Closed Bug 1028814 Opened 10 years ago Closed 10 years ago

[dolphin] monkey test crash at libxul.so!mozilla::layers::Axis::EndTouch() [Axis.cpp : 137 + 0x0]

Categories

Product / Component: Core :: Panning and Zooming
Type: defect
Version: 30 Branch
Platform: Other / Other
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 1039159
Tracking Status
b2g-v1.4 --- affected

People

(Reporter: angelc04, Unassigned)

Details

(Keywords: crash, Whiteboard: [sprd324414][partner-blocker][b2g-crash])

Attachments

(1 file)

Operating system: Android
                  0.0.0 Linux 3.10.17-00005-g52d04fb #1 PREEMPT Sat Jun 14 06:33:54 CST 2014 armv7l Spreadtrum/scx15_sp7715gaplus/scx15_sp7715ga:4.4.2/KOT49H/187:userdebug/test-keys
CPU: arm
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x5a5a5a00

Thread 0 (crashed)
 0  libxul.so!mozilla::layers::Axis::EndTouch() [Axis.cpp : 137 + 0x0]
     r4 = 0xa8f50374    r5 = 0xbede4bf4    r6 = 0xa8f50000    r7 = 0xbede4c08
     r8 = 0xbede4d28    r9 = 0xbede4fc0   r10 = 0xb618c5a4    fp = 0xb6544dbe
     sp = 0xbede4be0    lr = 0xb51cd7e3    pc = 0xb51cee5e
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::layers::AsyncPanZoomController::OnTouchEnd(mozilla::MultiTouchInput const&) [AsyncPanZoomController.cpp : 774 + 0x7]
     r4 = 0xa8f50000    r5 = 0xbede4bf4    r6 = 0xa8f50000    r7 = 0xbede4c08
     r8 = 0xbede4d28    r9 = 0xbede4fc0   r10 = 0xb618c5a4    fp = 0xb6544dbe
     sp = 0xbede4bf0    pc = 0xb51cd7e3
    Found by: call frame info
 2  libxul.so!mozilla::layers::AsyncPanZoomController::HandleInputEvent(mozilla::InputData const&) [AsyncPanZoomController.cpp : 591 + 0x7]
     r4 = 0x00000000    r5 = 0xbede4c2c    r6 = 0xa8f50000    r7 = 0xbede4c08
     r8 = 0xbede4d28    r9 = 0xbede4fc0   r10 = 0xb618c5a4    fp = 0xb6544dbe
     sp = 0xbede4c08    pc = 0xb51cda73
    Found by: call frame info
 3  libxul.so!mozilla::layers::APZCTreeManager::ProcessTouchEvent(mozilla::WidgetTouchEvent&, mozilla::layers::ScrollableLayerGuid*) [APZCTreeManager.cpp : 495 + 0x7]
     r4 = 0x00000001    r5 = 0x0000001c    r6 = 0xb113f4c0    r7 = 0xbede5010
     r8 = 0xbede4d28    r9 = 0xbede4fc0   r10 = 0xb618c5a4    fp = 0xb6544dbe
     sp = 0xbede4c28    pc = 0xb51bf99b
    Found by: call frame info
 4  libxul.so!mozilla::dom::TabParent::SendRealTouchEvent(mozilla::WidgetTouchEvent&) [TabParent.cpp : 842 + 0x3]
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0xacd45da0    r7 = 0xbede5010
     r8 = 0x00000000    r9 = 0xbede4fc0   r10 = 0xb618c5a4    fp = 0xb6544dbe
     sp = 0xbede4d18    pc = 0xb53ecd9d
    Found by: call frame info
 5  libxul.so!nsEventStateManager::HandleCrossProcessEvent(mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*) [nsEventStateManager.cpp : 1778 + 0xb]
     r4 = 0x00000000    r5 = 0xbede5010    r6 = 0x00000000    r7 = 0xace2e6a0
     r8 = 0xafd95c90    r9 = 0xbede4fc0   r10 = 0xb618c5a4    fp = 0xb6544dbe
     sp = 0xbede4d58    pc = 0xb54dc777
    Found by: call frame info
 6  libxul.so!nsEventStateManager::PostHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*) [nsEventStateManager.cpp : 3191 + 0x3]
     r4 = 0xbede5010    r5 = 0xb64c97f4    r6 = 0xafd95c90    r7 = 0xb180b2b8
     r8 = 0xafd95cb4    r9 = 0xbede4fc0   r10 = 0xb02ea400    fp = 0xb6544dbe
     sp = 0xbede4d98    pc = 0xb54dc82d
    Found by: call frame info
 7  libxul.so!PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*) [nsPresShell.cpp : 7273 + 0x15]
     r4 = 0xbede5010    r5 = 0xafde6d20    r6 = 0xb02ea400    r7 = 0xafd95c90
     r8 = 0xbede4fc0    r9 = 0x00000000   r10 = 0xb654a428    fp = 0xb6544dbe
     sp = 0xbede4e80    pc = 0xb57b8ffb
    Found by: call frame info
 8  libxul.so!PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) [nsPresShell.cpp : 6990 + 0x9]
     r4 = 0xafde6d20    r5 = 0xbede4ef0    r6 = 0xb180b2b8    r7 = 0xbede5010
     r8 = 0xbede4fc0    r9 = 0xb580bc2f   r10 = 0xbede5010    fp = 0xb654a428
     sp = 0xbede4ef0    pc = 0xb57b9115
    Found by: call frame info
 9  libxul.so!PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) [nsPresShell.cpp : 6790 + 0xb]
     r4 = 0xbede5010    r5 = 0xb4044900    r6 = 0xb180b2b8    r7 = 0xafde6d20
     r8 = 0xbede4fc0    r9 = 0xafd95c90   r10 = 0xbede5010    fp = 0xb654a428
     sp = 0xbede4f18    pc = 0xb57b973f
    Found by: call frame info
10  libxul.so!nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) [nsViewManager.cpp : 788 + 0xf]
     r4 = 0xbede5010    r5 = 0xb57b9151    r6 = 0xb180b2b8    r7 = 0xbede4fc0
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede4f98    pc = 0xb55a88ff
    Found by: call frame info
11  libxul.so!nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) [nsView.cpp : 1093 + 0xb]
     r4 = 0xb1ef0920    r5 = 0xbede5010    r6 = 0xb55a7d77    r7 = 0xbede5090
     r8 = 0x00001452    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede4fc0    pc = 0xb55a7daf
    Found by: call frame info
12  libxul.so!nsWindow::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) [nsWindow.cpp : 462 + 0x9]
     r4 = 0xb2873880    r5 = 0xbede4fec    r6 = 0xb55a7d77    r7 = 0xbede5090
     r8 = 0x00001452    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede4fd8    pc = 0xb5402e89
    Found by: call frame info
13  libxul.so!nsWindow::DispatchInputEvent(mozilla::WidgetGUIEvent&, bool*) [nsWindow.cpp : 270 + 0x11]
     r4 = 0xbede500b    r5 = 0xbede5010    r6 = 0xb6541188    r7 = 0xbede5090
     r8 = 0x00001452    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede4fe8    pc = 0xb5403687
    Found by: call frame info
14  libxul.so!GeckoInputDispatcher::dispatchOnce() [nsAppShell.cpp : 263 + 0x9]
     r4 = 0x03723bda    r5 = 0x00000000    r6 = 0xbede5010    r7 = 0xbede5090
     r8 = 0x00001452    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede5000    pc = 0xb540231b
    Found by: call frame info
15  libxul.so!nsAppShell::ProcessNextNativeEvent(bool) [nsAppShell.cpp : 1009 + 0x5]
     r4 = 0xb3464fa0    r5 = 0x00000001    r6 = 0x00000001    r7 = 0xb5401297
     r8 = 0x00000048    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede5558    pc = 0xb5401787
    Found by: call frame info
16  libxul.so!nsBaseAppShell::DoProcessNextNativeEvent(bool, unsigned int) [nsBaseAppShell.cpp : 140 + 0x9]
     r4 = 0xb3464fa0    r5 = 0x00000000    r6 = 0x00000001    r7 = 0x00000000
     r8 = 0x00000014    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede5678    pc = 0xb5409aad
    Found by: call frame info
17  libxul.so!nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) [nsBaseAppShell.cpp : 298 + 0x5]
     r4 = 0xb3464fa0    r5 = 0xb6b02550    r6 = 0x03723bd6    r7 = 0x00000000
     r8 = 0x00000014    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede5690    pc = 0xb5409b79
    Found by: call frame info
18  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 667 + 0xd]
     r4 = 0xb6b02550    r5 = 0x00000001    r6 = 0xbede56cc    r7 = 0xbede56ff
     r8 = 0x00000000    r9 = 0x00000001   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbede56b8    pc = 0xb4e83b65
    Found by: call frame info
19  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0xb]
     r4 = 0x00000001    r5 = 0xb6b441a0    r6 = 0xb6b01e30    r7 = 0x00000000
     r8 = 0xbede5798    r9 = 0xbede5788   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbede56f8    pc = 0xb4e5772b
    Found by: call frame info
20  libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 136 + 0x7]
     r4 = 0xb6b01e20    r5 = 0xb6b441a0    r6 = 0xb6b01e30    r7 = 0x00000000
     r8 = 0xbede5798    r9 = 0xbede5788   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbede5708    pc = 0xb4fb9f2f
    Found by: call frame info
21  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 226 + 0x5]
     r4 = 0xb6b441a0    r5 = 0xb3464fa0    r6 = 0xb6b02550    r7 = 0xbede5955
     r8 = 0xbede5798    r9 = 0xbede5788   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbede5730    pc = 0xb4fae8a7
    Found by: call frame info
22  libxul.so!MessageLoop::Run() [message_loop.cc : 219 + 0x5]
     r4 = 0xb6b441a0    r5 = 0xb3464fa0    r6 = 0xb6b02550    r7 = 0xbede5955
     r8 = 0xbede5798    r9 = 0xbede5788   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbede5738    pc = 0xb4fae959
    Found by: call frame info
23  libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp : 164 + 0x7]
     r4 = 0x00000000    r5 = 0xb3464fa0    r6 = 0xb6b02550    r7 = 0xbede5955
     r8 = 0xbede5798    r9 = 0xbede5788   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbede5750    pc = 0xb54095fb
    Found by: call frame info
24  libxul.so!nsAppStartup::Run() [nsAppStartup.cpp : 276 + 0x5]
     r4 = 0xb40b5550    r5 = 0xbede5864    r6 = 0xb4e6f245    r7 = 0xbede5955
     r8 = 0xbede5798    r9 = 0xbede5788   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbede5760    pc = 0xb59fe27f
    Found by: call frame info
25  libxul.so!XREMain::XRE_mainRun() [nsAppRunner.cpp : 4010 + 0x5]
     r4 = 0xbede57a0    r5 = 0xbede5864    r6 = 0xb4e6f245    r7 = 0xbede5955
     r8 = 0xbede5798    r9 = 0xbede5788   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbede5768    pc = 0xb59da54d
    Found by: call frame info
26  libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*) [nsAppRunner.cpp : 4079 + 0x5]
     r4 = 0xbede5864    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbede7a0c
     sp = 0xbede5840    pc = 0xb59db857
    Found by: call frame info
27  libxul.so!XRE_main [nsAppRunner.cpp : 4291 + 0x3]
     r4 = 0x00000000    r5 = 0x00024918    r6 = 0xbede7a14    r7 = 0x00000001
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbede7a0c
     sp = 0xbede5860    pc = 0xb59db9ad
    Found by: call frame info
28  b2g!main [nsBrowserApp.cpp : 163 + 0xf]
     r4 = 0xbede7a14    r5 = 0x00000001    r6 = 0xb59db96d    r7 = 0xbede69c8
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbede7a0c
     sp = 0xbede5970    pc = 0x0000a279
    Found by: call frame info
29  libc.so!__libc_init [libc_init_dynamic.cpp : 112 + 0x7]
     r4 = 0xbede7a14    r5 = 0xbede7a1c    r6 = 0x00000001    r7 = 0xb6f6bfd8
     r8 = 0x0000a07d    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbede7a0c
     sp = 0xbede79e0    pc = 0xb6f303fd
    Found by: call frame info
30  b2g + 0x1fea
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbede7a0c
     sp = 0xbede79f8    pc = 0x00009fec
    Found by: call frame info
31  linker!set_soinfo_pool_protection [linker.cpp : 291 + 0xb]
     sp = 0xbede7a10    pc = 0xb6fc6885
    Found by: stack scanning
32  0xbede7b35
     r4 = 0xbede7b27    r5 = 0x00000000    sp = 0xbede7a20    pc = 0xbede7b37
    Found by: call frame info

Please see attached call stack.
For more slog, please find it here: https://www.dropbox.com/s/gsod5umsb36r4mm/1028814.tar.bz2
Whiteboard: [sprd324414][partner-blocker]
Severity: normal → critical
Component: General → Panning and Zooming
Keywords: crash
Product: Firefox OS → Core
Whiteboard: [sprd324414][partner-blocker] → [sprd324414][partner-blocker][b2g-crash]
Version: unspecified → 30 Branch
Do you know the buildid that this happened on?
Flags: needinfo?(pcheng)
Gecko revision is 6215f7443f85ae4e9a23a44962f60711194a61ae
Gaia revision is 164644d91290708a71436dfdf4301e33b92e2c77

Is it the same as bug 1013025 ?
Depends on: 1013025
Quite possibly the same underlying issue, yeah. The fact that the crash address is at 0x5a5a5a00 means it's trying to access memory that has already been freed by jemalloc. The crash happens on a line trying to access mVelocityQueue, which seems to imply that the Axis object itself is garbage, which would mean that the AsyncPanZoomController object holding it is also garbage. However the call site in APZCTreeManager is holding that AsyncPanZoomController using a refptr so I don't see how that could happen; the AsyncPanZoomController instances are refcounted and there's no way to delete one out-of-band.
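A worked illustration of the poison reasoning in the comment above, added here by the editor and not part of this bug's attachments or of Gecko: an Axis-like owner is written into a block, the block is overwritten with 0x5a bytes the way jemalloc poisons a freed allocation, and the queue header pointer read back through the stale reference comes out as all-0x5a, so the first field access through it faults at an address such as 0x5a5a5a00. `AxisMock`, `VelocityQueueMock`, `PoisonFreeLike` and `LooksLikeJemallocPoison` are illustrative names; the struct layouts are a simplification and not nsTArray's or Axis's real layout, and the poison fill is simulated in place rather than by actually freeing, so the demonstration itself has no undefined behaviour. The triage heuristic takes the pointer width of the crashing process (4 bytes for this ARMv7 dump).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <cstdio>

// Simplified stand-ins (assumption: not nsTArray's or Axis's real layout).
// The queue owns a heap block whose header holds the element count.
struct VelocityQueueMock {
    struct Header {
        uint32_t length;
        float samples[8];
    };
    Header* hdr;
};

struct AxisMock {
    float mPos;
    VelocityQueueMock mVelocityQueue;
};

// Simulates jemalloc's free-time poisoning: the freed block is overwritten
// with 0x5a bytes. The block is not actually released here, so the reads
// below stay well-defined; a real use-after-free sees the same bytes until
// the allocator hands the block out again.
void PoisonFreeLike(void* block, size_t size) {
    std::memset(block, 0x5a, size);
}

// All-0x5a value for a pointer of `pointerBytes` bytes
// (0x5a5a5a5a for the 32-bit ARM process in this report).
uint64_t AllPoisonBytes(unsigned pointerBytes) {
    uint64_t v = 0;
    for (unsigned i = 0; i < pointerBytes; ++i) {
        v = (v << 8) | 0x5a;
    }
    return v;
}

// Triage heuristic: a fault address whose upper bytes are all 0x5a was
// derived from a pointer read out of poisoned (freed) memory. The low byte
// is ignored because the faulting instruction usually adds a small field
// offset or alignment adjustment before dereferencing, as in 0x5a5a5a00.
bool LooksLikeJemallocPoison(uint64_t addr, unsigned pointerBytes) {
    const uint64_t mask = ~static_cast<uint64_t>(0xff);
    return (addr & mask) == (AllPoisonBytes(pointerBytes) & mask);
}

// An AxisMock lives in `block`; the block is "freed" (poisoned) while a
// stale AxisMock* is still held elsewhere. Reading mVelocityQueue.hdr
// through that stale pointer yields an all-0x5a value, and the first field
// access through it is what faults.
uint64_t DanglingHeaderPointerAfterPoison() {
    static VelocityQueueMock::Header storage = {};
    AxisMock live = {};
    live.mVelocityQueue.hdr = &storage;

    alignas(AxisMock) unsigned char block[sizeof(AxisMock)];
    std::memcpy(block, &live, sizeof live);    // object constructed in its heap block
    PoisonFreeLike(block, sizeof block);       // owner freed and poisoned

    VelocityQueueMock::Header* dangling = nullptr;
    const size_t off = offsetof(AxisMock, mVelocityQueue) + offsetof(VelocityQueueMock, hdr);
    std::memcpy(&dangling, block + off, sizeof dangling);
    return static_cast<uint64_t>(reinterpret_cast<uintptr_t>(dangling));
}

int main() {
    const uint64_t crashAddress = 0x5a5a5a00;  // from this report's minidump
    std::printf("crash address 0x%llx looks like freed memory: %s\n",
                static_cast<unsigned long long>(crashAddress),
                LooksLikeJemallocPoison(crashAddress, 4) ? "yes" : "no");
    std::printf("dangling header pointer after poison: 0x%llx\n",
                static_cast<unsigned long long>(DanglingHeaderPointerAfterPoison()));
    return 0;
}
```

The heuristic only says the pointer came from freed memory; it does not say which object was freed. In this report the register dump is the next clue: r6 in frame 0 still holds the AsyncPanZoomController pointer (0xa8f50000) that the caller held via its RefPtr, so the stale value was read from something that object reaches, not from the object pointer itself.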
Comment 3 answered comment 2's question.
Flags: needinfo?(pcheng)
I think it's the same as bug 1013025, Peipei, do you agree?
This (and bug 1013025) is likely the same issue as bug 1039159. Jerry realized that mVelocityQueue is accessed from two different threads without locking, which is probably the root cause here.
Status: NEW → RESOLVED
Closed: 10 years ago
No longer depends on: 1013025
Resolution: --- → DUPLICATE
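How the unlocked cross-thread access named in the last comment is closed off in principle, as an added example (editor's code, not Gecko's patch for bug 1039159): a velocity queue that is appended to on the thread delivering touch-move events and cleared on touch-end from another thread. A std::vector reallocates on push_back and frees its old buffer; without a lock, the other thread can still be reading that buffer, which is exactly the read of freed, jemalloc-poisoned memory the crash address indicates. Here both paths take the same mutex, and a stress check verifies that every pushed sample is accounted for exactly once. The names Axis, UpdateWithTouchAtDevicePoint and EndTouch mirror the stack trace, but the class and its members are illustrative.

```cpp
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

// Illustrative Axis (not Gecko's). Samples are appended from the thread
// that delivers touch-move events and discarded on touch-end, possibly on
// a different thread. Every access to mVelocityQueue goes through the same
// mutex; without it, push_back() may reallocate and free the old buffer
// while EndTouch() on the other thread is still reading it.
class Axis {
public:
    void UpdateWithTouchAtDevicePoint(float velocity) {
        std::lock_guard<std::mutex> lock(mVelocityQueueLock);
        mVelocityQueue.push_back(velocity);
        ++mPushed;
    }

    // Discards the queued samples and returns how many there were.
    size_t EndTouch() {
        std::lock_guard<std::mutex> lock(mVelocityQueueLock);
        const size_t n = mVelocityQueue.size();
        mVelocityQueue.clear();
        mCleared += n;
        return n;
    }

    // Consistency invariant: nothing lost, nothing counted twice.
    bool Accounted() {
        std::lock_guard<std::mutex> lock(mVelocityQueueLock);
        return mPushed == mCleared + mVelocityQueue.size();
    }

private:
    std::mutex mVelocityQueueLock;
    std::vector<float> mVelocityQueue;
    size_t mPushed = 0;
    size_t mCleared = 0;
};

// Stress check: one thread appends `pushes` samples while the calling
// thread keeps ending touches. Returns true if the counts reconcile after
// both sides are done; with the lock in place this holds deterministically.
bool StressCheck(size_t pushes) {
    Axis axis;
    std::thread producer([&axis, pushes] {
        for (size_t i = 0; i < pushes; ++i) {
            axis.UpdateWithTouchAtDevicePoint(static_cast<float>(i));
        }
    });
    for (size_t i = 0; i < pushes; ++i) {
        axis.EndTouch();
    }
    producer.join();
    axis.EndTouch();
    return axis.Accounted();
}

int main() {
    std::printf("locked velocity queue stress check: %s\n",
                StressCheck(20000) ? "ok" : "FAILED");
    return 0;
}
```

Removing the two lock_guard lines turns this into the racy shape the comments describe; the result is then undefined behaviour, so the check may pass, fail, or crash depending on timing, which is also why a monkey test was needed to hit it.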
