677552 - crash [@ je_free]

Status: RESOLVED INCOMPLETE

(Core :: Graphics, defect)

Description

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

This bug was filed from the Socorro interface and is 
report bp-baf14579-6b5a-43a1-bd14-3a10e2110807 .
============================================================= 
Frame 	Module 	Signature [Expand] 	Source
0 	libc.so 	libc.so@0x15f40 	
1 	libc.so 	libc.so@0x1caa6 	
2 	libc.so 	libc.so@0x426d7 	
3 	libc.so 	libc.so@0x426d7 	
4 	libc.so 	libc.so@0x426d7 	
5 	libmozalloc.so 	mozalloc_abort 	memory/mozalloc/mozalloc_abort.cpp:76
6 	pkg.apk 	pkg.apk@0x11f0120 	
7 	libxul.so 	nsBuiltinDecoderStateMachine::Run 	content/media/nsBuiltinDecoderStateMachine.h:395
8 	libxul.so 	nsTHashtable<mozilla::FramePropertyTable::Entry>::s_MatchEntry 	nsTHashtable.h:376
9 	libxul.so 	PL_DHashTableOperate 	obj-firefox/xpcom/build/pldhash.c:625
10 		@0x41d0f1ef 	
11 	libmozalloc.so 	je_free 	memory/jemalloc/jemalloc.c:1394
12 	libmozalloc.so 	moz_free 	memory/mozalloc/mozalloc.cpp:95
13 	libxul.so 	nsTArray_base<nsTArrayDefaultAllocator>::ShiftData 	nsTArray-inl.h:143
14 	libxul.so 	mozilla::FrameLayerBuilder::Clip::~Clip 	layout/base/FrameLayerBuilder.h:317
15 	libxul.so 	mozilla::FrameLayerBuilder::AddThebesDisplayItem 	layout/base/FrameLayerBuilder.cpp:1473
16 	libxul.so 	mozilla::::ContainerState::ProcessDisplayItems 	layout/base/nsDisplayList.h:793
17 		@0xbeefba0f 	
18 	libxul.so 	std::vector<mozilla::layers::Edit, std::allocator<mozilla::layers::Edit> >::push_back 	stl_vector.h:754
19 		@0x439ad0c3 	
20 	libxul.so 	nsRegion::SetToElements 	gfx/src/nsRegion.cpp:286
21 		@0x13f57 	
22 	libxul.so 	mozilla::layers::BasicThebesLayerBuffer::CreateBuffer 	gfx/layers/basic/BasicLayers.cpp:674
23 	libxul.so 	mozilla::layers::BasicThebesLayerBuffer::CreateBuffer 	gfx/layers/basic/BasicLayers.cpp:676
24 	libxul.so 	mozilla::layers::ThebesLayerBuffer::BeginPaint 	gfx/layers/ThebesLayerBuffer.cpp:368
25 	libxul.so 	mozilla::layers::BasicThebesLayer::PaintThebes 	nsRegion.h:387
26 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1543
27 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1556
28 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1556
29 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransactionInternal 	gfx/layers/basic/BasicLayers.cpp:1419
30 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:1348
31 	libxul.so 	mozilla::layers::BasicShadowLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:2917
32 	libxul.so 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:632
33 	libxul.so 	nsDisplayList::PaintRoot 	layout/base/nsDisplayList.cpp:540
34 	libxul.so 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1642
35 	libxul.so 	PresShell::Paint 	layout/base/nsPresShell.cpp:6250
36 	libxul.so 	nsViewManager::RenderViews 	view/src/nsViewManager.cpp:428
37 	libxul.so 	nsViewManager::Refresh 	view/src/nsViewManager.h:239
38 	libxul.so 	nsViewManager::DispatchEvent 	nsCOMPtr.h:492
39 	libxul.so 	HandleEvent 	nsCOMPtr.h:492
40 	libxul.so 	mozilla::widget::PuppetWidget::DispatchEvent 	widget/src/xpwidgets/PuppetWidget.cpp:325
41 	libxul.so 	mozilla::widget::PuppetWidget::DispatchPaintEvent 	widget/src/xpwidgets/PuppetWidget.cpp:534
42 	libxul.so 	mozilla::widget::PuppetWidget::PaintTask::Run 	widget/src/xpwidgets/PuppetWidget.cpp:576
43 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:618
44 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
45 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:111
46 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:230
47 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
48 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:511
49 	libxul.so 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:191
50 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:671
51 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:222
52 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
53 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:511
54 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:514
55 	libmozutils.so 	ChildProcessInit 	other-licenses/android/APKOpen.cpp:797
56 	plugin-container 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:69
57 	libc.so 	libc.so@0x14df0

More Reports: https://crash-stats.mozilla.com/report/list?range_value=7&range_unit=days&date=2011-08-08%2006%3A00%3A00&signature=libc.so%400x15f40&version=Fennec%3A6.0

Comment 1

[Josh Matthews [:jdm]]

I'm pretty certain that the nsBuiltinDecoderStateMachine::Run signature is bogus, since we're backing up through libc.so.

Comment 2

[Mats Palmgren (inactive)]

Yeah, frames 0..21 looks bogus

Comment 3

[Chris Pearce [:cpearce (Not reading bugmail)]]

This looks similar to bug 677548.

Comment 4

[Scoobidiver (away)]

libc.so has been added to the Socorro skiplist.
I change the signature.

Comment 5

[u279076]

I am closing this bug as incomplete as we have no recent reports of this crash on Android. Please reopen if you can reproduce this crash in a modern Fennec version.