Open Spectrascade WebGL demo: http://www.jeshua.me/spectrascade/sc
You should see a small gray 3D cube with a stream of particles around it. In FF16, there are no particles but the rest of the demo is OK.
Mozregression range:
m-c 2012-05-24 2012-05-25 http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f43e8d300f21&tochange=1dd0c5c6d9fd
m-i 2012-05-23 2012-05-24 http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=59ec4eabd9ce&tochange=1865549541b7
I don't see any particles on FF 15 or 16 on Win7. I do see what looks like five duplicate warnings in the Error Console per frame: "bufferSubData: negative offset." (at least, until it hits the 32-warning limit we added)
You also seem to be triggering a SetDimensions every frame. Are you setting the width and height to the same thing every frame, or something?
Regression window (m-i)
Good: http://hg.mozilla.org/integration/mozilla-inbound/rev/7ae630f43357 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120523083523
Bad: http://hg.mozilla.org/integration/mozilla-inbound/rev/5f14275bb276 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/15.0 Firefox/15.0a1 ID:20120523093244
Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7ae630f43357&tochange=5f14275bb276
In local build
Last Good: 7ffffcb45b94
First Bad: dd6c4f6a2448
Triggered by: dd6c4f6a2448 Benoit Jacob — Bug 757526 - Use stdint instead of PRInt types in WebGL implementation - r=Ms2ger
Wow! Thanks a lot for this bisecting. Looking.
The demo generates a lot of these:
[11:23:36.160] Error: WebGL: bufferSubData: negative offset @ http://www.jeshua.me/spectrascade/js/spidergl.js:4748
Together with the fact that it's a regression from Bug 757526, it's quite clear what's happening there.
Here's the bufferSubData change made in bug 757526: https://hg.mozilla.org/mozilla-central/rev/dd6c4f6a2448#l2.65 -WebGLContext::BufferSubData(PRInt32 target, PRInt32 offset, const JS::Value& data, JSContext *cx) +WebGLContext::BufferSubData(WebGLenum target, WebGLintptr offset, const JS::Value& data, JSContext *cx) This is indeed a functional change, but as far as I can see, it is fixing a conformance bug, not introducing one. Need further debugging, but at the moment it looks as if the demo is doing invalid bufferSubData calls. Not yet sure though that that is related to the rendering issue.
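Review bot: in the BufferSubData signature, offset goes from PRInt32 to WebGLintptr, which changes the type the JS argument is converted to rather than only renaming a typedef, so the commit message should call this out as a behaviour change and the change should come with a test that passes a non-numeric value as offset.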
So the second argument being passed in is an object. Specifically, a WebGLBuffer. This lands in xpc::ValueToInt64, which converts it to a double. It gets back NaN. Per spec this _should_ get turned into 0, but xpc::ValueToInt64 does static_cast<int64_t>(doubleval), which gets us 0x8000000000000000 (the bit-pattern of the NaN), but treated as a signed 64-bit int. I have no idea why it does that bit-pattern thing, exactly. In any case, that's a negative value, treated as a signed 64-bit int, and things break. Now the page is of course totally broken in terms of what it passes to that second argument. But we need to fix the bug in xpc::ValueToInt64.
Created attachment 635655
Make IDL conversions to 64-bit ints treat NaN and Infinity as 0 instead of whatever the compiler decides to do in that undefined-behavior case.
Benoit, what's a good way of testing this? Should be easy to reproduce by just passing NaN to any WebGL method that takes signed 64-bit ints and requires them to be nonnegative, without this patch.
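The conversion discussed in the two comments above (a non-numeric argument becoming NaN and then reaching a 64-bit integer conversion, and the patch treating NaN and Infinity as 0), as an added example that is not Gecko's code or the attached patch. `DoubleToInt64` and `OffsetIsAccepted` are hypothetical names, and the modulo-2^64 wrapping of out-of-range finite values follows Web IDL's `long long` conversion, which goes beyond the NaN/Infinity case this bug covers.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical helper, not Gecko's xpc::ValueToInt64: converts a JS number
// (a double) to int64_t without an out-of-range float-to-int cast, which is
// undefined behavior in C++.
int64_t DoubleToInt64(double d) {
    // NaN and +/-Infinity become 0, the behavior the patch describes.
    if (!std::isfinite(d)) return 0;

    // Truncate toward zero, then reduce the magnitude modulo 2^64.
    // fmod is exact, so m is an integer in [0, 2^64) and the cast is defined.
    const double two64 = 18446744073709551616.0;  // 2^64, exact as a double
    const double m = std::fmod(std::fabs(std::trunc(d)), two64);
    uint64_t u = static_cast<uint64_t>(m);

    // Negate in unsigned arithmetic, where wraparound is well defined.
    if (d < 0) u = 0 - u;

    // Map [2^63, 2^64) onto the negative int64_t range without overflow.
    const uint64_t two63 = uint64_t{1} << 63;
    if (u < two63) return static_cast<int64_t>(u);
    return static_cast<int64_t>(u - two63) + std::numeric_limits<int64_t>::min();
}

// Hypothetical caller check modeled on the "negative offset" warning in this
// bug: the converted offset must be non-negative.
bool OffsetIsAccepted(double jsOffset) {
    return DoubleToInt64(jsOffset) >= 0;
}

int main() {
    // Constructed inputs: NaN is what an object argument converts to.
    const double samples[] = {std::nan(""), INFINITY, -INFINITY, 42.7, -1.9};
    for (double s : samples) {
        std::printf("%g -> %lld (accepted: %d)\n", s,
                    static_cast<long long>(DoubleToInt64(s)),
                    OffsetIsAccepted(s) ? 1 : 0);
    }
    return 0;
}
```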
Oh, I was just going to add this to our tree. There is no general "DOM/JS bindings test suite" yet, though I'm hoping there will be one at some point...
Created attachment 635862
Now with test
Comment on attachment 635862
Now with test
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 757526
User impact if declined: Some WebGL things apparently won't work correctly
Testing completed (on m-c, etc.): Page that shows this bug
Risk to taking this patch (and alternatives if risky): Low-risk: just converts NaN to 0 when converting to int, as the spec requires, instead of converting to garbage. Only affects conversion to 64-bit ints, which are very rare in IDL.
String or UUID changes made by this patch: None.
And https://hg.mozilla.org/integration/mozilla-inbound/rev/421b653f33dc to deal with the Mac 10.5 bustage due to it not supporting WebGL.
Comment on attachment 635862
Now with test
[Triage Comment]
Low risk fix that brings us closer to spec. Approved for Aurora 15.
http://hg.mozilla.org/releases/mozilla-aurora/rev/c697cdebddc9 for the roll-up patch.
Able to see the issue on Nightly 2012-06-01. The particles are seen on Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0b2. Verified fixed.