656215 - Crash when creating a too-large WebGL canvas, and perhaps also too-large 2D canvas with GL layers

Status: VERIFIED FIXED

(Core :: Graphics: CanvasWebGL, defect)

Description

[Virtual_ManPL [:Virtual] 🇵🇱 - (please needinfo? me - so I will see your comment/reply/question/etc.)]

User-Agent:       Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110510 Firefox/6.0a1
Build Identifier: 

Crashlog:
https://crash-stats.mozilla.com/report/index/bp-c87f488e-22ab-4d24-b7de-966c32110511
https://crash-stats.mozilla.com/report/index/bp-6ad1289c-1e28-44ec-8ed7-095852110511
https://crash-stats.mozilla.com/report/index/bp-92cd67fe-61fc-42e2-b28e-4cd6b2110511
https://crash-stats.mozilla.com/report/index/bp-e2f2976c-4de2-4960-a3d5-54a9d2110510



Graphic info
Adapter Description - NVIDIA GeForce 8600 GT
Vendor ID - 10de
Device ID - 0402
Adapter RAM - 256
Adapter Drivers - nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
Driver Version - 8.17.12.7061
Driver Date - 4-7-2011
Direct2D Enabled - true
DirectWrite Enabled - true (6.1.7601.17563)
WebGL Renderer - NVIDIA Corporation -- GeForce 8600 GT/PCI/SSE2 -- 3.3.0
GPU Accelerated Windows - 1/1 Direct3D 10

Reproducible: Always

Comment 1

[Mike]

Mozilla/5.0 (X11; Linux i686; rv:6.0a1) Gecko/20110511 Firefox/6.0a1 also crash.
http://crash-stats.mozilla.com/report/index/bp-f6b11faa-cdbc-4734-acf5-88abb2110511

Comment 2

[Benoit Jacob [:bjacob] (mostly away)]

@ Mike: interesting crash, but different from the one originally reported here. Please file a separate bug.

Comment 3

[Benoit Jacob [:bjacob] (mostly away)]

0 	xul.dll 	mozilla::WebGLContext::GetCanvasLayer 	content/canvas/src/WebGLContext.cpp:682
1 	xul.dll 	nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> 	obj-firefox/dist/include/nsAutoPtr.h:969
2 	xul.dll 	nsHTMLCanvasElement::GetWidthHeight 	content/html/content/src/nsHTMLCanvasElement.cpp:118
3 	xul.dll 	nsHTMLCanvasElement::GetCanvasLayer 	content/html/content/src/nsHTMLCanvasElement.cpp:722

This stack is messed up. Frame 2, in nsHTMLCanvasElement::GetWidthHeight, certainly can't lead to Frame 0, in WebGLContext::GetCanvasLayer.

If Frame 2 is correct, see bug 653419 comment 25 for a discussion of what can have happened. This code was written back when we were using CVS so I don't know who knows it. Roc?

If Frame 0 is correct, that would mean that we again have a null gl pointer here as in bug 653419. Also, you still get "WebGL+ WebGL-" in AppNotes as if the patch from that bug wasn't working for you. I'm confused.

Can you use a debugger? If not I'll try to reproduce here but I'm busy at the moment.

Comment 4

[Virtual_ManPL [:Virtual] 🇵🇱 - (please needinfo? me - so I will see your comment/reply/question/etc.)]

I do some tests before debugging.
Firstly I open Fx in SafeMode, no crash.
Secondly I disable HW Acc, no crash
Thirdly  I enable only layers with D2D disabled, no crash.
Fourthly I enable only D2D with layers disabled, no crash.
In the end I enabled HW Acc, so all settings was the same like before, still no crash.
Odd, but Fx not crashing now. ;p



Also I get in this test that info:

This test ensures WebGL implementations correctly implement drawingbufferWidth/Height.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

FAIL successfullyParsed should be true. Threw exception ReferenceError: successfullyParsed is not defined

TEST COMPLETE

Comment 5

[Benoit Jacob [:bjacob] (mostly away)]

> FAIL successfullyParsed should be true. Threw exception ReferenceError:
> successfullyParsed is not defined
> 
> TEST COMPLETE

Can you check in the JS error console (Ctrl+Shift+J) if you have an error/exception there?

Comment 6

[Virtual_ManPL [:Virtual] 🇵🇱 - (please needinfo? me - so I will see your comment/reply/question/etc.)]

Error: create3DContext is not defined
Source File: https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/drawingbuffer-test.html
Line: 35

Comment 7

[Benoit Jacob [:bjacob] (mostly away)]

Holy #@$!

The link actually crashed me on linux x86-64.

WARNING: Allocation too large (would overflow)!: file /home/bjacob/mozilla-central/gfx/thebes/gfxASurface.cpp, line 386

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4ed5784 in gfxASurface::CairoSurface (this=0x0) at ../../dist/include/gfxASurface.h:118
118             NS_ASSERTION(mSurface != nsnull, "gfxASurface::CairoSurface called with mSurface == nsnull!");
(gdb) bt
#0  0x00007ffff4ed5784 in gfxASurface::CairoSurface (this=0x0)
    at ../../dist/include/gfxASurface.h:118
#1  0x00007ffff62b2756 in gfxPattern (this=0x17526a0, surface=0x0)
    at /home/bjacob/mozilla-central/gfx/thebes/gfxPattern.cpp:58
#2  0x00007ffff62ed24c in mozilla::layers::BasicCanvasLayer::PaintWithOpacity (this=0x1691610, 
    aContext=0x166bf10, aOpacity=1)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1009
#3  0x00007ffff62ed18d in mozilla::layers::BasicCanvasLayer::Paint (this=0x1691610, 
    aContext=0x166bf10) at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:999
#4  0x00007ffff62f09e2 in mozilla::layers::BasicShadowableCanvasLayer::Paint (this=0x1691610, 
    aContext=0x166bf10) at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:2132
#5  0x00007ffff62ef070 in mozilla::layers::BasicLayerManager::PaintLayer (this=0x1848b10, 
    aLayer=0x1691610, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0, 
    aReadback=0x7fffffffb410)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1504
#6  0x00007ffff62ef0ed in mozilla::layers::BasicLayerManager::PaintLayer (this=0x1848b10, 
    aLayer=0x1217ae0, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0, 
    aReadback=0x7fffffffb610)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1515
#7  0x00007ffff62ef0ed in mozilla::layers::BasicLayerManager::PaintLayer (this=0x1848b10, 
    aLayer=0x1849950, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0, 
    aReadback=0x0) at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1515
---Type <return> to continue, or q <return> to quit---
#8  0x00007ffff62ee80b in mozilla::layers::BasicLayerManager::EndTransactionInternal (
    this=0x1848b10, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1367
#9  0x00007ffff62ee433 in mozilla::layers::BasicLayerManager::EndTransaction (this=0x1848b10, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1324
#10 0x00007ffff62f2415 in mozilla::layers::BasicShadowLayerManager::EndTransaction (
    this=0x1848b10, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:2777
#11 0x00007ffff4d9ac83 in nsDisplayList::PaintForFrame (this=0x7fffffffc0a0, 
    aBuilder=0x7fffffffbaf0, aCtx=0x0, aForFrame=0xfb3480, aFlags=5)
    at /home/bjacob/mozilla-central/layout/base/nsDisplayList.cpp:607
#12 0x00007ffff4d9a6e4 in nsDisplayList::PaintRoot (this=0x7fffffffc0a0, aBuilder=0x7fffffffbaf0, 
    aCtx=0x0, aFlags=5) at /home/bjacob/mozilla-central/layout/base/nsDisplayList.cpp:515
#13 0x00007ffff4dcd339 in nsLayoutUtils::PaintFrame (aRenderingContext=0x0, aFrame=0xfb3480, 
    aDirtyRegion=..., aBackstop=4294967295, aFlags=260)
    at /home/bjacob/mozilla-central/layout/base/nsLayoutUtils.cpp:1633
#14 0x00007ffff4df565f in PresShell::Paint (this=0xe6e1e0, aViewToPaint=0xe5ed50, 
    aWidgetToPaint=0xe6def0, aDirtyRegion=..., aIntDirtyRegion=..., aPaintDefaultBackground=0, 
    aWillSendDidPaint=0) at /home/bjacob/mozilla-central/layout/base/nsPresShell.cpp:6051
#15 0x00007ffff5427713 in nsViewManager::RenderViews (this=0xe6f0c0, aView=0xe5ed50, 
    aWidget=0xe6def0, aRegion=..., aIntRegion=..., aPaintDefaultBackground=0, aWillSendDidPaint=0)
    at /home/bjacob/mozilla-central/view/src/nsViewManager.cpp:449
---Type <return> to continue, or q <return> to quit---
#16 0x00007ffff54275d6 in nsViewManager::Refresh (this=0xe6f0c0, aView=0xe5ed50, 
    aWidget=0xe6def0, aRegion=..., aUpdateFlags=1)
    at /home/bjacob/mozilla-central/view/src/nsViewManager.cpp:424
#17 0x00007ffff5428cdf in nsViewManager::DispatchEvent (this=0xe6f0c0, aEvent=0x7fffffffc810, 
    aView=0xe5ed50, aStatus=0x7fffffffc724)
    at /home/bjacob/mozilla-central/view/src/nsViewManager.cpp:930
#18 0x00007ffff5422a1c in HandleEvent (aEvent=0x7fffffffc810)
    at /home/bjacob/mozilla-central/view/src/nsView.cpp:160
#19 0x00007ffff5e6d64c in nsWindow::DispatchEvent (this=0xe6def0, aEvent=0x7fffffffc810, 
    aStatus=@0x7fffffffc9dc) at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:590
#20 0x00007ffff5e71799 in nsWindow::OnExposeEvent (this=0xe6def0, aWidget=0x96fa20, 
    aEvent=0x7fffffffd040) at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:2284
#21 0x00007ffff5e7a7b5 in expose_event_cb (widget=0x96fa20, event=0x7fffffffd040)
    at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:5548
#22 0x00007fffef422c78 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#23 0x00007fffefff247e in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#24 0x00007ffff00083f7 in ?? () from /usr/lib/libgobject-2.0.so.0
#25 0x00007ffff00098bd in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#26 0x00007ffff0009fc3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#27 0x00007fffef538f7f in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#28 0x00007fffef41c3a1 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#29 0x00007fffeee567b2 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#30 0x00007fffeee5326b in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#31 0x00007fffeee550e1 in gdk_window_process_all_updates () from /usr/lib/libgdk-x11-2.0.so.0
#32 0x00007fffeee55149 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#33 0x00007fffeee31d26 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#34 0x00007fffef9406f2 in g_main_context_dispatch () from /lib/libglib-2.0.so.0
#35 0x00007fffef944568 in ?? () from /lib/libglib-2.0.so.0

Comment 8

[Benoit Jacob [:bjacob] (mostly away)]

And here's a stack leading to the warning about too big allocation:

#0  gfxASurface::CheckSurfaceSize (sz=..., limit=0)
    at /home/bjacob/mozilla-central/gfx/thebes/gfxASurface.cpp:386
#1  0x00007ffff629744d in gfxImageSurface (this=0x177b870, size=..., 
    format=gfxASurface::ImageFormatARGB32)
    at /home/bjacob/mozilla-central/gfx/thebes/gfxImageSurface.cpp:123
#2  0x00007ffff62ecf0b in mozilla::layers::BasicCanvasLayer::UpdateSurface (this=0x7fffdc2564a0)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:951
#3  0x00007ffff62ed157 in mozilla::layers::BasicCanvasLayer::Paint (this=0x7fffdc2564a0, 
    aContext=0x1a4fb80) at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:997
#4  0x00007ffff62f09e2 in mozilla::layers::BasicShadowableCanvasLayer::Paint (
    this=0x7fffdc2564a0, aContext=0x1a4fb80)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:2132
#5  0x00007ffff62ef070 in mozilla::layers::BasicLayerManager::PaintLayer (this=0x17be7a0, 
    aLayer=0x7fffdc2564a0, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0, 
    aReadback=0x7fffffffb410)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1504
#6  0x00007ffff62ef0ed in mozilla::layers::BasicLayerManager::PaintLayer (this=0x17be7a0, 
    aLayer=0x7fffdc257a40, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0, 
    aReadback=0x7fffffffb610)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1515
#7  0x00007ffff62ef0ed in mozilla::layers::BasicLayerManager::PaintLayer (this=0x17be7a0, 
    aLayer=0x11eb770, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0, 
---Type <return> to continue, or q <return> to quit---
    aReadback=0x0) at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1515
#8  0x00007ffff62ee80b in mozilla::layers::BasicLayerManager::EndTransactionInternal (
    this=0x17be7a0, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1367
#9  0x00007ffff62ee433 in mozilla::layers::BasicLayerManager::EndTransaction (this=0x17be7a0, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:1324
#10 0x00007ffff62f2415 in mozilla::layers::BasicShadowLayerManager::EndTransaction (
    this=0x17be7a0, 
    aCallback=0x7ffff4d49d0c <mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*)>, aCallbackData=0x7fffffffbaf0)
    at /home/bjacob/mozilla-central/gfx/layers/basic/BasicLayers.cpp:2777
#11 0x00007ffff4d9ac83 in nsDisplayList::PaintForFrame (this=0x7fffffffc0a0, 
    aBuilder=0x7fffffffbaf0, aCtx=0x0, aForFrame=0xfb2e00, aFlags=5)
    at /home/bjacob/mozilla-central/layout/base/nsDisplayList.cpp:607
#12 0x00007ffff4d9a6e4 in nsDisplayList::PaintRoot (this=0x7fffffffc0a0, aBuilder=0x7fffffffbaf0, 
    aCtx=0x0, aFlags=5) at /home/bjacob/mozilla-central/layout/base/nsDisplayList.cpp:515
#13 0x00007ffff4dcd339 in nsLayoutUtils::PaintFrame (aRenderingContext=0x0, aFrame=0xfb2e00, 
    aDirtyRegion=..., aBackstop=4294967295, aFlags=260)
    at /home/bjacob/mozilla-central/layout/base/nsLayoutUtils.cpp:1633
#14 0x00007ffff4df565f in PresShell::Paint (this=0xe6dba0, aViewToPaint=0xe5e710, 
    aWidgetToPaint=0xe6d8b0, aDirtyRegion=..., aIntDirtyRegion=..., aPaintDefaultBackground=0, 
    aWillSendDidPaint=0) at /home/bjacob/mozilla-central/layout/base/nsPresShell.cpp:6051
#15 0x00007ffff5427713 in nsViewManager::RenderViews (this=0xe6ea80, aView=0xe5e710, 
    aWidget=0xe6d8b0, aRegion=..., aIntRegion=..., aPaintDefaultBackground=0, aWillSendDidPaint=0)
---Type <return> to continue, or q <return> to quit---
    at /home/bjacob/mozilla-central/view/src/nsViewManager.cpp:449
#16 0x00007ffff54275d6 in nsViewManager::Refresh (this=0xe6ea80, aView=0xe5e710, 
    aWidget=0xe6d8b0, aRegion=..., aUpdateFlags=1)
    at /home/bjacob/mozilla-central/view/src/nsViewManager.cpp:424
#17 0x00007ffff5428cdf in nsViewManager::DispatchEvent (this=0xe6ea80, aEvent=0x7fffffffc810, 
    aView=0xe5e710, aStatus=0x7fffffffc724)
    at /home/bjacob/mozilla-central/view/src/nsViewManager.cpp:930
#18 0x00007ffff5422a1c in HandleEvent (aEvent=0x7fffffffc810)
    at /home/bjacob/mozilla-central/view/src/nsView.cpp:160
#19 0x00007ffff5e6d64c in nsWindow::DispatchEvent (this=0xe6d8b0, aEvent=0x7fffffffc810, 
    aStatus=@0x7fffffffc9dc) at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:590
#20 0x00007ffff5e71799 in nsWindow::OnExposeEvent (this=0xe6d8b0, aWidget=0x96fa20, 
    aEvent=0x7fffffffd040) at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:2284
#21 0x00007ffff5e7a7b5 in expose_event_cb (widget=0x96fa20, event=0x7fffffffd040)
    at /home/bjacob/mozilla-central/widget/src/gtk2/nsWindow.cpp:5548
#22 0x00007fffef422c78 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#23 0x00007fffefff247e in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#24 0x00007ffff00083f7 in ?? () from /usr/lib/libgobject-2.0.so.0
#25 0x00007ffff00098bd in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#26 0x00007ffff0009fc3 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#27 0x00007fffef538f7f in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#28 0x00007fffef41c3a1 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#29 0x00007fffeee567b2 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#30 0x00007fffeee5326b in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#31 0x00007fffeee550e1 in gdk_window_process_all_updates () from /usr/lib/libgdk-x11-2.0.so.0
#32 0x00007fffeee55149 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#33 0x00007fffeee31d26 in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#34 0x00007fffef9406f2 in g_main_context_dispatch () from /lib/libglib-2.0.so.0

Comment 9

[Benoit Jacob [:bjacob] (mostly away)]

Here were are in gfxASurface::CheckSurfaceSize with a size of 32768x32768.

The warning is that 32768*32768*4 overflows as a 32bit integer.

Comment 10

[Benoit Jacob [:bjacob] (mostly away)]

So, this test resizes the canvas with size 32768, which results in WebGLContext::SetDimensions calls, which does

if (gl &&
    gl->ResizeOffscreen(gfxIntSize(width, height)))
{
    // everything's good, we're done here
    mWidth = width;
    mHeight = height;
    mResetLayer = PR_TRUE;
    return NS_OK;
}

The bug is that ResizeOffScreen doesn't check for GL errors. Both glTexImage2D and glRenderbufferStorage calls inside of it are producing GL_INVALID_VALUE errors because of the too large size, and it's ignoring them.

Comment 11

[Benoit Jacob [:bjacob] (mostly away)]

Attachment: check max size for textures and renderbuffers

This patch fixes this bug, but now I get the other bug that you were reporting:


JavaScript warning: https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/drawingbuffer-test.html, line 54: WebGL: Can't get a usable WebGL context
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp, line 144
JavaScript error: , line 0: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLCanvasElement.width]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/drawingbuffer-test.html :: <TOP_LEVEL> :: line 54"  data: no]
###!!! ASSERTION: You can't dereference a NULL nsRefPtr with operator->().: 'mRawPtr != 0', file ../../../dist/include/nsAutoPtr.h, line 1117

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff51dde8a in mozilla::WebGLContext::GetCanvasLayer (this=0x1414e70, 
    aBuilder=0x7fffffffbaf0, aOldLayer=0x0, aManager=0x104a080)
    at /home/bjacob/mozilla-central/content/canvas/src/WebGLContext.cpp:698
698         void* native_surface = gl->GetNativeData(gl::GLContext::NativeImageSurface);
(gdb) bt
#0  0x00007ffff51dde8a in mozilla::WebGLContext::GetCanvasLayer (this=0x1414e70, 
    aBuilder=0x7fffffffbaf0, aOldLayer=0x0, aManager=0x104a080)
    at /home/bjacob/mozilla-central/content/canvas/src/WebGLContext.cpp:698
#1  0x00007ffff5290675 in nsHTMLCanvasElement::GetCanvasLayer (this=0x1449240, 
    aBuilder=0x7fffffffbaf0, aOldLayer=0x0, aManager=0x104a080)
    at /home/bjacob/mozilla-central/content/html/content/src/nsHTMLCanvasElement.cpp:722
#2  0x00007ffff4ea195f in nsHTMLCanvasFrame::BuildLayer (this=0x16d6ef0, aBuilder=0x7fffffffbaf0, 
    aManager=0x104a080, aItem=0x16e4b50)
    at /home/bjacob/mozilla-central/layout/generic/nsHTMLCanvasFrame.cpp:278
#3  0x00007ffff4ea2330 in nsDisplayCanvas::BuildLayer (this=0x16e4b50, aBuilder=0x7fffffffbaf0, 
    aManager=0x104a080) at /home/bjacob/mozilla-central/layout/generic/nsHTMLCanvasFrame.cpp:103
#4  0x00007ffff4d4719c in ProcessDisplayItems (this=0x7fffffffaf20, aList=..., aClip=...)
    at /home/bjacob/mozilla-central/layout/base/FrameLayerBuilder.cpp:1342
#5  0x00007ffff4d46f05 in ProcessDisplayItems (this=0x7fffffffaf20, aList=..., aClip=...)
    at /home/bjacob/mozilla-central/layout/base/FrameLayerBuilder.cpp:1295
#6  0x00007ffff4d48638 in mozilla::FrameLayerBuilder::BuildContainerLayerFor (
    this=0x7fffffffbaf0, aBuilder=0x7fffffffbaf0, aManager=0x104a080, 
    aContainerFrame=0x7fffcc0f8668, aContainerItem=0x16e4d00, aChildren=...)
    at /home/bjacob/mozilla-central/layout/base/FrameLayerBuilder.cpp:1645
#7  0x00007ffff4d9df91 in nsDisplayOwnLayer::BuildLayer (this=0x16e4d00, aBuilder=0x7fffffffbaf0, 
    aManager=0x104a080) at /home/bjacob/mozilla-central/layout/base/nsDisplayList.cpp:1772
#8  0x00007ffff4d4719c in ProcessDisplayItems (this=0x7fffffffb6c0, aList=..., aClip=...)
    at /home/bjacob/mozilla-central/layout/base/FrameLayerBuilder.cpp:1342

Comment 12

[Benoit Jacob [:bjacob] (mostly away)]

Attachment: part 1: check max size for textures and renderbuffers

Updated. By putting the check there, we catch all GLContextProviderXxx::CreateOffscreen failures.

Comment 13

[Benoit Jacob [:bjacob] (mostly away)]

Attachment: part 2: null out failed contexts

The second part of the bug, apparently, was that when nsHTMLCanvasElement::UpdateContext() calls SetDimensions and that fails, we weren't remembering that mCurrentContext was bad.

This patch just sets mCurrentContext as null if any failure happens in UpdateContext.

That fixes the crash. Is that OK?

Comment 14

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Don't use goto here. Either replicate the mCurrentContext = nsnull or write nested ifs with NS_SUCCEEDED and an early return if everything succeeds.

Comment 15

[Benoit Jacob [:bjacob] (mostly away)]

Attachment: part 2: null out failed contexts

Here you go.

Comment 16

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 532723 [details] [diff] [review]
part 2: null out failed contexts

Review of attachment 532723 [details] [diff] [review]:
-----------------------------------------------------------------

Comment 17

[Benoit Jacob [:bjacob] (mostly away)]

I would like to be allowed to land this for Firefox 5 for the following reasons:
 * it's happening on all platforms
 * it might not be limited to WebGL, it might also affect 2D canvases with GL layers
 * it's easy to reproduce, just use an exceedingly large canvas
 * it's exposed by the trunk version of the WebGL test suite, which make it quite visible and embarrassed me as I can no longer point people to it.

Comment 18

[Joe Drew (not getting mail)]

Comment on attachment 531679 [details] [diff] [review]
part 1: check max size for textures and renderbuffers

Review of attachment 531679 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/thebes/GLContext.cpp
@@ +703,5 @@
>  PRBool
>  GLContext::ResizeOffscreenFBO(const gfxIntSize& aSize)
>  {
> +    if (!IsOffscreenSizeAllowed(aSize))
> +        return PR_FALSE;

Do we correctly handle dynamic failures, i.e., "out of video memory"-type failures? Just being within the limits isn't necessarily enough.

::: gfx/thebes/GLContext.h
@@ +974,5 @@
>              new BasicTextureImage(aTexture, aSize, aWrapMode, aContentType, aContext));
>          return teximage.forget();
>      }
>  
> +    PRBool IsOffscreenSizeAllowed(const gfxIntSize& aSize) const {

you can just use bool here, if you want.

@@ +976,5 @@
>      }
>  
> +    PRBool IsOffscreenSizeAllowed(const gfxIntSize& aSize) const {
> +        PRInt32 biggerDimension = PR_MAX(aSize.width, aSize.height);
> +        PRInt32 maxAllowed = PR_MIN(mMaxRenderbufferSize, mMaxTextureSize);

plz to use NS_MIN/NS_MAX instead of PR_*.

Comment 19

[Benoit Jacob [:bjacob] (mostly away)]

(In reply to comment #18)
> Comment on attachment 531679 [details] [diff] [review] [review]
> part 1: check max size for textures and renderbuffers
> 
> Review of attachment 531679 [details] [diff] [review] [review]:
> -----------------------------------------------------------------
> 
> ::: gfx/thebes/GLContext.cpp
> @@ +703,5 @@
> >  PRBool
> >  GLContext::ResizeOffscreenFBO(const gfxIntSize& aSize)
> >  {
> > +    if (!IsOffscreenSizeAllowed(aSize))
> > +        return PR_FALSE;
> 
> Do we correctly handle dynamic failures, i.e., "out of video memory"-type
> failures? Just being within the limits isn't necessarily enough.

Good point: as far as I can see, we don't handle that. I just filed bug 658563 as a follow-up about that.

Applying the rest of your review comments.

Comment 20

[Benoit Jacob [:bjacob] (mostly away)]

http://hg.mozilla.org/mozilla-central/rev/e0395d46d14d
http://hg.mozilla.org/mozilla-central/rev/693555498d57

Comment 21

[Virtual_ManPL [:Virtual] 🇵🇱 - (please needinfo? me - so I will see your comment/reply/question/etc.)]

Looks good, no crash.

FYI I now got this info:

This test ensures WebGL implementations correctly implement drawingbufferWidth/Height.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

PASS context exists

Checking drawingBufferWidth/drawingBufferHeight
FAIL gl.drawingBufferWidth should be 300 (of type number). Was undefined (of type undefined).
FAIL gl.drawingBufferHeight should be 150 (of type number). Was undefined (of type undefined).
PASS maxSize[0] > 0 is true
PASS maxSize[1] > 0 is true
MAX_VIEWPORT_DIMS = 8192x8192
FAIL successfullyParsed should be true. Threw exception ReferenceError: successfullyParsed is not defined

TEST COMPLETE



In error console got this:

Warning: WebGL: Can't get a usable WebGL context
Source File: https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/drawingbuffer-test.html
Line: 55

and

Error: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLCanvasElement.height]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: https://cvs.khronos.org/svn/repos/registry/trunk/public/webgl/sdk/tests/conformance/drawingbuffer-test.html :: <TOP_LEVEL> :: line 55"  data: no]

Comment 22

[Benoit Jacob [:bjacob] (mostly away)]

Could you file a new bug about that? With the graphics section of your about:support please.