Closed
Bug 1080919
Opened 10 years ago
Closed 10 years ago
b2g crashes in mozilla::layers::CompositorParent::GetIndirectShadowTree
Categories
(Firefox OS Graveyard :: Stability, defect, P1)
Tracking
(blocking-b2g:-)
RESOLVED
INVALID
People
(Reporter: tkundu, Unassigned)
References
Details
(Keywords: crash, Whiteboard: [CR 732983])
Crash Data
Attachments
(2 files)
We are hitting this issue during stability testing on FFOS 2.0 and a 256MB msm8610 device.
Comment 1 • 10 years ago (Reporter)
[Blocking Requested - why for this release]:
blocking-b2g: --- → 2.0?
Comment 2 • 10 years ago (Reporter)
Comment 3 • 10 years ago (Reporter)
1)
0 libxul.so!std::priv::_Rb_tree_node_base* std::priv::_Rb_tree<unsigned long long, std::less<unsigned long long>, std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> >, std::priv::_Select1st<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > >, std::priv::_MapTraitsT<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > >, std::allocator<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > > >::_M_find<unsigned long long>(unsigned long long const&) const [AsyncTransactionTracker.cpp : 199 + 0x4]
r0 = 0xac6c17e0 r1 = 0xbe874220 r2 = 0x00000717 r3 = 0x5a5a5a6a
r4 = 0x5a5a5a5a r5 = 0x5a5a5a5a r6 = 0x5a5a5a5a r7 = 0xb6300a10
r8 = 0x000e0034 r9 = 0x00000001 r10 = 0x00000000 r12 = 0xb626b9c4
fp = 0x0000000f sp = 0xbe87420c lr = 0xb4db1e19 pc = 0xb4da7800
Found by: given as instruction pointer in context
1 libxul.so!mozilla::layers::CompositorParent::GetIndirectShadowTree(unsigned long long) [_tree.h : 543 + 0x5]
r4 = 0xb6300a10 r5 = 0x00000000 r6 = 0xacc92340 r7 = 0xbe874360
r8 = 0x000e0034 r9 = 0x00000001 r10 = 0x00000000 fp = 0x0000000f
sp = 0xbe874220 pc = 0xb4db1e19
@sotaro: Could you please add additional logs to confirm for us why we are crashing inside the gfx layer IPC transaction? I already confirmed that the system has enough memory when it happened.
2) I am seeing the following logs in b2g-info just before the crash happened:
Every 5s: b2g-info 2014-10-01 07:57:03
| megabytes |
NAME PID PPID CPU(s) NICE USS PSS RSS SWAP VSIZE OOM_ADJ USER
b2g 232 1 11303.0 0 24.1 25.5 28.4 48.3 277.0 0 root
(Nuwa) 1057 232 225.9 0 0.3 0.4 1.1 7.5 53.8 0 root
FM Radio 24154 1057 6.8 1 1.2 1.4 2.2 14.1 80.6 2 u0_a24154
Usage 25440 1057 2.0 1 5.9 7.5 10.7 8.7 67.4 2 u0_a25440
(Preallocated a 25702 232 1.2 1 4.9 6.1 8.9 4.2 63.8 2 u0_a25702
(Preallocated a 25800 1057 0.2 18 2.4 3.3 5.5 5.8 57.9 1 u0_a25800
@alive for commenting on this two foreground app issue.
Full logcat logs and b2g-info logs :
https://drive.google.com/file/d/0B1cSMS8_GuAEQjFOcGlFaHBLam8/view?usp=sharing
Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(alive)
Updated • 10 years ago (Reporter)
Whiteboard: [CR 732983]
Comment 4 • 10 years ago (Reporter)
We are seeing some page fault in the kernel for the b2g process when this crash happened. So I am withdrawing this CR until we complete that analysis.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(alive)
Resolution: --- → INVALID
Updated • 10 years ago
blocking-b2g: 2.0? → -
Comment 5 • 10 years ago
This log has AsyncTransactionTracker in the symbol names, but that seems to be an incorrect symbol. The crash happened in CompositorParent::GetIndirectShadowTree().
The following seems to be the correct one.
> typedef map<uint64_t, CompositorParent::LayerTreeState> LayerTreeMap;
http://mxr.mozilla.org/mozilla-central/source/gfx/layers/ipc/CompositorParent.cpp#1103
Comment 6 • 10 years ago
This might have a cause similar to that of Bug 997367.
Comment 7 • 10 years ago
From the crash address, the code tried to dereference an already deleted object.
> Crash reason: SIGSEGV
> Crash address: 0x5a5a5a6a
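
The reasoning in comment 7, as an added triage example (not code from this bug or from Mozilla): it assumes the allocator fills freed memory with the byte 0x5a, as jemalloc's junk fill does, and flags register values and crash addresses of the form 0x5a5a5a5a plus a small offset. The function names and the 0x1000 offset limit are choices made for this example; the register lines and crash address are the ones posted in comments 3 and 7.

```python
import re

# Assumption: freed memory is filled with 0x5a bytes (jemalloc-style junk fill),
# so a pointer loaded from a freed object reads back as 0x5a5a5a5a.
POISON = 0x5A5A5A5A
MAX_FIELD_OFFSET = 0x1000  # example limit: poison + small offset = field access

REG_RE = re.compile(r"\b(r\d+|fp|sp|lr|pc)\s*=\s*0x([0-9a-fA-F]{8})\b")
ADDR_RE = re.compile(r"Crash address:\s*0x([0-9a-fA-F]+)")

# Frame 0 registers and crash address as posted in this bug.
FRAME0 = """r0 = 0xac6c17e0 r1 = 0xbe874220 r2 = 0x00000717 r3 = 0x5a5a5a6a
r4 = 0x5a5a5a5a r5 = 0x5a5a5a5a r6 = 0x5a5a5a5a r7 = 0xb6300a10
r8 = 0x000e0034 r9 = 0x00000001 r10 = 0x00000000 r12 = 0xb626b9c4
fp = 0x0000000f sp = 0xbe87420c lr = 0xb4db1e19 pc = 0xb4da7800"""
CRASH = "Crash address: 0x5a5a5a6a"

def parse_registers(frame_text):
    """Return {register: value} from stackwalk-style register lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(frame_text)}

def poison_offset(value):
    """Offset above the poison word if value is poison+small offset, else None."""
    if value is None:
        return None
    off = value - POISON
    return off if 0 <= off < MAX_FIELD_OFFSET else None

def triage(frame_text, crash_line):
    """Classify a crash from its faulting address and top-frame registers."""
    regs = parse_registers(frame_text)
    m = ADDR_RE.search(crash_line)
    crash_addr = int(m.group(1), 16) if m else None
    fault_off = poison_offset(crash_addr)
    return {
        "verdict": "likely use-after-free" if fault_off is not None else "inconclusive",
        "fault_offset": fault_off,
        # Registers holding the exact faulting address.
        "fault_registers": sorted(r for r, v in regs.items() if v == crash_addr),
        # Every register that carries poison, with its offset from the pattern.
        "poisoned_registers": {r: off for r, v in regs.items()
                               if (off := poison_offset(v)) is not None},
    }

if __name__ == "__main__":
    print(triage(FRAME0, CRASH))
```

On the posted frame this reports r3 as the faulting register at poison + 0x10, with r4, r5 and r6 holding the bare poison word, which is consistent with a field access through a pointer read out of freed memory.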