Closed Bug 727614 Opened 8 years ago Closed 8 years ago

WebGL crash in "004 Glass" demo on sgs2: double free in ANGLE ESSL back-end, or allocator mismatch?

Categories: Core :: Canvas: WebGL, defect
Platform: All / Gonk (Firefox OS)
Tracking: RESOLVED FIXED, target milestone mozilla13
People: Reporter: cjones, Assigned: bjacob
Attachments: 1 file

See attached URL.

I don't have a backtrace from the crash.  Just got it working very very late last night.

I have a small standalone version of the demo that crashes on my sgs2.  It seems to crash similarly on the akami.  Not sure about copyright here but can mail privately.
This doesn't crash in the latest fennec nightly on my non-b2g Galaxy S II.  (Though it performs like crap.)  Iiiiinteresting...
(gdb) bt
#0  arena_dalloc (ptr=0xb0370, offset=721776) at /home/cjones/mozilla/b2g/gecko/memory/jemalloc/jemalloc.c:4615
#1  0x800054a2 in __wrap_free (ptr=0xb0370) at /home/cjones/mozilla/b2g/gecko/memory/jemalloc/jemalloc.c:6580
#2  0x82d61854 in moz_free (ptr=0xb0370) at /home/cjones/mozilla/b2g/gecko/memory/mozalloc/mozalloc.cpp:97
#3  0x82219d40 in operator delete (__p=0xb0370, __n=721776) at ../../dist/include/mozilla/mozalloc.h:253
#4  __stl_delete (__p=0xb0370, __n=721776) at /home/cjones/mozilla/b2g/glue/gonk/ndk/sources/cxx-stl/stlport/stlport/stl/_new.h:135
#5  std::__node_alloc::deallocate (__p=0xb0370, __n=721776) at /home/cjones/mozilla/b2g/glue/gonk/ndk/sources/cxx-stl/stlport/stlport/stl/_alloc.h:161
#6  0x8221a152 in deallocate (this=0x576d8, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/glue/gonk/ndk/sources/cxx-stl/stlport/stlport/stl/_alloc.h:323
#7  _M_deallocate_block (this=0x576d8, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/glue/gonk/ndk/sources/cxx-stl/stlport/stlport/stl/_string_base.h:97
#8  ~_String_base (this=0x576d8, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/glue/gonk/ndk/sources/cxx-stl/stlport/stlport/stl/_string_base.h:156
#9  std::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string (this=0x576d8, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/glue/gonk/ndk/sources/cxx-stl/stlport/stlport/stl/_string_fwd.h:32
#10 0x82b0f972 in ~TInfoSinkBase (this=0x576a8, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/gecko/gfx/angle/src/compiler/InfoSink.h:38
#11 TInfoSink::~TInfoSink (this=0x576a8, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/gecko/gfx/angle/src/compiler/InfoSink.h:108
#12 0x82b0fc3a in TCompiler::~TCompiler (this=0x57620, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/gecko/gfx/angle/src/compiler/Compiler.cpp:101
#13 0x82b296aa in TranslatorESSL::~TranslatorESSL (this=0xb0370, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/gecko/gfx/angle/src/compiler/TranslatorESSL.h:12
#14 0x82b296be in TranslatorESSL::~TranslatorESSL (this=0xb0370, __in_chrg=<value optimized out>) at /home/cjones/mozilla/b2g/gecko/gfx/angle/src/compiler/TranslatorESSL.h:12
#15 0x82225070 in ns_if_addref<nsISupports*> (expr=0xb0370) at ../../../dist/include/nsISupportsUtils.h:94
#16 0x82b1bb80 in ShDestruct (handle=0x57620) at /home/cjones/mozilla/b2g/gecko/gfx/angle/src/compiler/ShaderLang.cpp:160
#17 0x824b8494 in mozilla::WebGLContext::CompileShader (this=0x4150a140, sobj=<value optimized out>) at /home/cjones/mozilla/b2g/gecko/content/canvas/src/WebGLContextGL.cpp:4453
#18 0x8279d03c in nsIDOMWebGLRenderingContext_CompileShader (cx=0x402d5e00, argc=1, vp=0x40e00378) at /home/cjones/mozilla/b2g/gecko/objdir-prof-gonk/js/xpconnect/src/dom_quickstubs.cpp:22784
#19 0x82b8bc0e in CallJSNative (cx=0x402d5e00, entryFrame=<value optimized out>, interpMode=<value optimized out>) at /home/cjones/mozilla/b2g/gecko/js/src/jscntxtinlines.h:311

static inline void
arena_dalloc(void *ptr, size_t offset)
{
	arena_chunk_t *chunk;
	arena_t *arena;
	size_t pageind;
	arena_chunk_map_t *mapelm;

	assert(ptr != NULL);
	assert(offset != 0);
	assert(CHUNK_ADDR2OFFSET(ptr) == offset);

	chunk = (arena_chunk_t *) ((uintptr_t)ptr - offset);
	arena = chunk->arena;

(gdb) printf "%s", (char*)ptr
struct lightSource{
mediump int type;
highp vec3 direction;
highp vec3 color;
highp vec3 position;
} ;
[...]

Looks like a joyous mismatched allocator problem :/.
Summary: WebGL crash in "004 Glass" demo on sgs2 → WebGL crash in "004 Glass" demo on sgs2: double free in ANGLE ESSL back-end
Component: Graphics → Canvas: WebGL
QA Contact: thebes → canvas.webgl
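One arithmetic detail in frame 0 of the backtrace supports the mismatched-allocator reading: offset 721776 is 0xb0370, the pointer value itself, so the chunk base jemalloc computes as ptr minus offset is address 0, which is not inside any arena chunk. As an added illustration (not jemalloc or Gecko code; CHUNK_SIZE, CHUNK_MAGIC and the function names are hypothetical), the toy arena below shows how an allocator can recognise a pointer it does not own at free time, by recovering the chunk base from the address and checking it against its own chunk registry before touching any memory:

```c
#include <stdint.h>
#include <stdlib.h>
/* Toy arena, not jemalloc: chunks are CHUNK_SIZE-aligned, so a block's chunk base
 * is recoverable by masking its address, the trick behind CHUNK_ADDR2OFFSET(). */
#define CHUNK_SIZE  ((uintptr_t)1 << 16)   /* hypothetical 64 KiB; jemalloc's is larger */
#define CHUNK_MAGIC 0x4A454D41u            /* constructed owner tag */
#define MAX_CHUNKS  4
typedef struct { uint32_t magic; size_t bump; void *raw; } chunk_hdr_t;
static chunk_hdr_t *g_chunks[MAX_CHUNKS];
static int g_nchunks;
#define CHUNK_ADDR2OFFSET(p) ((size_t)((uintptr_t)(p) & (CHUNK_SIZE - 1)))
#define CHUNK_ADDR2BASE(p)   ((chunk_hdr_t *)((uintptr_t)(p) - CHUNK_ADDR2OFFSET(p)))

/* Over-allocate with malloc and align by hand so this builds on any C99 toolchain. */
static chunk_hdr_t *chunk_new(void) {
    char *raw = malloc(2 * CHUNK_SIZE);
    if (!raw) return NULL;
    chunk_hdr_t *c = (chunk_hdr_t *)(((uintptr_t)raw + CHUNK_SIZE - 1) & ~(CHUNK_SIZE - 1));
    c->magic = CHUNK_MAGIC;
    c->bump = sizeof *c;   /* header occupies the start of the chunk */
    c->raw = raw;          /* kept so the chunk could be released later */
    return c;
}

/* Bump allocation inside the first chunk; enough to model "block owned by this arena". */
void *arena_malloc(size_t n) {
    if (g_nchunks == 0) {
        chunk_hdr_t *fresh = chunk_new();
        if (!fresh) return NULL;
        g_chunks[g_nchunks++] = fresh;
    }
    chunk_hdr_t *c = g_chunks[0];
    n = (n + 15) & ~(size_t)15;
    if (c->bump + n > CHUNK_SIZE) return NULL;
    void *p = (char *)c + c->bump;
    c->bump += n;
    return p;
}

/* 0 if ptr lies in a chunk this arena owns, -1 if it is foreign (system malloc,
 * a stack address, an object pointer handed to the wrong free()). The registry
 * comparison comes first, so a foreign pointer's computed base is never dereferenced. */
int arena_dalloc_check(const void *ptr) {
    if (ptr == NULL || CHUNK_ADDR2OFFSET(ptr) < sizeof(chunk_hdr_t)) return -1;
    chunk_hdr_t *base = CHUNK_ADDR2BASE(ptr);
    for (int i = 0; i < g_nchunks; i++)
        if (g_chunks[i] == base && base->magic == CHUNK_MAGIC) return 0;
    return -1;
}
```

A real allocator (jemalloc included) does the same lookup far faster with a radix tree keyed on the chunk address; the point here is only that the ownership check happens before the arena metadata is trusted.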
The first thing that I don't understand is why we are using the ESSL back-end of ANGLE here (see frame 14 in comment 2). We used to, but had unexplained crashes and decided to switch back to the GLSL back-end on Android: see bug 709947.

(If you ask why we can use the GLSL back-end on a mobile device that only does ES, it's simple: since WebGL shaders are already ESSL, theoretically on ES devices we only need to validate them, we don't actually need the translation, we can just pass the original ES source to the GL. Well, that will stop being true with long identifier shortening (bug 676071) but that's a separate issue).

Here is the code that decides which back-end to use, in WebGLContext::CompileShader:

http://hg.mozilla.org/mozilla-central/file/6989376471f7/content/canvas/src/WebGLContextGL.cpp#l4378

  4378         compiler = ShConstructCompiler((ShShaderType) shader->ShaderType(),
  4379                                        SH_WEBGL_SPEC,
  4380 #ifdef MOZ_WIDGET_ANDROID
  4381                                        SH_GLSL_OUTPUT,
  4382 #else
  4383                                        gl->IsGLES2() ? SH_ESSL_OUTPUT : SH_GLSL_OUTPUT,
  4384 #endif
  4385                                        &resources);

Is MOZ_WIDGET_ANDROID not defined on B2G? Should we use ANDROID instead?
This patch will avoid the crash if MOZ_WIDGET_ANDROID is not defined on B2G.
Attachment #597787 - Flags: review?(joe)
> Looks like a joyous mismatched allocator problem :/.

Hah! Care to explain more how you see that? Maybe I concluded too fast that it was a double free. Holding off filing ANGLE bug for now.
Summary: WebGL crash in "004 Glass" demo on sgs2: double free in ANGLE ESSL back-end → WebGL crash in "004 Glass" demo on sgs2: double free in ANGLE ESSL back-end, or allocator mismatch?
This is vaguely disturbing but thanks for the quick turnaround! :)
Comment on attachment 597787 [details] [diff] [review]
use ANDROID instead of MOZ_WIDGET_ANDROID to decide which ANGLE backend to use

Will test, but this looks good & correct, and it did fix lots and lots of crashes on Android before.
Attachment #597787 - Flags: review?(joe) → review+
https://hg.mozilla.org/mozilla-central/rev/d2a3daf5c3c0
Assignee: nobody → bjacob
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13