crash [@ TOutputGLSLBase::visitConstantUnion] on Galaxy S II (Mali-400 MP GPU)

RESOLVED WORKSFORME

Product: Core
Component: Canvas: WebGL
Priority: --
Severity: critical
Opened: 7 years ago
Last resolved: 6 years ago
Reporter: nhirata
Assignee: Unassigned
Keywords: crash
Version: Trunk
Platform: ARM, Android
Whiteboard: [mobile-crash]

This bug was filed from the Socorro interface and is report bp-ac9a2f5a-da3b-4c38-9691-f77d32110916.
============================================================= 
Frame 	Module 	Signature 	Source
0 	libmozutils.so 	arena_dalloc 	memory/jemalloc/jemalloc.c:4306
1 	libmozutils.so 	__wrap_free 	memory/jemalloc/jemalloc.c:6260
2 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:98
3 	libxul.so 	std::__node_alloc::deallocate 	mozalloc.h:253
4 	libxul.so 	std::priv::_String_base<char, std::allocator<char> >::_M_deallocate_block 	_string_base.h:102
5 	libxul.so 	std::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_append 	_string_base.h:160
6 	libxul.so 	TOutputGLSLBase::writeConstantUnion 	_string_base.h:156
7 	libxul.so 	TOutputGLSLBase::visitConstantUnion 	gfx/angle/src/compiler/OutputGLSLBase.cpp:208
8 	libxul.so 	TIntermConstantUnion::traverse 	gfx/angle/src/compiler/IntermTraverse.cpp:34
9 	libxul.so 	TIntermBinary::traverse 	gfx/angle/src/compiler/IntermTraverse.cpp:82
10 	libxul.so 	TIntermAggregate::traverse 	gfx/angle/src/compiler/IntermTraverse.cpp:163
11 	libxul.so 	TIntermBinary::traverse 	gfx/angle/src/compiler/intermediate.h:537
12 	libxul.so 	TOutputGLSLBase::visitAggregate 	gfx/angle/src/compiler/OutputGLSLBase.cpp:454
13 	libxul.so 	TIntermAggregate::traverse 	gfx/angle/src/compiler/IntermTraverse.cpp:135
14 	libxul.so 	TOutputGLSLBase::visitCodeBlock 	gfx/angle/src/compiler/OutputGLSLBase.cpp:707
15 	libxul.so 	TOutputGLSLBase::visitAggregate 	gfx/angle/src/compiler/intermediate.h:537
16 	libxul.so 	TIntermAggregate::traverse 	gfx/angle/src/compiler/IntermTraverse.cpp:135
17 	libxul.so 	TOutputGLSLBase::visitAggregate 	gfx/angle/src/compiler/OutputGLSLBase.cpp:454
18 	libxul.so 	TIntermAggregate::traverse 	gfx/angle/src/compiler/IntermTraverse.cpp:135
19 	libxul.so 	TranslatorESSL::translate 	gfx/angle/src/compiler/OutputGLSLBase.h:17
20 	libxul.so 	TCompiler::compile 	gfx/angle/src/compiler/Compiler.cpp:181
21 	libxul.so 	ShCompile 	gfx/angle/src/compiler/ShaderLang.cpp:169
22 	libxul.so 	mozilla::WebGLContext::CompileShader 	content/canvas/src/WebGLContextGL.cpp:4015
23 	libxul.so 	nsIDOMWebGLRenderingContext_CompileShader 	obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:29817
24 	libxul.so 	js::Interpret 	js/src/jscntxtinlines.h:305
25 	libxul.so 	UncachedInlineCall 	js/src/vm/Stack.h:1259
26 	libxul.so 	js::mjit::stubs::UncachedCallHelper 	js/src/methodjit/InvokeHelpers.cpp:480
27 	libxul.so 	js::mjit::ic::Call 	js/src/methodjit/MethodJIT.h:347
28 	libxul.so 	libxul.so@0xbdc43e 	
29 	libxul.so 	js::mjit::ic::Call 	js/src/methodjit/MonoIC.cpp:1141
30 	libxul.so 	js::mjit::JaegerShot 	js/src/vm/Stack.h:1410
31 	libxul.so 	js::RunScript 	js/src/jsinterp.cpp:611
32 	libxul.so 	js::Invoke 	js/src/vm/Stack.h:1002
33 	libxul.so 	JS_CallFunctionValue 	js/src/jscntxt.h:1302
34 	libxul.so 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1928
35 	libxul.so 	nsGlobalWindow::RunTimeout 	nsCOMPtr.h:863
36 	libxul.so 	nsGlobalWindow::TimerCallback 	nsAutoPtr.h:907
37 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:425
38 	libxul.so 	nsTimerEvent::Run 	nsAutoPtr.h:907
39 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:631
40 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
41 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
42 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
43 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:209
44 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:487
45 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:191
46 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:677
47 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
48 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:209
49 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:487
50 	libxul.so 	XRE_InitChildProcess 	nsAutoPtr.h:155
51 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:778
52 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
53 	libc.so 	libc.so@0xd412

More reports : https://crash-stats.mozilla.com/report/list?range_value=7&range_unit=days&date=2011-09-19%2009%3A00%3A00&signature=arena_dalloc%20%7C%20__wrap_free%20%7C%20moz_free%20%7C%20std%3A%3A__node_alloc%3A%3Adeallocate&version=Fennec%3A9.0a1
STR: 
1. Visit http://www.ro.me/

Expected: no content crash
Actual: Error in console : Browser.selectedTab.browser.__SS_data is undefined
Source File: chrome://browser/content/browser.js Line: 2602
and content crash.

Most likely a dup of bug 689022?  Same crashing but different crash signature?
See also https://crash-stats.mozilla.com/report/index/bp-ca064039-fb96-4e22-89f0-5ef802111007 .

I've only seen crashes like this on the Galaxy S II (Exynos 4210 chipset w/ Mali-400 MP GPU), but on there I can reproduce this crash 100%.  It also appears on http://media.tojicode.com/q3bsp/ .  This crash also shows up on many other WebGL demos.

Component: Graphics → Canvas: WebGL
QA Contact: thebes → canvas.webgl
Summary: crash [@ TOutputGLSLBase::visitConstantUnion] → crash [@ TOutputGLSLBase::visitConstantUnion] on Galaxy S II (Mali-400 MP GPU)

I had the opportunity to poke at this for a few minutes a couple of weeks ago.  I noticed two things

 - this crash *doesn't* happen with the dirt-simple shaders in the B2G home screen (webgl version)

 - the crash is 100% reproducible on http://media.tojicode.com/q3bsp/, which has much more interesting shaders.

 - the crash appears to be a mismatched allocator problem when (reallocing?) data.  I forget the details.  At the time, it made me think that the bug was dependent on the string length of the shader.

 - this is STL code inside ANGLE, using stlport

This all makes me suspect it might be a problem with our build/link/something that happens to appear on the sgs2.  Maybe not an ANGLE bug (except possibly in our usage).

Valgrind would nail this down quickly, I suspect.
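
Added example, not part of the bug thread and not ANGLE or STLport code: a constructed model of how the allocator-mismatch hypothesis in the comment above could depend on string length, with an ownership check at the release boundary that reports the mismatch. The two arenas, the 128-byte threshold and every name here are assumptions; the bug was closed without the actual cause being identified.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Bump arena over a fixed buffer; it can tell whether it handed out a pointer.
struct Arena {
    alignas(16) unsigned char buf[8192];
    std::size_t used = 0;
    void* alloc(std::size_t n) {
        n = (n + 15) & ~static_cast<std::size_t>(15);  // 16-byte granules
        if (n > sizeof buf - used) return nullptr;
        return buf + ((used += n) - n);
    }
    bool owns(const void* p) const {
        auto a = reinterpret_cast<std::uintptr_t>(p), b = reinterpret_cast<std::uintptr_t>(buf);
        return a >= b && a < b + used;
    }
};

// Hypothetical buffer layer: small requests use `pool`, larger ones `heap`.
struct StringBuffers {
    static constexpr std::size_t kSmallMax = 128;  // assumed threshold
    Arena pool, heap;
    std::size_t mismatches = 0;
    void* allocate(std::size_t n) { return n <= kSmallMax ? pool.alloc(n) : heap.alloc(n); }
    // Modelled defect: releases go to `pool`; the check counts and refuses foreign blocks.
    bool release(void* p) {
        if (!pool.owns(p)) ++mismatches;
        return pool.owns(p);
    }
};

// Grow a buffer as appends do (allocate bigger, release old); count bad releases.
std::size_t mismatches_for_length(std::size_t final_len) {
    StringBuffers sb;
    std::size_t cap = 16;
    void* cur = sb.allocate(cap);
    while (cap < final_len) {
        void* next = sb.allocate(cap *= 2);
        sb.release(cur);
        cur = next;
    }
    sb.release(cur);
    return sb.mismatches;
}

int main() {
    const std::size_t lens[] = {64, 128, 129, 1000};
    for (std::size_t n : lens) std::printf("%zu -> %zu\n", n, mismatches_for_length(n));
}
```

In this model, buffers that never exceed the threshold release cleanly, and the first mismatch appears only once a string crosses it, which is the kind of length dependence an allocator-boundary assertion or Valgrind makes visible.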

Blocks: 715782

I was sorta hoping this would be fixed by bug 709947 ... do these crashes still happen?

wfm in the native-fennec nightly.  Will file another bug if I repro.

Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME