Closed Bug 1080919 Opened 10 years ago Closed 10 years ago

b2g crashes in mozilla::layers::CompositorParent::GetIndirectShadowTree

Categories

(Firefox OS Graveyard :: Stability, defect, P1)

ARM
Gonk (Firefox OS)
defect

Tracking

(blocking-b2g:-)

RESOLVED INVALID
blocking-b2g -

People

(Reporter: tkundu, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [CR 732983])

Crash Data

Attachments

(2 files)

Attached file stack trace
We hitting this issue during stability testing on FFOS 2.0 and 256MB msm8610 device.
[Blocking Requested - why for this release]:
blocking-b2g: --- → 2.0?
1)

 0  libxul.so!std::priv::_Rb_tree_node_base* std::priv::_Rb_tree<unsigned long long, std::less<unsigned long long>, std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> >, std::priv::_Select1st<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > >, std::priv::_MapTraitsT<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > >, std::allocator<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > > >::_M_find<unsigned long long>(unsigned long long const&) const [AsyncTransactionTracker.cpp : 199 + 0x4]
     r0 = 0xac6c17e0    r1 = 0xbe874220    r2 = 0x00000717    r3 = 0x5a5a5a6a
     r4 = 0x5a5a5a5a    r5 = 0x5a5a5a5a    r6 = 0x5a5a5a5a    r7 = 0xb6300a10
     r8 = 0x000e0034    r9 = 0x00000001   r10 = 0x00000000   r12 = 0xb626b9c4
     fp = 0x0000000f    sp = 0xbe87420c    lr = 0xb4db1e19    pc = 0xb4da7800
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::layers::CompositorParent::GetIndirectShadowTree(unsigned long long) [_tree.h : 543 + 0x5]
     r4 = 0xb6300a10    r5 = 0x00000000    r6 = 0xacc92340    r7 = 0xbe874360
     r8 = 0x000e0034    r9 = 0x00000001   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbe874220    pc = 0xb4db1e19

@sotaro: Could you please add additional log to confirm us why we are crashing inside 
gfx layer IPC transaction ? I already confirmed that system has enough memory when it happened.

2) I am seeing following logs in b2g-info just before crash happened:

[H[JEvery 5s: b2g-info                                          2014-10-01 07:57:03

                           |      megabytes     |
           NAME   PID PPID  CPU(s) NICE  USS  PSS  RSS SWAP VSIZE OOM_ADJ USER     
            b2g   232    1 11303.0    0 24.1 25.5 28.4 48.3 277.0       0 root     
         (Nuwa)  1057  232   225.9    0  0.3  0.4  1.1  7.5  53.8       0 root     
       FM Radio 24154 1057     6.8    1  1.2  1.4  2.2 14.1  80.6       2 u0_a24154
          Usage 25440 1057     2.0    1  5.9  7.5 10.7  8.7  67.4       2 u0_a25440
(Preallocated a 25702  232     1.2    1  4.9  6.1  8.9  4.2  63.8       2 u0_a25702
(Preallocated a 25800 1057     0.2   18  2.4  3.3  5.5  5.8  57.9       1 u0_a25800

@alive for commenting on this two foreground app issue. 

Full logcat logs and b2g-info logs :
https://drive.google.com/file/d/0B1cSMS8_GuAEQjFOcGlFaHBLam8/view?usp=sharing
Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(alive)
Whiteboard: [CR 732983]
We are seeing some page fault in kernel for b2g process when this crash happened. So I am withdrawing this CR till we complete that analysis.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(alive)
Resolution: --- → INVALID
blocking-b2g: 2.0? → -
This log has AsyncTransactionTracker in symbol names. But it seems incorrect symbol. The crash happened by CompositorParent::GetIndirectShadowTree().

The following seems correct one.

> typedef map<uint64_t, CompositorParent::LayerTreeState> LayerTreeMap;

http://mxr.mozilla.org/mozilla-central/source/gfx/layers/ipc/CompositorParent.cpp#1103
This might be caused by a similar cause of Bug 997367.
From the crash address, the code tried to dereference already deleted object.

> Crash reason:  SIGSEGV
> Crash address: 0x5a5a5a6a
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: