
crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and above

VERIFIED FIXED in Firefox 15

Status

()

Core
Graphics: Layers
--
critical
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: Scoobidiver (away), Assigned: snorp)

Tracking

({crash, regression, topcrash})

15 Branch
mozilla17
ARM
Android
crash, regression, topcrash

Firefox Tracking Flags

(firefox15+ fixed, firefox16+ fixed, firefox17 verified)

Details

(Whiteboard: [Testday 20120727][native-crash], crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
It first appeared in 17.0a1/20120721041038. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3a05d298599e&tochange=446b788ab99d
It's likely a regression from bug 687267.

Signature 	arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper
UUID	7f5a0132-f186-451f-9f2e-cf5232120721
Date Processed	2012-07-21 13:30:50
Uptime	112
Last Crash	2.0 minutes before submission
Install Age	39.2 minutes since version was first installed.
Install Time	2012-07-21 12:51:26
Product	FennecAndroid
Version	17.0a1
Build ID	20120721041038
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.36.3 #1 SMP PREEMPT Thu Dec 1 09:13:52 KST 2011 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra -- OpenGL ES 2.0 -- Model: GT-P7500, Product: GT-P7500, Manufacturer: samsung, Hardware: p3'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
samsung GT-P7500
samsung/GT-P7500/GT-P7500:3.2/HTJ85B/UBKL1:user/release-keys
EMCheckCompatibility	True
Adapter Vendor ID	NVIDIA Corporation
Adapter Device ID	NVIDIA Tegra

Frame 	Module 	Signature 	Source
0 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4634
1 	libmozglue.so 	__wrap_free 	memory/mozjemalloc/jemalloc.c:6565
2 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:48
3 	libxul.so 	mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper 	mozalloc.h:224
4 	libxul.so 	mozilla::gl::GLContextEGL::ReleaseSharedHandle 	gfx/gl/GLContextProviderEGL.cpp:979
5 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Swap 	gfx/layers/opengl/ImageLayerOGL.cpp:783
6 	libxul.so 	mozilla::layers::ShadowLayersParent::RecvUpdate 	gfx/layers/ipc/ShadowLayersParent.cpp:395
7 	libxul.so 	mozilla::layers::PLayersParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PLayersParent.cpp:431
8 	libxul.so 	mozilla::layers::PCompositorParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PCompositorParent.cpp:341
9 	libxul.so 	mozilla::ipc::SyncChannel::OnDispatchMessage 	ipc/glue/SyncChannel.cpp:143
10 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:400
11 	libxul.so 	RunnableMethod<mozilla::ipc::RPCChannel, bool , Tuple0>::Run 	ipc/chromium/src/base/tuple.h:383
12 	libxul.so 	mozilla::ipc::RPCChannel::DequeueTask::Run 	RPCChannel.h:430
13 	libxul.so 	MessageLoop::RunTask 	ipc/chromium/src/base/message_loop.cc:326
14 	libxul.so 	MessageLoop::DeferOrRunPendingTask 	ipc/chromium/src/base/message_loop.cc:334
15 	libxul.so 	MessageLoop::DoWork 	ipc/chromium/src/base/message_loop.cc:434
16 	libxul.so 	base::MessagePumpDefault::Run 	ipc/chromium/src/base/message_pump_default.cc:23
17 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
18 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
19 	libxul.so 	base::Thread::ThreadMain 	ipc/chromium/src/base/thread.cc:156
20 	libxul.so 	ThreadFunc 	ipc/chromium/src/base/platform_thread_posix.cc:31
21 	libc.so 	__thread_entry 	
22 	libc.so 	pthread_create

More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+__wrap_free+|+moz_free+|+mozilla%3A%3Agl%3A%3AEGLTextureWrapper%3A%3A~EGLTextureWrapper
(Reporter)

Comment 1

5 years ago
There's a slightly different stack trace with the same signature:
Frame 	Module 	Signature 	Source
0 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4634
1 	libmozglue.so 	__wrap_free 	memory/mozjemalloc/jemalloc.c:6565
2 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:48
3 	libxul.so 	mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper 	mozalloc.h:224
4 	libxul.so 	mozilla::gl::GLContextEGL::ReleaseSharedHandle 	gfx/gl/GLContextProviderEGL.cpp:979
5 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::CleanupResources 	gfx/layers/opengl/ImageLayerOGL.cpp:1015
6 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Destroy 	gfx/layers/opengl/ImageLayerOGL.cpp:818
7 	libxul.so 	mozilla::layers::ShadowImageLayerOGL::Disconnect 	gfx/layers/opengl/ImageLayerOGL.cpp:810
8 	libxul.so 	mozilla::layers::ShadowLayerParent::ActorDestroy 	gfx/layers/ipc/ShadowLayerParent.cpp:60
9 	libxul.so 	mozilla::layers::PLayerParent::DestroySubtree 	obj-firefox/ipc/ipdl/PLayerParent.cpp:315
10 	libxul.so 	mozilla::layers::PLayerParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PLayerParent.cpp:170
11 	libxul.so 	mozilla::layers::PCompositorParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PCompositorParent.cpp:291
12 	libxul.so 	mozilla::ipc::AsyncChannel::OnDispatchMessage 	ipc/glue/AsyncChannel.cpp:473
13 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:402
...

More reports also at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Alayers%3A%3AShadowImageLayerOGL%3A%3ASwap
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agl%3A%3AGLContextEGL%3A%3AReleaseSharedHandle
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle]
(Reporter)

Updated

5 years ago
Whiteboard: [native-crash]
(Reporter)

Comment 2

5 years ago
More reports at:
https://crash-stats.mozilla.com/report/list?signature=arena_dalloc+|+__wrap_free+|+JS_DHashFreeTable
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle]
Summary: crash in mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper on Honeycomb → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb
(Reporter)

Updated

5 years ago
Summary: crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and JB
I just experienced this crash signature with Mobile 15b2 on Galaxy Tab 10.1
Go to http://www.channelfireball.com/articles/channel-conley-avr-draft-7/

Click on one of the videos. They are each preceded by a video ad.
There is a rotating ad for Lexus that seems to cause this crash when it completes. The other ads do not.

Comment 5

5 years ago
I can reproduce the bug in the same site using Firefox Beta and Galaxy Tab 10.1. I don't see any rotating ad though.

Crash IDs

bp-8fe9a00b-fd6e-449c-a8c3-cbae62120728

bp-9710b8e2-1b25-483c-a890-4db8d2120728

Updated

5 years ago
Whiteboard: [native-crash] → [Testday 20120727][native-crash]
(Reporter)

Comment 6

5 years ago
With combined signatures, it's #2 top crasher in 15.0b2 and #4 in 16.0a2 over the last 3 days.
tracking-fennec: --- → ?
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ mozilla::layers::ShadowImageLayerOGL::Swap] [@ mozilla::gl::GLContextEGL::ReleaseSharedHandle] → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifica…
tracking-firefox15: --- → ?
tracking-firefox16: --- → ?
Keywords: topcrash
Version: 17 Branch → 15 Branch
(Reporter)

Updated

5 years ago
Keywords: reproducible
(Reporter)

Updated

5 years ago
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifica… → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifica…
(Reporter)

Updated

5 years ago
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifica… → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper ] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable ] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifi…

Comment 7

5 years ago
Brad - do you know who would be in the best position to take a look at this for 15 release?
Assignee: nobody → blassey.bugs
tracking-firefox15: ? → +
tracking-firefox16: ? → +
I got this crash on the Asus TF101, using Honeycomb and the latest Aurora build with plugins enabled, then going to http://people.mozilla.org/~mwargers/tests/plugins/flash/crashwinopencloseembedsrc.html
And then tapping on the button.
(Reporter)

Comment 9

5 years ago
There are no crashes after 17.0a1/20120728. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2abd21593e57&tochange=29bff59d3bbe
Can someone who is able to reproduce it narrow down the working range?
status-firefox15: --- → affected
status-firefox16: --- → affected
status-firefox17: --- → unaffected
Whiteboard: [Testday 20120727][native-crash] → [Testday 20120727][native-crash][workingwindow-wanted]
Assignee: blassey.bugs → snorp
(In reply to Scoobidiver from comment #9)
> There are no crashes after 17.0a1/20120728. The working range is:
> http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2abd21593e57&tochange=29bff59d3bbe
> Can someone who is able to reproduce it narrow down the working range?

I think it's likely the bug is not fixed, but rather there just hasn't been enough activity on Honeycomb to create the crash.
It is also possible that the site listed earlier in the bug may have changed what ads display so that the Lexus ad that triggered this from that site is no longer in the mix.
Oh also recent builds don't seem to work at all well on Honeycomb tablets such that on my Samsung Galaxy 8.9 I can not even reliably "click" on links because the touch event seems to somehow pick up the wrong coordinates and think I clicked on a completely different link. This makes it extremely hard to do the click to play to even get Flash to run on my device. The last build where this worked correctly was the 7/28 nightly.

I am currently doing an hg bisect trying to figure out which check-in caused this mess and then have 3 different regression bugs ready to file.
(In reply to Bill Gianopoulos [:WG9s] from comment #12)
> Oh also recent builds don't seem to work at all well on Honeycomb tablets
> such that on my Samsung Galaxy 8.9 I can not even reliably "click" on links
> because the touch event seems to somehow pick up the wrong coordinates and
> think I clicked on a completely different link. This makes it extremely
> hard to do the click to play to even get Flash to run on my device. The
> last build where this worked correctly was the 7/28 nightly.
> 
> I am currently doing an hg bisect trying to figure out which check-in caused
> this mess and then have 3 different regression bugs ready to file.

Looks like this was fixed in the 31 July Nightly, so I have abandoned trying to bisect.
(Reporter)

Comment 14

5 years ago
Crashes are back in 17.0a1/20120731.
status-firefox17: unaffected → affected
Whiteboard: [Testday 20120727][native-crash][workingwindow-wanted] → [Testday 20120727][native-crash]
Need to figure out if it's due to specific devices or OS; some devices were unblocked recently.
(In reply to Naoki Hirata :nhirata from comment #15)
> Need to figure out if it's due to specific devices or OS; some devices were
> unblocked recently.

This particular bug will only occur on Honeycomb, and is not affected by the recent unblock of Tegra 2 Gingerbread/Froyo devices.
(Reporter)

Updated

5 years ago
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper ] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable ] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifi… → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper ] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable ] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifi…
(Reporter)

Comment 17

5 years ago
It's #1 top crasher and accounts for 15.7% of all crashes in 15.0b3.
Has there been any reduction in crashes since the fix in bug 779019 landed?
(Reporter)

Comment 19

5 years ago
(In reply to Jeff Gilbert [:jgilbert] from comment #18)
> Has there been any reduction in crashes since the fix in bug 779019 landed?
I wouldn't say that:
            crashes   users
2012-07-31:    4        4
2012-08-01:    2        2
2012-08-02:    5        3   <-- bug 779019 lands
2012-08-03:    8        4
2012-08-04:   12        2
Crash Signature: [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper ] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable ] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifi… → [@ arena_dalloc | __wrap_free | moz_free | mozilla::gl::EGLTextureWrapper::~EGLTextureWrapper ] [@ arena_dalloc | __wrap_free | JS_DHashFreeTable ] [@ arena_dalloc | __wrap_free | moz_free | TNotification<nsCaretAccessible nsISelection>::~TNotifi…
Do we have any progress on this bug? There are only 2 betas left in the cycle and I would really prefer to get a fix in beta 5 than 6.
I couldn't reproduce the bug in the newest beta using Android 3.1 and Galaxy Tab 10.1. I didn't see any rotating ad and the browser did not crash. However, after writing this comment (the above two lines), I went back to the site to try again and I found the browser completely frozen: it wouldn't respond at all, not even after closing it via the task killer several times. It closed, but on reopening the browser the same frozen site was displayed. I had to shut down the tablet and start it up again. I tried several more times and all worked fine: the browser didn't crash, nor did it freeze.
(Reporter)

Comment 22

5 years ago
There are crashes on ICS.
Keywords: reproducible
Summary: crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and JB → crash in mozilla::gl::GLContextEGL::ReleaseSharedHandle on Honeycomb and above
Created attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android
Attachment #651779 - Flags: review?(blassey.bugs)
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

Review of attachment 651779 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/plugins/base/nsNPAPIPluginInstance.cpp
@@ -88,5 @@
>  public:
>    NS_INLINE_DECL_REFCOUNTING(SharedPluginTexture)
>  
> -  SharedPluginTexture() :
> -    mCurrentHandle(0), mNeedNewImage(false), mLock("SharedPluginTexture.mLock")
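
Review bot: the two removed lines at the end of this hunk delete the constructor together with its whole initializer list, including mLock("SharedPluginTexture.mLock"), and the excerpt ends before showing what replaces it. If the class keeps mLock, it still needs a constructor that constructs the lock with its name; and with mCurrentHandle(0) and mNeedNewImage(false) gone, those members should either be removed from the class in the same patch or keep an explicit initial value, so that no remaining reader sees an uninitialized handle. A one-line note in the patch description saying which of the two applies would answer this without a round trip.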

why?
Attachment #651779 - Flags: review?(blassey.bugs) → review+
(In reply to Brad Lassey [:blassey] from comment #24)
> Comment on attachment 651779 [details] [diff] [review]
> Don't double free shared texture handles for Flash on Android
> 
> Review of attachment 651779 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: dom/plugins/base/nsNPAPIPluginInstance.cpp
> @@ -88,5 @@
> >  public:
> >    NS_INLINE_DECL_REFCOUNTING(SharedPluginTexture)
> >  
> > -  SharedPluginTexture() :
> > -    mCurrentHandle(0), mNeedNewImage(false), mLock("SharedPluginTexture.mLock")
> 
> why?

As discussed, I removed mCurrentHandle and mNeedNewImage.
https://hg.mozilla.org/integration/mozilla-inbound/rev/12c614d36e0b
https://hg.mozilla.org/mozilla-central/rev/12c614d36e0b
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Blocks: 776329
(Reporter)

Updated

5 years ago
status-firefox17: affected → fixed

Comment 28

5 years ago
Hmm, one problem we have there is that we want this fix on the next beta that's being built on Tuesday or so, but on trunk we have a rather small audience so it will be hard to confirm that the fix worked.

How fast can we uplift, i.e. is the risk low enough to do that without too much verification by crash stats?
(Reporter)

Comment 29

5 years ago
This bug is one of those that is in each Nightly build so there's no problem to check the fix (if it's built :(). To check potential side effects, a landing in Aurora would be required after one day of simmering in trunk.

Comment 30

5 years ago
It has been in builds from the 17th and later, but what I was saying meant that this is at such a low volume in Nightly that it takes multiple days to verify that it's gone and we only have until at most Tuesday to land anything on Beta that should go out with 15, so we are under pressure to get this uplifted.

Comment 31

5 years ago
That said, it looks like there's no crashes so far after the 16th (also not for bug 776329), so I think we should go requesting approval and landing this on Aurora and Beta ASAP.
(Reporter)

Comment 32

5 years ago
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #31)
> That said, it looks like there's no crashes so far after the 16th (also not
> for bug 776329)
Because 17.0a1/20120817 doesn't exist (see ftp://ftp.mozilla.org/pub/mobile/nightly/2012-08-17-03-05-55-mozilla-central-android/) so one more day is required.

Comment 33

5 years ago
Hrm, strange that 17th had no nightly - but there's one for 18th and 19th, and still so far no crashes with those signatures. :)
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
status-firefox17: fixed → verified
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

[Approval Request Comment]
Low risk, fixes top crash
Attachment #651779 - Flags: approval-mozilla-beta?
Attachment #651779 - Flags: approval-mozilla-aurora?
Comment on attachment 651779 [details] [diff] [review]
Don't double free shared texture handles for Flash on Android

Approving for branch uplift since it resolves our top 4 mobile 15 crashers.  Please land before tomorrow's final Beta go to build.
Attachment #651779 - Flags: approval-mozilla-beta?
Attachment #651779 - Flags: approval-mozilla-beta+
Attachment #651779 - Flags: approval-mozilla-aurora?
Attachment #651779 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-beta/rev/b244e09137cc
https://hg.mozilla.org/releases/mozilla-aurora/rev/1a741adbdcd3
status-firefox15: affected → fixed
status-firefox16: affected → fixed
tracking-fennec: ? → ---