754056 - Crash in gfxReusableSurfaceWrapper

Status: RESOLVED FIXED

(Core :: Graphics, defect)

Description

[Kartikaya Gupta (email:kats@mozilla.staktrace.com)]

Using a debug build off central, and every so often I get a crash with the following stack:

adb| ###!!! ABORT: Should not be locked when released: 'mReadCount == 0', file /Users/kats/zspace/mozilla-git/gfx/thebes/gfxReusableSurfaceWrapper.cpp, line 20

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 24562]
TouchBadMemory () at /Users/kats/zspace/mozilla-git/memory/mozalloc/mozalloc_abort.cpp:68
68	    gDummyCounter += *p;   // TODO annotation saying we know 
(gdb) bt
#0  TouchBadMemory () at /Users/kats/zspace/mozilla-git/memory/mozalloc/mozalloc_abort.cpp:68
#1  0x5bf2b770 in mozalloc_abort (msg=<optimized out>) at /Users/kats/zspace/mozilla-git/memory/mozalloc/mozalloc_abort.cpp:89
#2  0x61924b30 in Abort (aMsg=<optimized out>) at /Users/kats/zspace/mozilla-git/xpcom/base/nsDebugImpl.cpp:417
#3  NS_DebugBreak_P (aSeverity=3, aStr=<optimized out>, aExpr=<optimized out>, aFile=<optimized out>, aLine=20)
    at /Users/kats/zspace/mozilla-git/xpcom/base/nsDebugImpl.cpp:404
#4  0x619970ac in gfxReusableSurfaceWrapper::~gfxReusableSurfaceWrapper (this=0x661fffc0, __in_chrg=<optimized out>)
    at /Users/kats/zspace/mozilla-git/gfx/thebes/gfxReusableSurfaceWrapper.cpp:20
#5  0x619a5cca in gfxReusableSurfaceWrapper::Release (this=0x661fffc0) at ../../dist/include/gfxReusableSurfaceWrapper.h:31
#6  0x619b89d4 in ~nsRefPtr (this=<optimized out>, __in_chrg=<optimized out>) at ../../dist/include/nsAutoPtr.h:908
#7  ~BasicTiledLayerTile (this=<optimized out>, __in_chrg=<optimized out>) at ../../dist/include/BasicTiledThebesLayer.h:26
#8  Destruct (e=<optimized out>) at ../../dist/include/nsTArray.h:380
#9  DestructRange (count=<optimized out>, start=<optimized out>, this=<optimized out>) at ../../dist/include/nsTArray.h:1243
#10 ReplaceElementsAt<mozilla::layers::BasicTiledLayerTile> (arrayLen=<optimized out>, array=<optimized out>, count=<optimized out>, start=<optimized out>, 
    this=<optimized out>) at ../../dist/include/nsTArray.h:754
#11 operator= (other=<optimized out>, this=<optimized out>) at ../../dist/include/nsTArray.h:490
#12 operator= (this=<optimized out>) at /Users/kats/zspace/mozilla-git/gfx/layers/TiledLayerBuffer.h:69
#13 mozilla::layers::BasicTiledLayerBuffer::operator= (this=0x65360a24) at ../../dist/include/BasicTiledThebesLayer.h:78
#14 0x619b8a84 in mozilla::layers::TiledThebesLayerOGL::PaintedTiledLayerBuffer (this=0x65360800, mTiledBuffer=0x1612b08)
    at /Users/kats/zspace/mozilla-git/gfx/layers/opengl/TiledThebesLayerOGL.cpp:134
#15 0x619c1b0c in mozilla::layers::ShadowLayersParent::RecvUpdate (this=0x636c1fd0, cset=<optimized out>, isFirstPaint=<optimized out>, reply=<optimized out>)
    at /Users/kats/zspace/mozilla-git/gfx/layers/ipc/ShadowLayersParent.cpp:330
#16 0x619c12e6 in mozilla::layers::ShadowLayersParent::RecvUpdateNoSwap (this=0x636c1fd0, cset=..., isFirstPaint=@0x638ffb88)
    at /Users/kats/zspace/mozilla-git/gfx/layers/ipc/ShadowLayersParent.cpp:156
#17 0x6186c040 in mozilla::layers::PLayersParent::OnMessageReceived (this=0x636c1fd0, __msg=<optimized out>)
    at /Users/kats/zspace/mozilla-git/obj-android-debug/ipc/ipdl/PLayersParent.cpp:275
#18 0x6186729a in mozilla::layers::PCompositorParent::OnMessageReceived (this=0x636fa800, __msg=...)
    at /Users/kats/zspace/mozilla-git/obj-android-debug/ipc/ipdl/PCompositorParent.cpp:288
#19 0x6182d1fa in mozilla::ipc::AsyncChannel::OnDispatchMessage (this=0x636fa808, msg=...) at /Users/kats/zspace/mozilla-git/ipc/glue/AsyncChannel.cpp:495
#20 0x61832110 in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x636fa808) at /Users/kats/zspace/mozilla-git/ipc/glue/RPCChannel.cpp:434
#21 0x6181a2c4 in DispatchToMethod<mozilla::plugins::PluginInstanceChild, void (mozilla::plugins::PluginInstanceChild::*)()> (arg=<optimized out>, 
    method=<optimized out>, obj=<optimized out>) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/tuple.h:383
#22 RunnableMethod<mozilla::plugins::PluginInstanceChild, void (mozilla::plugins::PluginInstanceChild::*)(), Tuple0>::Run (this=<optimized out>)
    at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/task.h:307
#23 0x618304f2 in Run (this=<optimized out>) at ../../dist/include/mozilla/ipc/RPCChannel.h:462
#24 mozilla::ipc::RPCChannel::DequeueTask::Run (this=0x5e728640) at ../../dist/include/mozilla/ipc/RPCChannel.h:485
#25 0x6194d246 in MessageLoop::RunTask (this=0x638ffdd4, task=0x5e728640) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:318
#26 0x6194da50 in MessageLoop::DeferOrRunPendingTask (this=0xa, pending_task=<optimized out>) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:326
#27 0x6194e73e in MessageLoop::DoWork (this=0x638ffdd4) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:426
#28 0x6194eaaa in base::MessagePumpDefault::Run (this=0x637b3600, delegate=0x638ffdd4) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/message_pump_default.cc:23
#29 0x6194d7e2 in MessageLoop::RunInternal (this=0x638ffdd4) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:208
#30 0x6194d842 in RunHandler (this=<optimized out>) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:201
#31 MessageLoop::Run (this=0x638ffdd4) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/message_loop.cc:175
#32 0x619572e8 in base::Thread::ThreadMain (this=0x636c1ac0) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/thread.cc:156
#33 0x61964ae2 in ThreadFunc (closure=0xa) at /Users/kats/zspace/mozilla-git/ipc/chromium/src/base/platform_thread_posix.cc:27
#34 0x400f9c50 in pthread_setspecific () from /Users/kats/android/jdb/moz-gdb/lib/01466E640801401C/system/lib/libc.so
#35 0x400f9c50 in pthread_setspecific () from /Users/kats/android/jdb/moz-gdb/lib/01466E640801401C/system/lib/libc.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

Comment 1

[Benoit Girard (:BenWa)]

This might explain some of the problem we see with tiling.

Comment 2

[Benoit Girard (:BenWa)]

bjacob looked at this and found a plausible solution.

Comment 3

[Benoit Jacob [:bjacob] (mostly away)]

Attachment: call ReadUnlock() before replacing tiles

Patch really written by BenWa, but trivial enough that it should be OK to ask him to review it.

Comment 4

[Benoit Girard (:BenWa)]

Comment on attachment 623235 [details] [diff] [review]
call ReadUnlock() before replacing tiles

Thanks!

Comment 5

[Benoit Jacob [:bjacob] (mostly away)]

http://hg.mozilla.org/integration/mozilla-inbound/rev/3cf3f6ba83bf

Comment 6

[Matt Brubeck (:mbrubeck)]

https://hg.mozilla.org/mozilla-central/rev/3cf3f6ba83bf

Comment 7

[Kartikaya Gupta (email:kats@mozilla.staktrace.com)]

Should this be uplifted to aurora?

Comment 8

[Benoit Girard (:BenWa)]

Comment on attachment 623235 [details] [diff] [review]
call ReadUnlock() before replacing tiles

[Approval Request Comment]
Regression caused by (bug #): bug 739679
User impact if declined: leaks (assertion crashes in debug)
Testing completed (on m-c, etc.): on m-c
Risk to taking this patch (and alternatives if risky): low & mobile-only, code was missing an unlock
String changes made by this patch: none

Comment 9

[Benoit Girard (:BenWa)]

Comment on attachment 623235 [details] [diff] [review]
call ReadUnlock() before replacing tiles

Actually no, we haven't uplifted noswap drawing. Aurora isn't affacted. But if we uplift that fix we should include this as well.