Closed Bug 776334 Opened 12 years ago Closed 12 years ago

crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and above

Categories

(Core :: Graphics: Layers, defect)

Product:
Core
Component:
Graphics: Layers
Version:
15 Branch
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla17
Tracking Flags:
Tracking Status
firefox15 + fixed
firefox16 + fixed
firefox17 --- verified

People

(Reporter: scoobidiver, Assigned: snorp)

References

Details

(Keywords: crash, regression, topcrash, Whiteboard: [Testday 20120727][native-crash])

Crash Data

Attachments

(1 file)

Don't double free shared texture handles for Flash on Android
2.04 KB, patch
blassey
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
It first appeared in 17.0a1/20120721041038. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3a05d298599e&tochange=446b788ab99d It's likely a regression from bug 687267. Signature arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper More Reports Search UUID 7f5a0132-f186-451f-9f2e-cf5232120721 Date Processed 2012-07-21 13:30:50 Uptime 112 Last Crash 2.0 minutes before submission Install Age 39.2 minutes since version was first installed. Install Time 2012-07-21 12:51:26 Product FennecAndroid Version 17.0a1 Build ID 20120721041038 Release Channel nightly OS Linux OS Version 0.0.0 Linux 2.6.36.3 #1 SMP PREEMPT Thu Dec 1 09:13:52 KST 2011 armv7l Build Architecture arm Build Architecture Info Crash Reason SIGSEGV Crash Address 0x0 App Notes AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra -- OpenGL ES 2.0 -- Model: GT-P7500, Product: GT-P7500, Manufacturer: samsung, Hardware: p3' EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ samsung GT-P7500 samsung/GT-P7500/GT-P7500:3.2/HTJ85B/UBKL1:user/release-keys EMCheckCompatibility True Adapter Vendor ID NVIDIA Corporation Adapter Device ID NVIDIA Tegra Frame Module Signature Source 0 libmozglue.so arena_dalloc memory/mozjemalloc/jemalloc.c:4634 1 libmozglue.so __wrap_free memory/mozjemalloc/jemalloc.c:6565 2 libmozalloc.so moz_free memory/mozalloc/mozalloc.cpp:48 3 libxul.so mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper mozalloc.h:224 4 libxul.so mozilla::gl::GLContextEGL::ReleaseSharedHandle gfx/gl/GLContextProviderEGL.cpp:979 5 libxul.so mozilla::layers::ShadowImageLayerOGL::Swap gfx/layers/opengl/ImageLayerOGL.cpp:783 6 libxul.so mozilla::layers::ShadowLayersParent::RecvUpdate gfx/layers/ipc/ShadowLayersParent.cpp:395 7 libxul.so mozilla::layers::PLayersParent::OnMessageReceived obj-firefox/ipc/ipdl/PLayersParent.cpp:431 8 libxul.so mozilla::layers::PCompositorParent::OnMessageReceived obj-firefox/ipc/ipdl/PCompositorParent.cpp:341 9 libxul.so mozilla::ipc::SyncChannel::OnDispatchMessage ipc/glue/SyncChannel.cpp:143 10 libxul.so mozilla::ipc::RPCChannel::OnMaybeDequeueOne ipc/glue/RPCChannel.cpp:400 11 libxul.so RunnableMethod<mozilla::ipc::RPCChannel, bool , Tuple0>::Run ipc/chromium/src/base/tuple.h:383 12 libxul.so mozilla::ipc::RPCChannel::DequeueTask::Run RPCChannel.h:430 13 libxul.so MessageLoop::RunTask ipc/chromium/src/base/message_loop.cc:326 14 libxul.so MessageLoop::DeferOrRunPendingTask ipc/chromium/src/base/message_loop.cc:334 15 libxul.so MessageLoop::DoWork ipc/chromium/src/base/message_loop.cc:434 16 libxul.so base::MessagePumpDefault::Run ipc/chromium/src/base/message_pump_default.cc:23 17 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:208 18 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:201 19 libxul.so base::Thread::ThreadMain ipc/chromium/src/base/thread.cc:156 20 libxul.so ThreadFunc ipc/chromium/src/base/platform_thread_posix.cc:31 21 libc.so __thread_entry 22 libc.so pthread_create More reports at: https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+__wrap_free+|+moz_free+|+mozilla%3A%3Agl%3A%3AEGLTextureWrapper%3A%3A~EGLTextureWrapper
There's a slightly different stack trace with the same signature: Frame Module Signature Source 0 libmozglue.so arena_dalloc memory/mozjemalloc/jemalloc.c:4634 1 libmozglue.so __wrap_free memory/mozjemalloc/jemalloc.c:6565 2 libmozalloc.so moz_free memory/mozalloc/mozalloc.cpp:48 3 libxul.so mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper mozalloc.h:224 4 libxul.so mozilla::gl::GLContextEGL::ReleaseSharedHandle gfx/gl/GLContextProviderEGL.cpp:979 5 libxul.so mozilla::layers::ShadowImageLayerOGL::CleanupResources gfx/layers/opengl/ImageLayerOGL.cpp:1015 6 libxul.so mozilla::layers::ShadowImageLayerOGL::Destroy gfx/layers/opengl/ImageLayerOGL.cpp:818 7 libxul.so mozilla::layers::ShadowImageLayerOGL::Disconnect gfx/layers/opengl/ImageLayerOGL.cpp:810 8 libxul.so mozilla::layers::ShadowLayerParent::ActorDestroy gfx/layers/ipc/ShadowLayerParent.cpp:60 9 libxul.so mozilla::layers::PLayerParent::DestroySubtree obj-firefox/ipc/ipdl/PLayerParent.cpp:315 10 libxul.so mozilla::layers::PLayerParent::OnMessageReceived obj-firefox/ipc/ipdl/PLayerParent.cpp:170 11 libxul.so mozilla::layers::PCompositorParent::OnMessageReceived obj-firefox/ipc/ipdl/PCompositorParent.cpp:291 12 libxul.so mozilla::ipc::AsyncChannel::OnDispatchMessage ipc/glue/AsyncChannel.cpp:473 13 libxul.so mozilla::ipc::RPCChannel::OnMaybeDequeueOne ipc/glue/RPCChannel.cpp:402 ... More reports also at: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Alayers%3A%3AShadowImageLayerOGL%3A%3ASwap https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agl%3A%3AGLContextEGL%3A%3AReleaseSharedHandle
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle]
Whiteboard: [native-crash]
More reports at: https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+__wrap_free+|+JS_DHashFreeTable
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle]
Summary: crash in mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper on Honeycomb → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb
Summary: crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and JB
I just experienced this crash signature with Mobile 15b2 on Galaxy Tab 10.1
Got to http://www.channelfireball.com/articles/channel-conley-avr-draft-7/ Click on one of the videos. They are each preceded by a video ad. There is a rotating ad for Lexus that seems to 'cause this crash when it completes. The other ads do not.
I can reproduce the bug in the same site using Firefox Beta and Galaxy Tab 10.1. I dont see any rotating ad though. Crashes ID's bp-8fe9a00b-fd6e-449c-a8c3-cbae62120728 bp-9710b8e2-1b25-483c-a890-4db8d2120728
Whiteboard: [native-crash] → [Testday 20120727][native-crash]
With combined signatures, it's #2 top crasher in 15.0b2 and #4 in 16.0a2 over the last 3 days.
tracking-fennec: --- → ?
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotification] …
tracking-firefox15: --- → ?
tracking-firefox16: --- → ?
Keywords: topcrash
Version: 17 Branch → 15 Branch
Keywords: reproducible
Crash Signature: nsISelection>::~TNotification] [@ arena_dalloc | __wrap_free | moz_free | PL_DHashFreeTable | mozilla::gl::GLContextEGL::ReleaseSharedHandle] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] → nsISelection>::~TNotification] [@ arena_dalloc | __wrap_free | moz_free | PL_DHashFreeTable | mozilla::gl::GLContextEGL::ReleaseSharedHandle] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] [@ libmozgl…
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotification] … → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper ] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable ] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotification …
Brad - do you know who would be in the best position to take a look at this for 15 release?
Assignee: nobody → blassey.bugs
tracking-firefox15: ?+
tracking-firefox16: ?+
I got this crash on the Asus TF101, using Honeycomb and the latest Aurora build with plugins enabled, then going to http://people.mozilla.org/~mwargers/tests/plugins/flash/crashwinopencloseembedsrc.html And then tapping on the button.
There are no crashes after 17.0a1/20120728. The working range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2abd21593e57&tochange=29bff59d3bbe Can someone who is able to reproduce it narrow down the working range?
status-firefox15: --- → affected
status-firefox16: --- → affected
status-firefox17: --- → unaffected
Whiteboard: [Testday 20120727][native-crash] → [Testday 20120727][native-crash][workingwindow-wanted]
Assignee: blassey.bugs → snorp
(In reply to Scoobidiver from comment #9) > There are no crashes after 17.0a1/20120728. The working range is: > http://hg.mozilla.org/mozilla-central/ > pushloghtml?fromchange=2abd21593e57&tochange=29bff59d3bbe > Can someone who is able to reproduce it narrow down the working range? I think it's likely the bug is not fixed, but rather there just hasn't been enough activity on Honeycomb to create the crash.
It is also that the site listed earlier in the bug may have changed what ads display so that the Lexus add that triggered this from that site is no longer in the mix.
Oh also recent builds don;t seem to work at all well on honeycomb tablets such that on my Samsung Galaxy 8.9 I can not even reliably "click" on links because the touch event seems to somehow pick up the wrong coordinates and think I clicked on a completely different link. This makes it extremely hard to to the click to play to even get flash to run on my device. the last build where this worked correctly was the 7/28 nightly. I am currently doing an hg bisect trying to figure out which check-in caused this mess and then have 3 different regression bugs ready to file.
(In reply to Bill Gianopoulos [:WG9s] from comment #12) > Oh also recent builds don;t seem to work at all well on honeycomb tablets > such that on my Samsung Galaxy 8.9 I can not even reliably "click" on links > because the touch event seems to somehow pick up the wrong coordinates and > think I clicked on a completely different link. This makes it extremely > hard to to the click to play to even get flash to run on my device. the > last build where this worked correctly was the 7/28 nightly. > > I am currently doing an hg bisect trying to figure out which check-in caused > this mess and then have 3 different regression bugs ready to file. Looks like this was fixed in the 31 July Nightly, so I have abandoned trying to bisect.
Crashes are back in 17.0a1/20120731.
status-firefox17: unaffectedaffected
Whiteboard: [Testday 20120727][native-crash][workingwindow-wanted] → [Testday 20120727][native-crash]
Need to figure out if it's due to specific devices are OS; Some devices were unblocked recently.
(In reply to Naoki Hirata :nhirata from comment #15) > Need to figure out if it's due to specific devices are OS; Some devices were > unblocked recently. This particular bug will only occur on Honeycomb, and is not affected by the recent unblock of Tegra 2 Gingerbread/Froyo devices.
Crash Signature: mozilla::layers::ShadowImageLayerOGL::CleanupResources ] [@ libmozglue.so@0x8a2c ] → mozilla::layers::ShadowImageLayerOGL::CleanupResources ] [@ libmozglue.so@0x8a2c ] [@ arena_dalloc | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper]
It's #1 top crasher and accounts for 15.7% of all crashes in 15.0b3.
Has there been any reduction in crashes since the fix in bug 779019 landed?
(In reply to Jeff Gilbert [:jgilbert] from comment #18) > Has there been any reduction in crashes since the fix in bug 779019 landed? I wouldn't say that: crashes users 2012-07-31: 4 4 2012-08-01: 2 2 2012-08-02: 5 3 <-- bug 779019 lands 2012-08-03: 8 4 2012-08-04: 12 2
Crash Signature: nsISelection>::~TNotification ] [@ arena_dalloc | __wrap_free | moz_free | PL_DHashFreeTable | mozilla::gl::GLContextEGL::ReleaseSharedHandle ] [@ mozilla::layers::ShadowImageLayerOGL::Swap ] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle ] [@ mozi… → nsISelection>::~TNotification ] [@ arena_dalloc | __wrap_free | moz_free | PL_DHashFreeTable | mozilla::gl::GLContextEGL::ReleaseSharedHandle ] [@ mozilla::layers::ShadowImageLayerOGL::Swap ] [@ @0x0 | mozilla::layers::ShadowImageLayerOGL::Swap ] [@ m…
Do we have any progress on this bug? There are only 2 betas left in the cycle and I would really prefer to get a fix in beta 5 than 6.
I couldn't reproduce the bug in the newest beta using Android 3.1 and Galaxy Tab 10.1. I didn't see any rotating ad and the browser did not crash. However, after writing this comment (the above two lines), I went back to the site to try again and I found the browser completely frozen: it wouldn't respond at all, not even after closing it via the task killer several times. It closed but reopening the browser the same frozen site was displayed. I had to shut down the tablet and start it up again. I tried several times more and all worked fine: the browser didn't crash nor it froze.
There are crashes on ICS.
Keywords: reproducible
Summary: crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and JB → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and above
Comment on attachment 651779 [details] [diff] [review] Don't double free shared texture handles for Flash on Android Review of attachment 651779 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/plugins/base/nsNPAPIPluginInstance.cpp @@ -88,5 @@ > public: > NS_INLINE_DECL_REFCOUNTING(SharedPluginTexture) > > - SharedPluginTexture() : > - mCurrentHandle(0), mNeedNewImage(false), mLock("SharedPluginTexture.mLock") why?
Attachment #651779 - Flags: review?(blassey.bugs) → review+
(In reply to Brad Lassey [:blassey] from comment #24) > Comment on attachment 651779 [details] [diff] [review] > Don't double free shared texture handles for Flash on Android > > Review of attachment 651779 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/plugins/base/nsNPAPIPluginInstance.cpp > @@ -88,5 @@ > > public: > > NS_INLINE_DECL_REFCOUNTING(SharedPluginTexture) > > > > - SharedPluginTexture() : > > - mCurrentHandle(0), mNeedNewImage(false), mLock("SharedPluginTexture.mLock") > > why? As discussed, I removed mCurrentHandle and mNeedNewImage.
https://hg.mozilla.org/mozilla-central/rev/12c614d36e0b
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Hmm, one problem we have there is that we want this fix on the next beta that's being built on Tuesday or so, but on trunk we have a rather small audience so it will be hard to confirm that the fix worked. How fast can we uplift, i.e. is the risk low enough to do that without too much verification by crash stats?
This bug is one of those that is in each Nightly build so there's no problem to check the fix (if it's built :(). To check potential side effects, a landing in Aurora would be required after one day of simmering in trunk.
It has been in builds from the 17th and later, but what I was saying meant that this is at such a low volume in Nightly that it takes multiple days to verify that it's gone and we only have until at most Tuesday to land anything on Beta that should go out with 15, so we are under pressure to get this uplifted.
That said, it looks like there's no crashes so far after the 16th (also not for bug 776329), so I think we should go requesting approval and landing this on Aurora and Beta ASAP.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #31) > That said, it looks like there's no crashes so far after the 16th (also not > for bug 776329) Because 17.0a1/20120817 doesn't exist (see ftp://ftp.mozilla.org/pub/mobile/nightly/2012-08-17-03-05-55-mozilla-central-android/) so one more day is required.
Hrm, strange that 17th had no nightly - but there's one for 18th and 19th, and still so far no crashes with those signatures. :)
Status: RESOLVED → VERIFIED
status-firefox17: fixedverified
Comment on attachment 651779 [details] [diff] [review] Don't double free shared texture handles for Flash on Android [Approval Request Comment] Low risk, fixes top crash
Attachment #651779 - Flags: approval-mozilla-beta?
Attachment #651779 - Flags: approval-mozilla-aurora?
Comment on attachment 651779 [details] [diff] [review] Don't double free shared texture handles for Flash on Android Approving for branch uplift since it resolves our top 4 mobile 15 crashers. Please land before tomorrow's final Beta go to build.
Attachment #651779 - Flags: approval-mozilla-beta?
Attachment #651779 - Flags: approval-mozilla-beta+
Attachment #651779 - Flags: approval-mozilla-aurora?
Attachment #651779 - Flags: approval-mozilla-aurora+
tracking-fennec: ? → ---
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: