Closed
Bug 717658
Opened 13 years ago
Closed 2 years ago
Crash with abort message "###!!! ABORT: creating ThebesLayer 'back buffer' failed! type=3000"
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
blocking-fennec1.0 | --- | - |
People
(Reporter: scoobidiver, Unassigned)
References
()
Details
(Keywords: crash, reproducible, Whiteboard: [mobile-crash][STR in comment 25][keep open!])
Crash Data
Attachments
(3 files)
1.11 KB,
patch
|
joe
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
11.04 KB,
text/plain
|
Details | |
11.62 KB,
text/plain
|
Details |
It's #4 top crasher in Fennec 10.0b3.
It's probably the new form of bug 711706 for Fennec 10.
App notes let think it's a graphics bug.
Signature mozalloc_abort | __swrite | libxul.so@0xead678 More Reports Search
UUID e49ccbed-097a-4b5c-8273-478b72120111
Date Processed 2012-01-11 14:01:06.729007
Process Type content
Uptime 117
Install Age 4.8 minutes since version was first installed.
Install Time 2012-01-11 21:56:32
Product Fennec
Version 10.0
Build ID 20120104111157
Release Channel beta
OS Linux
OS Version 0.0.0 Linux 2.6.35.13-g84f8edd #1 SMP PREEMPT Fri Aug 5 01:14:20 CST 2011 armv7l
Build Architecture arm
Build Architecture Info
Crash Reason SIGSEGV
Crash Address 0x0
App Notes
xpcom_runtime_abort(###!!! ABORT: creating ThebesLayer 'back buffer' failed!: file /builds/slave/rel-m-beta-lnx-andrd-bld/build/gfx/layers/basic/BasicLayers.cpp, line 2383)
EMCheckCompatibility True
Frame Module Signature [Expand] Source
0 libmozalloc.so mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:66
1 libc.so __swrite
2 libxul.so libxul.so@0xead678
3 libxul.so nsHTMLEditRules::MoveNodeSmart editor/libeditor/html/nsHTMLEditRules.cpp:2869
4 libxul.so nsBlockFrame::GetBaseline layout/generic/nsBlockFrame.cpp:550
Reporter | ||
Updated•13 years ago
|
Summary: Crash in nsHTMLEditRules::MoveNodeSmart @ mozalloc_abort | __swrite | libxul.so@0xa → Crash in nsHTMLEditRules::MoveNodeSmart @ mozalloc_abort | __swrite | libxul.so@0xe...
Reporter | ||
Comment 1•13 years ago
|
||
With combined signatures, it's #6 top crasher in 10.0b4.
Crash Signature: libxul.so@0xead5f8] → libxul.so@0xead5f8]
[@ mozalloc_abort | __swrite | libxul.so@0xead688 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | nsHTMLEditRules::CheckForEmptyBlock]
Component: General → Graphics
Product: Fennec → Core
QA Contact: general → thebes
Summary: Crash in nsHTMLEditRules::MoveNodeSmart @ mozalloc_abort | __swrite | libxul.so@0xe... → Crash @ mozalloc_abort | __swrite | libxul.so@0xe... with abort message "###!!! ABORT: creating ThebesLayer 'back buffer' failed!"
Version: Firefox 10 → 10 Branch
Comment 2•13 years ago
|
||
This is an out-of-memory error.
I agree we should trust the assertion message from the AppNotes, more than the stacks.
What this strongly suggests is that some code around BasicLayers/ThebesLayer needs to improve its handling of OOM conditions.
This assertion message points to this line:
http://hg.mozilla.org/mozilla-central/file/79e5d0b77d10/gfx/layers/basic/BasicLayers.cpp#l2402
2398 // XXX error handling
2399 if (!BasicManager()->AllocBuffer(gfxIntSize(aSize.width, aSize.height),
2400 aType,
2401 &mBackBuffer)) {
* 2402 NS_RUNTIMEABORT("creating ThebesLayer 'back buffer' failed!");
2403 }
Comment 3•13 years ago
|
||
CC'ing romaxa for http://hg.mozilla.org/mozilla-central/rev/b083bc8b79ab
Comment 4•13 years ago
|
||
OTOH, it doesn't seem easy/possible to recover from this allocation failure, so maybe I'm wrong and the real problem is with what causes us to get there.
Maybe a good first step would be to print the AllocBuffer parameters as part of this assert message, so we see if there's an obvious problem with them (e.g. absurdly large size).
Comment 5•13 years ago
|
||
This will get us more information in those assert messages.
Attachment #589563 -
Flags: review?(joe)
Updated•13 years ago
|
Attachment #589563 -
Flags: review?(joe) → review+
Reporter | ||
Comment 6•13 years ago
|
||
(In reply to Benoit Jacob [:bjacob] from comment #5)
> This will get us more information in those assert messages.
First feedback in two months when 12.0 becomes Beta. I think it should land in Aurora and even Beta if the code is not shared with desktop.
Reporter | ||
Updated•13 years ago
|
Crash Signature: libxul.so@0xead5f8]
[@ mozalloc_abort | __swrite | libxul.so@0xead688 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | nsHTMLEditRules::CheckForEmptyBlock] → libxul.so@0xead5f8]
[@ mozalloc_abort | __swrite | libxul.so@0xead688 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | __swrite | libxul.so@0xead668 | nsHTMLEditRules::MoveNodeSmart]
Comment 7•13 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/bdc686b071bb
So hopefully we'll start getting more informative crash reports in 2 days.
Whiteboard: [mobile-crash], → [mobile-crash], keep open!
Reporter | ||
Comment 8•13 years ago
|
||
(In reply to Benoit Jacob [:bjacob] from comment #7)
> So hopefully we'll start getting more informative crash reports in 2 days.
There are about 500-1000 Aurora and Nightly testers on Fennec which is not enough to make this crash appear in these versions. So the first results will be in 12.0b1.
Comment 9•13 years ago
|
||
Comment on attachment 589563 [details] [diff] [review]
dump sizes and contenttype
(In reply to Scoobidiver from comment #8)
> (In reply to Benoit Jacob [:bjacob] from comment #7)
> > So hopefully we'll start getting more informative crash reports in 2 days.
> There are about 500-1000 Aurora and Nightly testers on Fennec which is not
> enough to make this crash appear in these versions. So the first results
> will be in 12.0b1.
In that case, let's land it on aurora now so that it will be uplifted into 11.0b1, so we win 6 weeks.
Attachment #589563 -
Flags: approval-mozilla-aurora?
Comment 10•13 years ago
|
||
Assignee: nobody → bjacob
Comment 11•13 years ago
|
||
Comment on attachment 589563 [details] [diff] [review]
dump sizes and contenttype
[Triage Comment]
Extra debug info in support of a top crasher - approved for Aurora.
Attachment #589563 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 12•13 years ago
|
||
Reporter | ||
Updated•13 years ago
|
Crash Signature: libxul.so@0xead5f8]
[@ mozalloc_abort | __swrite | libxul.so@0xead688 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | __swrite | libxul.so@0xead668 | nsHTMLEditRules::MoveNodeSmart] → libxul.so@0xead5f8]
[@ mozalloc_abort | __swrite | libxul.so@0xead688 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | __swrite | libxul.so@0xead668 | nsHTMLEditRules::MoveNodeSmart]
[…
Reporter | ||
Updated•13 years ago
|
Crash Signature: mozalloc_abort | org.mozilla.firefox_beta-2.apk@0x619ffe] → mozalloc_abort | org.mozilla.firefox_beta-2.apk@0x619ffe]
[@ mozalloc_abort | __swrite | libxul.so@0xead688]
Reporter | ||
Updated•13 years ago
|
Crash Signature: mozalloc_abort | org.mozilla.firefox_beta-2.apk@0x619ffe]
[@ mozalloc_abort | __swrite | libxul.so@0xead688] → mozalloc_abort | org.mozilla.firefox_beta-2.apk@0x619ffe]
[@ mozalloc_abort | __swrite | libxul.so@0xead688]
[@ mozalloc_abort | __swrite | libxul.so@0xead6b8 | nsHTMLEditRules::CheckForEmptyBlock]
Reporter | ||
Comment 13•13 years ago
|
||
Here are the first crashes in Fennec 11.0b3 with the extra debug info:
https://crash-stats.mozilla.com/report/list?product=Fennec&signature=mozalloc_abort%20|%20__swrite%20|%20libxul.so%400xf7a311%20|%20mozilla%3A%3Adom%3A%3AindexedDB%3A%3AIDBObjectStore%3A%3AAppendIndexUpdateInfo
Type is always set to 3000.
Crash Signature: mozalloc_abort | org.mozilla.firefox_beta-2.apk@0x619ffe]
[@ mozalloc_abort | __swrite | libxul.so@0xead688]
[@ mozalloc_abort | __swrite | libxul.so@0xead6b8 | nsHTMLEditRules::CheckForEmptyBlock] → mozalloc_abort | org.mozilla.firefox_beta-2.apk@0x619ffe]
[@ mozalloc_abort | __swrite | libxul.so@0xead688]
[@ mozalloc_abort | __swrite | libxul.so@0xead6b8 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | __swrite | libxul.so@0xf7a311 | mo…
Reporter | ||
Updated•13 years ago
|
Crash Signature: mozalloc_abort | org.mozilla.firefox_beta-2.apk@0x619ffe]
[@ mozalloc_abort | __swrite | libxul.so@0xead688]
[@ mozalloc_abort | __swrite | libxul.so@0xead6b8 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | __swrite | libxul.so@0xf7a311 | mo… → mozalloc_abort | org.mozilla.firefox_beta-2.apk@0x619ffe]
[@ mozalloc_abort | __swrite | libxul.so@0xead688]
[@ mozalloc_abort | __swrite | libxul.so@0xead6b8]
[@ mozalloc_abort | __swrite | libxul.so@0xead6b8 | nsHTMLEditRules::CheckForEmptyBlock]
[@…
Summary: Crash @ mozalloc_abort | __swrite | libxul.so@0xe... with abort message "###!!! ABORT: creating ThebesLayer 'back buffer' failed!" → Crash @ mozalloc_abort | __swrite | libxul.so@0xe... with abort message "###!!! ABORT: creating ThebesLayer 'back buffer' failed! type=3000"
Reporter | ||
Updated•13 years ago
|
Crash Signature: [@ mozalloc_abort | nsHTMLEditRules::MoveNodeSmart]
[@ mozalloc_abort | __swrite | nsHTMLEditRules::MoveNodeSmart ]
[@ mozalloc_abort | __swrite | libxul.so@0xead678]
[@ mozalloc_abort | __swrite | libxul.so@0xead648]
[@ mozalloc_abort | __swrite | l… → [@ mozalloc_abort | __swrite | libxul.so@0xead678]
[@ mozalloc_abort | __swrite | libxul.so@0xead648]
[@ mozalloc_abort | __swrite | libxul.so@0xead5f8]
[@ mozalloc_abort | __swrite | libxul.so@0xead688 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozall…
Reporter | ||
Updated•13 years ago
|
Crash Signature: [@ mozalloc_abort | __swrite | libxul.so@0xead678]
[@ mozalloc_abort | __swrite | libxul.so@0xead648]
[@ mozalloc_abort | __swrite | libxul.so@0xead5f8]
[@ mozalloc_abort | __swrite | libxul.so@0xead688 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozall… → [@ mozalloc_abort | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | __swrite | libxul.so@0xead6b8]
[@ mozalloc_abort | __swrite | libxul.so@0xead6b8 | nsHTMLEditRules::CheckForEmptyBlock]
[@ mozalloc_abort | __swrite | libxul.so@0xf7a311 | moz…
Comment 14•13 years ago
|
||
Sorry I forgot a bit about this one. The good news is that the extra debug info is very conclusive:
for example in:
https://crash-stats.mozilla.com/report/index/5043a48c-2296-4006-8eb3-98d292120224
We get:
###!!! ABORT: creating ThebesLayer 'back buffer' failed! width=1092240, height=546120, type=3000: file /builds/slave/rel-m-beta-andrd-xul-bld/build/gfx/layers/basic/BasicLayers.cpp, line 2389
This width and height are hugem and explain the OOM condition. The next question is why do we have these huge dimensions here.
Comment 15•13 years ago
|
||
Notice that in the above exampe, we have width == 2*height.
Comment 16•13 years ago
|
||
The next thing we notice is that each crash report has different huge values here. This might be an uninitialized value, but that's not very clear: these values seem to be concentrated around the 1e+6 order of magnitude, which is uncharacteristic of uninitialized values.
Also, the 'rule' that width == 2*height seems to always hold, within +/- 1 precision on height.
Comment 17•13 years ago
|
||
Here is the data for the 3 days from Feb. 23 to Feb. 25. That's 30 crashes in 3 days so 10/day.
The 'rule' about width == 2*height is not always true. Sometimes it's height==2*width and sometimes it's neither. Sometimes, only one of the two dimensions is huge.
width=1600, height=40218, type=3000
width=1600, height=40218, type=3000
width=450116, height=225058, type=3000
width=48150, height=32101, type=3000
width=48150, height=32101, type=3000
width=1246128, height=1869192, type=3000
width=1041525, height=2603811, type=3000
width=1155584, height=770390, type=3000
width=470, height=56416, type=3000
width=470, height=56416, type=3000
width=1004, height=35322, type=3000
width=1004, height=35321, type=3000
width=1004, height=35475, type=3000
width=1027186, height=2567963, type=3000
width=519, height=34436, type=3000
width=182532, height=60845, type=3000
width=182532, height=60845, type=3000
width=1420, height=38674, type=3000
width=555, height=33554, type=3000
width=1420, height=38674, type=3000
width=2054371, height=1027186, type=3000
width=1092240, height=546120, type=3000
width=3617588, height=1808795, type=3000
width=468, height=36617, type=3000
width=232, height=139023, type=3000
width=1239, height=37521, type=3000
width=20583, height=13722, type=3000
width=29848, height=59694, type=3000
width=20445, height=13630, type=3000
width=25852, height=51703, type=3000
Comment 18•13 years ago
|
||
To 1% accuracy, the width/height ratio is always very close to a simple fraction:
1/25
1/25
2/1
3/2
3/2
2/3
2/5
3/2
1/120
1/120
1/35
1/35
1/35
2/5
3/200
3/1
3/1
1/27
1/60
1/27
2/1
2/1
2/1
1/78
1/600
1/30
3/2
1/2
3/2
1/2
Comment 19•13 years ago
|
||
Someone who knows ThebesBasicLayers should have a look at that. The stacks point to
http://hg.mozilla.org/releases/mozilla-beta/annotate/2427757522ff/gfx/layers/basic/BasicLayers.cpp#l733
calling
http://hg.mozilla.org/releases/mozilla-beta/annotate/2427757522ff/gfx/layers/ThebesLayerBuffer.cpp#l273
but that doesn't really tell us where the weird sizes come from. They seem to be read from the mBufferRect member, but I don't know where that was set.
Comment 20•13 years ago
|
||
CC'ing people recommended by hg annotate.
Comment 21•13 years ago
|
||
(In reply to Benoit Jacob [:bjacob] from comment #18)
The fractions in comment 18 are further non-random in that they are made of small prime numbers only: mostly 2,3,5, one occurence 7 and one occurence of 13.
25 = 5*5
120 = 2*2*2*3*5
35 = 5*7
200 = 2*2*2*5*5
27 = 3*3*3
60 = 2*2*3*5
78 = 2*3*13
600 = 2*2*2*3*5*5
30 = 2*3*5
I wonder if the front-end code is setting the displayport to a very large value?
Updated•13 years ago
|
Assignee: bjacob → nobody
Reporter | ||
Updated•13 years ago
|
Crash Signature: GetKeyFromValue]
[@ mozalloc_abort | __swrite | libxul.so@0xf7a469 | GetKeyFromValue] → GetKeyFromValue]
[@ mozalloc_abort | __swrite | libxul.so@0xf7a469 | GetKeyFromValue]
[@ mozalloc_abort | __swrite | libxul.so@0xf79349 | mozilla::dom::indexedDB::IDBObjectStore::StructuredCloneReadCallback]
[@ mozalloc_abort]
[@ mozalloc_abort | mozi…
Reporter | ||
Updated•13 years ago
|
Crash Signature: mozilla::dom::indexedDB::IDBObjectStore::StructuredCloneReadCallback] → mozilla::dom::indexedDB::IDBObjectStore::StructuredCloneReadCallback]
[@ mozalloc_abort | __swrite | libxul.so@0xeadefc | nsHTMLEditRules::InDifferentTableElements]
[@ mozalloc_abort | nsHTMLEditRules::InDifferentTableElements]
Reporter | ||
Updated•13 years ago
|
Summary: Crash @ mozalloc_abort | __swrite | libxul.so@0xe... with abort message "###!!! ABORT: creating ThebesLayer 'back buffer' failed! type=3000" → Crash with abort message "###!!! ABORT: creating ThebesLayer 'back buffer' failed! type=3000"
Comment 24•13 years ago
|
||
People of the Layout work week, here is a very useful bug to look at while you're in the same room!
Comment 25•13 years ago
|
||
Fennec crashes consistently on this url for me: https://developer.mozilla.org/nl/demos/detail/css3-piano/launch
And I've seen it with other css3 demo-sites too.
It crashes on the Samsung Galaxy Nexus, Android 4.0.2 and the HTC Desire HD, Android 2.3.5.
Updated•13 years ago
|
blocking-fennec1.0: ? → beta+
Comment 26•13 years ago
|
||
Also crashing here: file:///C:/Users/mw22/Desktop/tests/performance/overflowscrollscrolling.htm
After tapping on the link.
Reporter | ||
Updated•13 years ago
|
Keywords: reproducible
Whiteboard: [mobile-crash], keep open! → [mobile-crash][STR in comment 25][keep open!]
Comment 27•13 years ago
|
||
Bingo, I can reproduce with the link in comment 25 on a Nexus S, Android 2.3.
Comment 28•13 years ago
|
||
Here's what I got by reproducing in moz-gdb.
The last messages before the crash say:
adb| State - 17760257
adb| Got a document start
adb| leaving void mozilla::AndroidBridge::HandleGeckoMessage(const nsAString_...
adb| ###!!! ASSERTION: Wrong bounds: 'bounds.IsEqualInterior(aChildren.GetBou...
adb| ###!!! ASSERTION: Residual translation out of range: '-0.5 <= mResidualT...
adb| ShmemAndroid::ShareToProcess(): Too many open files (24)
adb| ###!!! ABORT: creating ThebesLayer 'back buffer' failed! width=44, heigh...
Don't the "wrong bounds" and "out of range" messages sound interesting in connection with this apparently layout-related bug? See also the strange "too many open files" message, which I can't make sense of.
Comment 29•13 years ago
|
||
Another strange thing: this time the sizes are small: width=44, height=9!
Comment 30•13 years ago
|
||
I got this crash again, this time after a few device orientation changes. This time, the warning messages preceding the crash are quite different:
adb| ###!!! ASSERTION: RenderTo with uninitialised buffer!: 'Initialised()', ...
adb| ###!!! ASSERTION: RenderTo with uninitialised buffer!: 'Initialised()', ...
adb| Compositor: Composite took 2055 ms.
adb| ShmemAndroid::ShareToProcess(): Too many open files (24)
The only common message between these two runs seems to be the 'Too many open files' message, immediately before the crash. Can anyone make sense of it?
Comment 31•13 years ago
|
||
Last spam, I promise: all these assertions sound really scary. Why aren't they fatal? Wouldn't it make this bug easier to debug?
Also, how do I run with XPCOM_DEBUG_BREAK=abort on Android with moz-gdb? I tried
set environment XPCOM_DEBUG_BREAK=abort
in moz-gdb, but that didn't seem to make a difference.
Comment 32•13 years ago
|
||
(In reply to Benoit Jacob [:bjacob] from comment #31)
> Last spam, I promise: all these assertions sound really scary. Why aren't
> they fatal? Wouldn't it make this bug easier to debug?
>
> Also, how do I run with XPCOM_DEBUG_BREAK=abort on Android with moz-gdb? I
> tried
>
> set environment XPCOM_DEBUG_BREAK=abort
>
> in moz-gdb, but that didn't seem to make a difference.
When I want to run with environment variables, I launch the app first and attach to it with moz-gdb.
To launch with environment variables, you can do:
adb shell am start -a android.activity.MAIN -n org.mozilla.fennec_$USER/org.mozilla.fennec_$USER.App --es env0 VAR1=VAL1 --es env1 VAR2=VAL2
With regards to the too many files, it sounds like we're opening too many shared memory handles and not closing them (leak)? I'm not familiar with how shmem works on android at the moment, so this comment might be nonsense.
Comment 33•13 years ago
|
||
re-nom'ing because I don't see this in the top crashes anymore
blocking-fennec1.0: beta+ → ?
Updated•13 years ago
|
blocking-fennec1.0: ? → -
Comment 34•13 years ago
|
||
Sorry, comment 26 should have pointed to http://people.mozilla.com/~mwargers/tests/performance/overflowscrollscrolling.htm
That link doesn't seem to crash anymore on the Samsung Galaxy Nexus or the Samsung Galaxy SII.
The link from comment 25 does close Fennec after zooming in and changing orientation, but that seems more like an Android close because of OOM, not an OOM crash from within Fennec.
Reporter | ||
Updated•13 years ago
|
Crash Signature: mozilla::dom::indexedDB::IDBObjectStore::StructuredCloneReadCallback]
[@ mozalloc_abort | __swrite | libxul.so@0xeadefc | nsHTMLEditRules::InDifferentTableElements]
[@ mozalloc_abort | nsHTMLEditRules::InDifferentTableElements] → mozilla::dom::indexedDB::IDBObjectStore::StructuredCloneReadCallback]
[@ mozalloc_abort | __swrite | libxul.so@0xeadefc | nsHTMLEditRules::InDifferentTableElements]
[@ mozalloc_abort | nsHTMLEditRules::InDifferentTableElements]
[@ mozalloc_abort | __sw…
Comment 35•13 years ago
|
||
It looks like the "mozalloc_abort | __swrite | libxul.so@0xeb14f4 | nsHTMLEditRules::GetChildNodesForOperation" signature has been introduced into the stable XUL releases with 10.0.4esr - apparently it wasn't there for 10.0.3esr
Reporter | ||
Comment 36•13 years ago
|
||
All stacks are buggy (libeditor component), only the abort message is right (graphics component).
Reporter | ||
Updated•13 years ago
|
Crash Signature: __swrite | libxul.so@0xeb14f4]
[@ mozalloc_abort | __swrite | libxul.so@0xeb14f4 | nsHTMLEditRules::GetChildNodesForOperation]
[@ mozalloc_abort | nsHTMLEditRules::GetChildNodesForOperation] → __swrite | libxul.so@0xeb14f4]
[@ mozalloc_abort | __swrite | libxul.so@0xeb14f4 | nsHTMLEditRules::GetChildNodesForOperation]
[@ mozalloc_abort | nsHTMLEditRules::GetChildNodesForOperation]
[@ TouchBadMemory | mozalloc_abort | nsEditorHookUtils::GetHo…
Comment 37•12 years ago
|
||
I'm working on bug 703484 and this abort is showing also on Windows (with omtc enabled), it is ShareToProcess that is failing here.
I don't know if the cause is the same.
Reporter | ||
Updated•12 years ago
|
Crash Signature: nsEditorHookUtils::GetHookEnumeratorFromDocument] → nsEditorHookUtils::GetHookEnumeratorFromDocument]
[@ mozalloc_abort | __swrite | libxul.so@0xeb15b4 | nsHTMLEditRules::RemoveListStructure]
[@ mozalloc_abort | nsHTMLEditRules::RemoveListStructure]
Comment 38•12 years ago
|
||
The steps-to-reproduce in comment 25 now give me a OOM SIGKILL instead of the above-discussed assertion failures.
Shortly before death, I see this in logcat:
07-05 17:07:40.812 I/GeckoScreenshot( 1334): rect: 30.000000, 0.000000, 980.000000, 1408.750000
07-05 17:07:40.816 I/GeckoScreenshot( 1334): rect: -441.000000, -3592.166748, 1755.650146, 1409.000000
07-05 17:07:45.738 I/ActivityManager( 107): Process android.process.acore (pid 1259) has died.
07-05 17:07:45.867 I/ActivityManager( 107): Process android.process.media (pid 1311) has died.
07-05 17:07:45.867 I/ActivityManager( 107): Low Memory: No more background processes.
07-05 17:07:46.195 I/ActivityManager( 107): Process com.android.launcher (pid 1226) has died.
So apparently we're taking an absurdly large screenshot and immediately then we start running out of memory. The too-large screenshot size seems to be another symptom of the same underlying hypothetical layout bug that would produce such absurdly large sizes.
Comment 39•12 years ago
|
||
Here's the code printing this rect message:
http://mxr.mozilla.org/mozilla-central/source/widget/android/nsAppShell.cpp#131
119 virtual nsresult HandleEvent(nsIDOMEvent* aEvent) {
120 nsCOMPtr<nsIDOMNotifyPaintEvent> paintEvent = do_QueryInterface(aEvent);
121 if (!paintEvent)
122 return NS_OK;
123
124 nsCOMPtr<nsIDOMClientRect> rect;
125 paintEvent->GetBoundingClientRect(getter_AddRefs(rect));
126 float top, left, bottom, right;
127 rect->GetTop(&top);
128 rect->GetLeft(&left);
129 rect->GetRight(&right);
130 rect->GetBottom(&bottom);
131 __android_log_print(ANDROID_LOG_INFO, "GeckoScreenshot", "rect: %f, %f, %f, %f", top, left, right, bottom);
132 AndroidBridge::NotifyPaintedRect(top, left, bottom, right);
133 return NS_OK;
134 }
So apparently this is the rect of a nsIDOMNotifyPaintEvent.
So are (-441.000000, -3592.166748, 1755.650146, 1409.000000) reasonable coords for a NotifyPaintEvent?
Yes, if the document is that large and it all gets invalidated.
Updated•2 years ago
|
Severity: critical → S2
Comment 42•2 years ago
|
||
The code mentioned in the bug title no longer exists.
All of the crash signatures linked to this bug have 0 crashes except for [@ mozalloc_abort ] . That is a very generic signature, and none of the crashes for it have any useful stack at all, so we don't have much info on them. I'm going to remove [@ mozalloc_abort ] from the signatures of this bug since it doesn't seem relevant to this bug and then close this bug since the code it was originally reported for no longer exists.
Status: NEW → RESOLVED
Crash Signature: GetKeyFromValue]
[@ mozalloc_abort | __swrite | libxul.so@0xf7a469 | GetKeyFromValue]
[@ mozalloc_abort | __swrite | libxul.so@0xf79349 | mozilla::dom::indexedDB::IDBObjectStore::StructuredCloneReadCallback]
[@ mozalloc_abort]
[@ mozalloc_abort | → GetKeyFromValue]
[@ mozalloc_abort | __swrite | libxul.so@0xf7a469 | GetKeyFromValue]
[@ mozalloc_abort | __swrite | libxul.so@0xf79349 | mozilla::dom::indexedDB::IDBObjectStore::StructuredCloneReadCallback]
[@ mozalloc_abort |
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•