Closed Bug 1151701 Opened 10 years ago Closed 7 years ago

[7715ea_v2.1s][dolphin] monkey test crash at libxul.so!JS_updateMallocCounter(JSContext*, unsigned int) [jsapi.cpp : 1446 + 0x0]

Categories

(Core :: DOM: Core & HTML, defect, P5)

Product:
Core
Component:
DOM: Core & HTML
Platform:
ARM
Gonk (Firefox OS)
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: David.Zhao, Unassigned)

Details

(Whiteboard: sprd Bug 418043)

Attachments

(3 files)

minidump_stackwalk_1128
5.41 MB, application/x-executable
Details
minidump_stackwalk_1128_result
85.53 KB, text/plain
Details
check_return_value.patch
459 bytes, patch
Details | Diff | Splinter Review
Operating system: Android 0.0.0 Linux 3.10.17-00004-gdf636d2 #1 PREEMPT Fri Mar 20 05:42:10 CST 2015 armv7l Spreadtrum/scx15_sp7715eaplus/scx15_sp7715ea:4.4.2/KOT49H/79:userdebug/test-keys CPU: arm 1 CPU Crash reason: SIGSEGV Crash address: 0x0 Thread 0 (crashed) 0 libxul.so!JS_updateMallocCounter(JSContext*, unsigned int) [jsapi.cpp : 1446 + 0x0] r4 = 0xb313c900 r5 = 0xb2fb3b40 r6 = 0xb6b3f730 r7 = 0x00000000 r8 = 0xb4602660 r9 = 0x00000001 r10 = 0x00000000 fp = 0xb4602648 sp = 0xbec75c40 lr = 0xb5a4adff pc = 0xb6371d5c Found by: given as instruction pointer in context 1 libxul.so!mozilla::dom::EncodingCompleteEvent::Run() [ImageEncoder.cpp : 49 + 0x7] r4 = 0xb313c900 r5 = 0xb2fb3b40 r6 = 0xb6b3f730 r7 = 0x00000000 r8 = 0xb4602660 r9 = 0x00000001 r10 = 0x00000000 fp = 0xb4602648 sp = 0xbec75c40 pc = 0xb5a4adff Found by: call frame info 2 libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 823 + 0x5] r4 = 0xb4602630 r5 = 0x00000000 r6 = 0xbec75d44 r7 = 0xbec75d7f r8 = 0xb4602660 r9 = 0x00000001 r10 = 0x00000000 fp = 0xb4602648 sp = 0xbec75d18 pc = 0xb53b58cb Found by: call frame info 3 libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 265 + 0xb] r4 = 0x00000000 r5 = 0xbec75e80 r6 = 0xb4601c20 r7 = 0x00000001 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75d78 pc = 0xb53c1d37 Found by: call frame info 4 libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 99 + 0x7] r4 = 0xb4601c10 r5 = 0xbec75e80 r6 = 0xb4601c20 r7 = 0x00000001 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75d88 pc = 0xb5503809 Found by: call frame info 5 libxul.so!MessageLoop::RunInternal() [message_loop.cc : 234 + 0x5] r4 = 0xbec75e80 r5 = 0xb3a26460 r6 = 0xb4602630 r7 = 0x00000007 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75db0 pc = 0xb54f76af Found by: call frame info 6 libxul.so!MessageLoop::Run() [message_loop.cc : 227 + 0x5] r4 = 0xbec75e80 r5 = 0xb3a26460 r6 = 0xb4602630 r7 = 0x00000007 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75db8 pc = 0xb54f7761 Found by: call frame info 7 libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp : 164 + 0x7] r4 = 0x00000000 r5 = 0xb3a26460 r6 = 0xb4602630 r7 = 0x00000007 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75dd0 pc = 0xb5bafebf Found by: call frame info 8 libxul.so!XRE_RunAppShell [nsEmbedFunctions.cpp : 702 + 0x5] r4 = 0xbec75de4 r5 = 0x00000002 r6 = 0xb65a3d8c r7 = 0x00000007 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75de0 pc = 0xb603aff7 Found by: call frame info 9 libxul.so!MessageLoop::RunInternal() [message_loop.cc : 234 + 0x5] r4 = 0xbec75e80 r5 = 0x00000002 r6 = 0xb65a3d8c r7 = 0x00000007 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75df8 pc = 0xb54f76af Found by: call frame info 10 libxul.so!MessageLoop::Run() [message_loop.cc : 227 + 0x5] r4 = 0xbec75e80 r5 = 0x00000002 r6 = 0xb65a3d8c r7 = 0x00000007 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75e00 pc = 0xb54f7761 Found by: call frame info 11 libxul.so!XRE_InitChildProcess [nsEmbedFunctions.cpp : 539 + 0x5] r4 = 0xbec769ae r5 = 0x00000002 r6 = 0xb65a3d8c r7 = 0x00000007 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec75e18 pc = 0xb603b421 Found by: call frame info 12 plugin-container!content_process_main(int, char**) [plugin-container.cpp : 150 + 0x7] r4 = 0x00000000 r5 = 0x00000007 r6 = 0xbec76804 r7 = 0x00000007 r8 = 0xbec7681c r9 = 0x0000881b r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec767b0 pc = 0x0000875f Found by: call frame info 13 libc.so!__libc_init [libc_init_dynamic.cpp : 112 + 0x7] r4 = 0xbec76804 r5 = 0xbec76828 r6 = 0x00000008 r7 = 0xb6e98fd8 r8 = 0x0000877d r9 = 0x00000000 r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec767d0 pc = 0xb6e5d3fd Found by: call frame info 14 plugin-container + 0x662 r4 = 0x00000000 r5 = 0x00000000 r6 = 0x00000000 r7 = 0x00000000 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0xbec767fc sp = 0xbec767e8 pc = 0x00008664 Found by: call frame info 15 linker!set_soinfo_pool_protection [linker.cpp : 291 + 0xb] sp = 0xbec76800 pc = 0xb6f0c885 Found by: stack scanning 16 0xbec769ac r4 = 0xbec7696c r5 = 0xbec769a6 sp = 0xbec76810 pc = 0xbec769ae Found by: call frame info
Whiteboard: sprd Bug 392733
Whiteboard: sprd Bug 392733 → sprd Bug 418043
log URL: http://yunpan.cn/cVwHepymL5cqv (提取码:a91e)
log URL: http://yunpan.cn/cVwHepymL5cqv (extract code:a91e)
Hi vchen, please help to assign someone to investigate this crash, thanks
Flags: needinfo?(vchen)
Component: Gaia::System → JavaScript Engine
Product: Firefox OS → Core
Flags: needinfo?(styang)
Hi styang, Could you help to assign someone to investigate this crash thanks!
Rex, could you help on this issue? thanks.
Flags: needinfo?(styang) → needinfo?(rhung)
Flags: needinfo?(vchen)
It should be the deference of a null pointer. Could you try to generate the minidump result again via the attached minidump_stackwalk binary? Hope we can get the value of R0~R3 at last frame.
Flags: needinfo?(rhung)
(In reply to Rex Hung[:rhung] from comment #6) > Created attachment 8589495 [details] > minidump_stackwalk_1128 > > It should be the deference of a null pointer. > Could you try to generate the minidump result again via the attached > minidump_stackwalk binary? Hope we can get the value of R0~R3 at last frame. Hi Rex, I don't know how to "generate the minidump result again via the attached minidump_stackwalk binary". Wether you mean to get the minidump file in the phone at /data/b2g/mozilla/*.default/minidumps/? Please describe the steps detailly. I will get it for you as quickly as I can. Thanks
As I know, you guys use a set of shell scripts and some binary files to catch and parse logs for monkey test. You can just replace the file named "minidump_stackwalk" in "bin" folder with attachment 8589495 [details] and then execute the shell script you use to catch logs for FFOS originally. minidump result is supposed to be generated based on Comment#6. Hi, Yu, Could you help for this also? Thank you.
Flags: needinfo?(yu.xing)
Hi Rex, Do you want to use the minidump_stackwalk tool to see the value of R0~R3? this tool can not realize the function, it only see the value of R4~R10. I've ever used this tool to capture minidum file,but it can not display the value of R0~R3. The tool useage as following: ./minidump_stackwalk XXXXXXX.dmp objdir-gecko/dist/crashreporter-symbols/ if the phone produce crash ,the directory :objdir-gecko/dist/crashreporter-symbols/ will be at the project's symbols directory, such as: /symbols_sp7715ea_gonk4.4_v2.1s/objdir-gecko/dist/crashreporter-symbols/
Flags: needinfo?(yu.xing)
It should be an issue of minidump. Refer to the following link for the detail: https://code.google.com/p/google-breakpad/issues/detail?id=456&can=1&q=register I have used the latest minidump_stackwalk to parse dump file locally and can see the value of R0~R3. So, could you try my minidump_stackwalk at comment 6 to see if you can get the same result as me also.
Hi Rex, How do you generated the minidump_stackwalk binary? I am at the /gecko/toolkit/crashreporter/google-breakpad/ directory exce the following command: ./configure && make but generating the error: src/processor/exploitability.cc:44: fatal error: processor/logging.h: No such file or directory , I enter the directory and finded it is not exist! Under Normal Circumstances, the file should be existed! Are you generated the minidump_stackwalk binary file in your host? Please help for this issue! I should add some configure options when I exce the configure command ? Thanks you very much ! In addition, I exce you minidump_stackwalk binary, I get the same result as you also.
(In reply to Yu.Xing from comment #11) > Hi Rex, > How do you generated the minidump_stackwalk binary? I am at the > /gecko/toolkit/crashreporter/google-breakpad/ directory exce the following > command: > > ./configure && make > > but generating the error: src/processor/exploitability.cc:44: fatal error: > processor/logging.h: No such file or directory , I enter the directory and > finded it is not exist! Under Normal Circumstances, the file should be > existed! > > Are you generated the minidump_stackwalk binary file in your host? Please > help for this issue! I should add some configure options when I exce the > configure command ? Thanks you very much ! Yes, I downloaded source from breakpad project page and make a local build to have a minidump_stackwalker binary. https://code.google.com/p/google-breakpad/source/checkout > In addition, I exce you minidump_stackwalk binary, I get the same result as > you also. Could you share with me your parse result?
Dear Rex the part result as following and all reuslt at attachment 8590040 [details] . In addition, when you make a local build to have a minidump_stackwalker binary in you host, Are you exce the following command: ./configure make please help to confirm ,thanks a lot ! the minidum result: Operating system: Android 0.0.0 Linux 3.10.17-00004-gdf636d2 #1 PREEMPT Tue Mar 24 14:22:41 CST 2015 armv7l Spreadtrum/scx15_sp7715eaplus/scx15_sp7715ea:4.4.2/KOT49H/96:userdebug/test-keys CPU: arm ARMv0 1 CPU Crash reason: SIGSEGV Crash address: 0x0 Process uptime: not available Thread 0 (crashed) 0 libxul.so!JS_updateMallocCounter(JSContext*, unsigned int) [jsapi.cpp : 1446 + 0x0] r0 = 0x00000000 r1 = 0x00002c49 r2 = 0x00002c49 r3 = 0x00000000 r4 = 0xb3865f00 r5 = 0xb336a120 r6 = 0xb670e730 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbec68dcf r10 = 0x00000000 r12 = 0xb670e9ac fp = 0xb6765aa0 sp = 0xbec68c98 lr = 0xb56248ff pc = 0xb5f4133c Found by: given as instruction pointer in context 1 libxul.so!mozilla::dom::EncodingCompleteEvent::Run() [ImageEncoder.cpp : 49 + 0x7] r4 = 0xb3865f00 r5 = 0xb336a120 r6 = 0xb670e730 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbec68dcf r10 = 0x00000000 fp = 0xb6765aa0 sp = 0xbec68c98 pc = 0xb56248ff Found by: call frame info 2 libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 823 + 0x5] r4 = 0xb6a02660 r5 = 0x00000001 r6 = 0xb6a02630 r7 = 0xbec68d94 r8 = 0x00000000 r9 = 0xbec68dcf r10 = 0x00000000 fp = 0xb6765aa0 sp = 0xbec68d70 pc = 0xb4f95d1b Found by: call frame info 3 libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 265 + 0xb] r4 = 0x00000000 r5 = 0xbec68ed0 r6 = 0xb6a01d10 r7 = 0x00000001 r8 = 0xb6a01b0c r9 = 0xb6172c1b r10 = 0xb6a2b1c0 fp = 0xb6a5d0c0 sp = 0xbec68dc8 pc = 0xb4fa2157 Found by: call frame info 4 libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp : 99 + 0x7] r0 = 0xb6a02630 r1 = 0x01000000 r4 = 0xb6a01d00 r5 = 0xbec68ed0 r6 = 0xb6a01d10 r7 = 0x00000001 r8 = 0xb6a01b0c r9 = 0xb6172c1b r10 = 0xb6a2b1c0 fp = 0xb6a5d0c0 sp = 0xbec68dd8 pc = 0xb50e292d Found by: call frame info 5 libxul.so!MessageLoop::RunInternal() [message_loop.cc : 234 + 0x5] r4 = 0xbec68ed0 r5 = 0xb3f36400 r6 = 0xb6a02630 r7 = 0x00000008 r8 = 0xb6a01b0c r9 = 0xb6172c1b r10 = 0xb6a2b1c0 fp = 0xb6a5d0c0 sp = 0xbec68e00 pc = 0xb50d67ef Found by: call frame info 6 libxul.so!MessageLoop::Run() [message_loop.cc : 227 + 0x5] r3 = 0x00000000 r4 = 0xbec68ed0 r5 = 0xb3f36400 r6 = 0xb6a02630 r7 = 0x00000008 r8 = 0xb6a01b0c r9 = 0xb6172c1b r10 = 0xb6a2b1c0 fp = 0xb6a5d0c0 sp = 0xbec68e08 pc = 0xb50d68a1 Found by: call frame info
(In reply to Yu.Xing from comment #14) > Dear Rex the part result as following and all reuslt at attachment 8590040 [details] > [details] . > > In addition, when you make a local build to have a minidump_stackwalker > binary in you host, Are you exce the following command: > > ./configure > make > > please help to confirm ,thanks a lot ! Yes, I just download the source and run "./configure" and "make" to generate a minidump_stackwalk located in $LOCAL_PATH/google-breakpad-read-only/src/processor/minidump_stackwalk
According to the comment 14, jsapi.cx() returns "mCx" which is still a null pointer because the value of r0 at last frame is 0x00000000. So, null pointer dereference occurs at line 1446 of jsapi.cpp and triggers a segmentation fault. // gecko/js/src/jsapi.cpp 1443 JS_PUBLIC_API(void) 1444 JS_updateMallocCounter(JSContext *cx, size_t nbytes) ^^^^^^^^^^^^^ passed by r0 1445 { 1446 return cx->runtime()->updateMallocCounter(cx->zone(), nbytes); ^^^^^^^^^^^^^ null pointer dereference 1447 } // dom/canvas/ImageEncoder.cpp 46 { 47 AutoJSAPI jsapi; 48 jsapi.Init(mGlobal); 49 JS_updateMallocCounter(jsapi.cx(), mImgSize); ^^^^^^^^^^ 50 } // dom/base/ScriptSettings.h 244 JSContext* cx() const { 245 MOZ_ASSERT(mCx, "Must call Init before using an AutoJSAPI"); 246 MOZ_ASSERT_IF(NS_IsMainThread(), CxPusherIsStackTop()); 247 return mCx; ^^^ 248 } stack dump 0 libxul.so!JS_updateMallocCounter(JSContext*, unsigned int) [jsapi.cpp : 1446 + 0x0] r0 = 0x00000000 r1 = 0x00002c49 r2 = 0x00002c49 r3 = 0x00000000 ^^^^^^^^^^^^^^^ r4 = 0xb3865f00 r5 = 0xb336a120 r6 = 0xb670e730 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbec68dcf r10 = 0x00000000 r12 = 0xb670e9ac fp = 0xb6765aa0 sp = 0xbec68c98 lr = 0xb56248ff pc = 0xb5f4133c Found by: given as instruction pointer in context 1 libxul.so!mozilla::dom::EncodingCompleteEvent::Run() [ImageEncoder.cpp : 49 + 0x7] r4 = 0xb3865f00 r5 = 0xb336a120 r6 = 0xb670e730 r7 = 0x00000000 r8 = 0x00000000 r9 = 0xbec68dcf r10 = 0x00000000 fp = 0xb6765aa0 sp = 0xbec68c98 pc = 0xb56248ff Found by: call frame info
Hi, Ms2ger, Could you take a look at comment 16? Thank you.
Flags: needinfo?(Ms2ger)
Reproducing in a debug build should give more information, but on first sight it seems like we need to check the return value of the Init() call.
Component: JavaScript Engine → DOM
Flags: needinfo?(Ms2ger) → needinfo?(bobbyholley)
Yes, you need to check the result of the AutoJSAPI::Init for failure unless you call it with no arguments.
Flags: needinfo?(bobbyholley)
(In reply to Rex Hung[:rhung] from comment #17) > Hi, Ms2ger, > > Could you take a look at comment 16? Thank you. Hi Rex, As comment 18&19,what can I do for this bug? And do you have some new progress? Thanks
Ms2ger, How do you think? Will you provide a patch based on comment 19 to partner?
Flags: needinfo?(Ms2ger)
I don't intend to at this point.
Flags: needinfo?(Ms2ger)
Hi, Stephen, Could you take a look for comment 16 and suggest how to make an appropriate patch for this bug? In my opinion, at least the return value of AutoJSAPI::Init should be checked in order to avoid null pointer dereference(mCx). How do you think?
Flags: needinfo?(spohl.mozilla.bugs)
I'm surprised to see this stack, as ImageEncoder.cpp has gone through a refactor in September of 2014[1] that should have addressed this, or at least resulted in a different stack trace. We no longer call JS_updateMallocCounter from EncodingCompleteEvent::Run. What am I missing? [1] http://hg.mozilla.org/mozilla-central/rev/bb3377f01ad9
Flags: needinfo?(spohl.mozilla.bugs) → needinfo?(rhung)
You're missing the fact that this is reported against b2g 2.1, which is on Gecko 34.
Flags: needinfo?(rhung)
Thanks, Kyle. Unfortunately, I'm too out-of-the-loop to be of much help here.
Stephen, could you suggest anyone who can help to provide a patch/fix for this bug?
Flags: needinfo?(spohl.mozilla.bugs)
I'm not sure who's working on b2g 2.1, but I would ask Alfredo next who's done the refactor mentioned in comment 24. He might be able to assist, or redirect to the right people.
Flags: needinfo?(spohl.mozilla.bugs) → needinfo?(ayang)
This is fixed on b2g 2.2. See bug 1139005.
Flags: needinfo?(ayang)
Hi, Yu, Please refer to the attached patch for your monkey test. I created this patch based on the same idea as comment 29 since there is a big refactor for this feature after v2.2.
Flags: needinfo?(yu.xing)
Hi zhaoyang, as the comment 30, please refer to the attached patch for your monkey test.
Flags: needinfo?(yu.xing) → needinfo?(David.Zhao)
Hi Rex & Yu ~ I will apply this patch for monkey test and feedback test results. Thanks a lot ~
Flags: needinfo?(David.Zhao)
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046 Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5. If you have questions, please contact :mdaly.
Priority: -- → P5
Closing as we are not working on Firefox OS anymore.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: