RenderDocument for entire page of timecube.com OOMs due to CreateSamplingRestrictedDrawable

VERIFIED FIXED in Firefox 14

Status: VERIFIED FIXED
Product: Core
Component: Layout
Opened: 5 years ago
Updated: 5 years ago

People: Reporter: blassey, Assigned: vlad

Keywords: mobile
Version: unspecified
Target Milestone: mozilla15
Platform: x86, Mac OS X
Bug Flags: in-testsuite -

Firefox Tracking Flags: firefox14 verified, blocking-fennec1.0 +

Attachments: 2 attachments
When we take our screenshot (here: https://mxr.mozilla.org/mozilla-central/source/widget/android/AndroidBridge.cpp#2176) on timecube.com, Android's OOM killer kills Fennec.
(Reporter)

Updated

5 years ago
blocking-fennec1.0: --- → ?

Updated

5 years ago
Assignee: nobody → blassey.bugs
blocking-fennec1.0: ? → +
Very easy to reproduce: just load the page.

Updated

5 years ago
Keywords: mobile
Assignee: blassey.bugs → vladimir
We've got a couple of huge mallocs happening along the way:

I/GeckoApp(12054): Got message: DOMContentLoaded
I/Gecko-Memory(12054): huge_malloc: 7077888 bytes
I/Gecko-Memory(12054): huge_malloc: 13125208 bytes
...
I/GeckoAppShell(12054): Taking whole-screen screenshot, viewport: ImmutableViewportMetrics v=(0.0,0.0,720.0,1038.0) p=(2091.0,72642.0) z=0.734694
I/Gecko-Memory(12054): huge_malloc: 1105732 bytes
I/Gecko-Memory(12054): huge_malloc: 2097152 bytes
I/Gecko-Memory(12054): huge_malloc: 562785116 bytes

It's that last malloc of half a gig that's understandably killing us off :)
Oh, how I've missed EXTEND_PAD-related fun!  This is happening because we need to tile a 198x198 background image into the background, which happens to be very large (~2846 x 98873), but with a noninteger scale along the way.  We end up hitting the CreateSamplingRestrictedDrawable path, which wants to create the full resolution pre-tiled image so that we can get padding/etc. right... and we end up trying to allocate a 2846*98873*2 buffer to hold this temporary image.

Here's the relevant backtrace and some variables:

#0  huge_malloc (size=562785116, zero=false) at memory/jemalloc/jemalloc.c:4978
#1  0x5af9ef52 in imalloc (size=562785116) at memory/jemalloc/jemalloc.c:4194
#2  0x5af9ef6a in __wrap_malloc (size=562785116) at memory/jemalloc/jemalloc.c:6281
#3  0x5bec36b6 in moz_malloc (size=562785116) at memory/mozalloc/mozalloc.cpp:97
#4  0x623439e2 in TryAllocAlignedBytes (aSize=<optimized out>) at gfx/thebes/gfxImageSurface.cpp:122
#5  gfxImageSurface::gfxImageSurface (this=0x63e11400, size=..., format=gfxASurface::ImageFormatRGB16_565, aClear=true) at gfx/thebes/gfxImageSurface.cpp:139
#6  0x623571e8 in gfxAndroidPlatform::CreateOffscreenSurface (this=<optimized out>, size=..., contentType=<optimized out>) at gfx/thebes/gfxAndroidPlatform.cpp:89
#7  0x62354d52 in CreateSamplingRestrictedDrawable (aFormat=<optimized out>, aSubimage=<optimized out>, aSourceRect=<optimized out>, aUserSpaceToImageSpace=<optimized out>, aContext=<optimized out>, aDrawable=<optimized out>) at gfx/thebes/gfxUtils.cpp:322

aFormat = gfxASurface::ImageFormatRGB24
aSourceRect = { x = 0, y = 0, width = 2846.0000240205554, height = 98872.997137164668}
aSubimage = {x = 0, y = 0, width = 2846, height = 98874 }
aUserSpaceToImageSpace = 9 = (const gfxMatrix &) {xx = 5.5585937969151473, yx = 0, xy = 0, yy = 48.277830633381186, x0 = 0, y0 = 0}

needed = { x = 0, y = 0, width = 2846, height = 98873 }
2846 * 98873 * 2 (RGB16) = 562785116 bytes

#8  gfxUtils::DrawPixelSnapped (aContext=0x64369820, aDrawable=0x65b5d290, aUserSpaceToImageSpace=<optimized out>, aSubimage=<optimized out>, aSourceRect=..., aImageRect=..., aFill=..., aFormat=gfxASurface::ImageFormatRGB24, aFilter=gfxPattern::FILTER_GOOD, aImageFlags=1) at gfx/thebes/gfxUtils.cpp:524
#9  0x61cea022 in imgFrame::Draw (this=0x64b04ef0, aContext=0x64369820, aFilter=<optimized out>, aUserSpaceToImageSpace=<optimized out>, aFill=<optimized out>, aPadding=..., aSubimage=..., aImageFlags=1) at image/src/imgFrame.cpp:506

doTile = true!

*this = mImageSurface = {mRawPtr = 0x0}, mOptSurface = {mRawPtr = 0x5e5e6940}, 
  mSize = {<mozilla::gfx::BaseSize<int, nsIntSize>> = {width = 198, height = 198}, <No data fields>}, 
  mOffset = {<mozilla::gfx::BasePoint<int, nsIntPoint>> = {x = 0, y = 0}, <No data fields>}, 
  mDecoded = {<mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>> = {x = 0, y = 0, 
      width = 198, height = 198}, 
    static kMaxSizedIntRect = {<mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>> = {
        x = 0, y = 0, width = 2147483647, height = 2147483647}, 
      static kMaxSizedIntRect = <same as static member of an already seen type>}}, mPalettedImageData = 0x0, 
  mSinglePixelColor = {r = 0, g = 0, b = 0, a = 0}, mTimeout = 0, mDisposalMethod = 0, 
  mFormat = gfxASurface::ImageFormatRGB24, mPaletteDepth = 0 '\000', mBlendMethod = 1 '\001', 
  mSinglePixel = false, mNeverUseDeviceSurface = false, mFormatChanged = false, mCompositingFailed = false, 
  mNonPremult = false, mLocked = false, mInformedDiscardTracker = true}

#10 0x61ce720e in mozilla::image::RasterImage::Draw (this=0x657fc940, aContext=0x64369820, aFilter=gfxPattern::FILTER_GOOD, aUserSpaceToImageSpace=..., aFill=..., aSubimage=..., aFlags=1) at image/src/RasterImage.cpp:2636

aSubimage = {x = 0, y = 0, width = 2846, height = 98874 }
aUserSpaceToImageSpace = 9 = (const gfxMatrix &) {xx = 5.5585937969151473, yx = 0, xy = 0, yy = 48.277830633381186, x0 = 0, y0 = 0}

#11 0x61d28e78 in DrawImageInternal (aRenderingContext=<optimized out>, aImage=0x657fc940, aGraphicsFilter=gfxPattern::FILTER_GOOD, aDest=<optimized out>, aFill=..., aAnchor=..., aDirty=..., aImageSize=..., aImageFlags=1) at layout/base/nsLayoutUtils.cpp:3611
#12 0x61d2b7d0 in nsLayoutUtils::DrawBackgroundImage (aRenderingContext=0x65bd2240, aImage=0x657fc940, aImageSize=..., aGraphicsFilter=gfxPattern::FILTER_GOOD, aDest=..., aFill=..., aAnchor=..., aDirty=..., aImageFlags=1) at layout/base/nsLayoutUtils.cpp:3778
#13 0x61d14e56 in nsImageRenderer::Draw (this=0x5ec50ec0, aPresContext=<optimized out>, aRenderingContext=..., aDest=..., aFill=..., aAnchor=..., aDirty=...) at layout/base/nsCSSRendering.cpp:4092
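
An added example, not Gecko code and not the patch attached to this bug (which skips CreateSamplingRestrictedDrawable on mobile): it recomputes the temporary surface size from the `needed` rect in the backtrace above and rejects the pre-tiled path when the size exceeds a budget. All names, the 4-byte row alignment and the 64 MiB budget are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical names; illustrative only, not Gecko code.
enum class PixelFormat { RGB16_565, RGB24, ARGB32 };
enum class TilePlan { PreTiledTemp, DirectRepeat };

static uint64_t BytesPerPixel(PixelFormat f) {
  // RGB24 is stored in 32-bit pixels, as in cairo; only RGB16_565 is 2 bytes.
  return f == PixelFormat::RGB16_565 ? 2 : 4;
}

// Computes the bytes for a width x height surface with 4-byte-aligned rows
// (assumed alignment). Returns false for non-positive dimensions or a size
// that does not fit in size_t.
bool SurfaceBytes(int32_t width, int32_t height, PixelFormat f, size_t* out) {
  if (width <= 0 || height <= 0) return false;
  // 64-bit math: stride < 2^33 and height < 2^31, so the product fits uint64_t.
  uint64_t stride = (uint64_t(width) * BytesPerPixel(f) + 3) & ~uint64_t(3);
  uint64_t total = stride * uint64_t(height);
  if (total > std::numeric_limits<size_t>::max()) return false;
  *out = size_t(total);
  return true;
}

// Decide before allocating: use the pre-tiled temporary only if it fits the budget.
TilePlan PlanTiledDraw(int32_t neededW, int32_t neededH, PixelFormat f, size_t budget) {
  size_t bytes = 0;
  if (!SurfaceBytes(neededW, neededH, f, &bytes) || bytes > budget)
    return TilePlan::DirectRepeat;  // repeat the small tile; accept edge artifacts
  return TilePlan::PreTiledTemp;
}

const size_t kTempSurfaceBudget = 64u * 1024u * 1024u;  // assumed 64 MiB cap

int main() {
  size_t bytes = 0;
  // "needed" rect and RGB16_565 format taken from the backtrace in this bug.
  SurfaceBytes(2846, 98873, PixelFormat::RGB16_565, &bytes);
  TilePlan plan = PlanTiledDraw(2846, 98873, PixelFormat::RGB16_565, kTempSurfaceBudget);
  std::printf("%zu bytes -> %s\n", bytes,
              plan == TilePlan::PreTiledTemp ? "pre-tiled temp" : "direct repeat");
  return 0;
}
```
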
Created attachment 623198
background tiling testcase

The attached testcase reproduces this without timecube being involved; it's just a simple 198x198 image as a background of a large page.
Summary: RenderDocument for entire page of timecube.com OOMs on Galaxy Nexus → RenderDocument for entire page of timecube.com OOMs due to CreateSamplingRestrictedDrawable
Created attachment 623213
bandaid "fix"

Let's just not call CreateSamplingRestrictedDrawable on mobile.  Fixes the problem for me; waiting on a try server run to see which reftests fail.  Fallout is some rendering artifacts on the edges of some tiled images, and can maybe make some things slower; jrmuizel is working on a patch to make things faster when CSRD is disabled.
Blocks: 752368
Depends on: 754364
I don't know how this is possible, but this didn't cause any Android reftests to fail. There was one orange in the run, but it was a known intermittent failure...
Comment on attachment 623213
bandaid "fix"

This seems ready to go then.
Attachment #623213 - Flags: review?(jmuizelaar)
Comment on attachment 623213
bandaid "fix"

Works for me.
Attachment #623213 - Flags: review?(jmuizelaar) → review+
Pushed to mozilla-inbound, https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=14a96dac6074
https://hg.mozilla.org/mozilla-central/rev/14a96dac6074

I guess this is fixed? Please reopen if there's more to be done here.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
Verified fix on:
Build: Nightly 15.0a1 2012-05-17
Device: HTC Desire Z/HTC Desire
OS: Android 2.3.3/Android 2.2

Can load timecube.com and the test case attached in the bug without the device crashing.
Status: RESOLVED → VERIFIED
Comment on attachment 623213
bandaid "fix"

[Approval Request Comment]
User impact if declined: excessive memory usage; OOM crashes
Testing completed (on m-c, etc.): on m-c
Attachment #623213 - Flags: approval-mozilla-aurora?

Updated

5 years ago
status-firefox14: --- → affected
Attachment #623213 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/8a6bb72f1882

Updated

5 years ago
status-firefox14: affected → fixed
No longer blocks: 752368
Blocks: 752368
Verified fixed on: 
Aurora 14.0a2 (2012-05-24)
Beta 14.0b3

Samsung Galaxy SII (Android 2.3.4)
status-firefox14: fixed → verified