OOM crash in mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate

VERIFIED FIXED in Firefox 14

Status: VERIFIED FIXED
Product: Core
Component: Graphics: Layers
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 5 years ago

People: Reporter: xti, Assigned: vlad

Tracking
Keywords: crash, reproducible
Version: 14 Branch
Target Milestone: mozilla15
Hardware: ARM
OS: Android
Points: ---
Bug Flags: in-testsuite -
Firefox Tracking Flags: firefox14 fixed, firefox15 verified, blocking-fennec1.0 .N+

Details
Whiteboard: [native-crash], crash signature

Attachments: 1 attachment, 1 obsolete attachment
(Reporter)

Description

5 years ago
This bug was filed from the Socorro interface and is report bp-59898e5d-1c48-4252-9c74-4b6542120430 .
============================================================= 
Frame 	Module 	Signature 	Source
0 	libmozalloc.so 	TouchBadMemory 	memory/mozalloc/mozalloc_abort.cpp:68
1 	libmozalloc.so 	mozalloc_abort 	memory/mozalloc/mozalloc_abort.cpp:89
2 	libmozalloc.so 	moz_xmalloc 	memory/mozalloc/mozalloc.cpp:89
3 	libxul.so 	mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate 	mozalloc.h:229
4 	libxul.so 	mozilla::layers::ThebesLayerBuffer::BeginPaint 	gfx/layers/ThebesLayerBuffer.cpp:307
5 	libxul.so 	mozilla::layers::BasicThebesLayer::PaintThebes 	gfx/layers/basic/BasicLayers.cpp:653
6 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1875
7 	libxul.so 	mozilla::layers::BasicLayerManager::PaintLayer 	gfx/layers/basic/BasicLayers.cpp:1890
8 	libxul.so 	mozilla::layers::BasicLayerManager::EndTransactionInternal 	gfx/layers/basic/BasicLayers.cpp:1580
9 	libxul.so 	mozilla::layers::BasicShadowLayerManager::EndTransaction 	gfx/layers/basic/BasicLayers.cpp:1527
10 	libxul.so 	nsDisplayList::PaintForFrame 	layout/base/nsDisplayList.cpp:651
11 	libxul.so 	nsDisplayList::PaintRoot 	layout/base/nsDisplayList.cpp:556
12 	libxul.so 	nsLayoutUtils::PaintFrame 	layout/base/nsLayoutUtils.cpp:1802
13 	libxul.so 	PresShell::Paint 	layout/base/nsPresShell.cpp:5428
14 	libxul.so 	nsViewManager::Refresh 	view/src/nsViewManager.cpp:377
15 	libxul.so 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:813
16 	libxul.so 	HandleEvent 	view/src/nsView.cpp:158
17 	libxul.so 	nsWindow::DispatchEvent 	widget/android/nsWindow.cpp:673
18 	libxul.so 	nsWindow::DrawTo 	widget/android/nsWindow.cpp:1036
19 	libxul.so 	nsWindow::DrawTo 	widget/android/nsWindow.cpp:1084
20 	libxul.so 	nsWindow::OnDraw 	widget/android/nsWindow.cpp:1151
21 	libxul.so 	nsWindow::OnGlobalAndroidEvent 	widget/android/nsWindow.cpp:898
22 	libxul.so 	nsAppShell::ProcessNextNativeEvent 	widget/android/nsAppShell.cpp:574
23 	libxul.so 	nsBaseAppShell::DoProcessNextNativeEvent 	widget/xpwidgets/nsBaseAppShell.cpp:171
24 	libxul.so 	nsBaseAppShell::OnProcessNextEvent 	widget/xpwidgets/nsBaseAppShell.cpp:306
25 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:618
26 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
27 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
28 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
29 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
30 	libxul.so 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
31 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:295
32 	libxul.so 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3780
33 	libxul.so 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3857
34 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3933
35 	libxul.so 	GeckoStart 	toolkit/xre/nsAndroidStartup.cpp:109
36 	libmozglue.so 	Java_org_mozilla_gecko_GeckoAppShell_nativeRun 	mozglue/android/APKOpen.cpp:996
37 	libdvm.so 	dvmPlatformInvoke 	
38 	libdvm.so 	dvmCallJNIMethod_general 	
39 	libdvm.so 	dvmResolveNativeMethod 	
40 	libdvm.so 	dvmAsmSisterStart 	
41 	libdvm.so 	dvmMterpStd 	
42 	libdvm.so 	dvmInterpret 	
43 	libdvm.so 	dvmCallMethodV 	
44 	libdvm.so 	dvmCallMethod 	
45 	libdvm.so 	dvmDetachCurrentThread 	
46 	libc.so 	__thread_entry 	
47 	libc.so 	pthread_create 	

Steps to reproduce:
1. Open Fennec
2. Go to https://adblockplus.org/devbuilds/adblockplus/adblockplus-2.0.4a.3399.xpi (http://goo.gl/jOSYR) and install the add-on
3. When install is complete, a popup is triggered. Tap on Restart button
4. After Fennec restarts, wait

Expected result:
No crash should occur

Actual result:
After step 4, Fennec will crash.

--
Firefox 14.0a2 (2012-04-30)
Device: Samsung Captivate
OS: Android 2.2
(Reporter)

Comment 1

5 years ago
Note: This crash is always reproducible on a clean profile

Updated

5 years ago
Component: General → Graphics
Keywords: reproducible
Product: Fennec Native → Core
QA Contact: general → thebes
Hardware: All → ARM
Summary: crash [@ TouchBadMemory | mozalloc_abort | moz_xmalloc | mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate ] → OOM crash in mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate
Whiteboard: [native-crash]
Version: Firefox 14 → 14 Branch
(Reporter)

Comment 2

5 years ago
I guess that this crash might be related to this bug: https://crash-stats.mozilla.com/report/index/bp-1ada14c0-77cc-4924-a8f7-cd6832120503

Before performing step 2, I opened several webpages, each one in a new tab.
Crash Signature: [@ TouchBadMemory | mozalloc_abort | moz_xmalloc | mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate] → [@ TouchBadMemory | mozalloc_abort | moz_xmalloc | mozilla::layers::ThebesLayerBuffer::GetContextForQuadrantUpdate] [@ TouchBadMemory | mozalloc_abort | moz_xmalloc | libxul.so@0x8f34a9 | pthread_mutex_unlock ]

Updated

5 years ago
Component: Graphics → Graphics: Layers
QA Contact: thebes → graphics-layers
I can reproduce this on a Galaxy Nexus, latest m-c build, with original STR.
Assignee: nobody → vladimir
blocking-fennec1.0: --- → ?
Hrm.  Curious.  My crash on a Galaxy Nexus is different than the one here; my stack looks like:

#0  0x4084aa2a in dvmAbort () from /home/vladimir/proj/android/moz-gdb/lib/01467D5504010005/system/lib/libdvm.so
#1  0x4084f762 in dvmDecodeIndirectRef(_JNIEnv*, _jobject*) ()
   from /home/vladimir/proj/android/moz-gdb/lib/01467D5504010005/system/lib/libdvm.so
#2  0x40850f44 in ?? () from /home/vladimir/proj/android/moz-gdb/lib/01467D5504010005/system/lib/libdvm.so
#3  0x6262e772 in GetIntField (fieldID=<optimized out>, obj=<optimized out>, this=<optimized out>)
    at /home/vladimir/proj/android/android-ndk-r5c/platforms/android-5/arch-arm/usr/include/jni.h:706
#4  AndroidGLController::ProvideEGLSurface (this=0x62f36404)
    at /home/vladimir/proj/mozilla-central/widget/android/AndroidLayerViewWrapper.cpp:100
#5  0x6262cf9e in mozilla::AndroidBridge::ProvideEGLSurface (this=<optimized out>)
    at /home/vladimir/proj/mozilla-central/widget/android/AndroidBridge.cpp:1213
#6  0x6279728c in CreateSurfaceForWindow (config=<optimized out>, aWidget=<optimized out>)
    at /home/vladimir/proj/mozilla-central/gfx/gl/GLContextProviderEGL.cpp:1435
#7  mozilla::gl::GLContextProviderEGL::CreateForWindow (aWidget=0x64e22080)
    at /home/vladimir/proj/mozilla-central/gfx/gl/GLContextProviderEGL.cpp:1522
#8  0x62786f24 in mozilla::layers::LayerManagerOGL::CreateContext (this=<optimized out>)
    at /home/vladimir/proj/mozilla-central/gfx/layers/opengl/LayerManagerOGL.cpp:177
#9  0x6278df50 in Initialize (force=<optimized out>, this=<optimized out>) at ../../dist/include/LayerManagerOGL.h:110
#10 mozilla::layers::CompositorParent::AllocPLayers (this=0x64e7bb40, backendType=<optimized out>)
    at /home/vladimir/proj/mozilla-central/gfx/layers/ipc/CompositorParent.cpp:473
#11 0x626bdbb0 in mozilla::layers::PCompositorParent::OnMessageReceived (this=0x64e7bb40, __msg=<optimized out>, 
    __reply=@0x661ffcfc) at /home/vladimir/proj/fx-android-debug/ipc/ipdl/PCompositorParent.cpp:470


AndroidGLController::ProvideEGLSurface uses CallObjectMethod(mJObj, jProvideEGLSurfaceMethod) and then uses jObj without checking its return value (or checking for an exception -- return value might be bogus in this case anyway).  ProvideEGLSurface is throwing an exception here, as per the log:

E/SurfaceTexture(  117): [SurfaceView] connect: already connected (cur=1, req=1)
E/libEGL  (30454): EGLNativeWindowType 0xff860 already connected to another API
E/libEGL  (30454): eglCreateWindowSurface:374 error 300b (EGL_BAD_NATIVE_WINDOW)
W/dalvikvm(30454): Invalid indirect reference 0x41a5b170 in decodeIndirectRef
E/dalvikvm(30454): VM aborting
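The unchecked-return pattern described above, as an added illustration rather than Mozilla code: FakeEnv and LocalFrame are constructed models of JNIEnv and AutoLocalJNIFrame (their real interfaces are assumed), and the "VM abort" is modelled by a C++ throw so the before/after behaviour can be exercised without a JVM.

```cpp
#include <stdexcept>
// Constructed stand-in for JNIEnv (not the real JNI API). ExceptionCheck/ExceptionClear
// mirror the real calls; any other JNI call made while a Java exception is pending
// aborts the VM (modelled by throwing), which is the dvmAbort in the stack above.
struct FakeEnv {
    bool pending = false;       // a Java exception is pending
    bool throwOnCall = false;   // make the Java method throw
    void* CallObjectMethod() {
        if (throwOnCall) { pending = true; return reinterpret_cast<void*>(0xdead); }  // bogus value
        return reinterpret_cast<void*>(0x1000);  // constructed "valid" local ref
    }
    int GetIntField(void* obj) {
        if (pending) throw std::runtime_error("VM aborting: JNI call with pending exception");
        return obj ? 42 : 0;
    }
    bool ExceptionCheck() const { return pending; }
    void ExceptionClear() { pending = false; }
};
// Assumed shape of AutoLocalJNIFrame::CheckForException: report and clear.
struct LocalFrame {
    FakeEnv& env;
    explicit LocalFrame(FakeEnv& e) : env(e) {}
    bool CheckForException() {
        if (!env.ExceptionCheck()) return false;
        env.ExceptionClear();   // the real helper also logs the exception
        return true;
    }
};
// Before: the returned reference is used unconditionally.
int ProvideSurfaceUnchecked(FakeEnv& env) {
    void* jObj = env.CallObjectMethod();
    return env.GetIntField(jObj);          // aborts if the Java side threw
}
// After: bail out before touching jObj or issuing any further JNI call.
int ProvideSurfaceChecked(FakeEnv& env) {
    LocalFrame frame(env);
    void* jObj = env.CallObjectMethod();
    if (frame.CheckForException()) return -1;   // "no surface"; the caller must handle -1
    return env.GetIntField(jObj);
}
// Drives both versions against a throwing Java method: true if the unchecked one
// hit the VM abort while the checked one returned -1 with the exception cleared.
bool UncheckedAbortsButCheckedSurvives() {
    FakeEnv env; env.throwOnCall = true;
    bool aborted = false;
    try { ProvideSurfaceUnchecked(env); } catch (const std::runtime_error&) { aborted = true; }
    env.ExceptionClear();                  // a real VM would be gone by now
    return aborted && ProvideSurfaceChecked(env) == -1 && !env.ExceptionCheck();
}
```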
Created attachment 624812 [details] [diff] [review]
protect against exceptions

Protect against an exception raised java-side here.  I don't know why we're getting the exception or anything like that, but this stops a crash without any ill effects that I can see.
Attachment #624812 - Flags: review?(jmuizelaar)
Comment on attachment 624812 [details] [diff] [review]
protect against exceptions

Review of attachment 624812 [details] [diff] [review]:
-----------------------------------------------------------------

::: widget/android/AndroidLayerViewWrapper.cpp
@@ +92,5 @@
>      jobject jObj = mJEnv->CallObjectMethod(mJObj, jProvideEGLSurfaceMethod);
> +    if (mJEnv->ExceptionOccurred()) {
> +        mJEnv->ExceptionDescribe();
> +        mJEnv->ExceptionClear();
> +        return NULL;
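Review bot: the test in this hunk calls ExceptionOccurred() only for its truthiness, which also hands back a local reference to the throwable that is never released until the frame pops; ExceptionCheck() answers the same question without creating a reference, and since the function already sits inside an AutoLocalJNIFrame the frame's own CheckForException() helper keeps the pattern consistent with the rest of the JNI glue.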

use if (jniFrame.CheckForException())

@@ +114,5 @@
> +
> +
> +
> +
> +
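Review bot: the hunk at +114 consists solely of added blank lines and carries no code change; drop it before landing.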

oh god the white space
Attachment #624812 - Flags: review?(jmuizelaar) → review-
not enough volume to block on this, but nominate it for uplift once it lands on m-c and we'll probably take it.
blocking-fennec1.0: ? → -
Created attachment 624861 [details] [diff] [review]
fix, v2

I have no idea where that whitespace came from.  Now with CheckForException.
Attachment #624812 - Attachment is obsolete: true
Attachment #624861 - Flags: review?(blassey.bugs)
Comment on attachment 624861 [details] [diff] [review]
fix, v2

Review of attachment 624861 [details] [diff] [review]:
-----------------------------------------------------------------

::: widget/android/AndroidLayerViewWrapper.cpp
@@ +91,5 @@
>      AutoLocalJNIFrame jniFrame(mJEnv);
>      jobject jObj = mJEnv->CallObjectMethod(mJObj, jProvideEGLSurfaceMethod);
> +    if (jniFrame.CheckForException()) {
> +        return NULL;
> +    }
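Review bot: the early `return NULL` at the end of this hunk moves the failure to the callers, AndroidBridge::ProvideEGLSurface and the EGL surface creation in CreateSurfaceForWindow per the gdb stack earlier in the bug; confirm those treat a NULL surface as a recoverable failure rather than passing it on, and a one-line comment stating that NULL means the Java side threw would make that contract visible at the call site.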

nit, no curly braces
Attachment #624861 - Flags: review?(blassey.bugs) → review+
On inbound, sans curly braces: https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=e11498dfd15c
xti, can you try to reproduce with tomorrow (Saturday's) nightly?
https://hg.mozilla.org/mozilla-central/rev/e11498dfd15c
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
(Reporter)

Comment 13

5 years ago
(In reply to Vladimir Vukicevic (:vlad) from comment #11)
> xti, can you try to reproduce with tomorrow (Saturday's) nightly?

I cannot reproduce this issue anymore on the latest Nightly build. However, when I perform the str from comment #0, the following bugs can be reproduced: Bug 737928 (if I install the add-on without opening any webpage) and Bug 738935 (if ~3-4 webpages are opened in new tabs before installing the add-on).

I will close the bug as verified fixed on:

Firefox 15.0a1 (2012-05-20)
Device: Samsung Captivate
OS: Android 2.2
Status: RESOLVED → VERIFIED
status-firefox15: --- → verified
(Reporter)

Updated

5 years ago
Blocks: 757007

Updated

5 years ago
No longer blocks: 757007
Comment on attachment 624861 [details] [diff] [review]
fix, v2

[Approval Request Comment]
User impact if declined: potential uncaught exception leading to GL weirdness
Testing completed (on m-c, etc.): on m-c for a few days
Risk to taking this patch (and alternatives if risky): very little; adds an exception check.  might introduce NULL-related crashes, but the alternative is random-memory-related crashes
Attachment #624861 - Flags: approval-mozilla-aurora?

Updated

5 years ago
status-firefox14: --- → affected
Attachment #624861 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 15

5 years ago
This was approved for 14 (when 14 was Aurora) but never landed there. This is almost certainly what fixed the AndroidGLController::ProvideEGLSurface crashes on 15 and 16. Since these crashes are the #2 and #5 top crashers on 14.0b7 (Bug 763175, which is .N+ blocker), we should consider uplifting this to Beta.

Updated

5 years ago
Blocks: 763175
Given comment 15, renomming.
blocking-fennec1.0: - → ?
blocking-fennec1.0: ? → .N+
Comment on attachment 624861 [details] [diff] [review]
fix, v2

[Triage Comment]

This can land on beta for 14.0.1 but please land on mozilla-beta tip only, not the release branch
Attachment #624861 - Flags: approval-mozilla-aurora+ → approval-mozilla-beta+
This hasn't yet landed - is anything blocking?
Problem solved ;-)

https://hg.mozilla.org/releases/mozilla-beta/rev/8ae11b4ede65
status-firefox14: affected → fixed