b2g crashes in mozilla::layers::CompositorParent::GetIndirectShadowTree

RESOLVED INVALID

Status

Firefox OS
Stability
P1
blocker
3 years ago
3 years ago

People

(Reporter: tkundu, Unassigned)

Tracking

({crash})

unspecified
ARM
Gonk (Firefox OS)
crash

Firefox Tracking Flags

(blocking-b2g:-)

Details

(Whiteboard: [CR 732983], crash signature)

Attachments

(2 attachments)

Created attachment 8502863 [details]
stack trace

We are hitting this issue during stability testing on FFOS 2.0 and a 256MB msm8610 device.
[Blocking Requested - why for this release]:
blocking-b2g: --- → 2.0?
Created attachment 8502865 [details]
.extra file logs
1)

 0  libxul.so!std::priv::_Rb_tree_node_base* std::priv::_Rb_tree<unsigned long long, std::less<unsigned long long>, std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> >, std::priv::_Select1st<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > >, std::priv::_MapTraitsT<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > >, std::allocator<std::pair<unsigned long long const, mozilla::RefPtr<mozilla::layers::AsyncTransactionTracker> > > >::_M_find<unsigned long long>(unsigned long long const&) const [AsyncTransactionTracker.cpp : 199 + 0x4]
     r0 = 0xac6c17e0    r1 = 0xbe874220    r2 = 0x00000717    r3 = 0x5a5a5a6a
     r4 = 0x5a5a5a5a    r5 = 0x5a5a5a5a    r6 = 0x5a5a5a5a    r7 = 0xb6300a10
     r8 = 0x000e0034    r9 = 0x00000001   r10 = 0x00000000   r12 = 0xb626b9c4
     fp = 0x0000000f    sp = 0xbe87420c    lr = 0xb4db1e19    pc = 0xb4da7800
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::layers::CompositorParent::GetIndirectShadowTree(unsigned long long) [_tree.h : 543 + 0x5]
     r4 = 0xb6300a10    r5 = 0x00000000    r6 = 0xacc92340    r7 = 0xbe874360
     r8 = 0x000e0034    r9 = 0x00000001   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbe874220    pc = 0xb4db1e19

@sotaro: Could you please add an additional log to confirm for us why we are crashing inside the gfx layer IPC transaction? I already confirmed that the system had enough memory when it happened.

2) I am seeing the following logs in b2g-info just before the crash happened:

Every 5s: b2g-info                                          2014-10-01 07:57:03

                           |      megabytes     |
           NAME   PID PPID  CPU(s) NICE  USS  PSS  RSS SWAP VSIZE OOM_ADJ USER     
            b2g   232    1 11303.0    0 24.1 25.5 28.4 48.3 277.0       0 root     
         (Nuwa)  1057  232   225.9    0  0.3  0.4  1.1  7.5  53.8       0 root     
       FM Radio 24154 1057     6.8    1  1.2  1.4  2.2 14.1  80.6       2 u0_a24154
          Usage 25440 1057     2.0    1  5.9  7.5 10.7  8.7  67.4       2 u0_a25440
(Preallocated a 25702  232     1.2    1  4.9  6.1  8.9  4.2  63.8       2 u0_a25702
(Preallocated a 25800 1057     0.2   18  2.4  3.3  5.5  5.8  57.9       1 u0_a25800

@alive for commenting on this two foreground app issue. 

Full logcat logs and b2g-info logs :
https://drive.google.com/file/d/0B1cSMS8_GuAEQjFOcGlFaHBLam8/view?usp=sharing
Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(alive)
Whiteboard: [CR 732983]
We are seeing some page faults in the kernel for the b2g process when this crash happened. So I am withdrawing this CR till we complete that analysis.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(alive)
Resolution: --- → INVALID

Updated

3 years ago
blocking-b2g: 2.0? → -
This log has AsyncTransactionTracker in the symbol names, but that seems to be an incorrect symbol. The crash happened in CompositorParent::GetIndirectShadowTree().

The following seems to be the correct one.

> typedef map<uint64_t, CompositorParent::LayerTreeState> LayerTreeMap;

http://mxr.mozilla.org/mozilla-central/source/gfx/layers/ipc/CompositorParent.cpp#1103
This might have a cause similar to that of Bug 997367.
From the crash address, the code tried to dereference an already deleted object.

> Crash reason:  SIGSEGV
> Crash address: 0x5a5a5a6a
Keywords: crash
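
The reasoning in the last comment (a crash address of 0x5a5a5a6a pointing to an already deleted object) can be checked mechanically. The following is an added example, not part of the original bug report or Mozilla's code: it parses the frame 0 register dump from the stack trace above and flags values that equal an allocator fill pattern plus a small offset. The fill bytes are an assumption taken from jemalloc's documented junk filling (0x5a on free, 0xa5 on allocation); the page does not name the allocator, and `MAX_FIELD_OFFSET` is a hypothetical threshold.

```python
import re

# Sample input: register lines copied from frame 0 of the stack trace above.
FRAME0 = """\
r0 = 0xac6c17e0    r1 = 0xbe874220    r2 = 0x00000717    r3 = 0x5a5a5a6a
r4 = 0x5a5a5a5a    r5 = 0x5a5a5a5a    r6 = 0x5a5a5a5a    r7 = 0xb6300a10
r8 = 0x000e0034    r9 = 0x00000001   r10 = 0x00000000   r12 = 0xb626b9c4
fp = 0x0000000f    sp = 0xbe87420c    lr = 0xb4db1e19    pc = 0xb4da7800
"""
CRASH_ADDRESS = 0x5A5A5A6A  # "Crash address" quoted in the comment above

# Assumption: fill bytes documented for jemalloc's junk option
# (0x5a written on free, 0xa5 on allocation); the page names no allocator.
FILL_BYTES = {0x5A: "freed memory", 0xA5: "uninitialized allocation"}
MAX_FIELD_OFFSET = 0x1000  # hypothetical: pattern + small offset = member access

REG_RE = re.compile(r"\b(r\d+|fp|sp|lr|pc)\s*=\s*0x([0-9a-fA-F]{8})\b")


def parse_registers(text):
    """Map register name -> 32-bit value from minidump-style register lines."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def classify(value):
    """Return (kind, offset) if value is a fill pattern plus a small offset."""
    for byte, kind in FILL_BYTES.items():
        pattern = int.from_bytes(bytes([byte]) * 4, "big")
        offset = value - pattern
        if 0 <= offset < MAX_FIELD_OFFSET:
            return kind, offset
    return None


def triage(reg_text, crash_address):
    regs = parse_registers(reg_text)
    poisoned = {n: classify(v) for n, v in regs.items() if classify(v)}
    # A register equal to the faulting address held the pointer being dereferenced.
    fault_regs = sorted(n for n, v in regs.items() if v == crash_address)
    return {"fault": classify(crash_address),
            "fault_registers": fault_regs,
            "poisoned": poisoned}


if __name__ == "__main__":
    report = triage(FRAME0, CRASH_ADDRESS)
    print("crash address:", report["fault"], "held in", report["fault_registers"])
    for name, (kind, off) in sorted(report["poisoned"].items()):
        print(f"  {name}: {kind} pattern + {off:#x}")
```

On this dump the faulting address classifies as the free-fill pattern plus 0x10 and is held in r3, while r4 to r6 hold the bare pattern, which is consistent with a node read out of a freed tree element.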