Firefox goes away when running webgl shaders on htc one

Status: NEW
Assignee: Unassigned
Product: Core
Component: Canvas: WebGL
Version: Trunk
Platform: ARM, Android
Reporter: mjrosenb
Attachments: 1

(Reporter)

Description

4 years ago
Created attachment 814257
output of adb logcat from around when firefox went away.

Note: I can only assume that Firefox is actually crashing; however, it never displays the crash reporter, so the exact cause is a bit of a mystery. I've verified that it works on several consecutive nightlies, and it also reproduces with the Firefox currently in the Play Store. My phone is still running Android 4.1.2, HTC Sense 5, and according to Wikipedia, it has a Qualcomm Snapdragon 600 APQ8064, which comes with an Adreno 320.

Comment 1

Which URL are you testing with? There's nothing really caught in that log.
(Reporter)

Comment 2

4 years ago
http://glsl.heroku.com/e#11388.3
Bugzilla should really make the 'url' field more obvious. I've missed it sooo many times.
Component: Graphics, Panning and Zooming → Canvas: WebGL
Product: Firefox for Android → Core
Version: Firefox 24 → Trunk

Comment 3

What could be of help here is a stack trace + registers, to at least evaluate security implications.
(Reporter)

Comment 4

4 years ago
Well, I got it under gdb. One time when I ran it, I got a segv with this backtrace:
#0  0x75d028f8 in mozilla::LinkedList<mozilla::image::DiscardTracker::Node>::~LinkedList (
    this=0x7a0580e0 <mozilla::image::DiscardTracker::sDiscardableImages>, __in_chrg=<optimized out>) at ../../dist/include/mozilla/LinkedList.h:304
#1  0x6aeb3946 in ElfLoader::DestructorCaller::Call (this=0x6b108878) at /home/mjrosenb/src/central/central/mozglue/linker/ElfLoader.cpp:528
#2  0x6aeb38a6 in ElfLoader::__wrap_cxa_finalize (dso_handle=0x79fc9000 <__dso_handle>) at /home/mjrosenb/src/central/central/mozglue/linker/ElfLoader.cpp:517
#3  0x6aeaf57a in CustomElf::CallFunction (this=0x6b143100, ptr=0x75887294 <__on_dlclose>)
    at /home/mjrosenb/src/central/central/mozglue/linker/CustomElf.h:146
#4  0x6aeaee3c in CustomElf::CallFini (this=0x6b143100) at /home/mjrosenb/src/central/central/mozglue/linker/CustomElf.cpp:750
#5  0x6aead718 in CustomElf::~CustomElf (this=0x6b143100, __in_chrg=<optimized out>) at /home/mjrosenb/src/central/central/mozglue/linker/CustomElf.cpp:223
#6  0x6aead79a in CustomElf::~CustomElf (this=0x6b143100, __in_chrg=<optimized out>) at /home/mjrosenb/src/central/central/mozglue/linker/CustomElf.cpp:229
#7  0x6aeaf36a in mozilla::detail::RefCounted<LibHandle, (mozilla::detail::RefCountAtomicity)0>::Release (this=0x6b143104)
    at /home/mjrosenb/src/central/central/mozglue/linker/ElfLoader.h:231
#8  0x6aeb4ae4 in LibHandle::ReleaseDirectRef (this=0x6b143100) at /home/mjrosenb/src/central/central/mozglue/linker/ElfLoader.h:153
#9  0x6aeb3598 in ElfLoader::~ElfLoader (this=0x6af26478 <ElfLoader::Singleton>, __in_chrg=<optimized out>)
    at /home/mjrosenb/src/central/central/mozglue/linker/ElfLoader.cpp:456
#10 0x4022647a in __cxa_finalize () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libc.so
#11 0x402267ae in exit () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libc.so
#12 0x6b5834e8 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#13 0x6b684eca in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#14 0x6b7c9e90 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#15 0x6b7cb674 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#16 0x6b7ca398 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#17 0x6b6b7310 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#18 0x6b7cad30 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#19 0x6b6907e6 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#20 0x6b5cb69e in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#21 0x6b5cb786 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#22 0x6b5cb844 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#23 0x6b76f0e2 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#24 0x6b55d54c in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#25 0x6b5542fc in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#26 0x6b4f9c02 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#27 0x6b4f9cf4 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#28 0x6b4fa00c in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#29 0x6b4ef2f4 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#30 0x6b4f0eec in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#31 0x6b4f07c6 in ?? () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#32 0x6b4f22aa in __link_shaders () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#33 0x6b05ee60 in ?? ()
#34 0x6b05ee60 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Not the most useful backtrace, but it would appear as if we're calling exit directly (on some code path).
I set a breakpoint on __link_shaders, and just printed out a backtrace when we hit it the last time before Firefox went away. This is what I got:
#0  0x6b4f218c in __link_shaders () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libsc-a3xx.so
#1  0x6b05ee60 in qgl2DrvAPI_glLinkProgram () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libGLESv2_adreno200.so
#2  0x6b04d9bc in glLinkProgram () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libGLESv2_adreno200.so
#3  0x762c0f1c in mozilla::gl::GLContext::fLinkProgram (this=0x845c4000, program=4) at ../../../dist/include/GLContext.h:1253
#4  0x762b9cd2 in mozilla::WebGLContext::LinkProgram (this=0x7ea7ebb0, program=0x83909040)
    at /home/mjrosenb/src/central/central/content/canvas/src/WebGLContextGL.cpp:2029
#5  0x7779734c in mozilla::dom::WebGLRenderingContextBinding::linkProgram (cx=0x828fc4b0, obj=..., self=0x7ea7ebb0, args=...)
    at /home/mjrosenb/src/central/central/objs/android-dbg/dom/bindings/WebGLRenderingContextBinding.cpp:8812
#6  0x777a01b6 in mozilla::dom::WebGLRenderingContextBinding::genericMethod (cx=0x828fc4b0, argc=1, vp=0x7f733320)
    at /home/mjrosenb/src/central/central/objs/android-dbg/dom/bindings/WebGLRenderingContextBinding.cpp:11831
#7  0x7852a778 in js::CallJSNative (cx=0x828fc4b0, 
    native=0x777a0051 <mozilla::dom::WebGLRenderingContextBinding::genericMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at ../../../../js/src/jscntxtinlines.h:218
#8  0x78516628 in js::Invoke (cx=0x828fc4b0, args=..., construct=js::NO_CONSTRUCT) at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:460
#9  0x7851eb78 in Interpret (cx=0x828fc4b0, state=...) at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:2462
#10 0x7851632a in js::RunScript (cx=0x828fc4b0, state=...) at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:417
#11 0x78516718 in js::Invoke (cx=0x828fc4b0, args=..., construct=js::NO_CONSTRUCT) at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:479
#12 0x786ded62 in js_fun_apply (cx=0x828fc4b0, argc=2, vp=0x7f733210) at /home/mjrosenb/src/central/central/js/src/jsfun.cpp:1030
#13 0x7852a778 in js::CallJSNative (cx=0x828fc4b0, native=0x786de66d <js_fun_apply(JSContext*, unsigned int, JS::Value*)>, args=...)
    at ../../../../js/src/jscntxtinlines.h:218
#14 0x78516628 in js::Invoke (cx=0x828fc4b0, args=..., construct=js::NO_CONSTRUCT) at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:460
#15 0x7851eb78 in Interpret (cx=0x828fc4b0, state=...) at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:2462
#16 0x7851632a in js::RunScript (cx=0x828fc4b0, state=...) at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:417
#17 0x78516718 in js::Invoke (cx=0x828fc4b0, args=..., construct=js::NO_CONSTRUCT) at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:479
#18 0x78516926 in js::Invoke (cx=0x828fc4b0, thisv=..., fval=..., argc=1, argv=0x6d35ee10, rval=...)
    at /home/mjrosenb/src/central/central/js/src/vm/Interpreter.cpp:510
#19 0x78686d30 in JS_CallFunctionValue (cx=0x828fc4b0, objArg=0x7f6aff70, fval=..., argc=1, argv=0x6d35ee10, rval=0x6d35ee98)
    at /home/mjrosenb/src/central/central/js/src/jsapi.cpp:5125
#20 0x7748cdba in mozilla::dom::EventHandlerNonNull::Call (this=0x88dd3cd0, cx=0x828fc4b0, aThisObj=..., event=..., aRv=...)
    at /home/mjrosenb/src/central/central/objs/android-dbg/dom/bindings/EventHandlerBinding.cpp:37
#21 0x7679083e in mozilla::dom::EventHandlerNonNull::Call<nsISupports*> (this=0x88dd3cd0, thisObj=@0x836512cc: 0x835c0620, event=..., aRv=..., 
    aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions) at ../../../dist/include/mozilla/dom/EventHandlerBinding.h:59
#22 0x7678f5d6 in nsJSEventListener::HandleEvent (this=0x836512c0, aEvent=0x7eeedee0)
    at /home/mjrosenb/src/central/central/dom/src/events/nsJSEventListener.cpp:247
#23 0x7635ee16 in nsEventListenerManager::HandleEventSubType (this=0x850b3880, aListenerStruct=0x850b38a0, aListener=..., aDOMEvent=0x7eeedee0, 
    aCurrentTarget=0x835c0620, aPusher=0x6d35f2d0) at /home/mjrosenb/src/central/central/content/events/src/nsEventListenerManager.cpp:955
#24 0x7635f002 in nsEventListenerManager::HandleEventInternal (this=0x850b3880, aPresContext=0x0, aEvent=0x82005100, aDOMEvent=0x6d35f310, 
    aCurrentTarget=0x835c0620, aEventStatus=0x6d35f314, aPusher=0x6d35f2d0)
    at /home/mjrosenb/src/central/central/content/events/src/nsEventListenerManager.cpp:1029
#25 0x7635a310 in nsEventListenerManager::HandleEvent (this=0x850b3880, aPresContext=0x0, aEvent=0x82005100, aDOMEvent=0x6d35f310, aCurrentTarget=0x835c0620, 
    aEventStatus=0x6d35f314, aPusher=0x6d35f2d0) at /home/mjrosenb/src/central/central/content/events/src/nsEventListenerManager.h:326
#26 0x7635a884 in nsEventTargetChainItem::HandleEvent (this=0x82475008, aVisitor=..., aCd=..., aPusher=0x6d35f2d0)
    at /home/mjrosenb/src/central/central/content/events/src/nsEventDispatcher.cpp:198
#27 0x7635840c in nsEventTargetChainItem::HandleEventTargetChain (aChain=..., aVisitor=..., aCallback=0x0, aCd=..., aPusher=0x6d35f2d0)
    at /home/mjrosenb/src/central/central/content/events/src/nsEventDispatcher.cpp:293
#28 0x76359416 in nsEventDispatcher::Dispatch (aTarget=0x835c0620, aPresContext=0x0, aEvent=0x82005100, aDOMEvent=0x7eeedee0, aEventStatus=0x0, 
    aCallback=0x0, aTargets=0x0) at /home/mjrosenb/src/central/central/content/events/src/nsEventDispatcher.cpp:610
#29 0x76359658 in nsEventDispatcher::DispatchDOMEvent (aTarget=0x835c0620, aEvent=0x0, aDOMEvent=0x7eeedee0, aPresContext=0x0, aEventStatus=0x0)
    at /home/mjrosenb/src/central/central/content/events/src/nsEventDispatcher.cpp:674
#30 0x7633cda8 in nsDOMEventTargetHelper::DispatchDOMEvent (this=0x835c0620, aEvent=0x0, aDOMEvent=0x7eeedee0, aPresContext=0x0, aEventStatus=0x0)
    at /home/mjrosenb/src/central/central/content/events/src/nsDOMEventTargetHelper.cpp:318
#31 0x762858e0 in nsXHREventTarget::DispatchDOMEvent (this=0x835c0620, aEvent=0x0, aDOMEvent=0x7eeedee0, aPresContext=0x0, aEventStatus=0x0)
    at /home/mjrosenb/src/central/central/content/base/src/nsXMLHttpRequest.h:114
#32 0x76286630 in nsXMLHttpRequest::DispatchDOMEvent (this=0x835c0620, aEvent=0x0, aDOMEvent=0x7eeedee0, aPresContext=0x0, aEventStatus=0x0)
    at /home/mjrosenb/src/central/central/content/base/src/nsXMLHttpRequest.h:272
#33 0x76282ed2 in nsXMLHttpRequest::ChangeState (this=0x835c0620, aState=16, aBroadcast=true)
    at /home/mjrosenb/src/central/central/content/base/src/nsXMLHttpRequest.cpp:3285
#34 0x7627f1d6 in nsXMLHttpRequest::ChangeStateToDone (this=0x835c0620) at /home/mjrosenb/src/central/central/content/base/src/nsXMLHttpRequest.cpp:2201
#35 0x7627f012 in nsXMLHttpRequest::OnStopRequest (this=0x835c0620, request=0x83640834, ctxt=0x0, status=NS_OK)
    at /home/mjrosenb/src/central/central/content/base/src/nsXMLHttpRequest.cpp:2168
#36 0x76187e06 in nsCORSListenerProxy::OnStopRequest (this=0x83647e70, aRequest=0x83640834, aContext=0x0, aStatusCode=NS_OK)
    at /home/mjrosenb/src/central/central/content/base/src/nsCrossSiteListenerProxy.cpp:577
#37 0x75a6b6f4 in nsHTTPCompressConv::OnStopRequest (this=0x81c9be80, request=0x83640834, aContext=0x0, aStatus=NS_OK)
    at /home/mjrosenb/src/central/central/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:91
#38 0x75a3fd16 in nsStreamListenerTee::OnStopRequest (this=0x81c1c7c0, request=0x83640834, context=0x0, status=NS_OK)
    at /home/mjrosenb/src/central/central/netwerk/base/src/nsStreamListenerTee.cpp:53
#39 0x75b605de in mozilla::net::nsHttpChannel::OnStopRequest (this=0x83640800, request=0x828aa040, ctxt=0x0, status=NS_OK)
    at /home/mjrosenb/src/central/central/netwerk/protocol/http/nsHttpChannel.cpp:5161
#40 0x75a09a68 in nsInputStreamPump::OnStateStop (this=0x828aa040) at /home/mjrosenb/src/central/central/netwerk/base/src/nsInputStreamPump.cpp:700
#41 0x75a08ea4 in nsInputStreamPump::OnInputStreamReady (this=0x828aa040, stream=0x8321ecd0)
    at /home/mjrosenb/src/central/central/netwerk/base/src/nsInputStreamPump.cpp:435
#42 0x77891db2 in nsInputStreamReadyEvent::Run (this=0x81c19d60) at /home/mjrosenb/src/central/central/xpcom/io/nsStreamUtils.cpp:84
#43 0x778b1986 in nsThread::ProcessNextEvent (this=0x6b102390, mayWait=true, result=0x6d35f787)
    at /home/mjrosenb/src/central/central/xpcom/threads/nsThread.cpp:622
#44 0x7784463e in NS_ProcessNextEvent (thread=0x6b102390, mayWait=true) at /home/mjrosenb/src/central/central/xpcom/glue/nsThreadUtils.cpp:238
#45 0x770ce91e in mozilla::ipc::MessagePump::Run (this=0x6b101ca0, aDelegate=0x6b14a0c0) at /home/mjrosenb/src/central/central/ipc/glue/MessagePump.cpp:124
#46 0x77937ed0 in MessageLoop::RunInternal (this=0x6b14a0c0) at /home/mjrosenb/src/central/central/ipc/chromium/src/base/message_loop.cc:220
#47 0x77937e6a in MessageLoop::RunHandler (this=0x6b14a0c0) at /home/mjrosenb/src/central/central/ipc/chromium/src/base/message_loop.cc:213
#48 0x77937e12 in MessageLoop::Run (this=0x6b14a0c0) at /home/mjrosenb/src/central/central/ipc/chromium/src/base/message_loop.cc:187
#49 0x76fa1312 in nsBaseAppShell::Run (this=0x6b111240) at /home/mjrosenb/src/central/central/widget/xpwidgets/nsBaseAppShell.cpp:161
---Type <return> to continue, or q <return> to quit---
#50 0x76d76ab4 in nsAppStartup::Run (this=0x7eea45e0) at /home/mjrosenb/src/central/central/toolkit/components/startup/nsAppStartup.cpp:269
#51 0x7588c230 in XREMain::XRE_mainRun (this=0x6d35fac0) at /home/mjrosenb/src/central/central/toolkit/xre/nsAppRunner.cpp:3868
#52 0x7588c4de in XREMain::XRE_main (this=0x6d35fac0, argc=9, argv=0x6b135188, aAppData=0x6af24d90 <sAppData>)
    at /home/mjrosenb/src/central/central/toolkit/xre/nsAppRunner.cpp:3936
#53 0x7588c6b2 in XRE_main (argc=9, argv=0x6b135188, aAppData=0x6af24d90 <sAppData>, aFlags=0)
    at /home/mjrosenb/src/central/central/toolkit/xre/nsAppRunner.cpp:4138
#54 0x7587e74c in GeckoStart (data=0x6b14d1a0, appData=0x6af24d90 <sAppData>) at /home/mjrosenb/src/central/central/toolkit/xre/nsAndroidStartup.cpp:73
#55 0x6aeaa658 in Java_org_mozilla_gecko_mozglue_GeckoLoader_nativeRun (jenv=0x6c66dda8, jc=0x38100001, jargs=0x26c00005)
    at /home/mjrosenb/src/central/central/mozglue/android/APKOpen.cpp:379
#56 0x40975fb4 in dvmPlatformInvoke () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libdvm.so
#57 0x409a90d6 in dvmCallJNIMethod(unsigned int const*, JValue*, Method const*, Thread*) ()
   from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libdvm.so
#58 0x409abab2 in dvmResolveNativeMethod(unsigned int const*, JValue*, Method const*, Thread*) ()
   from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libdvm.so
#59 0x4097f464 in dvmJitToInterpNoChain () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libdvm.so
#60 0x4097f464 in dvmJitToInterpNoChain () from /home/mjrosenb/use/jimdb/lib/HT34NW912807/system/lib/libdvm.so

Comment 5

The first stack showing it's (equivalent to) calling exit() has at least the merit of showing that this is not a security bug. Given that, we're probably not going to blacklist anything.

The second stack shows exactly one thing, that the exit() is under glLinkProgram in the adreno driver --- the stack leading up to that point only says one thing, that this glLinkProgram was called by WebGL.linkProgram.

If we want to debug this further, to understand what in this WebGL program is triggering this driver bug, probably the only way to proceed is to minimize the testcase.

That said, it's hardly a surprise that big shaders can cause pain in buggy shader compilers, and we tend to only pay attention when security is involved, which is not the case here (because exit).
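
The triage reasoning in the comment above (an exit() frame on the stack means deliberate termination, and the frames above it name the module that asked for it), as an added example that is not part of the original thread: a small parser for gdb backtraces. The sample frames are abridged from Comment 4 with paths shortened; parse_frames, triage and EXIT_FUNCS are names chosen for this example.

```python
import os
import re

# Abridged from the first gdb backtrace in Comment 4 (paths shortened).
SAMPLE = """\
#0  0x75d028f8 in mozilla::LinkedList<mozilla::image::DiscardTracker::Node>::~LinkedList (
    this=0x7a0580e0, __in_chrg=<optimized out>) at ../../dist/include/mozilla/LinkedList.h:304
#2  0x6aeb38a6 in ElfLoader::__wrap_cxa_finalize (dso_handle=0x79fc9000) at mozglue/linker/ElfLoader.cpp:517
#10 0x4022647a in __cxa_finalize () from /system/lib/libc.so
#11 0x402267ae in exit () from /system/lib/libc.so
#12 0x6b5834e8 in ?? () from /system/lib/libsc-a3xx.so
#32 0x6b4f22aa in __link_shaders () from /system/lib/libsc-a3xx.so
#33 0x6b05ee60 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
"""

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.*?) \((.*)\)(?: (from|at) (\S+))?$")
EXIT_FUNCS = {"exit", "_exit", "abort"}  # deliberate process termination


def parse_frames(text):
    """Join gdb's wrapped (indented) lines, then return one dict per '#N' frame."""
    joined = []
    for line in text.splitlines():
        if line.startswith("#"):
            joined.append(line.strip())
        elif joined and line[:1].isspace():
            joined[-1] += " " + line.strip()
    frames = []
    for line in joined:
        m = FRAME.match(line)
        if m:
            num, func, _args, kind, where = m.groups()
            frames.append({"n": int(num), "func": func,
                           "module": os.path.basename(where) if kind == "from" else None,
                           "source": where if kind == "at" else None})
    return frames


def triage(text):
    """Report whether the process ended via exit()/abort() and which module called it."""
    frames = parse_frames(text)
    idx = next((i for i, f in enumerate(frames) if f["func"] in EXIT_FUNCS), None)
    if idx is None:
        return {"controlled_exit": False, "fault_frame": frames[0]["func"] if frames else None}
    callers = frames[idx + 1:]
    module = callers[0]["module"] if callers else None
    # First symbolized frame in the calling module names the API that led to exit().
    entry = next((f["func"] for f in callers
                  if f["module"] == module and f["func"] != "??"), None)
    return {"controlled_exit": True, "exit_caller_module": module, "entry_point": entry,
            "fault_during_teardown": idx > 0, "fault_frame": frames[0]["func"]}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

fault_during_teardown is set when frame #0 sits below the exit() frame, meaning the SIGSEGV was raised in a destructor run by exit() rather than in the driver's own code.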

Comment 6

We should reach out to our friends at Qualcomm to make sure that this is fixed -- should test this on Firefox OS as well.
(Reporter)

Comment 7

4 years ago
I tried this on my nexus-4 running Firefox OS, and a very recent build, and the demo ran fine.  Both phones have the Adreno-320 gpu.
(Reporter)

Comment 8

4 years ago
Ok, my phone just updated to 4.3, and it looks like this problem no longer manifests.