Closed Bug 1015863 Opened 10 years ago Closed 10 years ago

[dolphin][monkey test] monkey test crash at libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]

Categories

(Core :: Graphics, defect)

30 Branch
Other
Other
defect
Not set
normal


RESOLVED DUPLICATE of bug 1003893

People

(Reporter: angelc04, Unassigned)

Details

(Keywords: crash, Whiteboard: [sprd314460][partner-blocker][b2g-crash])

Operating system: Android
                  0.0.0 Linux 3.10.17 #1 PREEMPT Thu May 15 06:16:48 CST 2014 armv7l Spreadtrum/scx15_sp7715gaplus/scx15_sp7715ga:4.4.2/KOT49H/96:userdebug/test-keys
CPU: arm
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x5a5a5a8a

Thread 0 (crashed)
 0  libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
     r4 = 0x5a5a5a5a    r5 = 0x00000000    r6 = 0xb3cb60e8    r7 = 0x00000001
     r8 = 0xb6cbb8f4    r9 = 0xb3cb6060   r10 = 0x6207f7c4    fp = 0xbed8f85c
     sp = 0xbed8ecf8    lr = 0xb59c7091    pc = 0xb59d0d80
    Found by: given as instruction pointer in context
 1  libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
     r4 = 0x5a5a5a5a    r5 = 0x00000000    r6 = 0xb3cb60e8    r7 = 0x00000001
     r8 = 0xb6cbb8f4    r9 = 0xb3cb6060   r10 = 0x6207f7c4    fp = 0xbed8f85c
     sp = 0xbed8ed00    pc = 0xb59c7091
    Found by: call frame info
 2  libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115 + 0x3]
     r4 = 0xffffffff    r5 = 0x00000000    r6 = 0xb3cb6000    r7 = 0x00000001
     r8 = 0xb6cbb8f4    r9 = 0xb3cb6060   r10 = 0x6207f7c4    fp = 0xbed8f85c
     sp = 0xbed8ed18    pc = 0xb59c7141
    Found by: call frame info
Whiteboard: [sprd314460][partner-blocker]
Hi Alphan,

Mind if you can take a look at this crash. Thanks!
Flags: needinfo?(alchen)
Hi Boris,
it seems that this bug is similar to Bug 1003893.
Could you have a look?
Thanks.
Flags: needinfo?(alchen) → needinfo?(boris.chiou)
Flags: needinfo?(boris.chiou)
Yes, I think they may be the same problem. We got an invalid address (0x5a5a5a5a, poison memory) and tried to free it. Bug 1003893 can reproduce it in the Gallery app on Open C.

poison memory: ex. http://dxr.mozilla.org/mozilla-central/source/memory/mozjemalloc/jemalloc.c#4544

(In reply to Alphan Chen[:Alphan] from comment #3)
> Hi Boris,
> it seems that this bug is similar to Bug 1003893.
> Could you have a look?
> Thanks.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
blocking-b2g: --- → 1.4?
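The comment above relies on a property of mozjemalloc's debug builds: a freed block is overwritten with 0x5a bytes, so a pointer that is later loaded from freed memory reads as 0x5a5a5a5a and the fault address in the crash report identifies the bug class directly. The C program below is an added example, not code from this bug or from Mozilla's allocator: it uses a constructed bump arena (`poison_alloc`/`poison_free`, which never reuse memory so the stale read can be observed deterministically), reproduces the stale-pointer pattern with stand-in `owner`/`frame` structs in place of RasterImage/imgFrame, and shows the two defender-side uses of the pattern: a triage check (`looks_poisoned`) for addresses near the poison value, and a release routine that refuses to delete through a poisoned pointer instead of double-freeing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Poison byte written over freed blocks. mozjemalloc uses 0x5a; the
 * arena below is a constructed stand-in, not Mozilla's allocator. */
#define POISON_BYTE 0x5a
#define ARENA_WORDS 512

/* Tiny bump arena: blocks are never reused, so a freed block stays
 * mapped and readable. That makes the stale read below observable
 * here instead of faulting at some unrelated later point. */
uintptr_t arena_words[ARENA_WORDS];
static size_t arena_used;

void *poison_alloc(size_t size) {
    size_t words = (size + sizeof(uintptr_t) - 1) / sizeof(uintptr_t);
    if (arena_used + words > ARENA_WORDS) return NULL;
    void *p = &arena_words[arena_used];
    arena_used += words;
    memset(p, 0, words * sizeof(uintptr_t));
    return p;
}

void poison_free(void *p, size_t size) {
    /* Fill the block with 0x5a so any pointer later loaded from it
     * reads as 0x5a5a5a5a (32-bit) or 0x5a5a5a5a5a5a5a5a (64-bit). */
    memset(p, POISON_BYTE, size);
}

/* The all-0x5a pointer value for this platform's pointer width. */
uintptr_t poison_pattern(void) {
    uintptr_t v = 0;
    for (size_t i = 0; i < sizeof(uintptr_t); i++)
        v = (v << 8) | POISON_BYTE;
    return v;
}

/* Triage heuristic: a crash address equal to the poison pattern, or a
 * small field offset above it (0x5a5a5a8a in the report is such an
 * offset on a 32-bit build), means the faulting pointer was loaded
 * from memory that had already been freed. */
int looks_poisoned(uintptr_t addr) {
    uintptr_t pat = poison_pattern();
    return addr >= pat && addr - pat < 256;
}

/* Stand-ins for the RasterImage -> imgFrame ownership in the stack. */
struct frame { int width, height; };
struct owner { struct frame *frame; };

/* Reproduces the failure mode: the owner is freed (and poisoned), then
 * its frame pointer is read anyway, as a stale smart pointer would.
 * Returns the value that was read. */
uintptr_t stale_pointer_demo(void) {
    struct owner *o = poison_alloc(sizeof *o);
    if (o == NULL) return 0;
    o->frame = poison_alloc(sizeof *o->frame);
    if (o->frame == NULL) return 0;
    poison_free(o->frame, sizeof *o->frame);
    poison_free(o, sizeof *o);
    uintptr_t stale;
    memcpy(&stale, &o->frame, sizeof stale);  /* read after free */
    return stale;
}

/* Defensive counterpart: release the frame, but refuse to delete
 * through a pointer carrying the poison pattern.
 * Returns 1 if freed, 0 if already NULL, -1 if the pointer was poisoned
 * (the call would otherwise have been a double free). */
int release_frame_checked(struct owner *o) {
    uintptr_t p;
    memcpy(&p, &o->frame, sizeof p);
    if (p == 0) return 0;
    if (looks_poisoned(p)) return -1;
    poison_free(o->frame, sizeof *o->frame);
    o->frame = NULL;
    return 1;
}

int main(void) {
    uintptr_t stale = stale_pointer_demo();
    printf("stale frame pointer: 0x%lx, poisoned: %d\n",
           (unsigned long)stale, looks_poisoned(stale));
    return 0;
}
```

On a 32-bit ARM build like the one in the report the stale value prints as 0x5a5a5a5a; on a 64-bit host it is the eight-byte pattern, which is why `looks_poisoned` derives the pattern from the pointer width rather than hard-coding it.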
See https://bugzilla.mozilla.org/show_bug.cgi?id=1003893#c28
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Component: General → Graphics
Keywords: crash
Product: Firefox OS → Core
Whiteboard: [sprd314460][partner-blocker] → [sprd314460][partner-blocker][b2g-crash]
Version: unspecified → 30 Branch
Hi Boris,

Please help to double check Jason's question in comment 6.
Flags: needinfo?(boris.chiou)
Is this actionable or not?
(In reply to Ivan Tsay (:ITsay) from comment #7)
> Hi Boris,
> 
> Please help to double check Jason's question in comment 6.

The call stacks of these two bugs look similar:
 0  libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
 1  libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
 2  libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115 + 0x3]

Bug 1003893 can be reproduced on Open C and I am trying to fix it now. However, I don't know the reproduction steps of this bug and can only check the call stack which Spreadtrum gave. The crash address being 0x5a5a5a5a means it may be a double free problem in imgFrame. I didn't test Bug 1003893 in 1.4, and need more information about this bug. Thanks.
Flags: needinfo?(boris.chiou)
By the way, this bug also happened in Gallery app, right?
According to your log: URL=app://gallery.gaiamobile.org/manifest.webapp

Bug 1003893 also happened in Gallery app.

(In reply to Boris Chiou [:boris] from comment #9)
> (In reply to Ivan Tsay (:ITsay) from comment #7)
> > Hi Boris,
> > 
> > Please help to double check Jason's question in comment 6.
> 
> The call stacks of these two bugs look similar:
>  0  libxul.so!imgFrame::~imgFrame() [imgFrame.cpp : 169 + 0x0]
>  1  libxul.so!nsAutoPtr<imgFrame>::assign(imgFrame*) [nsAutoPtr.h : 45 + 0x5]
>  2  libxul.so!mozilla::image::RasterImage::Discard(bool) [nsAutoPtr.h : 115
> + 0x3]
> 
> Bug 1003893 can be reproduced on Open C and I am trying to fix it now.
> However, I don't know the reproduction steps of this Bug and only can check
> the call stack which Spreadtrum gave. Crash address is 0x5a5a5a5a means it
> may be a double free problem in imgFrame. I didn't test Bug 1003893 in 1.4,
> and need more information about this bug. Thanks.
Talking in triage, we think Boris's comments conclude that this is indeed a dupe. I'll + the dupe.
Status: REOPENED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
blocking-b2g: 1.4? → ---