Issue 498947 in chromium: Many Three.js apps crash Chrome on Nexus 6


chro...@googlecode.com

Jun 10, 2015, 4:04:27 PM
to chromi...@chromium.org
Status: Assigned
Owner: baj...@chromium.org
CC: k...@chromium.org, z...@chromium.org
Labels: Type-Bug Pri-1 Cr-Blink-WebGL OS-Android

New issue 498947 by baj...@chromium.org: Many Three.js apps crash Chrome
on Nexus 6
https://code.google.com/p/chromium/issues/detail?id=498947

Originally reported in the three.js issue tracker:
https://github.com/mrdoob/three.js/issues/6658

Version: 40.0.2214.89
OS: Android 5.1.1; Nexus 6 Build/LMY47Z

What steps will reproduce the problem?
1. Visit http://carvisualizer.plus360degrees.com/threejs/

What is the expected output? What do you see instead?
Browser crashes. Browser shouldn't crash.

Please use labels and text to provide additional information.
adb logcat provided the following crash stack:

Fatal signal 11 (SIGSEGV), code -6, fault addr 0x16e5 in tid 5980
(Chrome_InProcGp)
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build
fingerprint: 'google/shamu/shamu:5.1.1/LMY47Z/1860966:user/release-keys'
Revision: '33696'
ABI: 'arm'
pid: 5861, tid: 5980, name: Chrome_InProcGp >>> com.android.chrome <<<
signal 11 (SIGSEGV), code -6 (SI_TKILL), fault addr 0x4
r0 9a163a88 r1 9808f3c0 r2 00000007 r3 00000000
r4 9a163a88 r5 9a163a50 r6 9808f3c0 r7 ffff8000
r8 9a163a54 r9 9a163a78 sl 00000000 fp 00000002
ip aaaf0f34 sp 9a1639d0 lr aa91bf85 pc aa5f9b56 cpsr 60030030

backtrace:
#00 pc 001d5b56 /system/vendor/lib/libllvm-glnext.so
#01 pc 004f7f81 /system/vendor/lib/libllvm-glnext.so
(QGPUFastISel::QGPUSelectSamplerIntrinsic(llvm::IntrinsicInst const*)+2108)
#02 pc 004f89c5 /system/vendor/lib/libllvm-glnext.so
(QGPUFastISel::QGPUSelectIntrinsic(llvm::Instruction const*, unsigned int,
bool)+2372)
#03 pc 004f9887 /system/vendor/lib/libllvm-glnext.so
(QGPUFastISel::QGPUSelectCall(llvm::Instruction const*, unsigned int,
bool)+94)
#04 pc 004dfee7 /system/vendor/lib/libllvm-glnext.so
(QGPUFastISel::TargetSelectInstruction(llvm::Instruction const*)+278)
#05 pc 004ce76d /system/vendor/lib/libllvm-glnext.so
(llvm::QGPUFastISelBase::SelectInstruction(llvm::Instruction const*)+46)
#06 pc 00543471 /system/vendor/lib/libllvm-glnext.so
(QGPUInstructionSelector::runOnMachineFunction(llvm::MachineFunction&)+312)
#07 pc 0037d6bd /system/vendor/lib/libllvm-glnext.so
(llvm::MachineFunctionPass::runOnFunction(llvm::Function&)+80)
#08 pc 00244c41 /system/vendor/lib/libllvm-glnext.so
(llvm::FPPassManager::runOnFunction(llvm::Function&)+192)
#09 pc 00244d11 /system/vendor/lib/libllvm-glnext.so
(llvm::FunctionPassManagerImpl::run(llvm::Function&)+52)
#10 pc 00244dc5 /system/vendor/lib/libllvm-glnext.so
(llvm::FunctionPassManager::run(llvm::Function&)+120)
#11 pc 0049484b /system/vendor/lib/libllvm-glnext.so
(llvm::llclib::Compile(llvm::Module*, void* (*)(unsigned int), char**,
unsigned int&, llvm::Module*, llvm::CLPrintfInterpreter const*)+2254)
#12 pc 00553759 /system/vendor/lib/libllvm-glnext.so
(LLVMCompiler::compile()+588)
#13 pc 00559209 /system/vendor/lib/libllvm-glnext.so
(SOLinker::linkShaders(QGLC_LINKPROGRAM_DATA*,
QGLC_LINKPROGRAM_RESULT*)+2236)
#14 pc 0055599f /system/vendor/lib/libllvm-glnext.so
(CompilerContext::LinkProgram(unsigned int, QGLC_SRCSHADER_IRSHADER**,
QGLC_LINKPROGRAM_DATA*, QGLC_LINKPROGRAM_RESULT*)+274)
#15 pc 0010524b /system/vendor/lib/egl/libGLESv2_adreno.so
(EsxShaderCompiler::CompileProgram(EsxContext*, EsxProgram const*,
EsxLinkedList const*, EsxInfoLog*)+762)
#16 pc 000f9511 /system/vendor/lib/egl/libGLESv2_adreno.so
(EsxProgram::Link(EsxContext*)+360)
#17 pc 000c16ad /system/vendor/lib/egl/libGLESv2_adreno.so
(EsxContext::LinkProgram(EsxProgram*)+40)
#18 pc 000e62ed /system/vendor/lib/egl/libGLESv2_adreno.so
(EsxGlApiParamValidate::GlLinkProgram(EsxDispatch*, unsigned int)+40)
#19 pc 000aa8a1 /system/vendor/lib/egl/libGLESv2_adreno.so
(glLinkProgram+48)
#20 pc 001dbd51 /system/lib/libchrome.2214.89.so


This makes it pretty obvious that the crash is actually happening in the
driver on a call to glLinkProgram, so the ultimate fix is probably a driver
update. In the meantime, though, we can try to bisect the shader to find
what's causing the crash and see if there's a workaround for it.

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
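
The attribution made in the report above (fault inside the vendor driver, entered through glLinkProgram) can be reproduced mechanically from the wrapped backtrace. This is an added example, not part of the original thread; the function names are hypothetical and the sample is abridged from the stack quoted above.

```python
import re

# Abridged from the logcat stack quoted above; symbols wrap onto the next line(s) as in the mail.
SAMPLE = """\
#00 pc 001d5b56 /system/vendor/lib/libllvm-glnext.so
#13 pc 00559209 /system/vendor/lib/libllvm-glnext.so
(SOLinker::linkShaders(QGLC_LINKPROGRAM_DATA*,
QGLC_LINKPROGRAM_RESULT*)+2236)
#19 pc 000aa8a1 /system/vendor/lib/egl/libGLESv2_adreno.so
(glLinkProgram+48)
#20 pc 001dbd51 /system/lib/libchrome.2214.89.so
"""

FRAME = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)\s*(.*)")

def parse_frames(text):
    """Parse '#NN pc ADDR LIB (sym+off)' frames, re-joining wrapped symbols."""
    frames = []
    for line in (l.strip() for l in text.splitlines()):
        m = FRAME.fullmatch(line)
        if m:
            frames.append({"n": int(m[1]), "pc": m[2], "lib": m[3], "sym": m[4]})
        elif frames and not line:
            break                      # blank line ends the backtrace
        elif frames:                   # continuation of a wrapped symbol
            frames[-1]["sym"] = f'{frames[-1]["sym"]} {line}'.strip()
    for f in frames:                   # "(name(args)+off)" -> "name(args)"
        f["sym"] = re.sub(r"^\((.*)\+\d+\)$", r"\1", f["sym"])
    return frames

def is_vendor(lib):
    # Assumption: vendor blobs live under these prefixes, as in the stack above.
    return lib.startswith(("/system/vendor/", "/vendor/"))

def triage(text):
    """Attribute the crash: faulting library, driver entry point, caller."""
    frames = parse_frames(text)
    if not frames:
        return None
    entry = caller = None
    for f in frames:                   # walk outward from the faulting frame
        if not is_vendor(f["lib"]):
            caller = f                 # first frame back in non-vendor code
            break
        entry = f                      # outermost vendor frame seen so far
    return {"fault_lib": frames[0]["lib"],
            "in_vendor_code": is_vendor(frames[0]["lib"]),
            "driver_entry": entry["sym"] if entry else None,
            "caller_lib": caller["lib"] if caller else None}
```

Calling triage(SAMPLE) reports the faulting library, the outermost driver symbol on the stack and the library that called into it.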

chro...@googlecode.com

Jul 13, 2015, 8:12:43 AM
to chromi...@chromium.org

Comment #3 on issue 498947 by d...@playcanvas.com: Many Three.js apps crash
We have reports of similar crashes occurring for many PlayCanvas
applications as well. e.g. http://playcanv.as/p/RqJJ9oU9?overlay=false

chro...@googlecode.com

Jul 13, 2015, 8:15:42 AM
to chromi...@chromium.org

Comment #4 on issue 498947 by m...@playcanvas.com: Many Three.js apps crash
Tested on Nexus 6, get Snag too.

chro...@googlecode.com

Jul 13, 2015, 11:16:31 PM
to chromi...@chromium.org

Comment #5 on issue 498947 by k...@chromium.org: Many Three.js apps crash
Dave, Max: can you confirm that it's the compiling/linking of one of your
shader programs that provokes the crash? Could you provide the shader text
here?

chro...@googlecode.com

Jul 22, 2015, 12:33:08 PM
to chromi...@chromium.org

Comment #7 on issue 498947 by d...@playcanvas.com: Many Three.js apps crash
There is definitely an issue with shader compilation, though I can't get
close enough in a debugger to completely confirm. However, this fragment
shader crashes out of Chrome on Nexus 6 and is compiled when we start up
the application:

precision lowp float;

uniform float camera_near;
uniform float camera_far;
vec4 packFloat(float depth)
{
    const vec4 bit_shift = vec4(256.0 * 256.0 * 256.0, 256.0 * 256.0, 256.0, 1.0);
    const vec4 bit_mask = vec4(0.0, 1.0 / 256.0, 1.0 / 256.0, 1.0 / 256.0);
    vec4 res = mod(depth * bit_shift * vec4(255), vec4(256) ) / vec4(255);
    res -= res.xxyz * bit_mask;
    return res;
}

void main(void)
{
    float depth = gl_FragCoord.z / gl_FragCoord.w;
    gl_FragColor = packFloat(depth / camera_far);
}

chro...@googlecode.com

Jul 22, 2015, 12:37:19 PM
to chromi...@chromium.org

Comment #8 on issue 498947 by d...@playcanvas.com: Many Three.js apps crash
Is there any more information from Qualcomm about what is causing the
compilation crash? Some shaders clearly work, so if we can get more
information that allows us to work around this that would be great?

It's causing headaches for some of our upcoming projects.

chro...@googlecode.com

Jul 22, 2015, 1:17:24 PM
to chromi...@chromium.org

Comment #9 on issue 498947 by d...@playcanvas.com: Many Three.js apps crash
[apologies posted the wrong shader first time]

This vertex shader crashes Chrome on Nexus 6.

attribute vec3 vertex_position;
uniform mat4 matrix_model;
uniform mat4 matrix_viewProjection;

attribute vec4 vertex_boneWeights;
attribute vec4 vertex_boneIndices;

uniform sampler2D texture_poseMap;
uniform vec2 texture_poseMapSize;

mat4 getBoneMatrix(const in float i)
{
    float j = i * 4.0;
    float x = mod(j, float(texture_poseMapSize.x));
    float y = floor(j / float(texture_poseMapSize.x));

    float dx = 1.0 / float(texture_poseMapSize.x);
    float dy = 1.0 / float(texture_poseMapSize.y);

    y = dy * (y + 0.5);

    vec4 v1 = texture2D(texture_poseMap, vec2(dx * (x + 0.5), y));
    vec4 v2 = texture2D(texture_poseMap, vec2(dx * (x + 1.5), y));
    vec4 v3 = texture2D(texture_poseMap, vec2(dx * (x + 2.5), y));
    vec4 v4 = texture2D(texture_poseMap, vec2(dx * (x + 3.5), y));

    mat4 bone = mat4(v1, v2, v3, v4);

    return bone;
}

void main(void)
{
    mat4 modelMatrix = vertex_boneWeights.x * getBoneMatrix(vertex_boneIndices.x) +
                       vertex_boneWeights.y * getBoneMatrix(vertex_boneIndices.y) +
                       vertex_boneWeights.z * getBoneMatrix(vertex_boneIndices.z) +
                       vertex_boneWeights.w * getBoneMatrix(vertex_boneIndices.w);

    vec4 positionW = modelMatrix * vec4(vertex_position, 1.0);
    gl_Position = matrix_viewProjection * positionW;
}

chro...@googlecode.com

Jul 28, 2015, 9:44:54 AM
to chromi...@chromium.org

Comment #10 on issue 498947 by w...@playcanvas.com: Many Three.js apps
Can we get Qualcomm folks subscribed to this thread to explain:

- What to avoid (in terms of GLSL) in order to prevent these crashes?
- What the timeline for a rollout looks like?

chro...@googlecode.com

Jul 28, 2015, 11:57:15 PM
to chromi...@chromium.org

Comment #11 on issue 498947 by k...@chromium.org: Many Three.js apps crash
For the record: this was filed as Google internal bug ID 21761770 .
Qualcomm claims this was fixed in "M6" of the Adreno ESX driver. I don't
personally know an ETA for a delivery vehicle for this revised driver.

Conformance tests are still needed for all of these crashing shaders.

chro...@googlecode.com

Jul 29, 2015, 7:25:56 AM
to chromi...@chromium.org

Comment #12 on issue 498947 by w...@playcanvas.com: Many Three.js apps
This is interesting stuff, but what I'm really interested in is whether
there is any workaround whatsoever. I suspect only Qualcomm will know this?
Is there any possibility to draw a Qualcomm engineer onto this thread to
explain whether these crashes are in any way avoidable by patching code?

chro...@googlecode.com

Sep 3, 2015, 4:56:07 PM
to chromi...@chromium.org

Comment #15 on issue 498947 by d...@playcanvas.com: Many Three.js apps
Update on the shader problem for the PlayCanvas shader. We managed to get
an update from Qualcomm on the bug in #9 above.

The crash was caused by doing a SCALAR * MATRIX multiplication. Changing
code to MATRIX * SCALAR does not crash.

We've updated the relevant shader and no longer crash :-D

chro...@googlecode.com

Nov 24, 2015, 6:48:53 PM
to chromi...@chromium.org
Updates:
Status: Fixed

Comment #17 on issue 498947 by baj...@chromium.org: Many Three.js apps
Testing the various examples linked here on my Nexus 6 running Android M
shows that the crash is no longer occurring. I assume that recent Android
builds have included an updated and fixed Qualcomm driver.

If you're still experiencing this issue feel free to leave a comment with a
link to the site that reproduces the problem and make note of your OS
version. For now marking this as fixed.