Last Comment Bug 715916 - Crash [@ mozilla::gl::GLContext::UploadSurfaceToTexture ][@ XUL@0xf6ea2a ]
: Crash [@ mozilla::gl::GLContext::UploadSurfaceToTexture ][@ XUL@0xf6ea2a ]
Status: VERIFIED FIXED
[qa!]
: crash, regression, topcrash, verified-beta
Product: Core
Classification: Components
Component: Graphics (show other bugs)
: 10 Branch
: All All
: -- critical (vote)
: mozilla12
Assigned To: Matt Woodrow (:mattwoodrow) (PTO until 27 June)
:
Mentors:
: 700732 (view as bug list)
Depends on:
Blocks: 695275
  Show dependency treegraph
 
Reported: 2012-01-06 08:20 PST by Scoobidiver (away)
Modified: 2012-02-24 08:24 PST (History)
17 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
verified
+
verified
-
verified


Attachments
Check the result of GetFrame (1.03 KB, patch)
2012-01-10 13:58 PST, Matt Woodrow (:mattwoodrow) (PTO until 27 June)
joe: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
Details | Diff | Review
Check the result of GetFrame - mozilla-beta version (1.17 KB, patch)
2012-01-16 15:42 PST, Matt Woodrow (:mattwoodrow) (PTO until 27 June)
joe: review+
akeybl: approval‑mozilla‑beta+
Details | Diff | Review

Description Scoobidiver (away) 2012-01-06 08:20:46 PST
It's #7 top crasher in 10.0b2 on Mac OS X.
Comment 1 Benoit Jacob [:bjacob] (mostly away) 2012-01-06 08:22:43 PST
Can you please post a crash link?
Comment 2 Scoobidiver (away) 2012-01-06 08:29:40 PST
One comment says:
"User Comments	crashes every time I try to acces the website ultipro.com"

There are two kinds of stack traces:
* Firefox 10.0beta:
Frame 	Module 	Signature [Expand] 	Source
0 	XUL 	mozilla::gl::GLContext::UploadSurfaceToTexture 	gfx/thebes/GLContext.cpp:1910
1 	XUL 	mozilla::layers::CairoImageOGL::SetData 	gfx/layers/opengl/ImageLayerOGL.cpp:800
2 	XUL 	nsImageFrame::GetContainer 	layout/generic/nsImageFrame.cpp:1277
3 	XUL 	nsDisplayImage::GetContainer 	layout/generic/nsImageFrame.cpp:1216
4 	XUL 	mozilla::::ContainerState::PopThebesLayerData 	layout/base/FrameLayerBuilder.cpp:952
5 	XUL 	mozilla::::ContainerState::Finish 	layout/base/FrameLayerBuilder.cpp:1601
6 	XUL 	mozilla::FrameLayerBuilder::BuildContainerLayerFor 	layout/base/FrameLayerBuilder.cpp:1806
7 	XUL 	nsDisplayOwnLayer::BuildLayer 	layout/base/nsDisplayList.cpp:1860
8 	XUL 	mozilla::::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1379
9 	XUL 	mozilla::::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1331
10 	XUL 	mozilla::::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1331
11 	XUL 	mozilla::FrameLayerBuilder::BuildContainerLayerFor 	layout/base/FrameLayerBuilder.cpp:1800
12 	XUL 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:598
13 	XUL 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1700
14 	XUL 	PresShell::Paint 	layout/base/nsPresShell.cpp:5475
...

* Firefox 11.0a2 and 12.0a1:
Frame 	Module 	Signature [Expand] 	Source
0 	XUL 	mozilla::gl::GLContext::UploadSurfaceToTexture 	gfx/gl/GLContext.cpp:1946
1 	XUL 	mozilla::layers::CairoImageOGL::SetData 	gfx/layers/opengl/ImageLayerOGL.cpp:800
2 	XUL 	mozilla::imagelib::RasterImage::GetImageContainer 	image/src/RasterImage.cpp:966
3 	XUL 	nsDisplayImage::GetContainer 	layout/generic/nsImageFrame.cpp:1222
4 	XUL 	mozilla::::ContainerState::PopThebesLayerData 	layout/base/FrameLayerBuilder.cpp:976
5 	XUL 	mozilla::FrameLayerBuilder::BuildContainerLayerFor 	layout/base/FrameLayerBuilder.cpp:1626
6 	XUL 	nsDisplayOwnLayer::BuildLayer 	layout/base/nsDisplayList.cpp:1864
7 	XUL 	mozilla::::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1404
8 	XUL 	mozilla::::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1355
9 	XUL 	mozilla::::ContainerState::ProcessDisplayItems 	layout/base/FrameLayerBuilder.cpp:1355
10 	XUL 	mozilla::FrameLayerBuilder::BuildContainerLayerFor 	layout/base/FrameLayerBuilder.cpp:1836
11 	XUL 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:602
12 	XUL 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1714
13 	XUL 	PresShell::Paint 	layout/base/nsPresShell.cpp:5511
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agl%3A%3AGLContext%3A%3AUploadSurfaceToTexture
Comment 3 Matt Woodrow (:mattwoodrow) (PTO until 27 June) 2012-01-09 15:51:39 PST
I can't reproduce this on a nightly with OSX 10.7 - AMD Radeon 6770M
Comment 4 Jeff Muizelaar [:jrmuizel] 2012-01-09 15:59:31 PST
Some things that could help diagnosing this:
- a correlation report on the GPU and version of OS X
- a time when we started seeing these crashes

I don't know how to get either of these pieces of information out socorro.
Comment 5 Sheila Mooney 2012-01-09 16:36:27 PST
Technically the signature has been around since we shipped 4.0 but very low volume. I found only 2 of these crashes (4.0 and 5.0.1) in the month of Sept. I checked Oct and we only had 4 from (2011/10/09 through 2011/11/09). It increases to 21 in the 2 week period between (2011/11/09 and 2011/11/23). Looking more closely most of the crashes from that period are in 11.0a1 and 10.0a2 so it might be something that was checked into the trunk just before the cutover? The oldest build I during that period with the crash is the 11.0a1 - 20111111031514 and it's consistently higher in volume after that.

Let me check on a correlation report.
Comment 6 Jeff Muizelaar [:jrmuizel] 2012-01-09 17:25:44 PST
The based on that the best guess I have for a change that could cause this would be bug 697990. "Clean up GLES-specific workarounds for GL_UNPACK_ROW_LENGTH."
Comment 7 Henrik Skupin (:whimboo) 2012-01-10 03:33:44 PST
I'm able to reproduce this crash now when loading http://www.sdge.com/index.shtml on OS X 10.6.8. I will come up with more details soon.
Comment 8 Henrik Skupin (:whimboo) 2012-01-10 04:05:13 PST
The site sdge.com doesn't always crash for me. The crash is better reproducible with the URL as mentioned in comment 0. So here are my steps:

1. Create a fresh profile or delete the cache via the CRH dialog
2. Make sure Flash is enabled (I have 10.2.153.1 installed)
3. Open ultipro.com

After step 3 the browser always crashes for me. But only if the cache has been cleared before or we restore a session after a crash.

The regression for me starts between Firefox 9.0.1 and Firefox 10b1. Even we have reports for 9.0.1 listed on crash-stats I can't reproduce it with this version. It could be something different.

I will now work on the regression range.
Comment 9 Henrik Skupin (:whimboo) 2012-01-10 04:27:50 PST
(In reply to Jeff Muizelaar [:jrmuizel] from comment #6)
> The based on that the best guess I have for a change that could cause this
> would be bug 697990. "Clean up GLES-specific workarounds for
> GL_UNPACK_ROW_LENGTH."

I don't think so. I have tested a build from Nov 7th, 8th, and 9th, and all three are showing this crash. Interestingly the crash signature is not the same for Nightly builds. In my case it's changing to 'XUL@0xf6ea2a'

Nightly crash report: bp-bfb1e9a0-84fd-42aa-b0b7-120712120110
Comment 10 Henrik Skupin (:whimboo) 2012-01-10 04:45:30 PST
Regressed between the builds 2011-10-26-03 and 2011-10-27-03:

WORKS: http://hg.mozilla.org/mozilla-central/rev/cc66accc8181
FAILS: http://hg.mozilla.org/mozilla-central/rev/4bb7c983d589

Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc66accc8181&tochange=4bb7c983d589

Given that it highly correlates to the cache, I would assume that bug 689008 is related for this regression. CC'ing some parties who worked on that bug.
Comment 11 Henrik Skupin (:whimboo) 2012-01-10 04:52:33 PST
The crash also happens for Aurora and Nightly builds, so we should track it on all branches.
Comment 12 Henrik Skupin (:whimboo) 2012-01-10 05:00:10 PST
I have tried to run a debug tinderbox build but a build like the one below doesn't even start on 10.6.8. :/

http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1326186259/
Comment 13 Scoobidiver (away) 2012-01-10 05:00:29 PST
(In reply to Henrik Skupin (:whimboo) from comment #9)
> In my case it's changing to 'XUL@0xf6ea2a'
This crash signature happens in 10.0a1/20111107031104. As this kind of signatures changes with each build, if you want to track it in Socorro, you need to add a bunch of XUL crash signatures.
Comment 14 Ali Juma [:ajuma] 2012-01-10 07:03:56 PST
(In reply to Henrik Skupin (:whimboo) from comment #10)
> Regressed between the builds 2011-10-26-03 and 2011-10-27-03:
> 
> WORKS: http://hg.mozilla.org/mozilla-central/rev/cc66accc8181
> FAILS: http://hg.mozilla.org/mozilla-central/rev/4bb7c983d589
> 
> Pushlog:
> http://hg.mozilla.org/mozilla-central/
> pushloghtml?fromchange=cc66accc8181&tochange=4bb7c983d589

Looking at the stacks, this crash is happening when aSurface is null in GLContext::UploadSurfaceToTexture. In the given regression range, my best guess is Bug 695275.
Comment 15 Matt Woodrow (:mattwoodrow) (PTO until 27 June) 2012-01-10 13:58:00 PST
Created attachment 587461 [details] [diff] [review]
Check the result of GetFrame

I still can't reproduce this unfortunately.

This should fix the issue though.
Comment 16 Joe Drew (not getting mail) 2012-01-10 16:24:45 PST
Comment on attachment 587461 [details] [diff] [review]
Check the result of GetFrame

I haven't checked whether the GetImageContainer callers handle failure, but this is obviously correct.
Comment 17 Matt Woodrow (:mattwoodrow) (PTO until 27 June) 2012-01-10 16:34:20 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/c16d6dc44101
Comment 18 Henrik Skupin (:whimboo) 2012-01-11 04:26:44 PST
(In reply to Matt Woodrow (:mattwoodrow) from comment #15)
> I still can't reproduce this unfortunately.
> 
> This should fix the issue though.

Not sure if it is related but I also can't reproduce the crash with a debug build of Firefox build on 10.6.8. Once a build with the patch is included has been made available I will run a test against it.
Comment 19 Ed Morley [:emorley] 2012-01-11 18:19:17 PST
https://hg.mozilla.org/mozilla-central/rev/c16d6dc44101
Comment 20 Henrik Skupin (:whimboo) 2012-01-12 22:17:56 PST
Verified fixed with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0a1) Gecko/20120112 Firefox/12.0a1

Alex, this is a top crasher for us for Firefox 10. It would be great to see backports to Aurora and Beta.
Comment 21 JP Rosevear [:jpr] 2012-01-13 07:24:03 PST
Comment on attachment 587461 [details] [diff] [review]
Check the result of GetFrame

[Approval Request Comment]
Regression caused by (bug #): 
User impact if declined: 
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky):
Comment 22 JP Rosevear [:jpr] 2012-01-13 07:24:57 PST
Matt, can you do the assessment in #21?
Comment 23 Matt Woodrow (:mattwoodrow) (PTO until 27 June) 2012-01-13 13:27:09 PST
[Approval Request Comment]
Regression caused by (bug #): Bug 695275
User impact if declined: Frequent crashes.
Testing completed (on m-c, etc.): Baked on m-c for 2 days
Risk to taking this patch (and alternatives if risky): Very low risk, just checks for an error condition within imagelib, and reverts to the previous codepath if ti finds one.
Comment 24 Alex Keybl [:akeybl] 2012-01-16 12:44:11 PST
Comment on attachment 587461 [details] [diff] [review]
Check the result of GetFrame

[Triage Comment]
Deemed very low risk, and resolves a top crasher. Approved for Aurora/Beta.
Comment 25 Matt Woodrow (:mattwoodrow) (PTO until 27 June) 2012-01-16 15:42:17 PST
Created attachment 589052 [details] [diff] [review]
Check the result of GetFrame - mozilla-beta version

The existing patch doesn't apply on mozilla-beta because some code was moved. This is the equivalent patch, but in the old location.
Comment 26 Matt Woodrow (:mattwoodrow) (PTO until 27 June) 2012-01-16 15:42:53 PST
https://hg.mozilla.org/releases/mozilla-aurora/rev/2a3d24eab103
Comment 27 Alex Keybl [:akeybl] 2012-01-17 09:49:22 PST
Comment on attachment 589052 [details] [diff] [review]
Check the result of GetFrame - mozilla-beta version

[Triage Comment]
Approved for beta - please land ASAP so that this get's into today's build of beta 5.
Comment 28 Joe Drew (not getting mail) 2012-01-17 12:37:22 PST
*** Bug 700732 has been marked as a duplicate of this bug. ***
Comment 29 Matt Woodrow (:mattwoodrow) (PTO until 27 June) 2012-01-17 12:56:54 PST
https://hg.mozilla.org/releases/mozilla-beta/rev/4e02e7bfd700
Comment 30 Henrik Skupin (:whimboo) 2012-01-17 22:06:27 PST
(In reply to Matt Woodrow (:mattwoodrow) from comment #29)
> https://hg.mozilla.org/releases/mozilla-beta/rev/4e02e7bfd700

Matt, please also update the tracking flag once the patch has been landed. Thanks.
Comment 31 Simona B [:simonab] 2012-01-26 04:25:39 PST
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0

Verfied Fixed on Firefox 10b6 with a clean profile using the page mentioned in Comment 7(http://www.sdge.com/index.shtml). The page from Comment 2 doesn't load for me. 

I also looked in Socorro and I did not find any crashes on Firefox 10 beta after the fix has landed (the last crashes are on Firefox 10b4).

Is there another page I can use to verify this fix, so that I could mark this as verified on beta?
Comment 32 Henrik Skupin (:whimboo) 2012-01-26 05:04:25 PST
Both websites have been changed and I can't get Firefox to crash. So lets assume this is fixed. Thanks Simona.
Comment 33 Simona B [:simonab] 2012-02-24 07:14:22 PST
When trying to verify this on Firefox 11 beta 6 I found 4 crash-stats with the signature: [@ mozilla::layers::SurfaceToTexture ]
 
https://crash-stats.mozilla.com/report/index/4957bfc5-c6b0-4ed3-94dc-12a372120209
https://crash-stats.mozilla.com/report/index/42fd982a-31ed-4fc3-9752-ee8f92120217
https://crash-stats.mozilla.com/report/index/61723033-0e17-4094-b5d9-917fc2120221
https://crash-stats.mozilla.com/report/index/616c56f2-cb4c-4f5a-bcb9-32bd42120221

Do you think these crashes could be triggered by another bug or should this bug be reopened?
Comment 34 Scoobidiver (away) 2012-02-24 07:20:33 PST
(In reply to Simona B [QA] from comment #33)
> Do you think these crashes could be triggered by another bug or should this
> bug be reopened?
File a new bug because the stack is different.
Comment 35 Simona B [:simonab] 2012-02-24 07:42:21 PST
(In reply to Scoobidiver from comment #34)
> (In reply to Simona B [QA] from comment #33)
> > Do you think these crashes could be triggered by another bug or should this
> > bug be reopened?
> File a new bug because the stack is different.

Where can I find the stack for a crash report in the Socorro interface?
Comment 36 Scoobidiver (away) 2012-02-24 07:54:29 PST
(In reply to Simona B [QA] from comment #35)
> Where can I find the stack for a crash report in the Socorro interface?
It's named Crashing Thread. Compare it to the ones in comment 2. They are different.
Comment 37 Simona B [:simonab] 2012-02-24 08:24:51 PST
Filled Bug 730314.
Based on Comment 34 marking this as verified on Firefox 11 beta 4.

Thanks Scoobidiver for the guidance!

Note You need to log in before you can comment on or make changes to this bug.