Closed Bug 1214149 Opened 9 years ago Closed 9 years ago

Crash happens when using the screen reader

Categories

(Core :: DOM: Core & HTML, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1212366
blocking-b2g 2.5+
Tracking Status
b2g-v2.2 --- unaffected
b2g-master --- affected

People

(Reporter: julienw, Assigned: m_kato)

Details

(Keywords: regression)

Attachments

(2 files)

It's quite current that the system crashes (and reboots) when using the screen reader. I navigate in a quite fast way but otherwise I don't have a specific STR.
Maybe this log means something:

10-13 07:50:41.575  5616  5616 I r_submix: adev_open(name=audio_hw_if)
10-13 07:50:41.575  5616  5616 I r_submix: adev_init_check()
10-13 07:50:41.575  5616  5616 I AudioFlinger: loadHwModule() Loaded r_submix audio interface from Wifi Display audio HAL (audio) handle 5
10-13 07:50:41.575  5616  5616 I AudioPolicyService: Loaded audio policy from LEGACY Audio Policy HAL (audio_policy)
10-13 07:50:41.605  5624  5626 I Gecko   : [5624] WARNING: Tried to RegisterCallback without an AtExitManager: file /builds/slave/b2g_m-cen_flm-kk_eng_ntly-0000/build/gecko/ipc/chromium/src/base/at_exit.cc, line 40
10-13 07:50:41.605  5606  5606 W         : could not open framebuffer

I'm not completely sure it happened just before the crash.

QAnalysts, can you please try reproducing this and share STR?

Thanks
Keywords: qawanted

For me it happens a lot merely navigating in the homescreen, moving from icon to icon.

This bug can be reproduced on the latest build of Flame KK 2.5 and Aries KK 2.5 by the STR in comment 3, but can't be reproduced on the latest Flame KK v2.2.

Actual results: When moving from icon to icon on homescreen, device will reboot with the Firefox OS animation and then enter homescreen.

~Crash Title:
B2G 44.0a1 Crash Report [@ libxul.so@0xdc4e6c | libxul.so@0xdcc527 | libxul.so@0xdc6f85 | libxul.so@0xdcc6bf | libxul.so@0xd9094b | object_lock_exclusive_ ]
~Crash Report:
https://crash-stats.mozilla.com/report/index/43605f92-e3e0-4ffc-ada8-3462c2151020

See attachments: Aries_v2.5.3gp and logcat_1607.txt.
Reproduce rate: 10/10 (v2.5), 0/15 (v2.2)

--------------------------------------------------------------------------
Device: Flame KK 2.2 (unaffected) 
Build ID               20151019032501
Gaia Revision          885647d92208fb67574ced44004ab2f29d23cb45
Gaia Date              2015-10-07 13:05:24
Gecko Revision         https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/6b4e563acaf9
Gecko Version          37.0
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20151019.070114
Firmware Date          Mon Oct 19 07:01:25 EDT 2015
Firmware Version       v18D v4
Bootloader             L1TC000118D0

Device: Flame KK 2.5 (Affected)
Build ID               20151019150205
Gaia Revision          a87f947366c2e044bd6336e1982419ac45378969
Gaia Date              2015-10-19 15:22:08
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/9605da94e75d61598d3c00f01a12d1b6bc427a6c
Gecko Version          44.0a1
Device Name            flame
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.cltbld.20151019.182947
Firmware Date          Mon Oct 19 18:29:58 EDT 2015
Firmware Version       v18D v4
Bootloader             L1TC000118D0

Device: Aries KK 2.5 (Affected)
Build ID               20151019205841
Gaia Revision          a87f947366c2e044bd6336e1982419ac45378969
Gaia Date              2015-10-19 15:22:08
Gecko Revision         https://hg.mozilla.org/mozilla-central/rev/9605da94e75d61598d3c00f01a12d1b6bc427a6c
Gecko Version          44.0a1
Device Name            aries
Firmware(Release)      4.4.2
Firmware(Incremental)  eng.worker.20151019.201730
Firmware Date          Mon Oct 19 20:17:38 UTC 2015
Bootloader             s1

Here is a backtrace:

#0  mozilla::dom::MediaRecorder::Session::Extract (this=0x1, aForceFlush=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaRecorder.cpp:489
#1  0x000a7200 in ?? ()
#2  0x000a7200 in ?? ()

Sorry I don't have the symbols and I don't know how to get them from symbolapi.mozilla.org.

Got another one from my Aries where I have the symbols (not the same build as for the previous trace):

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 3195.9424]
mozilla::MediaStream::SetAudioOutputVolumeImpl (this=<optimized out>, aKey=0x9d01e680, aVolume=1) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1781
1781	  for (uint32_t i = 0; i < mAudioOutputs.Length(); ++i) {
(gdb) bt
#0  mozilla::MediaStream::SetAudioOutputVolumeImpl (this=<optimized out>, aKey=0x9d01e680, aVolume=1) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1781
#1  0xb46d588c in mozilla::MediaStreamGraphImpl::UpdateGraph (this=this@entry=0x9bcc8d00, aEndBlockingDecisions=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1009
#2  0xb46d5a24 in mozilla::MediaStreamGraphImpl::OneIteration (this=0x9bcc8d00, aStateEnd=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1205
#3  0xb469c86c in mozilla::AudioCallbackDriver::DataCallback (this=0x9f084400, aBuffer=<optimized out>, aFrames=960) at /home/julien/travail/git/gecko-dev/dom/media/GraphDriver.cpp:845
#4  0xb4d3d64a in noop_resampler::fill (this=0x9bd818a0, buffer=0x9c388000, frames_needed=<optimized out>) at ../../../../media/libcubeb/src/cubeb_resampler.cpp:89
#5  0xb3d57896 in mozilla::net::Predictor::GetInterface (this=<optimized out>, iid=..., result=<optimized out>) at /home/julien/travail/git/gecko-dev/netwerk/base/Predictor.cpp:501
#6  0xb4d3ce3e in bufferqueue_callback (caller=<optimized out>, user_ptr=0x9d05bd00) at ../../../../media/libcubeb/src/cubeb_opensl.c:123
#7  0xad1106de in audioTrack_callBack_pullFromBuffQueue (info=<optimized out>, user=0xa6269e00, event=<optimized out>) at frameworks/wilhelm/src/android/AudioPlayer_to_android.cpp:1192
#8  audioTrack_callBack_pullFromBuffQueue (event=<optimized out>, user=0xa6269e00, info=<optimized out>) at frameworks/wilhelm/src/android/AudioPlayer_to_android.cpp:1089
#9  0xb35994aa in operator= (other=..., this=0x9a3e5d20) at system/core/include/utils/String8.h:285
#10 android::AudioTrack::set (this=0x52e3b915, streamType=768, sampleRate=0, format=2587778312, channelMask=0, frameCountInt=0, 
    flags=(AUDIO_OUTPUT_FLAG_NON_BLOCKING | AUDIO_OUTPUT_FLAG_INCALL_MUSIC | unknown: 2638545472), cbf=0x0, user=0x0, notificationFrames=-1469032448, sharedBuffer=..., threadCanCallJava=false, sessionId=0, 
    transferType=<optimized out>, offloadInfo=0x0, uid=0) at frameworks/av/media/libmedia/AudioTrack.cpp:327
#11 0x0722022a in ?? ()
#12 0x0722022a in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Here is another crash using a build from latest master+central:

#0  mozilla::MediaStream::SetAudioOutputVolumeImpl (this=<optimized out>, aKey=0xa2c14470, aVolume=1) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1781
#1  0xb46b5e70 in mozilla::MediaStreamGraphImpl::UpdateGraph (this=this@entry=0xac18b600, aEndBlockingDecisions=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1009
#2  0xb46b6008 in mozilla::MediaStreamGraphImpl::OneIteration (this=0xac18b600, aStateEnd=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1205
#3  0xb467a3e4 in mozilla::AudioCallbackDriver::DataCallback (this=0xa22ccf00, aBuffer=<optimized out>, aFrames=960) at /home/julien/travail/git/gecko-dev/dom/media/GraphDriver.cpp:845
#4  0xb4d251ba in noop_resampler::fill (this=0xa767ff00, buffer=0xa4281000, frames_needed=<optimized out>) at ../../../../media/libcubeb/src/cubeb_resampler.cpp:89
#5  0xb3d1987e in mozilla::net::Predictor::GetInterface (this=<optimized out>, iid=..., result=<optimized out>) at /home/julien/travail/git/gecko-dev/netwerk/base/Predictor.cpp:501
#6  0xb4d249ae in bufferqueue_callback (caller=<optimized out>, user_ptr=0xa23c1580) at ../../../../media/libcubeb/src/cubeb_opensl.c:123
#7  0xace266de in audioTrack_callBack_pullFromBuffQueue (info=<optimized out>, user=0xaa131e00, event=<optimized out>) at frameworks/wilhelm/src/android/AudioPlayer_to_android.cpp:1192
#8  audioTrack_callBack_pullFromBuffQueue (event=<optimized out>, user=0xaa131e00, info=<optimized out>) at frameworks/wilhelm/src/android/AudioPlayer_to_android.cpp:1089
#9  0xb35054aa in operator= (other=..., this=0xa6004d20) at system/core/include/utils/String8.h:285
#10 android::AudioTrack::set (this=0x52e3b915, streamType=768, sampleRate=0, format=2785037576, channelMask=0, frameCountInt=0, 
    flags=(AUDIO_OUTPUT_FLAG_NON_BLOCKING | AUDIO_OUTPUT_FLAG_LPA | AUDIO_OUTPUT_FLAG_TUNNEL | AUDIO_OUTPUT_FLAG_VOIP_RX | unknown: 2809597568), cbf=0x0, user=0x0, notificationFrames=-1553944000, 
    sharedBuffer=..., threadCanCallJava=false, sessionId=0, transferType=<optimized out>, offloadInfo=0x0, uid=0) at frameworks/av/media/libmedia/AudioTrack.cpp:327
#11 0x198c3ecc in ?? ()
#12 0x198c3ecc in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

I've helped Julien debug some, looks like a UAF or something, but it's unclear because we were debugging an opt build. This was not happening in the previous foxfood build, so we have a regression range of several months.

We're doing a debug build to confirm.

Could QA try to find a regression window?

I'm quite sure the bug didn't happen in the previous dogfood build, so maybe starting with a build at the start of August.

In the meantime I'm building a debug build so that :padenot can try to debug.
QA Contact: jmercado

This issue seems to have been caused by bug 1191667. It may be a dupe of bug 1212366.

Mozilla-inbound Regression Window

Last Working 
Environmental Variables:
Device: Flame 2.5
BuildID: 20150901004026
Gaia: c80e8ff25425b007181fd6e3de0500a0358fab37
Gecko: dffea8ce8b6073c522d7ea128ad0aee2efdfe66d
Version: 43.0a1 (2.5) 
Firmware Version: v18D
User Agent: Mozilla/5.0 (Mobile; rv:43.0) Gecko/43.0 Firefox/43.0

First Broken 
Environmental Variables:
Device: Flame 2.5
BuildID: 20150901015323
Gaia: c80e8ff25425b007181fd6e3de0500a0358fab37
Gecko: fdd0c566464b141f905876e97874e952981798e1
Version: 43.0a1 (2.5) 
Firmware Version: v18D
User Agent: Mozilla/5.0 (Mobile; rv:43.0) Gecko/43.0 Firefox/43.0

Last Working gaia / First Broken gecko - Issue DOES occur
Gaia: c80e8ff25425b007181fd6e3de0500a0358fab37
Gecko: fdd0c566464b141f905876e97874e952981798e1

First Broken gaia / Last Working gecko - Issue does NOT occur
Gaia: c80e8ff25425b007181fd6e3de0500a0358fab37
Gecko: dffea8ce8b6073c522d7ea128ad0aee2efdfe66d

Gaia Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dffea8ce8b6073c522d7ea128ad0aee2efdfe66d&tochange=fdd0c566464b141f905876e97874e952981798e1
Blocks: 1191667
QA Whiteboard: [MGSEI-Triage+] → [MGSEI-Triage+][QAnalyst-Triage?]
Flags: needinfo?(ktucker)
See Also: → 1212366
Makoto, can you please take a look at this? The changes for bug 1191667 seem to have caused this.
Flags: needinfo?(m_kato)
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Component: Gaia::System::Accessibility → DOM
Product: Firefox OS → Core
Seems close enough to bug 1212366 so let's dupe it there. Thanks for tracking down the regression, Jayme!
Status: NEW → RESOLVED
blocking-b2g: 2.5? → 2.5+
Closed: 9 years ago
Resolution: --- → DUPLICATE
QA Whiteboard: [MGSEI-Triage+][QAnalyst-Triage?] → [MGSEI-Triage+][QAnalyst-Triage+]
Flags: needinfo?(ktucker)
Component: DOM → DOM: Core & HTML