Closed Bug 1015863 Opened 12 years ago Closed 12 years ago

[dolphin][monkey test] monkey test crash at libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]

Categories

(Core :: Graphics, defect)

30 Branch
Other
Other
defect
Not set
normal

RESOLVED DUPLICATE of bug 1003893

People

(Reporter: angelc04, Unassigned)

Details

(Keywords: crash, Whiteboard: [sprd314460][partner-blocker][b2g-crash])

Operating system: Android 0.0.0 Linux 3.10.17 #1 PREEMPT Thu May 15 06:16:48 CST 2014 armv7l Spreadtrum/scx15_sp7715gaplus/scx15_sp7715ga:4.4.2/KOT49H/96:userdebug/test-keys
CPU: arm 1 CPU
Crash reason: SIGSEGV
Crash address: 0x5a5a5a8a
Thread 0 (crashed)
0 libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
    r4 = 0x5a5a5a5a r5 = 0x00000000 r6 = 0xb3cb60e8 r7 = 0x00000001
    r8 = 0xb6cbb8f4 r9 = 0xb3cb6060 r10 = 0x6207f7c4 fp = 0xbed8f85c
    sp = 0xbed8ecf8 lr = 0xb59c7091 pc = 0xb59d0d80
    Found by: given as instruction pointer in context
1 libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
    r4 = 0x5a5a5a5a r5 = 0x00000000 r6 = 0xb3cb60e8 r7 = 0x00000001
    r8 = 0xb6cbb8f4 r9 = 0xb3cb6060 r10 = 0x6207f7c4 fp = 0xbed8f85c
    sp = 0xbed8ed00 pc = 0xb59c7091
    Found by: call frame info
2 libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115 + 0x3]
    r4 = 0xffffffff r5 = 0x00000000 r6 = 0xb3cb6000 r7 = 0x00000001
    r8 = 0xb6cbb8f4 r9 = 0xb3cb6060 r10 = 0x6207f7c4 fp = 0xbed8f85c
    sp = 0xbed8ed18 pc = 0xb59c7141
    Found by: call frame info
Whiteboard: [sprd314460][partner-blocker]
Hi Alphan, would you mind taking a look at this crash? Thanks!
Flags: needinfo?(alchen)
Hi Boris, it seems that this bug is similar to Bug 1003893. Could you have a look? Thanks.
Flags: needinfo?(alchen) → needinfo?(boris.chiou)
Flags: needinfo?(boris.chiou)
Yes, I think they may be the same problem. We got an invalid address (0x5a5a5a5a, poison memory) and try to free it. Bug 1003893 can reproduce it in Gallery app on Open C.
poison memory: ex. http://dxr.mozilla.org/mozilla-central/source/memory/mozjemalloc/jemalloc.c#4544
(In reply to Alphan Chen[:Alphan] from comment #3)
> Hi Boris,
> it seems that this bug is similar to Bug 1003893.
> Could you have a look?
> Thanks.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
blocking-b2g: --- → 1.4?
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Component: General → Graphics
Keywords: crash
Product: Firefox OS → Core
Whiteboard: [sprd314460][partner-blocker] → [sprd314460][partner-blocker][b2g-crash]
Version: unspecified → 30 Branch
Hi Boris, Please help to double check Jason's question in comment 6.
Flags: needinfo?(boris.chiou)
Is this actionable or not?
(In reply to Ivan Tsay (:ITsay) from comment #7)
> Hi Boris,
>
> Please help to double check Jason's question in comment 6.
The call stacks of these two bugs look similar:
0 libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
1 libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
2 libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115 + 0x3]
Bug 1003893 can be reproduced on Open C and I am trying to fix it now. However, I don't know the reproduction steps of this bug and can only check the call stack which Spreadtrum gave. A crash address of 0x5a5a5a5a means it may be a double free problem in imgFrame. I didn't test Bug 1003893 in 1.4, and need more information about this bug. Thanks.
Flags: needinfo?(boris.chiou)
By the way, this bug also happened in Gallery app, right? According to your log:
URL=app://gallery.gaiamobile.org/manifest.webapp
Bug 1003893 also happened in Gallery app.
(In reply to Boris Chiou [:boris] from comment #9)
> (In reply to Ivan Tsay (:ITsay) from comment #7)
> > Hi Boris,
> >
> > Please help to double check Jason's question in comment 6.
>
> The call stacks of these two bugs look similar:
> 0 libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
> 1 libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
> 2 libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115
> + 0x3]
>
> Bug 1003893 can be reproduced on Open C and I am trying to fix it now.
> However, I don't know the reproduction steps of this Bug and only can check
> the call stack which Spreadtrum gave. Crash address is 0x5a5a5a5a means it
> may be a double free problem in imgFrame. I didn't test Bug 1003893 in 1.4,
> and need more information about this bug. Thanks.
Talking in triage, we think Boris's comments conclude that this is indeed a dupe. I'll + the dupe.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
blocking-b2g: 1.4? → ---
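The triage step the comments rely on (spotting the 0x5a5a5a5a poison value in the stack dump) can be automated. The following is an added example, not code from this bug or from Mozilla: it parses a stack dump in the format shown in the description and reports the crash address offset and every frame register that holds a value at or just above the poison pattern. The 0x1000 window, the function names and the abridged sample are assumptions made for the example.

```python
import re

POISON = 0x5A5A5A5A   # freed-memory fill value named in the comments above
WINDOW = 0x1000       # assumption: small member offsets above poison still count

# Constructed sample: abridged copy of the stack dump in this bug's description.
SAMPLE = """\
Crash reason: SIGSEGV
Crash address: 0x5a5a5a8a
Thread 0 (crashed)
0 libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
r4 = 0x5a5a5a5a r5 = 0x00000000 r6 = 0xb3cb60e8 r7 = 0x00000001
sp = 0xbed8ecf8 lr = 0xb59c7091 pc = 0xb59d0d80
1 libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
r4 = 0x5a5a5a5a r5 = 0x00000000 sp = 0xbed8ed00 pc = 0xb59c7091
2 libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115 + 0x3]
r4 = 0xffffffff r5 = 0x00000000 sp = 0xbed8ed18 pc = 0xb59c7141
"""

FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+!.+?)\s+\[")
REG_RE = re.compile(r"\b(r\d+|fp|sp|lr|pc)\s*=\s*0x([0-9a-fA-F]+)")
ADDR_RE = re.compile(r"^Crash address:\s*0x([0-9a-fA-F]+)", re.M)


def near_poison(value):
    """Return value - POISON if value is in [POISON, POISON + WINDOW), else None."""
    off = value - POISON
    return off if 0 <= off < WINDOW else None


def triage(report):
    """Return the crash address offset from poison and (frame, symbol, register) hits."""
    m = ADDR_RE.search(report)
    result = {"crash_offset": near_poison(int(m.group(1), 16)) if m else None, "hits": []}
    frame = None
    for line in report.splitlines():
        fm = FRAME_RE.match(line)
        if fm:  # a new stack frame header: remember its index and symbol
            frame = (int(fm.group(1)), fm.group(2))
            continue
        for reg, hexval in REG_RE.findall(line):
            if frame and near_poison(int(hexval, 16)) is not None:
                result["hits"].append((frame[0], frame[1], reg))
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the crash address sits 0x30 bytes above the poison value and r4 carries the raw pattern in frames 0 and 1 but not in frame 2.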