Issue 733018


Issue metadata

Status: WontFix
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 3
Type: Bug


WebView crashes natively on Samsung S8

Project Member Reported by ian...@chromium.org, Jun 13 2017

Issue description

Chrome Version: 58.0.3029.83
OS: Android 7.0
Device: SM-G955U, Samsung Galaxy S8 plus

What steps will reproduce the problem?
(1) Load http://www.transformersmovie.com/CallingAllAutobots/ on Snapchat, either in the Discover channel or in chat
(2) Play with the Autobot in the page for a while
(3) A native crash will happen

The crash stack is:

06-13 15:55:11.720  9289  9289 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
06-13 15:55:11.720  9289  9289 F DEBUG   : Build fingerprint: 'samsung/dream2qltesq/dream2qltesq:7.0/NRD90M/G955USQU1AQC8:user/release-keys'
06-13 15:55:11.720  9289  9289 F DEBUG   : Revision: '12'
06-13 15:55:11.720  9289  9289 F DEBUG   : ABI: 'arm'
06-13 15:55:11.721  9289  9289 F DEBUG   : pid: 7581, tid: 8775, name: Chrome_InProcGp  >>> com.snapchat.android.debug <<<
06-13 15:55:11.721  9289  9289 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x30
06-13 15:55:11.721  9289  9289 F DEBUG   :     r0 00000014  r1 00000004  r2 00000000  r3 6677fc88
06-13 15:55:11.721  9289  9289 F DEBUG   :     r4 00000000  r5 904eda64  r6 904eda6c  r7 00000000
06-13 15:55:11.721  9289  9289 F DEBUG   :     r8 af1c4800  r9 af1c4800  sl 000022e0  fp af1c497c
06-13 15:55:11.721  9289  9289 F DEBUG   :     ip 00000008  sp 90900d50  lr b703a8f7  pc b703b44a  cpsr 80030030
06-13 15:55:11.722  1146  2072 E LocSvc_ApiV02: I/<--- void globalEventCb(locClientHandleType, uint32_t, const locClientEventIndUnionType, void *) line 129 QMI_LOC_EVENT_GNSS_SV_INFO_IND_V02
06-13 15:55:11.722  1146  3018 E LocSvc_libulp: I/int ulp_brain_process_gnss_sv_report(const GnssSvStatus *), gnss sv report cnt = 499, gnss pos report cnt = 60,strong sv cnt = 0
06-13 15:55:11.722  1146  2069 E LocSvc_eng: E/Calling gnss_sv_status_cb
06-13 15:55:11.723  1146  2069 D GnssLocationProvider_ex: SV Count : 4      (PRN, Constellation, SNR, Elevation, Azimuth, Used)
06-13 15:55:11.723  1146  2069 D GnssLocationProvider_ex: (2, GPS, 19.3, 85.0, 33.0, 1) (5, GPS, 18.8, 23.0, 153.0, 1) (18, GLONASS, 18.8, 52.0, 303.0, 1) (17, GLONASS, 19.0, 40.0, 23.0, 1) 
06-13 15:55:11.731  1146  2072 E LocSvc_ApiV02: I/<--- void globalEventCb(locClientHandleType, uint32_t, const locClientEventIndUnionType, void *) line 129 QMI_LOC_EVENT_ENGINE_STATE_IND_V02
06-13 15:55:11.731  1146  2069 D IzatProviderEngine_jni: onStatusChangedJNI :: status : 5
06-13 15:55:11.732  1146  2069 D GnssLocationProvider: reportStatus status: 4
06-13 15:55:11.733  9289  9289 F DEBUG   : 
06-13 15:55:11.733  9289  9289 F DEBUG   : backtrace:
06-13 15:55:11.734  9289  9289 F DEBUG   :     #00 pc 0012144a  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN15EsxRenderBucket20AddUnbucketedEntriesE13EsxCmdBufTypej+125)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #01 pc 001208f3  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN15EsxRenderBucket19BucketRenderingCmdsEP21EsxRenderBucketParams+518)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #02 pc 0014a901  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN10EsxContext19BucketRenderingCmdsEi+948)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #03 pc 001756f9  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN9EsxCmdMgr5FlushE14EsxFlushReason+444)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #04 pc 00149457  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN10EsxContext13CreateSyncObjEPP11gsl_syncobj+74)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #05 pc 00157821  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN12EglFenceSync4InitEPKi+124)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #06 pc 0015775f  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN12EglFenceSync6CreateEP10EglDisplayPKi+54)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #07 pc 0014fe75  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN6EglApi10CreateSyncEPvjPKi+176)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #08 pc 0000d60b  /system/lib/libEGL.so (eglCreateSyncKHR+66)
06-13 15:55:11.734  9289  9289 F DEBUG   :     #09 pc 00cc0fdb  /data/app/com.android.chrome-2/base.apk (offset 0x47db000)

This crash might be related to TextureManager not being able to allocate memory, which shows up in the logcat. A more comprehensive logcat is pasted here: https://pastebin.com/B9LeHEBW

The chrome://GPU page is here:

Graphics Feature Status
Canvas: Hardware accelerated
Flash: Hardware accelerated
Flash Stage3D: Hardware accelerated
Flash Stage3D Baseline profile: Hardware accelerated
Compositing: Hardware accelerated
Multiple Raster Threads: Disabled
Native GpuMemoryBuffers: Software only. Hardware acceleration disabled
Rasterization: Hardware accelerated
Video Decode: Hardware accelerated
Video Encode: Software only, hardware acceleration unavailable
VPx Video Decode: Hardware accelerated
WebGL: Hardware accelerated
WebGL2: Hardware accelerated
Driver Bug Workarounds
broken_egl_image_ref_counting
clear_uniforms_before_first_program_use
disable_framebuffer_cmaa
disable_program_caching_for_transform_feedback
disable_program_disk_cache
force_cube_map_positive_x_allocation
max_copy_texture_chromium_size_1048576
max_texture_size_limit_4096
scalarize_vec_and_mat_constructor_args
unbind_egl_context_to_flush_driver_caches
use_virtualized_gl_contexts
wake_up_gpu_before_drawing
Problems Detected
MediaCodec is still too buggy to use for encoding (b/11536167): 615108
Disabled Features: accelerated_video_encode
Non-virtual contexts on Qualcomm sometimes cause out-of-order frames: 289461
Applied Workarounds: use_virtualized_gl_contexts
The first draw operation from an idle state is slow: 309734
Applied Workarounds: wake_up_gpu_before_drawing
Clear uniforms before first program use on all platforms: 124764, 349137
Applied Workarounds: clear_uniforms_before_first_program_use
Always rewrite vec/mat constructors to be consistent: 398694
Applied Workarounds: scalarize_vec_and_mat_constructor_args
glFinish doesn't clear caches on Android: 509727
Applied Workarounds: unbind_egl_context_to_flush_driver_caches
Android Adreno crashes on binding incomplete cube map texture to FBO: 518889
Applied Workarounds: force_cube_map_positive_x_allocation
CHROMIUM_copy_texture with 1MB copy per flush to avoid unwanted cache growth on Adreno: 542478
Applied Workarounds: max_copy_texture_chromium_size_1048576
EGLImage ref counting across EGLContext/threads is broken: 585250
Applied Workarounds: broken_egl_image_ref_counting
Limit max texure size to 4096 on all of Android
Applied Workarounds: max_texture_size_limit_4096
Limited enabling of Chromium GL_INTEL_framebuffer_CMAA: 535198
Applied Workarounds: disable_framebuffer_cmaa
Disable KHR_blend_equation_advanced until cc shaders are updated: 661715
Program binaries don't contain transform feedback varyings on Qualcomm GPUs: 658074
Applied Workarounds: disable_program_caching_for_transform_feedback
Certain Adreno 4xx and 5xx drivers often crash in glProgramBinary.: 699122
Applied Workarounds: disable_program_disk_cache
Raster is using a single thread.
Disabled Features: multiple_raster_threads
Native GpuMemoryBuffers have been disabled, either via about:flags or command line.
Disabled Features: native_gpu_memory_buffers
Version Information
Data exported	6/13/2017, 4:17:01 PM
Chrome version	Chrome/58.0.3029.83
Operating system	Android 7.0.0
Software rendering list version	12.20
Driver bug list version	9.36
ANGLE commit id	461d9a3060e3
2D graphics backend	Skia/58 4c81ba6ba3a3270db809bf7d4c3bc782694a56a4
Command Line Args	--use-mobile-user-agent --top-controls-show-threshold=0.5 --top-controls-hide-threshold=0.5 --use-mobile-user-agent --enable-pinch --enable-viewport --enable-overlay-scrollbar --validate-input-event-stream --enable-longpress-drag-selection --touch-selection-strategy=direction --disable-gpu-process-crash-limit --main-frame-resizes-are-orientation-changes --disable-composited-antialiasing --ui-prioritize-in-gpu-process --profiler-timing=0 --prerender-from-omnibox=enabled --enable-dom-distiller --flag-switches-begin --flag-switches-end
Driver Information
Initialization time	165
In-process GPU	false
Passthrough Command Decoder	false
Sandboxed	false
GPU0	VENDOR = 0x0000 [Qualcomm], DEVICE= 0x0000 [Adreno (TM) 540]
Optimus	false
Optimus	false
AMD switchable	false
Driver vendor	
Driver version	197.0
Driver date	
Pixel shader version	3.20
Vertex shader version	3.20
Max. MSAA samples	4
Machine model name	SM-G955U
Machine model version	
GL_VENDOR	Qualcomm
GL_RENDERER	Adreno (TM) 540
GL_VERSION	OpenGL ES 3.2 V@197.0 (GIT@802eb12, Iecac51b709) (Date:02/14/17)
GL_EXTENSIONS	GL_OES_EGL_image GL_OES_EGL_image_external GL_OES_EGL_sync GL_OES_vertex_half_float GL_OES_framebuffer_object GL_OES_rgb8_rgba8 GL_OES_compressed_ETC1_RGB8_texture GL_AMD_compressed_ATC_texture GL_KHR_texture_compression_astc_ldr GL_KHR_texture_compression_astc_hdr GL_OES_texture_compression_astc GL_OES_texture_npot GL_EXT_texture_filter_anisotropic GL_EXT_texture_format_BGRA8888 GL_OES_texture_3D GL_EXT_color_buffer_float GL_EXT_color_buffer_half_float GL_QCOM_alpha_test GL_OES_depth24 GL_OES_packed_depth_stencil GL_OES_depth_texture GL_OES_depth_texture_cube_map GL_EXT_sRGB GL_OES_texture_float GL_OES_texture_float_linear GL_OES_texture_half_float GL_OES_texture_half_float_linear GL_EXT_texture_type_2_10_10_10_REV GL_EXT_texture_sRGB_decode GL_OES_element_index_uint GL_EXT_copy_image GL_EXT_geometry_shader GL_EXT_tessellation_shader GL_OES_texture_stencil8 GL_EXT_shader_io_blocks GL_OES_shader_image_atomic GL_OES_sample_variables GL_EXT_texture_border_clamp GL_EXT_multisampled_render_to_texture GL_OES_shader_multisample_interpolation GL_EXT_texture_cube_map_array GL_EXT_draw_buffers_indexed GL_EXT_gpu_shader5 GL_EXT_robustness GL_EXT_texture_buffer GL_EXT_shader_framebuffer_fetch GL_ARM_shader_framebuffer_fetch_depth_stencil GL_OES_texture_storage_multisample_2d_array GL_OES_sample_shading GL_OES_get_program_binary GL_EXT_debug_label GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent GL_QCOM_tiled_rendering GL_ANDROID_extension_pack_es31a GL_EXT_primitive_bounding_box GL_OES_standard_derivatives GL_OES_vertex_array_object GL_EXT_disjoint_timer_query GL_KHR_debug GL_EXT_YUV_target GL_EXT_sRGB_write_control GL_EXT_texture_norm16 GL_EXT_discard_framebuffer GL_OES_surfaceless_context GL_OVR_multiview GL_OVR_multiview2 GL_EXT_texture_sRGB_R8 GL_ARB_texture_barrier GL_KHR_no_error GL_EXT_debug_marker GL_OES_EGL_image_external_essl3 GL_OVR_multiview_multisampled_render_to_texture GL_EXT_buffer_storage GL_EXT_blit_framebuffer_params 
GL_EXT_clip_cull_distance GL_EXT_protected_textures GL_EXT_shader_non_constant_global_initializers
Disabled Extensions	GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent
Window system binding vendor	
Window system binding version	
Window system binding extensions	
Direct rendering	Yes
Reset notification strategy	0x8252
GPU process crash count	0
Compositor Information
Tile Update Mode	One-copy
Partial Raster	Enabled
GpuMemoryBuffers Status
ATC	Software only
ATCIA	Software only
DXT1	Software only
DXT5	Software only
ETC1	Software only
R_8	Software only
RG_88	Software only
BGR_565	Software only
RGBA_4444	Software only
RGBX_8888	Software only
RGBA_8888	Software only
BGRX_8888	Software only
BGRA_8888	Software only
YVU_420	Software only
YUV_420_BIPLANAR	Software only
UYVY_422	Software only

Comment 1 by boliu@chromium.org, Jun 14 2017

Labels: -Pri-1 Pri-3
Status: WontFix (was: Assigned)
Looks like the driver is not responding well to OOM (or running out of address space). I dunno if microdump captures memory map info, but even if it does, I don't know how to dig that out.

Maybe there's a memory leak from the page. The log shows WebGL is being used, and the page certainly can leak loads of memory if it doesn't use WebGL properly.

Not worth looking into imo.

Comment 2 by sgu...@chromium.org, Jun 14 2017

How can it run out of address space? Is this thing 32-bit... hmm, Snapchat shows the abi=arm..

Comment 3 by boliu@chromium.org, Jun 14 2017

Yeah, it's 32-bit.

Comment 4 by torne@chromium.org, Jun 14 2017

The device is 64-bit, but the current app is a 32-bit process (because snapchat includes only 32-bit native code).

The address space info is this line:
06-13 15:55:11.311  9288  8775 F google-breakpad: H 00400000 FFFF1000 03E2 0A241000 1DFCE000 0C:FF 0D:83 0E:6B 0F:36 10:23 11:2E 12:5B 13:AF 14:2B 15:16 16:09 18:01 1B:01

0A241000 is the largest contiguous block of address space: 162MB
1DFCE000 is the total amount of free address space: 479MB

That's not a lot, but it's not nothing. However, this is after everything has already failed, and what we've seen before is that a bunch of stuff actually gets freed in the course of this eventually crashing, so by the time we look at the address space map generating the microdump there might be more space available than there was at the point where the original OOM occurred (since that OOM might not have been immediately fatal).


(when interpreting this line on an actual 32-bit device you need to be careful because the way we analyse the address space map doesn't allow for the kernel address space, so it will look like there is 1GB more free than there really is, but on a 64-bit device a 32-bit app really does get all 4GB of address space and the numbers are correct).
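The two artifacts discussed in this thread (the tombstone header and top backtrace frames from the issue description, and the google-breakpad "H" line that Comment 4 decodes into largest contiguous block and total free address space) can be pulled out of a logcat mechanically. The script below is an added triage example, not Chromium or breakpad code. It assumes only what Comment 4 states about the "H" line (4th hex field = largest contiguous block, 5th = total free, both in bytes) and leaves the other fields uninterpreted; the 32-bit-device caveat is modelled as a flat 1024 MiB correction, which is an assumption drawn from the "1GB more free than there really is" remark. The near-null fault-address classification is a general heuristic, not something this page asserts.

```python
import re

# Lines quoted on this issue page (tombstone header, three backtrace frames and the
# microdump "H" line from Comment 4), used here as sample input.
SIGNAL_LINE = (
    "06-13 15:55:11.721  9289  9289 F DEBUG   : signal 11 (SIGSEGV), "
    "code 1 (SEGV_MAPERR), fault addr 0x30"
)
BACKTRACE_LINES = [
    "06-13 15:55:11.734  9289  9289 F DEBUG   :     #00 pc 0012144a  /system/vendor/lib/egl/libGLESv2_adreno.so (_ZN15EsxRenderBucket20AddUnbucketedEntriesE13EsxCmdBufTypej+125)",
    "06-13 15:55:11.734  9289  9289 F DEBUG   :     #08 pc 0000d60b  /system/lib/libEGL.so (eglCreateSyncKHR+66)",
    "06-13 15:55:11.734  9289  9289 F DEBUG   :     #09 pc 00cc0fdb  /data/app/com.android.chrome-2/base.apk (offset 0x47db000)",
]
H_LINE = (
    "06-13 15:55:11.311  9288  8775 F google-breakpad: H 00400000 FFFF1000 03E2 "
    "0A241000 1DFCE000 0C:FF 0D:83 0E:6B 0F:36 10:23 11:2E 12:5B 13:AF 14:2B 15:16 16:09 18:01 1B:01"
)

SIGNAL_RE = re.compile(
    r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr (0x[0-9a-fA-F]+)"
)
FRAME_RE = re.compile(r"#(\d+) pc ([0-9a-f]+)\s+(\S+)(?: \(([^)]*)\))?")
# Only the 4th and 5th hex fields are interpreted (per Comment 4); the meaning of the
# other fields is not given on this page, so they are matched but not named.
H_RE = re.compile(
    r"google-breakpad: H ([0-9A-F]+) ([0-9A-F]+) ([0-9A-F]+) ([0-9A-F]{8}) ([0-9A-F]{8})"
)

MIB = 1024 * 1024
PAGE_SIZE = 4096


def parse_signal(line):
    """Return signal, si_code and fault address from a tombstone header line."""
    m = SIGNAL_RE.search(line)
    if not m:
        return None
    signo, signame, _code, codename, addr = m.groups()
    fault = int(addr, 16)
    return {
        "signal": int(signo),
        "signal_name": signame,
        "code_name": codename,
        "fault_addr": fault,
        # Heuristic (assumption, not stated on the page): an unmapped fault inside the
        # first page is the usual signature of a NULL pointer plus a small field offset,
        # i.e. an allocation failure that the caller never checked.
        "likely_null_deref": codename == "SEGV_MAPERR" and fault < PAGE_SIZE,
    }


def parse_frames(lines):
    """Return (frame number, pc, module path, symbol) tuples for backtrace lines."""
    frames = []
    for line in lines:
        m = FRAME_RE.search(line)
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
    return frames


def crashing_frame(frames):
    """Frame #00, where the fault was actually taken."""
    for frame in frames:
        if frame[0] == 0:
            return frame
    return None


def parse_address_space(line, device_is_64bit):
    """Decode largest contiguous free block and total free address space, in MiB."""
    m = H_RE.search(line)
    if not m:
        return None
    largest_mib = int(m.group(4), 16) // MIB
    free_mib = int(m.group(5), 16) // MIB
    # Caveat from Comment 4: on a real 32-bit device the analyser does not allow for the
    # kernel's share of the 4 GB, so "free" reads about 1 GB high. Modelled as a flat
    # 1024 MiB correction (assumption); a 32-bit app on a 64-bit device needs none.
    if not device_is_64bit:
        free_mib -= 1024
    return {"largest_contiguous_mib": largest_mib, "free_mib": free_mib}


def triage(signal_line, backtrace_lines, h_line, device_is_64bit=True):
    """Combine the parsers into one summary a bug triager can act on."""
    sig = parse_signal(signal_line)
    top = crashing_frame(parse_frames(backtrace_lines))
    module_path = top[2] if top else ""
    summary = {
        "fault_addr": sig["fault_addr"] if sig else None,
        "likely_null_deref": bool(sig and sig["likely_null_deref"]),
        "crashing_module": module_path.rsplit("/", 1)[-1] if top else None,
        # Frame #00 under /system/vendor/ means the fault is inside the vendor GPU driver,
        # which is what makes this WontFix from Chromium's side.
        "in_vendor_driver": module_path.startswith("/system/vendor/"),
    }
    summary.update(parse_address_space(h_line, device_is_64bit) or {})
    return summary


if __name__ == "__main__":
    print(triage(SIGNAL_LINE, BACKTRACE_LINES, H_LINE))
```

Running the script on the page's own lines reports a near-null SEGV_MAPERR (fault addr 0x30) taken inside libGLESv2_adreno.so, with 162 MiB largest contiguous and 479 MiB total free address space, matching the figures in Comment 4. Pass device_is_64bit=False to see how the same "H" line would be read on a true 32-bit device.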
