefox/6.0a1 ID:20110428030557 Crash reports: https://crash-stats.mozilla.com/report/index/8257dd4e-5e84-4b40-8707-5053d2110428 https://crash-stats.mozilla.com/report/index/aaf756f6-7d42-48b8-8f48-8697e2110428
(In reply to comment #10) > Raul: this seems like a separate bug, it would be a good idea to file it > separately. Indeed your Firefox survives the line that's crashy in the original > report here. That means that gl!=null in your case. The line that's crashy for > you is > HRESULT hr = mTexture->Map(0, D3D10_MAP_WRITE_DISCARD, 0, &map); > in CanvasLayerD3D10::Updated(). Could well be that the mTexture pointer was > null. Oh! Not same bug? Sorry.
And also, crash report for my Nighlty is different bug?
I was the one that had problems originally on this and reported on MozillaZine. Here are my crash reports. Had earlier updated it to Catalyst 11.4 drivers. https://crash-stats.mozilla.com/report/index/bp-41306687-9555-4e25-acfc-d77b72110427 https://crash-stats.mozilla.com/report/index/bp-6bcabeaf-8ada-48f7-9309-c1e222110428
Definitely want to fix this, but Firefox 5 isn't supported on win64, so this doesn't need tracking-firefox5
tracking-firefox5: ?-
Comment on attachment 528837 [details] [diff] [review] handle null gl pointer Review of attachment 528837 [details] [diff] [review]: I'm not really in favour of adding null checks at seemingly arbitrary points in the code, and, as Benoit says in comment 6, we probably don't need this patch.
Attachment #528837 - Flags: review?(joe) → review-
Attachment #528846 - Flags: review?(joe) → review+
Attachment #528847 - Flags: review?(joe) → review+
Attachment #528846 - Flags: approval2.0?
Attachment #528846 - Flags: approval-mozilla-aurora?
Comment on attachment 528847 [details] [diff] [review] check for null gl ptr in SetDimensions NOP path These two patches are low-risk; one fixes a serious crasher (not just on Win64), the other one improves the quality of crash reports. Recommending for both Firefox 4 and Aurora/5.
Attachment #528847 - Flags: approval2.0?
Attachment #528847 - Flags: approval-mozilla-aurora?
Verified on Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110507 Firefox/6.0a1 But now I get other crash. bug #655589
Blocks: 655589
Status: RESOLVED → VERIFIED
Summary: WebGL Win64 crash [@ mozilla::WebGLContext::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::CanvasLayer*, mozilla::layers::LayerManager*) ] → WebGL crash [@ mozilla::WebGLContext::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::CanvasLayer*, mozilla::layers::LayerManager*) ]
Replying on bug 655589: it seems that you're still not using a build of Firefox that has these fixes.
Can you please go to about:buildconfig and paste the "built from" link?
Looks like a separate bug, though it could have caused the first bug that we fixed here. You're crashing at: if ((value = GetParsedAttr(nsGkAtoms::height)) && value->Type() == nsAttrValue::eInteger) { size.height = value->GetIntegerValue(); // <-- crash, deref null } If that crash were caused by value being null, then you should have crashed above, at value->Type() already. Indeed, neither of the methods here is virtual. So I rather think that GetIntegerValue() was inlined here (you're running an optimized build) and you're crashing inside of it: inline PRInt32 nsAttrValue::GetIntegerValue() const { NS_PRECONDITION(Type() == eInteger, "wrong type"); return (BaseType() == eIntegerBase) ? GetIntInternal() : GetMiscContainer()->mInteger; } The crash could well be explained if for example GetMiscContainer() were returning null. In any case please file this as a separate bug, against Canvas:2D, and please CC me.
Well, you can file as Canvas:WebGL if you want. I dont know what component is appropriate for generic HTMLCanvasElement code.
Attachment #528846 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #528847 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Please land for Aurora by Monday May 16 or the approval will potentially be lost. Please mark as status-firefox5 fixed when you do.
Assignee: nobody → bjacob
Attachment #528846 - Flags: approval2.0? → approval2.0-
Comment on attachment 528847 [details] [diff] [review] check for null gl ptr in SetDimensions NOP path Since we don't plan another 2.0-based release I assume you don't still want these approvals
Attachment #528847 - Flags: approval2.0? → approval2.0-
Crash Signature: [@ mozilla::WebGLContext::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::CanvasLayer*, mozilla::layers::LayerManager*) ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: