Closed Bug 1141781 Opened 9 years ago Closed 9 years ago

Intermittent test_peerConnection_promiseSendOnly.html | application crashed [@ nsSVGEffects::InvalidateDirectRenderingObservers(mozilla::dom::Element*, unsigned int)]

Categories

(Core :: WebRTC, defect)

39 Branch
ARM
Android
defect
Not set
normal

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox36 --- wontfix
firefox37 --- wontfix
firefox38 --- fixed
firefox39 --- fixed
firefox-esr31 --- wontfix
b2g-v2.2 --- wontfix
b2g-master --- fixed

People

(Reporter: KWierso, Assigned: padenot)

Details

(Keywords: crash, intermittent-failure)

Attachments

(1 file)

Martin, any idea what might be going on here?
Flags: needinfo?(martin.thomson)
Keywords: crash
I wish that I did know, but the graphics stuff is a black art to me. SVG even more so. Might pay to find someone who knows the svg code. It is conceivable that we have some bugs in webrtc that are setting this up, but I'd ask Jesup there.
Flags: needinfo?(martin.thomson)
Randell, there's MSG stuff on the stack for most of these. Any ideas what might be up?
Flags: needinfo?(rjesup)
Crash location (nsSVGEffects::InvalidateDirectRenderingObservers) is bogus (linker artifact I presume)

This is run MSG::RunInStableState(), running a batch of runnables, including MediaStreamGraphImpl::PlayVideo(MediaStream* aStream)'s 
      NS_NewRunnableMethod(output, &VideoFrameContainer::Invalidate);

My best guess would be that the VideoFrameContainer has been freed.

They are raw ptrs(!) and come from nsTArray<nsRefPtr<VideoFrameContainer> > mVideoOutputs;
    VideoFrameContainer* output = aStream->mVideoOutputs[i];

Items in the array get added and are removed with AddVideoOutput() and RemoveVideoOutput().

It's possible there's a race between RemoveVideoOutput() and a queued Invalidate runnable.

Doesn't appear to be directly webrtc; this is <video> and the MediaStream input support I presume.
Flags: needinfo?(roc)
Flags: needinfo?(rjesup)
Flags: needinfo?(padenot)
Flags: needinfo?(jwwang)
Indeed, something like this looks safer.
Attachment #8577233 - Flags: review?(roc)
Assignee: nobody → padenot
Status: NEW → ASSIGNED
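The lifetime problem analysed in the comments above, as an added example (not Gecko code and not the attached patch): a queued runnable that keeps only a raw pointer to its target, next to one that holds a strong reference until it has run. `Container`, `Graph`, `Result` and `RunScenario` are hypothetical stand-ins, and `std::shared_ptr` is assumed here in place of `nsRefPtr`.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

struct Container {  // hypothetical stand-in for VideoFrameContainer
    int& hits;
    explicit Container(int& h) : hits(h) {}
    void Invalidate() { ++hits; }
};
// Hypothetical stand-in for the graph: owns outputs and a batch of runnables.
struct Graph {
    std::vector<std::shared_ptr<Container>> outputs;  // role of mVideoOutputs
    std::vector<std::function<void()>> pending;       // run later as one batch
    int dangling = 0;  // runnables whose target was freed before they ran
    // Before: raw pointer only. The weak_ptr probe lets the demo detect the freed target safely.
    void QueueInvalidateRaw(std::size_t i) {
        Container* raw = outputs[i].get();
        std::weak_ptr<Container> probe = outputs[i];
        pending.push_back([this, raw, probe] {
            if (probe.expired()) { ++dangling; return; }  // real code would use freed memory
            raw->Invalidate();
        });
    }
    // After: the runnable holds its own strong reference until it has run.
    void QueueInvalidateGripped(std::size_t i) {
        std::shared_ptr<Container> grip = outputs[i];
        pending.push_back([grip] { grip->Invalidate(); });
    }
    void RemoveOutput(std::size_t i) { outputs.erase(outputs.begin() + i); }
    void RunPending() {
        std::vector<std::function<void()>> batch;
        batch.swap(pending);
        for (auto& run : batch) run();
    }
};
struct Result { int dangling; int invalidated; };
Result RunScenario(bool gripped) {
    int hits = 0;
    Graph g;
    g.outputs.push_back(std::make_shared<Container>(hits));
    if (gripped) g.QueueInvalidateGripped(0); else g.QueueInvalidateRaw(0);
    g.RemoveOutput(0);  // output removed while the runnable is still queued
    g.RunPending();
    return {g.dangling, hits};
}
int main() {
    std::printf("raw dangling=%d, gripped dangling=%d\n", RunScenario(false).dangling, RunScenario(true).dangling);
}
```

In the raw-pointer scenario the target is gone by the time the batch runs; in the gripped scenario the runnable's own reference keeps it alive for exactly one more call.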
Not 100% certain it is the same thing, but today I ran into this while running a fuzz test under ASAN:

==17041==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f5d5e81990d bp 0x7fff44d17ee0 sp 0x7fff44d17ed0 T0)
    #0 0x7f5d5e81990c in GetBoolFlag /home/nohlmeier/src/mozilla-central/dom/base/nsINode.h:1473:12
    #1 0x7f5d5e81990c in HasRenderingObservers /home/nohlmeier/src/mozilla-central/dom/base/nsINode.h:1478
    #2 0x7f5d5e81990c in nsSVGEffects::InvalidateDirectRenderingObservers(mozilla::dom::Element*, unsigned int) /home/nohlmeier/src/mozilla-central/layout/svg/nsSVGEffects.cpp:805
    #3 0x7f5d5cd435d0 in apply<mozilla::VideoFrameContainer, void (mozilla::VideoFrameContainer::*)()> /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dom/media/../../dist/include/nsThreadUtils.h:573:5
    #4 0x7f5d5cd435d0 in nsRunnableMethodImpl<void (mozilla::VideoFrameContainer::*)(), true>::Run() /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dom/media/../../dist/include/nsThreadUtils.h:665
    #5 0x7f5d5cd17b1c in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /home/nohlmeier/src/mozilla-central/dom/media/MediaStreamGraph.cpp:1732:5
    #6 0x7f5d5cd2783f in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /home/nohlmeier/src/mozilla-central/dom/media/MediaStreamGraph.cpp:1544:7
    #7 0x7f5d5db201a2 in assign_assuming_AddRef /home/nohlmeier/src/mozilla-central/objdir-ff-asan/widget/../dist/include/nsCOMPtr.h:336:7
    #8 0x7f5d5db201a2 in operator=<nsIRunnable> /home/nohlmeier/src/mozilla-central/objdir-ff-asan/widget/../dist/include/nsCOMPtr.h:570
    #9 0x7f5d5db201a2 in Forget /home/nohlmeier/src/mozilla-central/widget/nsBaseAppShell.h:108
    #10 0x7f5d5db201a2 in nsBaseAppShell::RunSyncSectionsInternal(bool, unsigned int) /home/nohlmeier/src/mozilla-central/widget/nsBaseAppShell.cpp:375
    #11 0x7f5d5db20cae in RunSyncSections /home/nohlmeier/src/mozilla-central/widget/nsBaseAppShell.h:93:7
    #12 0x7f5d5db20cae in AfterProcessNextEvent /home/nohlmeier/src/mozilla-central/widget/nsBaseAppShell.cpp:427
    #13 0x7f5d5db20cae in non-virtual thunk to nsBaseAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned int, bool) /home/nohlmeier/src/mozilla-central/widget/nsBaseAppShell.cpp:422
    #14 0x7f5d582cbfa1 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThread.cpp:890:5
    #15 0x7f5d58328bda in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central/xpcom/glue/nsThreadUtils.cpp:265:10
    #16 0x7f5d58c65def in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central/ipc/glue/MessagePump.cpp:99:21
    #17 0x7f5d58befe77 in RunInternal /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:233:3
    #18 0x7f5d58befe77 in RunHandler /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:226
    #19 0x7f5d58befe77 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:200
    #20 0x7f5d5db1e8cf in nsBaseAppShell::Run() /home/nohlmeier/src/mozilla-central/widget/nsBaseAppShell.cpp:164:3
    #21 0x7f5d5f6dcf81 in nsAppStartup::Run() /home/nohlmeier/src/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:281:19
    #22 0x7f5d5f7d3a08 in XREMain::XRE_mainRun() /home/nohlmeier/src/mozilla-central/toolkit/xre/nsAppRunner.cpp:4183:10
    #23 0x7f5d5f7d49e5 in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/nohlmeier/src/mozilla-central/toolkit/xre/nsAppRunner.cpp:4259:8
    #24 0x7f5d5f7d58c9 in XRE_main /home/nohlmeier/src/mozilla-central/toolkit/xre/nsAppRunner.cpp:4479:16
    #25 0x4d2ff2 in do_main /home/nohlmeier/src/mozilla-central/browser/app/nsBrowserApp.cpp:294:12
    #26 0x4d2ff2 in main /home/nohlmeier/src/mozilla-central/browser/app/nsBrowserApp.cpp:667
    #27 0x7f5d69042fdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
    #28 0x41aa28 in _start (/home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/bin/firefox+0x41aa28)
Presumably this affects most or all revs (Nov 20th in bug 1102665 the window was likely made larger by changing from DispatchToMainThread to DispatchToMainThreadAfterStreamStateUpdate). Failure in tbpl reports is always null-deref on Android; however there's no reason to believe it's limited to that pattern.
Flags: needinfo?(jwwang)
https://hg.mozilla.org/mozilla-central/rev/0fad3c32e928
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Please nominate this for uplift to whatever branches make sense (not sure how to read comment 14).
Flags: needinfo?(padenot)
Comment on attachment 8577233 [details] [diff] [review]
Grip the VideoFrameContainer when queueing a call to invalidate in the MediaStreamGraph. r=

Approval Request Comment
[Feature/regressing bug #]: bug 1102665
[User impact if declined]: crash
[Describe test coverage new/current, TreeHerder]: baked on nightly, was caught by a test (that was crashing) on tbpl
[Risks and why]: small risk, cause and fix are well understood, and this is an edge case
[String/UUID change made/needed]: none
Flags: needinfo?(padenot)
Attachment #8577233 - Flags: approval-mozilla-beta?
Attachment #8577233 - Flags: approval-mozilla-b2g37?
Attachment #8577233 - Flags: approval-mozilla-aurora?
Attachment #8577233 - Flags: approval-mozilla-beta?
Attachment #8577233 - Flags: approval-mozilla-beta+
Attachment #8577233 - Flags: approval-mozilla-aurora?
Attachment #8577233 - Flags: approval-mozilla-aurora+
Even if this impacts 31, we won't take it there this late in the 31 cycle.
Attachment #8577233 - Flags: approval-mozilla-b2g37? → approval-mozilla-b2g37+
Flags: needinfo?(padenot)
Well I don't know what's up with that, there must be a race somewhere if we're expecting a pointer to not be null, but it is null. jesup, any idea? In any case, I don't know this code much.
Flags: needinfo?(padenot) → needinfo?(rjesup)
Attachment #8577233 - Flags: approval-mozilla-beta+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla39 → ---
I think I have an idea why 37 got the errors: mPtrExtCapture in 37 is nulled when the partner VideoConduit (other direction) gets killed, and I'm guessing this patch changes the timing. In 38, we finally merged inbound and outbound conduits.

Still no idea why we see a few rare failures after landing, though it clearly got better.
Flags: needinfo?(rjesup)
Per IRC discussion with Paul, nothing else is likely to happen here at this point.
Status: REOPENED → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME