[7715ea_v2.1][dolphin]monkey test crash at libxul.so!mozilla::layers::TouchBlockState::AddEvent(mozilla::MultiTouchInput const&) [nsTArray.h : 1276 + 0x4]

RESOLVED DUPLICATE of bug 1119120

Status

Firefox OS
Stability
--
critical
RESOLVED DUPLICATE of bug 1119120
3 years ago
3 years ago

People

(Reporter: yaoyao.wu, Unassigned, NeedInfo)

Tracking

unspecified
x86_64
Linux

Firefox Tracking Flags

(blocking-b2g:2.1S+)

Details

(Whiteboard: [sprd=396326](22times_2rd))

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Operating system: Android
                  0.0.0 Linux 3.10.17 #2 PREEMPT Mon Dec 15 16:24:02 CST 2014 armv7l
CPU: arm
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x5a5a5a5a

Thread 0 (crashed)
 0  libxul.so!mozilla::layers::TouchBlockState::AddEvent(mozilla::MultiTouchInput const&) [nsTArray.h : 1276 + 0x4]
     r4 = 0xac619ca0    r5 = 0xac619cb0    r6 = 0xbeb79310    r7 = 0x00000002
     r8 = 0xbeb79468    r9 = 0xbeb7961f   r10 = 0x0000001c    fp = 0xb6865a90
     sp = 0xbeb792c8    lr = 0xb5404e83    pc = 0xb5406418
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::layers::AsyncPanZoomController::ReceiveInputEvent(mozilla::InputData const&) [AsyncPanZoomController.cpp : 926 + 0x7]
     r4 = 0xa9cb4800    r5 = 0xac619ca0    r6 = 0xbeb79310    r7 = 0x00000002
     r8 = 0xbeb79468    r9 = 0xbeb7961f   r10 = 0x0000001c    fp = 0xb6865a90
     sp = 0xbeb792d8    pc = 0xb5404e83
    Found by: call frame info
 2  libxul.so!mozilla::layers::APZCTreeManager::ProcessTouchInput(mozilla::MultiTouchInput&, mozilla::layers::ScrollableLayerGuid*) [APZCTreeManager.cpp : 675 + 0x7]
     r4 = 0x00000001    r5 = 0x0000001c    r6 = 0xb0f87e20    r7 = 0xbeb79418
     r8 = 0xbeb79468    r9 = 0xbeb7961f   r10 = 0x0000001c    fp = 0xb6865a90
     sp = 0xbeb79300    pc = 0xb53ff1b3
    Found by: call frame info
 3  libxul.so!mozilla::layers::APZCTreeManager::ReceiveInputEvent(mozilla::WidgetInputEvent&, mozilla::layers::ScrollableLayerGuid*) [APZCTreeManager.cpp : 769 + 0x9]
     r4 = 0xbeb794fc    r5 = 0xbeb79468    r6 = 0xb0f87e20    r7 = 0xbeb794a0
     r8 = 0x00000000    r9 = 0xbeb7961f   r10 = 0x0000001c    fp = 0xb6865a90
     sp = 0xbeb79410    pc = 0xb53ff279
    Found by: call frame info
 4  libxul.so!mozilla::dom::TabParent::SendRealTouchEvent(mozilla::WidgetTouchEvent&) [TabParent.cpp : 999 + 0x3]
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0xac1aee00    r7 = 0xbeb794a0
     r8 = 0x00000000    r9 = 0xbeb7961f   r10 = 0x00000000    fp = 0xb6865a90
     sp = 0xbeb79458    pc = 0xb5800185
    Found by: call frame info
 5  libxul.so!mozilla::dom::TabParent::TryCapture(mozilla::WidgetGUIEvent const&) [TabParent.cpp : 1056 + 0x7]
     r4 = 0xbeb79540    r5 = 0xac1aee00    r6 = 0x00000012    r7 = 0xadc2d640
     r8 = 0x00000001    r9 = 0xbeb7961f   r10 = 0x00000000    fp = 0xb6865a90
     sp = 0xbeb79498    pc = 0xb58002bd
    Found by: call frame info
 6  libxul.so!nsWindow::DispatchInputEvent(mozilla::WidgetGUIEvent&, bool*) [nsWindow.cpp : 227 + 0x5]
     r4 = 0xbeb7953f    r5 = 0xbeb79540    r6 = 0xb688d71c    r7 = 0xadc2d640
     r8 = 0x00000001    r9 = 0xbeb7961f   r10 = 0x00000000    fp = 0xb6865a90
     sp = 0xbeb79510    pc = 0xb58a083d
    Found by: call frame info
 7  libxul.so!mozilla::GeckoTouchDispatcher::DispatchTouchEvent(mozilla::MultiTouchInput&) [GeckoTouchDispatcher.cpp : 367 + 0x9]
     r4 = 0xb6b027b0    r5 = 0x00000001    r6 = 0xafd87650    r7 = 0xadc2d640
     r8 = 0x00000001    r9 = 0xbeb7961f   r10 = 0x00000000    fp = 0xb6865a90
     sp = 0xbeb79528    pc = 0xb589bbd5
    Found by: call frame info
 8  libxul.so!mozilla::DispatchSingleTouchMainThread::Run() [GeckoTouchDispatcher.cpp : 110 + 0x7]
     r4 = 0xb6b027b0    r5 = 0x00000001    r6 = 0xb6b02780    r7 = 0xbeb795e4
     r8 = 0x00000001    r9 = 0xbeb7961f   r10 = 0x00000000    fp = 0xb6865a90
     sp = 0xbeb795b8    pc = 0xb589bcc9
    Found by: call frame info
 9  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 823 + 0x5]
     r4 = 0xb6b027b0    r5 = 0x00000001    r6 = 0xb6b02780    r7 = 0xbeb795e4
     r8 = 0x00000001    r9 = 0xbeb7961f   r10 = 0x00000000    fp = 0xb6865a90
     sp = 0xbeb795c0    pc = 0xb5097e53
    Found by: call frame info
10  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 265 + 0xb]
     r4 = 0x00000001    r5 = 0xb6b58280    r6 = 0xb6b5b0e0    r7 = 0x00000000
     r8 = 0xbeb796b0    r9 = 0xbeb796a0   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbeb79618    pc = 0xb50a428f
    Found by: call frame info
11  libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 140 + 0x7]
     r4 = 0xb6b5b0d0    r5 = 0xb6b58280    r6 = 0xb6b5b0e0    r7 = 0x00000000
     r8 = 0xbeb796b0    r9 = 0xbeb796a0   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbeb79628    pc = 0xb51e48e7
    Found by: call frame info
12  libxul.so!MessageLoop::RunInternal() [message_loop.cc : 234 + 0x5]
     r4 = 0xb6b58280    r5 = 0xb1f48700    r6 = 0xb6b02780    r7 = 0xbeb79875
     r8 = 0xbeb796b0    r9 = 0xbeb796a0   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbeb79650    pc = 0xb51d879f
    Found by: call frame info
13  libxul.so!MessageLoop::Run() [message_loop.cc : 227 + 0x5]
     r4 = 0xb6b58280    r5 = 0xb1f48700    r6 = 0xb6b02780    r7 = 0xbeb79875
     r8 = 0xbeb796b0    r9 = 0xbeb796a0   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbeb79658    pc = 0xb51d8851
    Found by: call frame info
14  libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp : 164 + 0x7]
     r4 = 0x00000000    r5 = 0xb1f48700    r6 = 0xb6b02780    r7 = 0xbeb79875
     r8 = 0xbeb796b0    r9 = 0xbeb796a0   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbeb79670    pc = 0xb588795b
    Found by: call frame info
15  libxul.so!nsAppStartup::Run() [nsAppStartup.cpp : 280 + 0x5]
     r4 = 0xb1930a00    r5 = 0xbeb79780    r6 = 0xb5082e01    r7 = 0xbeb79875
     r8 = 0xbeb796b0    r9 = 0xbeb796a0   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbeb79680    pc = 0xb5cf60e7
    Found by: call frame info
16  libxul.so!XREMain::XRE_mainRun() [nsAppRunner.cpp : 4128 + 0x5]
     r4 = 0xbeb796b8    r5 = 0xbeb79780    r6 = 0xb5082e01    r7 = 0xbeb79875
     r8 = 0xbeb796b0    r9 = 0xbeb796a0   r10 = 0x00000000    fp = 0x0000000f
     sp = 0xbeb79688    pc = 0xb5d09943
    Found by: call frame info
17  libxul.so!XREMain::XRE_main(int, char**, nsXREAppData const*) [nsAppRunner.cpp : 4201 + 0x5]
     r4 = 0xbeb79780    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000001    r9 = 0xbeb7aa34   r10 = 0x00002c1d    fp = 0xbeb7aa2c
     sp = 0xbeb79758    pc = 0xb5d0ab95
    Found by: call frame info
18  libxul.so!XRE_main [nsAppRunner.cpp : 4415 + 0x3]
     r4 = 0x00000000    r5 = 0x000238fc    r6 = 0xb6b2b188    r7 = 0x00000001
     r8 = 0x00000001    r9 = 0xbeb7aa34   r10 = 0x00002c1d    fp = 0xbeb7aa2c
     sp = 0xbeb79780    pc = 0xb5d0ad03
    Found by: call frame info
19  b2g!do_main [nsBrowserApp.cpp : 165 + 0xf]
     r4 = 0xb6b2b188    r5 = 0x00000001    r6 = 0xb5d0acb1    r7 = 0xbeb7aa34
     r8 = 0x00000001    r9 = 0xbeb7aa34   r10 = 0x00002c1d    fp = 0xbeb7aa2c
     sp = 0xbeb79890    pc = 0x0000b1ad
    Found by: call frame info
20  b2g!b2g_main(int, char const**) [nsBrowserApp.cpp : 291 + 0x5]
     r4 = 0xb6b2b188    r5 = 0x00000001    r6 = 0x00000000    r7 = 0xbeb7aa34
     r8 = 0x00000001    r9 = 0xbeb7aa34   r10 = 0x00002c1d    fp = 0xbeb7aa2c
     sp = 0xbeb7a8b0    pc = 0x0000b2a7
    Found by: call frame info
21  b2g!main [B2GLoader.cpp : 225 + 0x7]
     r4 = 0x00000000    r5 = 0xbeb7a960    r6 = 0x00000008    r7 = 0x0000000a
     r8 = 0x00000001    r9 = 0xbeb7aa34   r10 = 0x00002c1d    fp = 0xbeb7aa2c
     sp = 0xbeb7a958    pc = 0x0000b03d
    Found by: call frame info
22  libc.so!__libc_init [libc_init_dynamic.cpp : 112 + 0x7]
     r4 = 0xbeb7aa34    r5 = 0xbeb7aa3c    r6 = 0x00000001    r7 = 0xb6f5bfd8
     r8 = 0x0000af21    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbeb7aa2c
     sp = 0xbeb7aa00    pc = 0xb6f203fd
    Found by: call frame info
23  b2g + 0x2be2
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0xbeb7aa2c
     sp = 0xbeb7aa18    pc = 0x0000abe4
    Found by: call frame info
24  linker!set_soinfo_pool_protection [linker.cpp : 291 + 0xb]
     sp = 0xbeb7aa30    pc = 0xb6fcf885
    Found by: stack scanning
25  0xbeb7ab5d
     r4 = 0xbeb7ab4f    r5 = 0x00000000    sp = 0xbeb7aa40    pc = 0xbeb7ab5f
    Found by: call frame info
(Reporter)

Comment 1

3 years ago
STR: run monkey test(12h)
I have uploaded logs to :ftp://ftp.spreadtrum.com/7715/1126141
username:mouzhi
password:mouZHI$$61
Whiteboard: [sprd=396326]
(Reporter)

Comment 2

3 years ago
Occurred eight times in last night's monkey test.
Rex is following up on similar issues; setting needinfo on him for a double check.
blocking-b2g: --- → 2.1S?
Flags: needinfo?(rhung)

Updated

3 years ago
Whiteboard: [sprd=396326] → [sprd=396326](22times_2rd)

Updated

3 years ago
Severity: normal → critical
Frequently hit. blocking....
blocking-b2g: 2.1S? → 2.1S+

Comment 5

3 years ago
Created attachment 8558441 [details] [diff] [review]
enable_apz_debug_log.patch

Hi, Yaoyao,

Could you apply the attached patch to your source tree and restart your monkey test? The patch enables APZ debug logging so we can get more clues about this bug. Thank you.

Comment 6

3 years ago
Hi, Kartikaya,

Could you have a look for this bug?
According to the backtrace, the b2g process crashed dereferencing a magic-number address (0x5a5a5a5a) while handling touch events (TouchBlockState::AddEvent()) during the monkey test. This is likely a use-after-free or an uninitialized-memory access.
Flags: needinfo?(rhung) → needinfo?(bugmail.mozilla)
(Reporter)

Comment 7

3 years ago
(In reply to Rex Hung[:rhung] from comment #5)
> Created attachment 8558441 [details] [diff] [review]
> enable_apz_debug_log.patch
> 
> Hi, Yaoyao,
> 
> Could you apply the attached patch to your source tree and restart your
> monkey test? In this patch, I enable debug logs regarding to apz and try to
> get more clues for this bug. Thank you.

Hi Rex, OK.
Please let me know what gecko version (specific git/hg changeset) the stacktrace in comment 0 is from. And yes, please apply the logging patch that Rex provided and needinfo me once you have the logs from that. Thanks!
Flags: needinfo?(bugmail.mozilla)

Comment 9

3 years ago
Hi, Yaoyao,

Please run the following steps to collect the full software version information of the failed device for us. Thank you.
1. git clone https://github.com/Mozilla-TWQA/B2G-flash-tool
2. cd B2G-flash-tool/
3. Connect USB cable to your device and make sure adb works well.
4. Run ./check_version.sh
Flags: needinfo?(yaoyao.wu)
(Reporter)

Comment 10

3 years ago
(In reply to Rex Hung[:rhung] from comment #9)
> Hi, Yaoyao,
> 
> Please run the following steps to get full SW information of the failed
> device for us. Thank you.
> 1. git clone https://github.com/Mozilla-TWQA/B2G-flash-tool
> 2. cd B2G-flash-tool/
> 3. Connect USB cable to your device and make sure adb works well.
> 4. Run ./check_version.sh

Hi Rex,

I'm sorry, I can't get the gecko version for comment 0, because the corresponding local code has since changed.
If you need it, I can provide another gecko version along with its corresponding logs and minidump files.

Comment 11

3 years ago
Ok, please run the action in comment 5 first. Once the bug is reproduced, please provide the full SW information of the failed device to us.

Comment 12

3 years ago
Dear Rex,

Do the log lines below indicate any problem, or could they be causing the crash?

01-28 14:40:03.531 <3>[47935.918023] c0 ion_ioctl: ion alloc error! and handle is 0xffffffea

01-28 14:40:05.631 <4>[47938.009073] c0 Exception stack(0xd0cc9fb0 to 0xd0cc9ff8)

01-28 21:17:42.738 <4>[71795.124805] c0 DCAM: Invalid addr, 0x0DCAM close CLK 192000000 

Thanks.
Flags: needinfo?(rhung)
(Reporter)

Comment 13

3 years ago
(In reply to Rex Hung[:rhung] from comment #11)
> Ok, please run the action in comment 5 first. Once the bug is reproduced,
> please provide full SW information of failed device to us.
Hi Rex,
After applying the logging patch you provided, the issue reproduced again.
I have uploaded the log to:
ftp://ftp.spreadtrum.com/7715/1126141/0205/
username:mouzhi
password:mouZHI$$61

./check_versions.sh 
Gaia-Rev        17bf14f12e43043654498330d610d469b8b55e64
Gecko-Rev       7287d6bdbe1620361c249b02613623059c13bcba
Build-ID        20150204152117
Version         34.0
Device-Name     scx15_sp7715ea
FW-Release      4.4.2
FW-Incremental  48
FW-Date         Wed Feb  4 15:18:38 CST 2015

Updated

3 years ago
See Also: → bug 1119120

Comment 14

3 years ago
This bug should have the same root cause as bug 1119120, so we will focus on bug 1119120 first.
Flags: needinfo?(rhung)
Depends on: 1119120
See Also: bug 1119120
Does the patch on bug 1119120 fix this bug as well? I assume it does but it would be good to have confirmation. Thanks.

Comment 16

3 years ago
According to the backtrace in Comment#1, this should be the same problem as bug 1119120: a use-after-free memory access on a TouchBlockState instance.
Ok, duping it over then. Thanks!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
No longer depends on: 1119120
Resolution: --- → DUPLICATE
Duplicate of bug: 1119120