Closed Bug 1224113 Opened 9 years ago Closed 8 years ago

B2G process crash when fling play the video again while the previous video played to the end.

Categories

(Firefox OS Graveyard :: Gaia::TV, defect, P1)

ARM
Gonk (Firefox OS)
defect

Tracking

(blocking-b2g:2.5+, firefox46 fixed, b2g-v2.5 fixed, b2g-master fixed)

RESOLVED FIXED

People

(Reporter: JamesCheng, Assigned: schien)

Details

(Whiteboard: [ft:conndevices][partner-cherry-pick][partner-blocker])

Attachments

(1 file, 1 obsolete file)

I was trying to reproduce this crash issue bug 1222923 as Alison provided but I've never encountered this crash symptom.

But I found a 100% crashing issue. 

Please see the reproduction steps below:

1. Share the video from Fennec to the NX5 with TV build GAIA.

2. (NX5) Try to seek to the end of the video and do not press the "PLAY" button.

3. Do Step 1 again. You can see that the b2g process relaunches.

Here are the call stack and the assertion logs:

I/Gecko   (  918): [Parent 918] WARNING: '!IsSessionReady()', file gecko/dom/presentation/PresentationSessionInfo.cpp, line 379
I/Gecko   (  918): [Parent 918] WARNING: 'NS_FAILED(aReason)', file gecko/dom/presentation/PresentationSessionInfo.cpp, line 237
F/MOZ_Assert(  918): Assertion failure: int32_t(mRefCnt) > 0 (dup release), at gecko/dom/presentation/PresentationSessionTransport.cpp:65


Program received signal SIGSEGV, Segmentation fault.
0xb38a2d72 in mozilla::dom::PresentationSessionTransport::Release (this=0xa6c7d2e0) at dom/presentation/PresentationSessionTransport.cpp:65
65  NS_IMPL_CYCLE_COLLECTING_RELEASE(PresentationSessionTransport)
(gdb) bt
#0  0xb38a2d72 in mozilla::dom::PresentationSessionTransport::Release (this=0xa6c7d2e0) at dom/presentation/PresentationSessionTransport.cpp:65
#1  0xb26ffa92 in nsProxyReleaseEvent::Run (this=<optimized out>) at xpcom/glue/nsProxyRelease.cpp:18
#2  0xb26e75da in nsThread::ProcessNextEvent (this=0xb606e420, aMayWait=<optimized out>, aResult=0xbed445e7) at xpcom/threads/nsThread.cpp:964
#3  0xb270393a in NS_ProcessNextEvent (aThread=0xb606e420, aMayWait=aMayWait@entry=false) at xpcom/glue/nsThreadUtils.cpp:297
#4  0xb28f0870 in mozilla::ipc::MessagePump::Run (this=0xb6038790, aDelegate=0xb6071280) at ipc/glue/MessagePump.cpp:95
#5  0xb28d5a48 in MessageLoop::RunInternal (this=this@entry=0xb6071280) at ipc/chromium/src/base/message_loop.cc:234
#6  0xb28d5a62 in RunHandler (this=0xb6071280) at ipc/chromium/src/base/message_loop.cc:227
#7  MessageLoop::Run (this=0xb6071280) at ipc/chromium/src/base/message_loop.cc:201
#8  0xb38c4cc2 in nsBaseAppShell::Run (this=0xae864b20) at widget/nsBaseAppShell.cpp:156
#9  0xb3da36f4 in nsAppStartup::Run (this=0xae8784c0) at toolkit/components/startup/nsAppStartup.cpp:281
#10 0xb3ddb27c in XREMain::XRE_mainRun (this=this@entry=0xbed447a0) at ../../../../toolkit/xre/nsAppRunner.cpp:4298
#11 0xb3ddb666 in XREMain::XRE_main (this=this@entry=0xbed447a0, argc=argc@entry=1, argv=argv@entry=0xb6003300, aAppData=aAppData@entry=0xb6f7fb88 <_ZL8sAppData>)
    at ../../../../toolkit/xre/nsAppRunner.cpp:4391
#12 0xb3ddb84a in XRE_main (argc=1, argv=0xb6003300, aAppData=0xb6f7fb88 <_ZL8sAppData>, aFlags=<optimized out>) at ../../../../toolkit/xre/nsAppRunner.cpp:4493
#13 0xb6f60f7e in do_main (argc=argc@entry=1, argv=argv@entry=0xb6003300) at ../../../../b2g/app/nsBrowserApp.cpp:167
#14 0xb6f610f0 in b2g_main (argc=1, argv=<optimized out>) at ../../../../b2g/app/nsBrowserApp.cpp:299
#15 0xb6f60dfe in RunProcesses (aReservedFds=..., argv=0xbed45a84, argc=1) at ../../../../b2g/app/B2GLoader.cpp:232
#16 main (argc=1, argv=0xbed45a84) at ../../../../b2g/app/B2GLoader.cpp:297
This issue appears to become intermittent, even with the same steps to reproduce. And the call stack also becomes as follows:

Program received signal SIGSEGV, Segmentation fault.
nsCOMPtr_base::assign_assuming_AddRef (this=this@entry=0xad8a0858, aNewPtr=0x0, aNewPtr@entry=0xad8a0820) at ../../dist/include/nsCOMPtr.h:335
335	      NSCAP_RELEASE(this, oldPtr);
(gdb) bt
#0  nsCOMPtr_base::assign_assuming_AddRef (this=this@entry=0xad8a0858, aNewPtr=0x0, aNewPtr@entry=0xad8a0820) at ../../dist/include/nsCOMPtr.h:335
#1  0xb3f493f0 in nsCOMPtr_base::assign_with_AddRef (this=this@entry=0xad8a0858, aRawPtr=0xad8a0820, aRawPtr@entry=0x0) at /home/selin/workspace4/B2G/gecko/xpcom/glue/nsCOMPtr.cpp:52
#2  0xb4b222a0 in operator= (aRhs=0x0, this=0xad8a0858) at ../../dist/include/nsCOMPtr.h:578
#3  mozilla::dom::PresentationSessionInfo::NotifyTransportClosed (this=0xad8a0820, aReason=NS_OK) at /home/selin/workspace4/B2G/gecko/dom/presentation/PresentationSessionInfo.cpp:377
#4  0xb4b22af0 in mozilla::dom::PresentationSessionTransport::SetReadyState (this=<optimized out>, aReadyState=<optimized out>) at /home/selin/workspace4/B2G/gecko/dom/presentation/PresentationSessionTransport.cpp:407
#5  0xb4b22b26 in OnStopRequest (aStatusCode=NS_OK, this=0xaf88a9c0, aRequest=<optimized out>, aContext=<optimized out>) at /home/selin/workspace4/B2G/gecko/dom/presentation/PresentationSessionTransport.cpp:487
#6  mozilla::dom::PresentationSessionTransport::OnStopRequest (this=0xaf88a9c0, aRequest=<optimized out>, aContext=<optimized out>, aStatusCode=NS_OK)
    at /home/selin/workspace4/B2G/gecko/dom/presentation/PresentationSessionTransport.cpp:462
#7  0xb3f7bf4e in OnStateStop (this=0xad3e3940) at /home/selin/workspace4/B2G/gecko/netwerk/base/nsInputStreamPump.cpp:715
#8  nsInputStreamPump::OnStateStop (this=0xad3e3940) at /home/selin/workspace4/B2G/gecko/netwerk/base/nsInputStreamPump.cpp:670
#9  0xb3f7dfe8 in nsInputStreamPump::OnInputStreamReady (this=0xad3e3940, stream=<optimized out>) at /home/selin/workspace4/B2G/gecko/netwerk/base/nsInputStreamPump.cpp:434
#10 0xb3f31522 in nsInputStreamReadyEvent::Run (this=0xaa291840) at /home/selin/workspace4/B2G/gecko/xpcom/io/nsStreamUtils.cpp:91
#11 0xb3f3d9c0 in ProcessNextEvent (aResult=0xbec7869f, aMayWait=false, this=0xb6b025c0) at /home/selin/workspace4/B2G/gecko/xpcom/threads/nsThread.cpp:964
#12 nsThread::ProcessNextEvent (this=0xb6b025c0, aMayWait=<optimized out>, aResult=0xbec7869f) at /home/selin/workspace4/B2G/gecko/xpcom/threads/nsThread.cpp:849
#13 0xb3f4f26e in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=aMayWait@entry=false) at /home/selin/workspace4/B2G/gecko/xpcom/glue/nsThreadUtils.cpp:297
#14 0xb40aac38 in mozilla::ipc::MessagePump::Run (this=0xb6b55970, aDelegate=0xb1fd41a0) at /home/selin/workspace4/B2G/gecko/ipc/glue/MessagePump.cpp:95
#15 0xb4098020 in MessageLoop::RunInternal (this=this@entry=0xb1fd41a0) at /home/selin/workspace4/B2G/gecko/ipc/chromium/src/base/message_loop.cc:234
#16 0xb40980d4 in RunHandler (this=0xb1fd41a0) at /home/selin/workspace4/B2G/gecko/ipc/chromium/src/base/message_loop.cc:227
#17 MessageLoop::Run (this=0xb1fd41a0) at /home/selin/workspace4/B2G/gecko/ipc/chromium/src/base/message_loop.cc:201
#18 0xb4b33dc2 in nsBaseAppShell::Run (this=0xb06d8b20) at /home/selin/workspace4/B2G/gecko/widget/nsBaseAppShell.cpp:156
#19 0xb4e9cc96 in nsAppStartup::Run (this=0xb0d5dbb0) at /home/selin/workspace4/B2G/gecko/toolkit/components/startup/nsAppStartup.cpp:281
#20 0xb4ebeaba in XREMain::XRE_mainRun (this=this@entry=0xbec78808) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4298
#21 0xb4ebecc2 in XREMain::XRE_main (this=this@entry=0xbec78808, argc=argc@entry=1, argv=argv@entry=0xb6b2b190, aAppData=aAppData@entry=0xb6fe9c90 <_ZL8sAppData>) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4391
#22 0xb4ebee3e in XRE_main (argc=1, argv=0xb6b2b190, aAppData=0xb6fe9c90 <_ZL8sAppData>, aFlags=<optimized out>) at ../../../gecko/toolkit/xre/nsAppRunner.cpp:4493
#23 0xb6fcba84 in do_main (argc=argc@entry=1, argv=argv@entry=0xb6b2b190) at ../../../gecko/b2g/app/nsBrowserApp.cpp:167
#24 0xb6fcbb92 in b2g_main (argc=argc@entry=1, argv=argv@entry=0xbec79ac4) at ../../../gecko/b2g/app/nsBrowserApp.cpp:299
#25 0xb6fcb924 in RunProcesses (aReservedFds=..., argv=0xbec79ac4, argc=1) at ../../../gecko/b2g/app/B2GLoader.cpp:232
#26 main (argc=1, argv=0xbec79ac4) at ../../../gecko/b2g/app/B2GLoader.cpp:297
I also encounter this issue when I close my Mac B2G desktop or relaunch my app via a new presentation request. The call stack is as follows:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   XUL                           	0x0000000101d9a5e8 NS_LogCOMPtrRelease + 24
1   XUL                           	0x0000000104759d63 mozilla::dom::PresentationSessionInfo::NotifyTransportClosed(nsresult) + 83
2   XUL                           	0x00000001047601e1 mozilla::dom::PresentationSessionTransport::OnStopRequest(nsIRequest*, nsISupports*, nsresult) + 177
3   XUL                           	0x0000000101eda774 nsInputStreamPump::OnStateStop() + 324
4   XUL                           	0x0000000101ed9c0f nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 367
5   XUL                           	0x0000000101de8419 nsInputStreamReadyEvent::Run() + 41
6   XUL                           	0x0000000101e06029 nsThread::ProcessNextEvent(bool, bool*) + 1513
7   XUL                           	0x0000000101e46c8f NS_ProcessPendingEvents(nsIThread*, unsigned int) + 79
8   XUL                           	0x0000000104798c84 nsBaseAppShell::NativeEventCallback() + 116
9   XUL                           	0x000000010480033e nsAppShell::ProcessGeckoEvents(void*) + 190
10  com.apple.CoreFoundation      	0x00007fff906f2a01 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
11  com.apple.CoreFoundation      	0x00007fff906e4b8d __CFRunLoopDoSources0 + 269
12  com.apple.CoreFoundation      	0x00007fff906e41bf __CFRunLoopRun + 927
13  com.apple.CoreFoundation      	0x00007fff906e3bd8 CFRunLoopRunSpecific + 296
14  com.apple.HIToolbox           	0x00007fff8a64556f RunCurrentEventLoopInMode + 235
15  com.apple.HIToolbox           	0x00007fff8a6452ea ReceiveNextEventCommon + 431
16  com.apple.HIToolbox           	0x00007fff8a64512b
I can easily reproduce this issue with B2G desktop on OS X. We should be able to use refcount tracer [1] to figure out the root cause.

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Performance/Refcount_tracing_and_balancing
The 100% STR I use is just like bug 1217373 comment #5. Reestablish presentation session without closing previous one.
Assignee: nobody → schien
The crash happens if PresentationSessionInfo is only referenced by the PresentationSessionTransport object.

When the underlying channel is closed, PresentationSessionTransport will notify PresentationSessionInfo via the NotifyTransportClosed callback. However, in PresentationSessionInfo::NotifyTransportClosed, it'll make PresentationSessionTransport remove the callback reference [1], which will lead to the destruction of the PresentationSessionInfo object. Therefore, all accesses via the |this| pointer in PresentationSessionInfo::NotifyTransportClosed will be dangling.

[1] https://dxr.mozilla.org/mozilla-central/source/dom/presentation/PresentationSessionInfo.cpp#374
Blocks: TV_P1
blocking-b2g: --- → 2.5+
Whiteboard: [ft:conndevices][partner-cherry-pick][partner-blocker]
Priority: -- → P1
Attached patch bug1224113.patch (obsolete) — Splinter Review
Calling NotifyTransportClosed might lead to the destruction of mCallback, so we need an extra refcount to guarantee mCallback is still alive before completing NotifyTransportClosed.

I'll do further check and verification but I'd like your inputs in parallel.
Attachment #8700869 - Flags: feedback?(selin)
Attachment #8700869 - Flags: feedback?(josh)
I would be tempted to move the `mTransport->SetCallback(nullptr)` out of PresentationSessionInfo::NotifyTransportClosed and make PresentationSessionTransport::SetReadyState clear mCallback instead.
Attachment #8700869 - Flags: feedback?(josh) → feedback-
Comment on attachment 8700869 [details] [diff] [review]
bug1224113.patch

Review of attachment 8700869 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me.
Attachment #8700869 - Flags: feedback?(selin) → feedback+
Attached patch bug1224113.patch — Splinter Review
Thanks for the advice, this approach can even reduce the interface between PresentationSessionTransport and PresentationSessionInfo.
Attachment #8700869 - Attachment is obsolete: true
Attachment #8701014 - Flags: review?(josh)
Attachment #8701014 - Flags: review?(josh) → review+
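The lifetime bug analysed above and the two fixes discussed in this thread, as an added example that is not part of the bug or of either attached patch. It is a constructed model, not Gecko code: `std::shared_ptr` stands in for XPCOM refcounting, and `Listener`, `Mode`, `Close` and `FreedDuringCallback` are hypothetical names; the class names only mirror the roles of the real ones. Destruction is recorded in a global flag, so the model never dereferences the freed object.

```cpp
#include <memory>
#include <utility>

// Constructed model, not Gecko code: shared_ptr stands in for XPCOM refcounts.
struct Listener {
  virtual ~Listener() = default;
  virtual void NotifyTransportClosed() = 0;
};

static bool gInCallback = false;       // a listener method is on the stack
static bool gFreedInCallback = false;  // listener destroyed while it was running

enum class Mode { Buggy, DeathGrip, TransportClears };

struct Transport {
  explicit Transport(Mode aMode) : mMode(aMode) {}
  void SetCallback(std::shared_ptr<Listener> aCb) { mCallback = std::move(aCb); }
  void Close() {
    std::shared_ptr<Listener> grip;  // first approach: extra ref across the call
    if (mMode == Mode::DeathGrip) grip = mCallback;
    gInCallback = true;
    mCallback->NotifyTransportClosed();
    gInCallback = false;
    // Second approach: the transport drops its reference after the call returns.
    if (mMode == Mode::TransportClears) mCallback = nullptr;
  }
  const Mode mMode;
  std::shared_ptr<Listener> mCallback;  // the only owner of the listener here
};

struct SessionInfo : Listener {
  explicit SessionInfo(Transport* aTransport) : mTransport(aTransport) {}
  ~SessionInfo() override { if (gInCallback) gFreedInCallback = true; }
  void NotifyTransportClosed() override {
    if (mTransport->mMode != Mode::TransportClears)
      mTransport->SetCallback(nullptr);  // may release the last ref to *this
    // In Buggy mode *this is already destroyed: touching a member is a UAF.
  }
  Transport* mTransport;
};

// True if the listener was destroyed while its own callback was executing.
bool FreedDuringCallback(Mode aMode) {
  gFreedInCallback = false;
  Transport transport(aMode);
  transport.SetCallback(std::make_shared<SessionInfo>(&transport));
  transport.Close();
  return gFreedInCallback;
}
```

Only `Mode::Buggy` reports destruction inside the callback; building the same model with AddressSanitizer and adding a member access after `SetCallback(nullptr)` is one way to see the corresponding heap-use-after-free report.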
https://hg.mozilla.org/mozilla-central/rev/6967cf4e2fd9
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment on attachment 8701014 [details] [diff] [review]
bug1224113.patch

NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 1244646
User impact if declined: b2g will crash when fling-player plays a video a second time
Testing completed: manual testing passed
Risk to taking this patch (and alternatives if risky): I think there is no risk with this patch.
String or UUID changes made by this patch: uuid updated
Attachment #8701014 - Flags: approval‑mozilla‑b2g44?
Comment on attachment 8701014 [details] [diff] [review]
bug1224113.patch

Approve for TV 2.5
Attachment #8701014 - Flags: approval‑mozilla‑b2g44? → approval‑mozilla‑b2g44+