This bug was filed from the Socorro interface and is report bp-ac9a2f5a-da3b-4c38-9691-f77d32110916 . ============================================================= Frame Module Signature [Expand] Source 0 libmozutils.so arena_dalloc memory/jemalloc/jemalloc.c:4306 1 libmozutils.so __wrap_free memory/jemalloc/jemalloc.c:6260 2 libmozalloc.so moz_free memory/mozalloc/mozalloc.cpp:98 3 libxul.so std::__node_alloc::deallocate mozalloc.h:253 4 libxul.so std::priv::_String_base<char, std::allocator<char> >::_M_deallocate_block _string_base.h:102 5 libxul.so std::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_append _string_base.h:160 6 libxul.so TOutputGLSLBase::writeConstantUnion _string_base.h:156 7 libxul.so TOutputGLSLBase::visitConstantUnion gfx/angle/src/compiler/OutputGLSLBase.cpp:208 8 libxul.so TIntermConstantUnion::traverse gfx/angle/src/compiler/IntermTraverse.cpp:34 9 libxul.so TIntermBinary::traverse gfx/angle/src/compiler/IntermTraverse.cpp:82 10 libxul.so TIntermAggregate::traverse gfx/angle/src/compiler/IntermTraverse.cpp:163 11 libxul.so TIntermBinary::traverse gfx/angle/src/compiler/intermediate.h:537 12 libxul.so TOutputGLSLBase::visitAggregate gfx/angle/src/compiler/OutputGLSLBase.cpp:454 13 libxul.so TIntermAggregate::traverse gfx/angle/src/compiler/IntermTraverse.cpp:135 14 libxul.so TOutputGLSLBase::visitCodeBlock gfx/angle/src/compiler/OutputGLSLBase.cpp:707 15 libxul.so TOutputGLSLBase::visitAggregate gfx/angle/src/compiler/intermediate.h:537 16 libxul.so TIntermAggregate::traverse gfx/angle/src/compiler/IntermTraverse.cpp:135 17 libxul.so TOutputGLSLBase::visitAggregate gfx/angle/src/compiler/OutputGLSLBase.cpp:454 18 libxul.so TIntermAggregate::traverse gfx/angle/src/compiler/IntermTraverse.cpp:135 19 libxul.so TranslatorESSL::translate gfx/angle/src/compiler/OutputGLSLBase.h:17 20 libxul.so TCompiler::compile gfx/angle/src/compiler/Compiler.cpp:181 21 libxul.so ShCompile gfx/angle/src/compiler/ShaderLang.cpp:169 22 libxul.so mozilla::WebGLContext::CompileShader content/canvas/src/WebGLContextGL.cpp:4015 23 libxul.so nsIDOMWebGLRenderingContext_CompileShader obj-firefox/js/src/xpconnect/src/dom_quickstubs.cpp:29817 24 libxul.so js::Interpret js/src/jscntxtinlines.h:305 25 libxul.so UncachedInlineCall js/src/vm/Stack.h:1259 26 libxul.so js::mjit::stubs::UncachedCallHelper js/src/methodjit/InvokeHelpers.cpp:480 27 libxul.so js::mjit::ic::Call js/src/methodjit/MethodJIT.h:347 28 libxul.so libxul.so@0xbdc43e 29 libxul.so js::mjit::ic::Call js/src/methodjit/MonoIC.cpp:1141 30 libxul.so js::mjit::JaegerShot js/src/vm/Stack.h:1410 31 libxul.so js::RunScript js/src/jsinterp.cpp:611 32 libxul.so js::Invoke js/src/vm/Stack.h:1002 33 libxul.so JS_CallFunctionValue js/src/jscntxt.h:1302 34 libxul.so nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:1928 35 libxul.so nsGlobalWindow::RunTimeout nsCOMPtr.h:863 36 libxul.so nsGlobalWindow::TimerCallback nsAutoPtr.h:907 37 libxul.so nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:425 38 libxul.so nsTimerEvent::Run nsAutoPtr.h:907 39 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:631 40 libxul.so NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:245 41 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:111 42 libxul.so mozilla::ipc::MessagePumpForChildProcess::Run ipc/glue/MessagePump.cpp:230 43 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:209 44 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:487 45 libxul.so nsBaseAppShell::Run widget/src/xpwidgets/nsBaseAppShell.cpp:191 46 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:677 47 libxul.so mozilla::ipc::MessagePumpForChildProcess::Run ipc/glue/MessagePump.cpp:222 48 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:209 49 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:487 50 libxul.so XRE_InitChildProcess nsAutoPtr.h:155 51 libmozutils.so ChildProcessInit other-licenses/android/APKOpen.cpp:778 52 plugin-container main ipc/app/MozillaRuntimeMainAndroid.cpp:69 53 libc.so libc.so@0xd412 More reports : https://crash-stats.mozilla.com/report/list?range_value=7&range_unit=days&date=2011-09-19%2009%3A00%3A00&signature=arena_dalloc%20%7C%20__wrap_free%20%7C%20moz_free%20%7C%20std%3A%3A__node_alloc%3A%3Adeallocate&version=Fennec%3A9.0a1

Not sure if this is the same crash; it looks similar: https://crash-stats.mozilla.com/report/index/d2fd220e-41e1-42c4-814e-aa8a52110924 More of the same: https://crash-stats.mozilla.com/report/list?range_value=7&range_unit=days&date=2011-09-26%2011%3A00%3A00&signature=arena_dalloc%20|%20__wrap_free%20|%20moz_free%20|%20std%3A%3A__node_alloc%3A%3Adeallocate&version=Fennec%3A9.0a1

STR: 1. Visit http://www.ro.me/ Expected: no content crash Actual: Error in console : Browser.selectedTab.browser.__SS_data is undefined Source File: chrome://browser/content/browser.js Line: 2602 and content crash. Most likely a dup of bug 689022? Same crashing but different crash signature?

See also https://crash-stats.mozilla.com/report/index/bp-ca064039-fb96-4e22-89f0-5ef802111007 . I've only seen crashes like this on the Galaxy S II (Exynos 4210 chipset w/ Mali-400 MP GPU), but on there I can reproduce this crash 100%. It also appears on http://media.tojicode.com/q3bsp/ . This crash also shows up on many other WebGL demos.

Filed http://code.google.com/p/angleproject/issues/detail?id=231

I had the opportunity to poke at this for a few minutes a couple of weeks ago. I noticed two things - this crash *doesn't* happen with the dirt-simple shaders in the B2G home screen (webgl version) - the crash is 100% reproducible on http://media.tojicode.com/q3bsp/, which has much more interesting shaders. - the crash appears to be a mismatched allocator problem when (reallocing?) data. I forget the details. At the time, it made me think that the bug was dependent on the string length of the shader. - this is STL code inside ANGLE, using stlport This all makes me suspect it might be a problem with our build/link/something that happens to appear on the sgs2. Maybe not an ANGLE bug (except possibly in our usage). Valgrind would nail this down quickly, I suspect.

I was sorta hoping this would be fixed by bug 709947 ... do these crashes still happen?

wfm in the native-fennec nightly. Will file another bug if I repro.