Closed Bug 1214149 Opened 10 years ago Closed 10 years ago

Crash happens when using the screen reader

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1212366
Project Flags:
blocking-b2g 2.5+
Tracking Flags:
Tracking Status
b2g-v2.2 --- unaffected
b2g-master --- affected

People

(Reporter: julienw, Assigned: m_kato)

References

Details

(Keywords: regression)

Attachments

(2 files)

logcat_1607.txt
372.53 KB, text/plain
Details
Aries_v2.5.3gp
3.03 MB, video/3gpp
Details
It's quite current that the system crashes (and reboots) when using the screen reader. I navigate in a quite fast way but otherwise I don't have a specific STR.
Maybe this log means something: 10-13 07:50:41.575 5616 5616 I r_submix: adev_open(name=audio_hw_if) 10-13 07:50:41.575 5616 5616 I r_submix: adev_init_check() 10-13 07:50:41.575 5616 5616 I AudioFlinger: loadHwModule() Loaded r_submix audio interface from Wifi Display audio HAL (audio) handle 5 10-13 07:50:41.575 5616 5616 I AudioPolicyService: Loaded audio policy from LEGACY Audio Policy HAL (audio_policy) 10-13 07:50:41.605 5624 5626 I Gecko : [5624] WARNING: Tried to RegisterCallback without an AtExitManager: file /builds/slave/b2g_m-cen_flm-kk_eng_ntly-0000/build/gecko/ipc/chromium/src/base/at_exit.cc, line 40 10-13 07:50:41.605 5606 5606 W : could not open framebuffer I'm not completely sure it happened just before the crash.
QAnalysts, Can you please try reproducing this and share STR? Thanks
Keywords: qawanted
For me it happens a lot merely navigating in the homescreen, moving from icon to icon.
This bug can be repro on the latest build of Flame KK 2.5 and Aires KK 2.5 by the STR in comment 3, but can't be repro on latest Flame KK v2.2. Actual results: When moving from icon to icon on homescreen, device will reboot with the Firefox OS animation and then enter homescreen. ~Crash Title: B2G 44.0a1 Crash Report [@ libxul.so@0xdc4e6c | libxul.so@0xdcc527 | libxul.so@0xdc6f85 | libxul.so@0xdcc6bf | libxul.so@0xd9094b | object_lock_exclusive_ ] ~Crash Report: https://crash-stats.mozilla.com/report/index/43605f92-e3e0-4ffc-ada8-3462c2151020 See attachments: Aries_v2.5.3gp and logcat_1607.txt. Reproduce rate: 10/10 (v2.5), 0/15(v2.2) -------------------------------------------------------------------------- Device: Flame KK 2.2 (unaffected) Build ID 20151019032501 Gaia Revision 885647d92208fb67574ced44004ab2f29d23cb45 Gaia Date 2015-10-07 13:05:24 Gecko Revision https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/6b4e563acaf9 Gecko Version 37.0 Device Name flame Firmware(Release) 4.4.2 Firmware(Incremental) eng.cltbld.20151019.070114 Firmware Date Mon Oct 19 07:01:25 EDT 2015 Firmware Version v18D v4 Bootloader L1TC000118D0 Device: Flame KK 2.5 (Affected) Build ID 20151019150205 Gaia Revision a87f947366c2e044bd6336e1982419ac45378969 Gaia Date 2015-10-19 15:22:08 Gecko Revision https://hg.mozilla.org/mozilla-central/rev/9605da94e75d61598d3c00f01a12d1b6bc427a6c Gecko Version 44.0a1 Device Name flame Firmware(Release) 4.4.2 Firmware(Incremental) eng.cltbld.20151019.182947 Firmware Date Mon Oct 19 18:29:58 EDT 2015 Firmware Version v18D v4 Bootloader L1TC000118D0 Device: Aries KK 2.5 (Affected) Build ID 20151019205841 Gaia Revision a87f947366c2e044bd6336e1982419ac45378969 Gaia Date 2015-10-19 15:22:08 Gecko Revision https://hg.mozilla.org/mozilla-central/rev/9605da94e75d61598d3c00f01a12d1b6bc427a6c Gecko Version 44.0a1 Device Name aries Firmware(Release) 4.4.2 Firmware(Incremental) eng.worker.20151019.201730 Firmware Date Mon Oct 19 20:17:38 UTC 2015 Bootloader s1
Here is a backtrace: #0 mozilla::dom::MediaRecorder::Session::Extract (this=0x1, aForceFlush=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaRecorder.cpp:489 #1 0x000a7200 in ?? () #2 0x000a7200 in ?? () Sorry I don't have the symbols and I don't know how to get them from symbolapi.mozilla.org.
Got another one from my Aries where I have the symbols (not the same build than for the previous trace): Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 3195.9424] mozilla::MediaStream::SetAudioOutputVolumeImpl (this=<optimized out>, aKey=0x9d01e680, aVolume=1) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1781 1781 for (uint32_t i = 0; i < mAudioOutputs.Length(); ++i) { (gdb) bt #0 mozilla::MediaStream::SetAudioOutputVolumeImpl (this=<optimized out>, aKey=0x9d01e680, aVolume=1) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1781 #1 0xb46d588c in mozilla::MediaStreamGraphImpl::UpdateGraph (this=this@entry=0x9bcc8d00, aEndBlockingDecisions=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1009 #2 0xb46d5a24 in mozilla::MediaStreamGraphImpl::OneIteration (this=0x9bcc8d00, aStateEnd=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1205 #3 0xb469c86c in mozilla::AudioCallbackDriver::DataCallback (this=0x9f084400, aBuffer=<optimized out>, aFrames=960) at /home/julien/travail/git/gecko-dev/dom/media/GraphDriver.cpp:845 #4 0xb4d3d64a in noop_resampler::fill (this=0x9bd818a0, buffer=0x9c388000, frames_needed=<optimized out>) at ../../../../media/libcubeb/src/cubeb_resampler.cpp:89 #5 0xb3d57896 in mozilla::net::Predictor::GetInterface (this=<optimized out>, iid=..., result=<optimized out>) at /home/julien/travail/git/gecko-dev/netwerk/base/Predictor.cpp:501 #6 0xb4d3ce3e in bufferqueue_callback (caller=<optimized out>, user_ptr=0x9d05bd00) at ../../../../media/libcubeb/src/cubeb_opensl.c:123 #7 0xad1106de in audioTrack_callBack_pullFromBuffQueue (info=<optimized out>, user=0xa6269e00, event=<optimized out>) at frameworks/wilhelm/src/android/AudioPlayer_to_android.cpp:1192 #8 audioTrack_callBack_pullFromBuffQueue (event=<optimized out>, user=0xa6269e00, info=<optimized out>) at frameworks/wilhelm/src/android/AudioPlayer_to_android.cpp:1089 #9 0xb35994aa in operator= (other=..., this=0x9a3e5d20) at system/core/include/utils/String8.h:285 #10 android::AudioTrack::set (this=0x52e3b915, streamType=768, sampleRate=0, format=2587778312, channelMask=0, frameCountInt=0, flags=(AUDIO_OUTPUT_FLAG_NON_BLOCKING | AUDIO_OUTPUT_FLAG_INCALL_MUSIC | unknown: 2638545472), cbf=0x0, user=0x0, notificationFrames=-1469032448, sharedBuffer=..., threadCanCallJava=false, sessionId=0, transferType=<optimized out>, offloadInfo=0x0, uid=0) at frameworks/av/media/libmedia/AudioTrack.cpp:327 #11 0x0722022a in ?? () #12 0x0722022a in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Here is another crash using a build from latest master+central: #0 mozilla::MediaStream::SetAudioOutputVolumeImpl (this=<optimized out>, aKey=0xa2c14470, aVolume=1) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1781 #1 0xb46b5e70 in mozilla::MediaStreamGraphImpl::UpdateGraph (this=this@entry=0xac18b600, aEndBlockingDecisions=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1009 #2 0xb46b6008 in mozilla::MediaStreamGraphImpl::OneIteration (this=0xac18b600, aStateEnd=<optimized out>) at /home/julien/travail/git/gecko-dev/dom/media/MediaStreamGraph.cpp:1205 #3 0xb467a3e4 in mozilla::AudioCallbackDriver::DataCallback (this=0xa22ccf00, aBuffer=<optimized out>, aFrames=960) at /home/julien/travail/git/gecko-dev/dom/media/GraphDriver.cpp:845 #4 0xb4d251ba in noop_resampler::fill (this=0xa767ff00, buffer=0xa4281000, frames_needed=<optimized out>) at ../../../../media/libcubeb/src/cubeb_resampler.cpp:89 #5 0xb3d1987e in mozilla::net::Predictor::GetInterface (this=<optimized out>, iid=..., result=<optimized out>) at /home/julien/travail/git/gecko-dev/netwerk/base/Predictor.cpp:501 #6 0xb4d249ae in bufferqueue_callback (caller=<optimized out>, user_ptr=0xa23c1580) at ../../../../media/libcubeb/src/cubeb_opensl.c:123 #7 0xace266de in audioTrack_callBack_pullFromBuffQueue (info=<optimized out>, user=0xaa131e00, event=<optimized out>) at frameworks/wilhelm/src/android/AudioPlayer_to_android.cpp:1192 #8 audioTrack_callBack_pullFromBuffQueue (event=<optimized out>, user=0xaa131e00, info=<optimized out>) at frameworks/wilhelm/src/android/AudioPlayer_to_android.cpp:1089 #9 0xb35054aa in operator= (other=..., this=0xa6004d20) at system/core/include/utils/String8.h:285 #10 android::AudioTrack::set (this=0x52e3b915, streamType=768, sampleRate=0, format=2785037576, channelMask=0, frameCountInt=0, flags=(AUDIO_OUTPUT_FLAG_NON_BLOCKING | AUDIO_OUTPUT_FLAG_LPA | AUDIO_OUTPUT_FLAG_TUNNEL | AUDIO_OUTPUT_FLAG_VOIP_RX | unknown: 2809597568), cbf=0x0, user=0x0, notificationFrames=-1553944000, sharedBuffer=..., threadCanCallJava=false, sessionId=0, transferType=<optimized out>, offloadInfo=0x0, uid=0) at frameworks/av/media/libmedia/AudioTrack.cpp:327 #11 0x198c3ecc in ?? () #12 0x198c3ecc in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?)
I've helped Julien debug some, looks like an UAF or something, but it's unclear because we were debugging an opt build. This was not happening in the previous foxfood build, so we have a regression range of several months. We're doing a debug build to confirm.
Could QA try to find a regression window ? I'm quite sure the bug didn't happen in the previous dogfood build, so maybe starting with a build at the start of August. In the mean time I'm building a debug build so that :padenot can try to debug.
Keywords: regressionwindow-wanted
QA Contact: jmercado
This issue seems to have been caused by bug 1191667. It may be a dupe of bug 1212366. Mozilla-inbound Regression Window Last Working Environmental Variables: Device: Flame 2.5 BuildID: 20150901004026 Gaia: c80e8ff25425b007181fd6e3de0500a0358fab37 Gecko: dffea8ce8b6073c522d7ea128ad0aee2efdfe66d Version: 43.0a1 (2.5) Firmware Version: v18D User Agent: Mozilla/5.0 (Mobile; rv:43.0) Gecko/43.0 Firefox/43.0 First Broken Environmental Variables: Device: Flame 2.5 BuildID: 20150901015323 Gaia: c80e8ff25425b007181fd6e3de0500a0358fab37 Gecko: fdd0c566464b141f905876e97874e952981798e1 Version: 43.0a1 (2.5) Firmware Version: v18D User Agent: Mozilla/5.0 (Mobile; rv:43.0) Gecko/43.0 Firefox/43.0 Last Working gaia / First Broken gecko - Issue DOES occur Gaia: c80e8ff25425b007181fd6e3de0500a0358fab37 Gecko: fdd0c566464b141f905876e97874e952981798e1 First Broken gaia / Last Working gecko - Issue does NOT occur Gaia: c80e8ff25425b007181fd6e3de0500a0358fab37 Gecko: dffea8ce8b6073c522d7ea128ad0aee2efdfe66d Gaia Pushlog: http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=dffea8ce8b6073c522d7ea128ad0aee2efdfe66d&tochange=fdd0c566464b141f905876e97874e952981798e1
Blocks: 1191667
QA Whiteboard: [MGSEI-Triage+] → [MGSEI-Triage+][QAnalyst-Triage?]
Flags: needinfo?(ktucker)
See Also: → 1212366
Makoto can you please take a look at this? This changes for bug 1191667 seem to have caused this.
Flags: needinfo?(m_kato)
Assignee: nobody → m_kato
Flags: needinfo?(m_kato)
Component: Gaia::System::Accessibility → DOM
Product: Firefox OS → Core
Seems close enough to bug 1212366 so let's dupe it there. Thanks for tracking down the regression, Jayme!
Status: NEW → RESOLVED
blocking-b2g: 2.5? → 2.5+
Closed: 10 years ago
Resolution: --- → DUPLICATE
QA Whiteboard: [MGSEI-Triage+][QAnalyst-Triage?] → [MGSEI-Triage+][QAnalyst-Triage+]
Flags: needinfo?(ktucker)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: