1025824 - MOZ_ASSERT(i < Length(), "invalid array index");

Status: RESOLVED FIXED

(Core :: Graphics, defect)

Description

[Gregor Wagner [:gwagner]]

On B2G flame, current trunk. Seen when entering task manager

[Parent 1170] ###!!! ASSERTION: Unexpected layers id in ContentReceivedTouch; dropping message...: 'Error', file ../../../gecko/layout/ipc/RenderFrameParent.cpp, line 1138
[Child 1601] WARNING: Transparent content with displayports can be expensive.: file ../../../gecko/layout/base/nsDisplayList.cpp, line 1383
[Child 1601] WARNING: Transparent content with displayports can be expensive.: file ../../../gecko/layout/base/nsDisplayList.cpp, line 1383
[Child 1601] WARNING: Transparent content with displayports can be expensive.: file ../../../gecko/layout/base/nsDisplayList.cpp, line 1383

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1170.1376]
0xb2e8c2d6 in nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator>::ElementAt (this=0xa8501af4, i=0) at ../../dist/include/nsTArray.h:881
881	    MOZ_ASSERT(i < Length(), "invalid array index");
(gdb) bt
#0  0xb2e8c2d6 in nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator>::ElementAt (this=0xa8501af4, i=0) at ../../dist/include/nsTArray.h:881
#1  0xb2e8bf16 in nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator>::operator[] (this=0xa8501af4, i=0) at ../../dist/include/nsTArray.h:914
#2  0xb2e8b832 in mozilla::HwcComposer2D::Commit (this=0xa8501ab0) at ../../../gecko/widget/gonk/HwcComposer2D.cpp:686
#3  0xb2e8b4fc in mozilla::HwcComposer2D::Render (this=0xa8501ab0, dpy=0x1, sur=0xae5a7d00) at ../../../gecko/widget/gonk/HwcComposer2D.cpp:639
#4  0xb268401a in mozilla::gl::GLContextEGL::SwapBuffers (this=0xa77b6000) at ../../../gecko/gfx/gl/GLContextProviderEGL.cpp:477
#5  0xb279e464 in mozilla::layers::CompositorOGL::EndFrame (this=0xa71c1280) at ../../../gecko/gfx/layers/opengl/CompositorOGL.cpp:1317
#6  0xb276c742 in mozilla::layers::LayerManagerComposite::Render (this=0xa622e4c0) at ../../../gecko/gfx/layers/composite/LayerManagerComposite.cpp:475
#7  0xb276b9e4 in mozilla::layers::LayerManagerComposite::EndTransaction (this=0xa622e4c0, aCallback=0, aCallbackData=0x0, 
    aFlags=mozilla::layers::LayerManager::END_DEFAULT) at ../../../gecko/gfx/layers/composite/LayerManagerComposite.cpp:248
#8  0xb276b748 in mozilla::layers::LayerManagerComposite::EndEmptyTransaction (this=0xa622e4c0, aFlags=mozilla::layers::LayerManager::END_DEFAULT)
    at ../../../gecko/gfx/layers/composite/LayerManagerComposite.cpp:198
#9  0xb277b05a in mozilla::layers::CompositorParent::CompositeToTarget (this=0xa77ef800, aTarget=0x0, aRect=0x0)
    at ../../../gecko/gfx/layers/ipc/CompositorParent.cpp:639
#10 0xb277ada0 in mozilla::layers::CompositorParent::CompositeCallback (this=0xa77ef800) at ../../../gecko/gfx/layers/ipc/CompositorParent.cpp:575
#11 0xb1da567c in DispatchToMethod<FdWatcher, void (FdWatcher::*)()> (obj=0xa77ef800, method=
    (void (FdWatcher::*)(FdWatcher * const)) 0xb277ad81 <mozilla::layers::CompositorParent::CompositeCallback()>, arg=...)
    at ../../../gecko/ipc/chromium/src/base/tuple.h:383
#12 0xb1da55f0 in RunnableMethod<FdWatcher, void (FdWatcher::*)(), Tuple0>::Run (this=0xa7dae180) at ../../../gecko/ipc/chromium/src/base/task.h:307
#13 0xb215e97c in MessageLoop::RunTask (this=0xa81ffdd4, task=0xa7dae180) at ../../../gecko/ipc/chromium/src/base/message_loop.cc:357
#14 0xb215e9d8 in MessageLoop::DeferOrRunPendingTask (this=0xa81ffdd4, pending_task=...) at ../../../gecko/ipc/chromium/src/base/message_loop.cc:365
#15 0xb215ee4a in MessageLoop::DoDelayedWork (this=0xa81ffdd4, next_delayed_work_time=0xa859fc90) at ../../../gecko/ipc/chromium/src/base/message_loop.cc:470
#16 0xb216299e in base::MessagePumpDefault::Run (this=0xa859fc80, delegate=0xa81ffdd4) at ../../../gecko/ipc/chromium/src/base/message_pump_default.cc:39
#17 0xb215e598 in MessageLoop::RunInternal (this=0xa81ffdd4) at ../../../gecko/ipc/chromium/src/base/message_loop.cc:229
#18 0xb215e532 in MessageLoop::RunHandler (this=0xa81ffdd4) at ../../../gecko/ipc/chromium/src/base/message_loop.cc:222
#19 0xb215e512 in MessageLoop::Run (this=0xa81ffdd4) at ../../../gecko/ipc/chromium/src/base/message_loop.cc:196
---Type <return> to continue, or q <return> to quit---
#20 0xb216852a in base::Thread::ThreadMain (this=0xa85a1220) at ../../../gecko/ipc/chromium/src/base/thread.cc:168
#21 0xb214652a in ThreadFunc (closure=0xa85a1220) at ../../../gecko/ipc/chromium/src/base/platform_thread_posix.cc:39
#22 0xb6eaab64 in ?? () from /Volumes/disc2/code/debFlame/B2G/out/target/product/flame/symbols/system/lib/libc.so
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) p i
$1 = 0
(gdb) p this
$2 = (nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator> * const) 0xa8501af4
(gdb) p *this
$3 = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {
    mHdr = 0xb62083ac}, <nsTArray_TypedBase<mozilla::layers::LayerComposite*, nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::layers::LayerComposite*, nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = <optimized out>}



(gdb) up
#2  0xb2e8b832 in mozilla::HwcComposer2D::Commit (this=0xa8501ab0) at ../../../gecko/widget/gonk/HwcComposer2D.cpp:686
686	        if (!mHwcLayerMap[j] ||
(gdb) p this
$5 = (mozilla::HwcComposer2D * const) 0xa8501ab0
(gdb) p *this
$6 = {<mozilla::layers::Composer2D> = {_vptr.Composer2D = 0xb60844d8, mRefCnt = {static isThreadSafe = false, mValue = 3}, _mOwningThread = {mThread = 0xa859c180}}, 
  mHwc = 0xb6a0a800, mList = 0xa7d55400, mDpy = 0x1, mSur = 0xae5a7d00, 
  mScreenRect = {<mozilla::gfx::BaseRect<int, nsIntRect, nsIntPoint, nsIntSize, nsIntMargin>> = {x = 0, y = 0, width = 480, height = 854}, <No data fields>}, 
  mMaxLayerCount = 10, mColorFill = true, mRBSwapSupport = true, 
  mVisibleRegions = {<std::priv::_List_base<std::vector<hwc_rect, std::allocator<hwc_rect> >, std::allocator<std::vector<hwc_rect, std::allocator<hwc_rect> > > >> = {
      _M_node = {<std::allocator<std::priv::_List_node<std::vector<hwc_rect, std::allocator<hwc_rect> > > >> = {<std::__stlport_class<std::allocator<std::priv::_List_node<std::vector<hwc_rect, std::allocator<hwc_rect> > > > >> = {<No data fields>}, <No data fields>}, _M_data = {_M_next = 0xa8501ae4, 
          _M_prev = 0xa8501ae4}}}, <No data fields>}, mPrevRetireFence = {m_ptr = 0xa4b4b180}, mPrevDisplayFence = {m_ptr = 0xa4b4b540}, 
  mHwcLayerMap = {<nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {
        mHdr = 0xb62083ac}, <nsTArray_TypedBase<mozilla::layers::LayerComposite*, nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::layers::LayerComposite*, nsTArray_Impl<mozilla::layers::LayerComposite*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, static NoIndex = <optimized out>}, <No data fields>}, mPrepared = true}

Comment 1

[Sotaro Ikeda [:sotaro]]

The crash by ASSERT. This crash seems to happen only on Debug build. nsTArray usage's limitation is strict than I thought.

Comment 2

[Sotaro Ikeda [:sotaro]]

Nominate to b2g-1.4+, because Bug 1024144 is nominating to b2g-1.4+.

Comment 3

[Sotaro Ikeda [:sotaro]]

Attachment: patch - Add nsTArray size check

Comment 4

[Sushil]

Comment on attachment 8440699 [details] [diff] [review]
patch - Add nsTArray size check

Sotaro,

Let's fix the root cause, instead of adding a check. What's the scenario when this crash happened? Is it GPU or partial HWC Composition? Can you dump the values of j, mHwcLayerMap.Length() and mList->numHwLayers, when crash happens?

Comment 5

[Sushil]

In Comment 0, I see it has crashed at index 0. So the check at http://mxr.mozilla.org/mozilla-central/source/widget/gonk/HwcComposer2D.cpp#686: "!mHwcLayerMap[j]"

should be replaced with: "mHwcLayerMap.IsEmpty()"

Comment 6

[Sushil]

And we need to add "mHwcLayerMap.Clear()" at: http://mxr.mozilla.org/mozilla-central/source/widget/gonk/HwcComposer2D.cpp#796

Comment 7

[Sotaro Ikeda [:sotaro]]

By the debugging, I confirmed the following.

- When mPrepared was false in HwcComposer2D::Render(), mHwcLayerMap should be cleared() before calling Commit(). But it is not cleared. Therefore mHwcLayerMap has stale value in this situation.

http://mxr.mozilla.org/mozilla-central/source/widget/gonk/HwcComposer2D.cpp#606

Comment 8

[Sotaro Ikeda [:sotaro]]

(In reply to Sushil from comment #6)
> And we need to add "mHwcLayerMap.Clear()" at:
> http://mxr.mozilla.org/mozilla-central/source/widget/gonk/HwcComposer2D.
> cpp#796

yes.

Comment 9

[Sotaro Ikeda [:sotaro]]

Attachment: patch - Fix mHwcLayerMap handling

Apply the comments.

Comment 10

[Sotaro Ikeda [:sotaro]]

 https://hg.mozilla.org/integration/mozilla-inbound/rev/d708e1144a92

Comment 11

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/d708e1144a92

Comment 12

[Sandip Kamat]

recommend 1.4+, based on comment2

Comment 13

[bhavana bajaj [:bajaj]]

(In reply to Sandip Kamat from comment #12)
> recommend 1.4+, based on comment2

Will wait till we have more information in https://bugzilla.mozilla.org/show_bug.cgi?id=1024144 as that's not on 1.4 yet

Comment 14

[Preeti Raghunath(:Preeti)]

I'm moving this to backlog please re-nom if needed.

Comment 15

[Sotaro Ikeda [:sotaro]]

Nominate to "b2g-v2.0+". Blocking bug(bug 1024144) is nominated to v2.0+.

Comment 16

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/272e865ade29