Closed
Bug 1015863
Opened 12 years ago
Closed 12 years ago
[dolphin][monkey test] monkey test crash at libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1003893
People
(Reporter: angelc04, Unassigned)
Details
(Keywords: crash, Whiteboard: [sprd314460][partner-blocker][b2g-crash])
Operating system: Android
0.0.0 Linux 3.10.17 #1 PREEMPT Thu May 15 06:16:48 CST 2014 armv7l Spreadtrum/scx15_sp7715gaplus/scx15_sp7715ga:4.4.2/KOT49H/96:userdebug/test-keys
CPU: arm
1 CPU
Crash reason: SIGSEGV
Crash address: 0x5a5a5a8a
Thread 0 (crashed)
0 libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
r4 = 0x5a5a5a5a r5 = 0x00000000 r6 = 0xb3cb60e8 r7 = 0x00000001
r8 = 0xb6cbb8f4 r9 = 0xb3cb6060 r10 = 0x6207f7c4 fp = 0xbed8f85c
sp = 0xbed8ecf8 lr = 0xb59c7091 pc = 0xb59d0d80
Found by: given as instruction pointer in context
1 libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
r4 = 0x5a5a5a5a r5 = 0x00000000 r6 = 0xb3cb60e8 r7 = 0x00000001
r8 = 0xb6cbb8f4 r9 = 0xb3cb6060 r10 = 0x6207f7c4 fp = 0xbed8f85c
sp = 0xbed8ed00 pc = 0xb59c7091
Found by: call frame info
2 libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115 + 0x3]
r4 = 0xffffffff r5 = 0x00000000 r6 = 0xb3cb6000 r7 = 0x00000001
r8 = 0xb6cbb8f4 r9 = 0xb3cb6060 r10 = 0x6207f7c4 fp = 0xbed8f85c
sp = 0xbed8ed18 pc = 0xb59c7141
Found by: call frame info
Reporter
Updated•12 years ago
Whiteboard: [sprd314460][partner-blocker]
Reporter
Comment 1•12 years ago
Here is the log: https://www.dropbox.com/s/c6kbolsq5go7l1k/1015863.zip
Comment 2•12 years ago
Hi Alphan,
Mind taking a look at this crash? Thanks!
Flags: needinfo?(alchen)
Comment 3•12 years ago
Hi Boris,
it seems that this bug is similar to Bug 1003893.
Could you have a look?
Thanks.
Flags: needinfo?(alchen) → needinfo?(boris.chiou)
Updated•12 years ago
Flags: needinfo?(boris.chiou)
Comment 4•12 years ago
Yes, I think they may be the same problem. We got an invalid address (0x5a5a5a5a, poison memory) and tried to free it. Bug 1003893 can reproduce it in the Gallery app on Open C.
poison memory: ex. http://dxr.mozilla.org/mozilla-central/source/memory/mozjemalloc/jemalloc.c#4544
(In reply to Alphan Chen[:Alphan] from comment #3)
> Hi Boris,
> it seems that this bug is similar to Bug 1003893.
> Could you have a look?
> Thanks.
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Reporter
Updated•12 years ago
blocking-b2g: --- → 1.4?
Comment 6•12 years ago
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Updated•12 years ago
Component: General → Graphics
Keywords: crash
Product: Firefox OS → Core
Whiteboard: [sprd314460][partner-blocker] → [sprd314460][partner-blocker][b2g-crash]
Version: unspecified → 30 Branch
Comment 7•12 years ago
Hi Boris,
Please help to double check Jason's question in comment 6.
Flags: needinfo?(boris.chiou)
Comment 8•12 years ago
Is this actionable or not?
Comment 9•12 years ago
(In reply to Ivan Tsay (:ITsay) from comment #7)
> Hi Boris,
>
> Please help to double check Jason's question in comment 6.
The call stacks of these two bugs look similar:
0 libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
1 libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
2 libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115 + 0x3]
Bug 1003893 can be reproduced on Open C and I am trying to fix it now. However, I don't know the reproduction steps for this bug and can only check the call stack that Spreadtrum gave. A crash address of 0x5a5a5a5a means it may be a double-free problem in imgFrame. I didn't test Bug 1003893 in 1.4, and need more information about this bug. Thanks.
Flags: needinfo?(boris.chiou)
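Added example, not part of the bug thread and not Mozilla code: comments 4 and 9 read 0x5a5a5a5a as poison written over freed memory, and this script applies that check to the crash report text, flagging registers that hold a poison pattern and measuring how far the crash address lies from them. The names POISON_BYTES, MAX_FIELD_OFFSET, poison_byte and triage are hypothetical, and treating a small positive offset as a field read through a stale pointer is an assumption.

```python
import re

# 0x5a is the freed-memory poison byte named in the thread; 0xa5 is jemalloc's
# junk byte for fresh allocations, included here for contrast.
POISON_BYTES = {0x5A: "freed memory", 0xA5: "uninitialised allocation"}
MAX_FIELD_OFFSET = 0x1000  # assumption: member offsets stay below one page

# Excerpt copied from the crash report above (crash address, frame 0 registers).
SAMPLE = """\
Crash reason: SIGSEGV
Crash address: 0x5a5a5a8a
0 libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
r4 = 0x5a5a5a5a r5 = 0x00000000 r6 = 0xb3cb60e8 r7 = 0x00000001
sp = 0xbed8ecf8 lr = 0xb59c7091 pc = 0xb59d0d80
"""

def poison_byte(value):
    """Return the fill byte if every byte of the value is the same poison byte."""
    width = max(4, (value.bit_length() + 7) // 8)
    raw = value.to_bytes(width, "little")
    return raw[0] if len(set(raw)) == 1 and raw[0] in POISON_BYTES else None

def triage(report):
    """List registers holding a poison pattern and their distance to the fault."""
    match = re.search(r"Crash address:\s*(0x[0-9a-fA-F]+)", report)
    if match is None:
        raise ValueError("no 'Crash address:' line in report")
    crash = int(match.group(1), 16)
    findings = []
    for name, text in re.findall(r"\b(\w+) = (0x[0-9a-fA-F]+)", report):
        value = int(text, 16)
        fill = poison_byte(value)
        if fill is None:
            continue
        offset = crash - value
        findings.append({
            "register": name,
            "fill": POISON_BYTES[fill],
            # A small positive offset fits a field read through a stale pointer.
            "offset": offset if 0 <= offset < MAX_FIELD_OFFSET else None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the report above it flags r4 only and shows that the crash address 0x5a5a5a8a is r4 + 0x30.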
Comment 10•12 years ago
By the way, this bug also happened in the Gallery app, right?
According to your log: URL=app://gallery.gaiamobile.org/manifest.webapp
Bug 1003893 also happened in the Gallery app.
(In reply to Boris Chiou [:boris] from comment #9)
> (In reply to Ivan Tsay (:ITsay) from comment #7)
> > Hi Boris,
> >
> > Please help to double check Jason's question in comment 6.
>
> The call stacks of these two bugs look similar:
> 0 libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
> 1 libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
> 2 libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115
> + 0x3]
>
> Bug 1003893 can be reproduced on Open C and I am trying to fix it now.
> However, I don't know the reproduction steps for this bug and can only check
> the call stack that Spreadtrum gave. A crash address of 0x5a5a5a5a means it
> may be a double-free problem in imgFrame. I didn't test Bug 1003893 in 1.4,
> and need more information about this bug. Thanks.
Comment 11•12 years ago
Talking in triage, we think Boris's comments conclude that this is indeed a dupe. I'll + the dupe.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → DUPLICATE
Updated•12 years ago
blocking-b2g: 1.4? → ---