Bug 776334 - crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and above
Status: VERIFIED FIXED
Whiteboard: [Testday 20120727][native-crash]
Keywords: crash, regression, topcrash
Product: Core
Classification: Components
Component: Graphics: Layers
Version: 15 Branch
Platform: ARM Android
Importance: -- critical
Target Milestone: mozilla17
Assigned To: James Willcox (:snorp) (jwillcox@mozilla.com)
Blocks: honeycomb-flash 776329
Reported: 2012-07-22 00:48 PDT by Scoobidiver (away)
Modified: 2013-12-10 10:01 PST


Attachments
Don't double free shared texture handles for Flash on Android (2.04 KB, patch)
2012-08-14 08:21 PDT, James Willcox (:snorp) (jwillcox@mozilla.com)
blassey.bugs: review+
lukasblakk+bugs: approval-mozilla-aurora+
lukasblakk+bugs: approval-mozilla-beta+

Description Scoobidiver (away) 2012-07-22 00:48:34 PDT
It first appeared in 17.0a1/20120721041038. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3a05d298599e&tochange=446b788ab99d
It's likely a regression from bug 687267.

Signature 	arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper
UUID	7f5a0132-f186-451f-9f2e-cf5232120721
Date Processed	2012-07-21 13:30:50
Uptime	112
Last Crash	2.0 minutes before submission
Install Age	39.2 minutes since version was first installed.
Install Time	2012-07-21 12:51:26
Product	FennecAndroid
Version	17.0a1
Build ID	20120721041038
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.36.3 #1 SMP PREEMPT Thu Dec 1 09:13:52 KST 2011 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra -- OpenGL ES 2.0 -- Model: GT-P7500, Product: GT-P7500, Manufacturer: samsung, Hardware: p3'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
samsung GT-P7500
samsung/GT-P7500/GT-P7500:3.2/HTJ85B/UBKL1:user/release-keys
EMCheckCompatibility	True
Adapter Vendor ID	NVIDIA Corporation
Adapter Device ID	NVIDIA Tegra

Frame 	Module 	Signature 	Source
0 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4634
1 	libmozglue.so 	__wrap_free 	memory/mozjemalloc/jemalloc.c:6565
2 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:48
3 	libxul.so 	mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper 	mozalloc.h:224
4 	libxul.so 	mozilla::gl::GLContextEGL::ReleaseSharedHandle 	gfx/gl/GLContextProviderEGL.cpp:979
5 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Swap 	gfx/layers/opengl/ImageLayerOGL.cpp:783
6 	libxul.so 	mozilla::layers::ShadowLayersParent::RecvUpdate 	gfx/layers/ipc/ShadowLayersParent.cpp:395
7 	libxul.so 	mozilla::layers::PLayersParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PLayersParent.cpp:431
8 	libxul.so 	mozilla::layers::PCompositorParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PCompositorParent.cpp:341
9 	libxul.so 	mozilla::ipc::SyncChannel::OnDispatchMessage 	ipc/glue/SyncChannel.cpp:143
10 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:400
11 	libxul.so 	RunnableMethod<mozilla::ipc::RPCChannel, bool , Tuple0>::Run 	ipc/chromium/src/base/tuple.h:383
12 	libxul.so 	mozilla::ipc::RPCChannel::DequeueTask::Run 	RPCChannel.h:430
13 	libxul.so 	MessageLoop::RunTask 	ipc/chromium/src/base/message_loop.cc:326
14 	libxul.so 	MessageLoop::DeferOrRunPendingTask 	ipc/chromium/src/base/message_loop.cc:334
15 	libxul.so 	MessageLoop::DoWork 	ipc/chromium/src/base/message_loop.cc:434
16 	libxul.so 	base::MessagePumpDefault::Run 	ipc/chromium/src/base/message_pump_default.cc:23
17 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
18 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
19 	libxul.so 	base::Thread::ThreadMain 	ipc/chromium/src/base/thread.cc:156
20 	libxul.so 	ThreadFunc 	ipc/chromium/src/base/platform_thread_posix.cc:31
21 	libc.so 	__thread_entry 	
22 	libc.so 	pthread_create

More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+__wrap_free+|+moz_free+|+mozilla%3A%3Agl%3A%3AEGLTextureWrapper%3A%3A~EGLTextureWrapper
Comment 1 Scoobidiver (away) 2012-07-22 00:54:21 PDT
There's a slightly different stack trace with the same signature:
Frame 	Module 	Signature 	Source
0 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4634
1 	libmozglue.so 	__wrap_free 	memory/mozjemalloc/jemalloc.c:6565
2 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:48
3 	libxul.so 	mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper 	mozalloc.h:224
4 	libxul.so 	mozilla::gl::GLContextEGL::ReleaseSharedHandle 	gfx/gl/GLContextProviderEGL.cpp:979
5 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::CleanupResources 	gfx/layers/opengl/ImageLayerOGL.cpp:1015
6 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Destroy 	gfx/layers/opengl/ImageLayerOGL.cpp:818
7 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Disconnect 	gfx/layers/opengl/ImageLayerOGL.cpp:810
8 	libxul.so 	mozilla::layers::ShadowLayerParent::ActorDestroy 	gfx/layers/ipc/ShadowLayerParent.cpp:60
9 	libxul.so 	mozilla::layers::PLayerParent::DestroySubtree 	obj-firefox/ipc/ipdl/PLayerParent.cpp:315
10 	libxul.so 	mozilla::layers::PLayerParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PLayerParent.cpp:170
11 	libxul.so 	mozilla::layers::PCompositorParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PCompositorParent.cpp:291
12 	libxul.so 	mozilla::ipc::AsyncChannel::OnDispatchMessage 	ipc/glue/AsyncChannel.cpp:473
13 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:402
...

More reports also at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Alayers%3A%3AShadowImageLayerOGL%3A%3ASwap
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agl%3A%3AGLContextEGL%3A%3AReleaseSharedHandle
Comment 3 Tracy Walker [:tracy] 2012-07-27 09:49:13 PDT
I just experienced this crash signature with Mobile 15b2 on Galaxy Tab 10.1
Comment 4 Tracy Walker [:tracy] 2012-07-27 10:07:28 PDT
Go to http://www.channelfireball.com/articles/channel-conley-avr-draft-7/

Click on one of the videos. They are each preceded by a video ad.
There is a rotating ad for Lexus that seems to cause this crash when it completes.  The other ads do not.
Comment 5 Gabriela [:gaby2300] 2012-07-27 18:57:01 PDT
I can reproduce the bug in the same site using Firefox Beta and Galaxy Tab 10.1. I don't see any rotating ad though.

Crash IDs:

bp-8fe9a00b-fd6e-449c-a8c3-cbae62120728

bp-9710b8e2-1b25-483c-a890-4db8d2120728
Comment 6 Scoobidiver (away) 2012-07-27 22:55:03 PDT
With combined signatures, it's #2 top crasher in 15.0b2 and #4 in 16.0a2 over the last 3 days.
Comment 7 Alex Keybl [:akeybl] 2012-07-30 09:53:55 PDT
Brad - do you know who would be in the best position to take a look at this for 15 release?
Comment 8 Martijn Wargers [:mwargers] (not working for Mozilla) 2012-07-30 15:37:13 PDT
I got this crash on the Asus TF101, using Honeycomb and the latest Aurora build with plugins enabled, then going to http://people.mozilla.org/~mwargers/tests/plugins/flash/crashwinopencloseembedsrc.html
And then tapping on the button.
Comment 9 Scoobidiver (away) 2012-07-31 14:48:15 PDT
There are no crashes after 17.0a1/20120728. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2abd21593e57&tochange=29bff59d3bbe
Can someone who is able to reproduce it narrow down the working range?
Comment 10 James Willcox (:snorp) (jwillcox@mozilla.com) 2012-07-31 15:23:58 PDT
(In reply to Scoobidiver from comment #9)
> There are no crashes after 17.0a1/20120728. The working range is:
> http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2abd21593e57&tochange=29bff59d3bbe
> Can someone who is able to reproduce it narrow down the working range?

I think it's likely the bug is not fixed, but rather there just hasn't been enough activity on Honeycomb to create the crash.
Comment 11 Bill Gianopoulos [:WG9s] 2012-07-31 15:41:58 PDT
It is also that the site listed earlier in the bug may have changed what ads display so that the Lexus ad that triggered this from that site is no longer in the mix.
Comment 12 Bill Gianopoulos [:WG9s] 2012-07-31 15:45:36 PDT
Oh also recent builds don't seem to work at all well on honeycomb tablets such that on my Samsung Galaxy 8.9 I can not even reliably "click" on links because the touch event seems to somehow pick up the wrong coordinates and think I clicked on a completely different link.  This makes it extremely hard to do the click to play to even get flash to run on my device.  The last build where this worked correctly was the 7/28 nightly.

I am currently doing an hg bisect trying to figure out which check-in caused this mess and then have 3 different regression bugs ready to file.
Comment 13 Bill Gianopoulos [:WG9s] 2012-07-31 18:08:20 PDT
(In reply to Bill Gianopoulos [:WG9s] from comment #12)
> Oh also recent builds don't seem to work at all well on honeycomb tablets
> such that on my Samsung Galaxy 8.9 I can not even reliably "click" on links
> because the touch event seems to somehow pick up the wrong coordinates and
> think I clicked on a completely different link.  This makes it extremely
> hard to do the click to play to even get flash to run on my device.  The
> last build where this worked correctly was the 7/28 nightly.
> 
> I am currently doing an hg bisect trying to figure out which check-in caused
> this mess and then have 3 different regression bugs ready to file.

Looks like this was fixed in the 31 July Nightly, so I have abandoned trying to bisect.
Comment 14 Scoobidiver (away) 2012-08-01 03:08:16 PDT
Crashes are back in 17.0a1/20120731.
Comment 15 Naoki Hirata :nhirata (please use needinfo instead of cc) 2012-08-01 09:44:00 PDT
Need to figure out if it's due to specific devices or OS; some devices were unblocked recently.
Comment 16 James Willcox (:snorp) (jwillcox@mozilla.com) 2012-08-01 09:45:50 PDT
(In reply to Naoki Hirata :nhirata from comment #15)
> Need to figure out if it's due to specific devices or OS; some devices were
> unblocked recently.

This particular bug will only occur on Honeycomb, and is not affected by the recent unblock of Tegra 2 Gingerbread/Froyo devices.
Comment 17 Scoobidiver (away) 2012-08-05 05:50:01 PDT
It's #1 top crasher and accounts for 15.7% of all crashes in 15.0b3.
Comment 18 Jeff Gilbert [:jgilbert] 2012-08-06 00:40:42 PDT
Has there been any reduction in crashes since the fix in bug 779019 landed?
Comment 19 Scoobidiver (away) 2012-08-06 01:20:29 PDT
(In reply to Jeff Gilbert [:jgilbert] from comment #18)
> Has there been any reduction in crashes since the fix in bug 779019 landed?
I wouldn't say that:
            crashes   users
2012-07-31:    4        4
2012-08-01:    2        2
2012-08-02:    5        3   <-- bug 779019 lands
2012-08-03:    8        4
2012-08-04:   12        2
Comment 20 Kevin Brosnan [:kbrosnan] 2012-08-13 10:51:16 PDT
Do we have any progress on this bug? There are only 2 betas left in the cycle and I would really prefer to get a fix in beta 5 than 6.
Comment 21 Gabriela [:gaby2300] 2012-08-13 12:57:32 PDT
I couldn't reproduce the bug in the newest beta using Android 3.1 and Galaxy Tab 10.1. I didn't see any rotating ad and the browser did not crash. However, after writing this comment (the above two lines), I went back to the site to try again and I found the browser completely frozen: it wouldn't respond at all, not even after closing it via the task killer several times. It closed, but on reopening the browser the same frozen site was displayed. I had to shut down the tablet and start it up again. I tried several more times and all worked fine: the browser didn't crash, nor did it freeze.
Comment 22 Scoobidiver (away) 2012-08-13 13:40:59 PDT
There are crashes on ICS.
Comment 23 James Willcox (:snorp) (jwillcox@mozilla.com) 2012-08-14 08:21:27 PDT
Created attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android
Comment 24 Brad Lassey [:blassey] (use needinfo?) 2012-08-15 14:29:43 PDT
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

Review of attachment 651779 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/plugins/base/nsNPAPIPluginInstance.cpp
@@ -88,5 @@
>  public:
>    NS_INLINE_DECL_REFCOUNTING(SharedPluginTexture)
>  
> -  SharedPluginTexture() :
> -    mCurrentHandle(0), mNeedNewImage(false), mLock("SharedPluginTexture.mLock")
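
Review bot: the removed initializer list at `SharedPluginTexture() :` carried `mLock("SharedPluginTexture.mLock")` along with the two members being dropped, and the visible context shows no replacement constructor. Confirm that mLock is still constructed with its name after this change and that nothing else in the file still reads mCurrentHandle or mNeedNewImage; keeping a constructor with only the mLock initializer would make that explicit.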

why?
Comment 25 James Willcox (:snorp) (jwillcox@mozilla.com) 2012-08-16 09:49:13 PDT
(In reply to Brad Lassey [:blassey] from comment #24)
> Comment on attachment 651779 [details] [diff] [review]
> Don't double free shared texture handles for Flash on Android
> 
> Review of attachment 651779 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: dom/plugins/base/nsNPAPIPluginInstance.cpp
> @@ -88,5 @@
> >  public:
> >    NS_INLINE_DECL_REFCOUNTING(SharedPluginTexture)
> >  
> > -  SharedPluginTexture() :
> > -    mCurrentHandle(0), mNeedNewImage(false), mLock("SharedPluginTexture.mLock")
> 
> why?

As discussed, I removed mCurrentHandle and mNeedNewImage.
Comment 26 James Willcox (:snorp) (jwillcox@mozilla.com) 2012-08-16 09:49:54 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/12c614d36e0b
Comment 27 Ryan VanderMeulen [:RyanVM] 2012-08-16 17:57:36 PDT
https://hg.mozilla.org/mozilla-central/rev/12c614d36e0b
Comment 28 Robert Kaiser (not working on stability any more) 2012-08-17 07:57:18 PDT
Hmm, one problem we have there is that we want this fix on the next beta that's being built on Tuesday or so, but on trunk we have a rather small audience so it will be hard to confirm that the fix worked.

How fast can we uplift, i.e. is the risk low enough to do that without too much verification by crash stats?
Comment 29 Scoobidiver (away) 2012-08-17 10:49:33 PDT
This bug is one of those that is in each Nightly build so there's no problem to check the fix (if it's built :(). To check potential side effects, a landing in Aurora would be required after one day of simmering in trunk.
Comment 30 Robert Kaiser (not working on stability any more) 2012-08-18 07:12:59 PDT
It has been in builds from the 17th and later, but what I was saying meant that this is at such a low volume in Nightly that it takes multiple days to verify that it's gone and we only have until at most Tuesday to land anything on Beta that should go out with 15, so we are under pressure to get this uplifted.
Comment 31 Robert Kaiser (not working on stability any more) 2012-08-18 09:25:08 PDT
That said, it looks like there's no crashes so far after the 16th (also not for bug 776329), so I think we should go requesting approval and landing this on Aurora and Beta ASAP.
Comment 32 Scoobidiver (away) 2012-08-18 09:51:14 PDT
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #31)
> That said, it looks like there's no crashes so far after the 16th (also not
> for bug 776329)
Because 17.0a1/20120817 doesn't exist (see ftp://ftp.mozilla.org/pub/mobile/nightly/2012-08-17-03-05-55-mozilla-central-android/) so one more day is required.
Comment 33 Robert Kaiser (not working on stability any more) 2012-08-19 07:27:58 PDT
Hrm, strange that 17th had no nightly - but there's one for 18th and 19th, and still so far no crashes with those signatures. :)
Comment 34 James Willcox (:snorp) (jwillcox@mozilla.com) 2012-08-20 11:08:39 PDT
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

[Approval Request Comment]
Low risk, fixes top crash
Comment 35 Lukas Blakk [:lsblakk] use ?needinfo 2012-08-20 11:32:44 PDT
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

Approving for branch uplift since it resolves our top 4 mobile 15 crashers.  Please land before tomorrow's final Beta go to build.
