Closed Bug 776334 Opened 8 years ago Closed 8 years ago

crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and above

Categories: Core :: Graphics: Layers, defect, critical

Version: 15 Branch
Platform: ARM, Android
Type: defect
Priority: Not set
Severity: critical

Status: VERIFIED FIXED
Target Milestone: mozilla17
Tracking Status:
firefox15 + fixed
firefox16 + fixed
firefox17 --- verified

People: Reporter: scoobidiver, Assigned: snorp

Keywords: crash, regression, topcrash
Whiteboard: [Testday 20120727][native-crash]

Attachments: 1 file

It first appeared in 17.0a1/20120721041038. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3a05d298599e&tochange=446b788ab99d
It's likely a regression from bug 687267.

Signature 	arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper
UUID	7f5a0132-f186-451f-9f2e-cf5232120721
Date Processed	2012-07-21 13:30:50
Uptime	112
Last Crash	2.0 minutes before submission
Install Age	39.2 minutes since version was first installed.
Install Time	2012-07-21 12:51:26
Product	FennecAndroid
Version	17.0a1
Build ID	20120721041038
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.36.3 #1 SMP PREEMPT Thu Dec 1 09:13:52 KST 2011 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra -- OpenGL ES 2.0 -- Model: GT-P7500, Product: GT-P7500, Manufacturer: samsung, Hardware: p3'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
samsung GT-P7500
samsung/GT-P7500/GT-P7500:3.2/HTJ85B/UBKL1:user/release-keys
EMCheckCompatibility	True
Adapter Vendor ID	NVIDIA Corporation
Adapter Device ID	NVIDIA Tegra

Frame 	Module 	Signature 	Source
0 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4634
1 	libmozglue.so 	__wrap_free 	memory/mozjemalloc/jemalloc.c:6565
2 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:48
3 	libxul.so 	mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper 	mozalloc.h:224
4 	libxul.so 	mozilla::gl::GLContextEGL::ReleaseSharedHandle 	gfx/gl/GLContextProviderEGL.cpp:979
5 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Swap 	gfx/layers/opengl/ImageLayerOGL.cpp:783
6 	libxul.so 	mozilla::layers::ShadowLayersParent::RecvUpdate 	gfx/layers/ipc/ShadowLayersParent.cpp:395
7 	libxul.so 	mozilla::layers::PLayersParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PLayersParent.cpp:431
8 	libxul.so 	mozilla::layers::PCompositorParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PCompositorParent.cpp:341
9 	libxul.so 	mozilla::ipc::SyncChannel::OnDispatchMessage 	ipc/glue/SyncChannel.cpp:143
10 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:400
11 	libxul.so 	RunnableMethod<mozilla::ipc::RPCChannel, bool , Tuple0>::Run 	ipc/chromium/src/base/tuple.h:383
12 	libxul.so 	mozilla::ipc::RPCChannel::DequeueTask::Run 	RPCChannel.h:430
13 	libxul.so 	MessageLoop::RunTask 	ipc/chromium/src/base/message_loop.cc:326
14 	libxul.so 	MessageLoop::DeferOrRunPendingTask 	ipc/chromium/src/base/message_loop.cc:334
15 	libxul.so 	MessageLoop::DoWork 	ipc/chromium/src/base/message_loop.cc:434
16 	libxul.so 	base::MessagePumpDefault::Run 	ipc/chromium/src/base/message_pump_default.cc:23
17 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
18 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
19 	libxul.so 	base::Thread::ThreadMain 	ipc/chromium/src/base/thread.cc:156
20 	libxul.so 	ThreadFunc 	ipc/chromium/src/base/platform_thread_posix.cc:31
21 	libc.so 	__thread_entry 	
22 	libc.so 	pthread_create

More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+__wrap_free+|+moz_free+|+mozilla%3A%3Agl%3A%3AEGLTextureWrapper%3A%3A~EGLTextureWrapper
There's a slightly different stack trace with the same signature:
Frame 	Module 	Signature 	Source
0 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4634
1 	libmozglue.so 	__wrap_free 	memory/mozjemalloc/jemalloc.c:6565
2 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:48
3 	libxul.so 	mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper 	mozalloc.h:224
4 	libxul.so 	mozilla::gl::GLContextEGL::ReleaseSharedHandle 	gfx/gl/GLContextProviderEGL.cpp:979
5 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::CleanupResources 	gfx/layers/opengl/ImageLayerOGL.cpp:1015
6 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Destroy 	gfx/layers/opengl/ImageLayerOGL.cpp:818
7 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Disconnect 	gfx/layers/opengl/ImageLayerOGL.cpp:810
8 	libxul.so 	mozilla::layers::ShadowLayerParent::ActorDestroy 	gfx/layers/ipc/ShadowLayerParent.cpp:60
9 	libxul.so 	mozilla::layers::PLayerParent::DestroySubtree 	obj-firefox/ipc/ipdl/PLayerParent.cpp:315
10 	libxul.so 	mozilla::layers::PLayerParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PLayerParent.cpp:170
11 	libxul.so 	mozilla::layers::PCompositorParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PCompositorParent.cpp:291
12 	libxul.so 	mozilla::ipc::AsyncChannel::OnDispatchMessage 	ipc/glue/AsyncChannel.cpp:473
13 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:402
...

More reports also at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Alayers%3A%3AShadowImageLayerOGL%3A%3ASwap
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agl%3A%3AGLContextEGL%3A%3AReleaseSharedHandle
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle]
Whiteboard: [native-crash]
More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+__wrap_free+|+JS_DHashFreeTable
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle]
Summary: crash in mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper on Honeycomb → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb
Summary: crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and JB
I just experienced this crash signature with Mobile 15b2 on Galaxy Tab 10.1
Go to http://www.channelfireball.com/articles/channel-conley-avr-draft-7/

Click on one of the videos. They are each preceded by a video ad.
There is a rotating ad for Lexus that seems to cause this crash when it completes. The other ads do not.
I can reproduce the bug in the same site using Firefox Beta and Galaxy Tab 10.1. I don't see any rotating ad though.

Crash IDs:

bp-8fe9a00b-fd6e-449c-a8c3-cbae62120728

bp-9710b8e2-1b25-483c-a890-4db8d2120728
Whiteboard: [native-crash] → [Testday 20120727][native-crash]
With combined signatures, it's #2 top crasher in 15.0b2 and #4 in 16.0a2 over the last 3 days.
tracking-fennec: --- → ?
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotification] …
Keywords: topcrash
Version: 17 Branch → 15 Branch
Keywords: reproducible
Crash Signature: nsISelection>::~TNotification] [@ arena_dalloc | __wrap_free | moz_free | PL_DHashFreeTable | mozilla::gl::GLContextEGL::ReleaseSharedHandle] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] → nsISelection>::~TNotification] [@ arena_dalloc | __wrap_free | moz_free | PL_DHashFreeTable | mozilla::gl::GLContextEGL::ReleaseSharedHandle] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] [@ libmozgl…
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotification] … → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper ] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable ] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotification …
Brad - do you know who would be in the best position to take a look at this for 15 release?
Assignee: nobody → blassey.bugs
I got this crash on the Asus TF101, using Honeycomb and the latest Aurora build with plugins enabled, then going to http://people.mozilla.org/~mwargers/tests/plugins/flash/crashwinopencloseembedsrc.html
And then tapping on the button.
There are no crashes after 17.0a1/20120728. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2abd21593e57&tochange=29bff59d3bbe
Can someone who is able to reproduce it narrow down the working range?
Whiteboard: [Testday 20120727][native-crash] → [Testday 20120727][native-crash][workingwindow-wanted]
Assignee: blassey.bugs → snorp
(In reply to Scoobidiver from comment #9)
> There are no crashes after 17.0a1/20120728. The working range is:
> http://hg.mozilla.org/mozilla-central/
> pushloghtml?fromchange=2abd21593e57&tochange=29bff59d3bbe
> Can someone who is able to reproduce it narrow down the working range?

I think it's likely the bug is not fixed, but rather there just hasn't been enough activity on Honeycomb to create the crash.
It is also possible that the site listed earlier in the bug may have changed what ads display so that the Lexus ad that triggered this from that site is no longer in the mix.
Oh also recent builds don't seem to work at all well on honeycomb tablets such that on my Samsung Galaxy 8.9 I can not even reliably "click" on links because the touch event seems to somehow pick up the wrong coordinates and think I clicked on a completely different link. This makes it extremely hard to do the click to play to even get flash to run on my device. The last build where this worked correctly was the 7/28 nightly.

I am currently doing an hg bisect trying to figure out which check-in caused this mess and then have 3 different regression bugs ready to file.
(In reply to Bill Gianopoulos [:WG9s] from comment #12)
> Oh also recent builds don't seem to work at all well on honeycomb tablets
> such that on my Samsung Galaxy 8.9 I can not even reliably "click" on links
> because the touch event seems to somehow pick up the wrong coordinates and
> think I clicked on a completely different link. This makes it extremely
> hard to do the click to play to even get flash to run on my device. The
> last build where this worked correctly was the 7/28 nightly.
> 
> I am currently doing an hg bisect trying to figure out which check-in caused
> this mess and then have 3 different regression bugs ready to file.

Looks like this was fixed in the 31 July Nightly, so I have abandoned trying to bisect.
Crashes are back in 17.0a1/20120731.
Whiteboard: [Testday 20120727][native-crash][workingwindow-wanted] → [Testday 20120727][native-crash]
Need to figure out if it's due to specific devices or OS; some devices were unblocked recently.
(In reply to Naoki Hirata :nhirata from comment #15)
> Need to figure out if it's due to specific devices or OS; some devices were
> unblocked recently.

This particular bug will only occur on Honeycomb, and is not affected by the recent unblock of Tegra 2 Gingerbread/Froyo devices.
Crash Signature: mozilla::layers::ShadowImageLayerOGL::CleanupResources ] [@ libmozglue.so@0x8a2c ] → mozilla::layers::ShadowImageLayerOGL::CleanupResources ] [@ libmozglue.so@0x8a2c ] [@ arena_dalloc | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper]
It's #1 top crasher and accounts for 15.7% of all crashes in 15.0b3.
Has there been any reduction in crashes since the fix in bug 779019 landed?
(In reply to Jeff Gilbert [:jgilbert] from comment #18)
> Has there been any reduction in crashes since the fix in bug 779019 landed?
I wouldn't say that:
            crashes   users
2012-07-31:    4        4
2012-08-01:    2        2
2012-08-02:    5        3   <-- bug 779019 lands
2012-08-03:    8        4
2012-08-04:   12        2
Crash Signature: nsISelection>::~TNotification ] [@ arena_dalloc | __wrap_free | moz_free | PL_DHashFreeTable | mozilla::gl::GLContextEGL::ReleaseSharedHandle ] [@ mozilla::layers::ShadowImageLayerOGL::Swap ] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle ] [@ mozi… → nsISelection>::~TNotification ] [@ arena_dalloc | __wrap_free | moz_free | PL_DHashFreeTable | mozilla::gl::GLContextEGL::ReleaseSharedHandle ] [@ mozilla::layers::ShadowImageLayerOGL::Swap ] [@ @0x0 | mozilla::layers::ShadowImageLayerOGL::Swap ] [@ m…
Do we have any progress on this bug? There are only 2 betas left in the cycle and I would really prefer to get a fix in beta 5 than 6.
I couldn't reproduce the bug in the newest beta using Android 3.1 and Galaxy Tab 10.1. I didn't see any rotating ad and the browser did not crash. However, after writing this comment (the above two lines), I went back to the site to try again and I found the browser completely frozen: it wouldn't respond at all, not even after closing it via the task killer several times. It closed, but on reopening the browser the same frozen site was displayed. I had to shut down the tablet and start it up again. I tried several more times and all worked fine: the browser didn't crash, nor did it freeze.
There are crashes on ICS.
Keywords: reproducible
Summary: crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and JB → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and above
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

Review of attachment 651779 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/plugins/base/nsNPAPIPluginInstance.cpp
@@ -88,5 @@
>  public:
>    NS_INLINE_DECL_REFCOUNTING(SharedPluginTexture)
>  
> -  SharedPluginTexture() :
> -    mCurrentHandle(0), mNeedNewImage(false), mLock("SharedPluginTexture.mLock")
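
Review bot: At @@ -88 the deleted `SharedPluginTexture()` initializer list leaves `mCurrentHandle`, `mNeedNewImage` and `mLock` with no visible initialisation, which matters if any of them is still a member after this patch. If `mLock` stays, keep a constructor that still passes it the `"SharedPluginTexture.mLock"` name; if the other two members are being dropped, say so in the commit message, since the title only mentions the double free and does not explain why the constructor goes.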

why?
Attachment #651779 - Flags: review?(blassey.bugs) → review+
(In reply to Brad Lassey [:blassey] from comment #24)
> Comment on attachment 651779 [details] [diff] [review]
> Don't double free shared texture handles for Flash on Android
> 
> Review of attachment 651779 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: dom/plugins/base/nsNPAPIPluginInstance.cpp
> @@ -88,5 @@
> >  public:
> >    NS_INLINE_DECL_REFCOUNTING(SharedPluginTexture)
> >  
> > -  SharedPluginTexture() :
> > -    mCurrentHandle(0), mNeedNewImage(false), mLock("SharedPluginTexture.mLock")
> 
> why?

As discussed, I removed mCurrentHandle and mNeedNewImage.
https://hg.mozilla.org/mozilla-central/rev/12c614d36e0b
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Hmm, one problem we have there is that we want this fix on the next beta that's being built on Tuesday or so, but on trunk we have a rather small audience so it will be hard to confirm that the fix worked.

How fast can we uplift, i.e. is the risk low enough to do that without too much verification by crash stats?
This bug is one of those that is in each Nightly build so there's no problem to check the fix (if it's built :(). To check potential side effects, a landing in Aurora would be required after one day of simmering in trunk.
It has been in builds from the 17th and later, but what I was saying meant that this is at such a low volume in Nightly that it takes multiple days to verify that it's gone and we only have until at most Tuesday to land anything on Beta that should go out with 15, so we are under pressure to get this uplifted.
That said, it looks like there's no crashes so far after the 16th (also not for bug 776329), so I think we should go requesting approval and landing this on Aurora and Beta ASAP.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #31)
> That said, it looks like there's no crashes so far after the 16th (also not
> for bug 776329)
Because 17.0a1/20120817 doesn't exist (see ftp://ftp.mozilla.org/pub/mobile/nightly/2012-08-17-03-05-55-mozilla-central-android/) so one more day is required.
Hrm, strange that 17th had no nightly - but there's one for 18th and 19th, and still so far no crashes with those signatures. :)
Status: RESOLVED → VERIFIED
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

[Approval Request Comment]
Low risk, fixes top crash
Attachment #651779 - Flags: approval-mozilla-beta?
Attachment #651779 - Flags: approval-mozilla-aurora?
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

Approving for branch uplift since it resolves our top 4 mobile 15 crashers.  Please land before tomorrow's final Beta go to build.
Attachment #651779 - Flags: approval-mozilla-beta?
Attachment #651779 - Flags: approval-mozilla-beta+
Attachment #651779 - Flags: approval-mozilla-aurora?
Attachment #651779 - Flags: approval-mozilla-aurora+
tracking-fennec: ? → ---