Closed Bug 904483 Opened 11 years ago Closed 11 years ago

crash in GrTextureStripAtlas::unlockRow

Categories

(Core :: Graphics, defect)

25 Branch
ARM
Android
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla28
blocking-b2g koi+
Tracking Status
firefox24 --- unaffected
firefox25 --- wontfix
firefox26 --- wontfix
firefox27 --- fixed
firefox28 --- fixed
b2g-v1.2 --- fixed

People

(Reporter: scoobidiver, Assigned: gw280)

References

Details

(Keywords: crash, regression, reproducible, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

It first showed up in 25.0a1/20130724222711 but is discontinuous across builds.

Signature 	GrTextureStripAtlas::unlockRow(int) More Reports Search
UUID 	e9af271a-4942-432e-9694-247d32130813
Date Processed	2013-08-13 00:03:50.380619
Uptime	36
Last Crash	58 seconds before submission
Install Age 	176 since version was first installed.
Install Time 	2013-08-13 00:00:27
Product 	FennecAndroid
Version 	26.0a1
Build ID 	20130812030209
Release Channel 	nightly
OS 	Android
OS Version 	0.0.0 Linux 3.0.31-950286 #2 SMP PREEMPT Thu Feb 14 18:33:54 KST 2013 armv7l samsung/codinatmo/codin
Build Architecture 	arm
Build Architecture Info 	ARMv0 | 2
Crash Reason 	SIGSEGV
Crash Address 	0x4
App Notes 	
AdapterDescription: 'ARM -- Mali-400 MP -- OpenGL ES 2.0 -- Model: SGH-T599, Product: codinatmo, Manufacturer: samsung, Hardware: samsungcodina'
GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ Stagefright? Stagefright+ 
samsung SGH-T599
samsung/codinatmo/codinatmo:4.1.2/JZO54K/T599UVAMB5:user/release-keys

Frame 	Module 	Signature 	Source
0 	libxul.so 	GrTextureStripAtlas::unlockRow(int) 	gfx/skia/src/gpu/effects/GrTextureStripAtlas.cpp
1 	libxul.so 	GrGradientEffect::~GrGradientEffect() 	gfx/skia/src/effects/gradients/SkGradientShader.cpp
2 	libxul.so 	GrLinearGradient::~GrLinearGradient() 	gfx/skia/src/effects/gradients/SkLinearGradient.cpp
3 	libxul.so 	GrLinearGradient::~GrLinearGradient() 	gfx/skia/src/effects/gradients/SkLinearGradient.cpp
4 	libxul.so 	DeleteCompiler(TCompiler*) 	gfx/angle/src/compiler/CodeGenGLSL.cpp
5 	libxul.so 	GrEffectRef::~GrEffectRef() 	gfx/skia/include/core/SkRefCnt.h
6 	libxul.so 	GrEffectRef::~GrEffectRef() 	gfx/skia/src/gpu/GrEffect.cpp
7 	libxul.so 	DeleteCompiler(TCompiler*) 	gfx/angle/src/compiler/CodeGenGLSL.cpp
8 	libxul.so 	SkPixelRef::globalUnref() 	gfx/skia/include/core/SkRefCnt.h
9 	libxul.so 	GrEffectStage::setEffect(GrEffectRef const*) 	gfx/skia/include/gpu/GrEffectStage.h
10 	libxul.so 	GrDrawState::disableStages() 	gfx/skia/src/gpu/GrDrawState.h
11 	libxul.so 	GrDrawState::~GrDrawState() 	gfx/skia/src/gpu/GrDrawState.h
12 	libxul.so 	GrInOrderDrawBuffer::flush() 	gfx/skia/src/gpu/GrInOrderDrawBuffer.cpp
13 	libxul.so 	GrContext::flush(int) 	gfx/skia/src/gpu/GrContext.cpp
14 	libxul.so 	GrContext::~GrContext() 	gfx/skia/src/gpu/GrContext.cpp
15 	libxul.so 	GrContext::~GrContext() 	gfx/skia/src/gpu/GrContext.cpp
16 	libxul.so 	DeleteCompiler(TCompiler*) 	gfx/angle/src/compiler/CodeGenGLSL.cpp
17 	libxul.so 	SkPixelRef::globalUnref() 	gfx/skia/include/core/SkRefCnt.h
18 	libxul.so 	mozilla::gfx::DrawTargetSkia::~DrawTargetSkia() 	obj-firefox/dist/include/skia/SkRefCnt.h
19 	libxul.so 	mozilla::gfx::DrawTargetSkia::~DrawTargetSkia() 	gfx/2d/DrawTargetSkia.cpp
20 	libxul.so 	mozilla::detail::RefCounted<imgDecoderObserver, (mozilla::detail::RefCountAtomicity)1>::Release() 	obj-firefox/dist/include/mozilla/RefPtr.h
21 	libxul.so 	mozilla::RefPtr<mozilla::gfx::DrawTarget>::assign(mozilla::gfx::DrawTarget*) 	obj-firefox/dist/include/mozilla/RefPtr.h
22 	libxul.so 	mozilla::dom::CanvasRenderingContext2D::Reset() 	obj-firefox/dist/include/mozilla/RefPtr.h
23 	libxul.so 	mozilla::dom::CanvasRenderingContext2D::ClearTarget() 	content/canvas/src/CanvasRenderingContext2D.cpp
24 	libxul.so 	mozilla::dom::CanvasRenderingContext2D::SetDimensions(int, int) 	content/canvas/src/CanvasRenderingContext2D.cpp
25 	libxul.so 	mozilla::dom::HTMLCanvasElement::UpdateContext(JSContext*, JS::Handle<JS::Value>) 	content/html/content/src/HTMLCanvasElement.cpp
26 	libxul.so 	mozilla::dom::Element::SetAttr(int, nsIAtom*, nsAString_internal const&, bool) 	obj-firefox/dist/include/mozilla/dom/Element.h
27 	libxul.so 	nsGenericHTMLElement::SetHTMLAttr(nsIAtom*, nsAString_internal const&, mozilla::ErrorResult&) 	content/html/content/src/nsGenericHTMLElement.h
28 	libxul.so 	nsGenericHTMLElement::SetUnsignedIntAttr(nsIAtom*, unsigned int, mozilla::ErrorResult&) 	content/html/content/src/nsGenericHTMLElement.h
29 	libxul.so 	mozilla::dom::HTMLCanvasElementBinding::set_width 	obj-firefox/dist/include/mozilla/dom/HTMLCanvasElement.h
30 	libxul.so 	mozilla::dom::HTMLCanvasElementBinding::genericSetter 	obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp
31 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
32 	libxul.so 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
33 	libxul.so 	js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
34 	libxul.so 	js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) 	js/src/vm/Shape-inl.h
35 	libxul.so 	js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<int>, unsigned int, JS::MutableHandle<JS::Value>, bool) 	js/src/jsobj.cpp
36 	libxul.so 	bool js::SetProperty<false>(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, JS::Value const&) 	js/src/jsobj.h
37 	libxul.so 	js::ion::DoSetPropFallback 	js/src/jit/BaselineIC.cpp
38 		@0x535fc5de

More reports at:
https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=GrTextureStripAtlas%3A%3AunlockRow%28int%29
This should be fixed by the patch from upstream https://codereview.chromium.org/33203002/. I will prepare it and test it.
Attached patch grcontext.patchSplinter Review
Fix an out of order GrContext destruction bug. Taken directly from https://codereview.chromium.org/33203002/
Attachment #8338160 - Flags: review?(snorp)
Attachment #8338160 - Flags: review?(snorp) → review?(matt.woodrow)
Attachment #8338160 - Flags: review?(matt.woodrow) → review+
See the dupe - this blocks a target partner app.
blocking-b2g: --- → koi?
Keywords: reproducible
blocking-b2g: koi? → koi+
https://hg.mozilla.org/mozilla-central/rev/2d96212a0921
Assignee: nobody → gwright
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Flags: needinfo?(gwright)
I would say yes, because it fixes a relatively common crasher and the risk is minimal.
Flags: needinfo?(gwright)
Comment on attachment 8338160 [details] [diff] [review]
grcontext.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 848491
User impact if declined: Browser can crash when using <canvas>
Testing completed (on m-c, etc.): m-c full test run
Risk to taking this patch (and alternatives if risky): Very low
String or IDL/UUID changes made by this patch: None
Attachment #8338160 - Flags: approval-mozilla-aurora?
Attachment #8338160 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Ivan, Vance, could you check with ZTE and TCL to make sure they have this in their 1.2 builds please?
Flags: needinfo?(vchang)
Flags: needinfo?(itsay)
Hi Naoki,

Please see my email for the information. Thanks.
Flags: needinfo?(itsay)
Clear the needinfo, I don't think it's for me.
Flags: needinfo?(vchang)
(In reply to Naoki Hirata :nhirata (please use needinfo instead of cc) from comment #12)
> Ivan, Vance, could you check with ZTE and TCL to make sure they have this in
> their 1.2 builds please?

Hi Vance,

I think Naoki meant to ni? you in this bug.
Flags: needinfo?(vchen)
remove my ni since TCL won't have any 1.2 devices
Flags: needinfo?(vchen)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: