Closed
Bug 795179
Opened 12 years ago
Closed 12 years ago
Web Activities intermittently cause segfault
Categories
(Firefox OS Graveyard :: General, defect, P1)
Tracking
(blocking-basecamp:+, b2g18 fixed)
RESOLVED DUPLICATE of bug 789399
Flag | Tracking | Status
---|---|---
blocking-basecamp | + |
b2g18 | --- | fixed
People
(Reporter: benfrancis, Assigned: fabrice)
Details
(Keywords: crash)
On Desktop B2G...

STR
* Start up B2G
* Open the browser app
* Open bookmark menu
* Click "add to homescreen"
* click and drag the mouse around on the (empty) homescreen

Expected:
* See homescreen with icons, new icon gets added to screen

Actual:
* See empty homescreen, followed by complete crash of B2G

Output on console:
loading http://browser.gaiamobile.org:8080/start.html, 1
XXX FIXME : Got a mozContentEvent: activity-choice
[Child 3666] WARNING: pipe error (3): Connection reset by peer: file /home/tola/Code/hg.mozilla.org/mozilla-central/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 422
Segmentation fault

I can also sometimes reproduce this by just opening the browser app and pressing the home key to return to the homescreen, which I believe also triggers a web activity. Vivien says this sometimes happens on the device too. I'm not 100% sure it's caused by Web Activities, but it does seem to happen more often when carrying out actions which trigger them.
Updated•12 years ago
Assignee: nobody → fabrice
Updated•12 years ago
Priority: -- → P1
Comment 2•12 years ago
Here's a stack trace:
#0 0x00007f539e8b306c in mozilla::layers::ShadowLayerParent::ActorDestroy (this=0x7f53743c5760, why=mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::Deletion) at /home/tim/workspace/b2g-desktop/gfx/layers/ipc/ShadowLayerParent.cpp:60
#1 0x00007f539e51194c in mozilla::layers::PLayerParent::DestroySubtree (this=0x7f53743c5760, why=mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::Deletion) at /home/tim/workspace/b2g-desktop/objdir-ff-debug/ipc/ipdl/PLayerParent.cpp:324
#2 0x00007f539e5116c5 in mozilla::layers::PLayerParent::OnMessageReceived (this=0x7f53743c5760, __msg=...) at /home/tim/workspace/b2g-desktop/objdir-ff-debug/ipc/ipdl/PLayerParent.cpp:172
#3 0x00007f539e4de42f in mozilla::dom::PContentParent::OnMessageReceived (this=0x7f53747f9c00, __msg=...) at /home/tim/workspace/b2g-desktop/objdir-ff-debug/ipc/ipdl/PContentParent.cpp:1338
#4 0x00007f539e45a357 in mozilla::ipc::AsyncChannel::OnDispatchMessage (this=0x7f53747f9c10, msg=...) at /home/tim/workspace/b2g-desktop/ipc/glue/AsyncChannel.cpp:473
#5 0x00007f539e466cc5 in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x7f53747f9c10) at /home/tim/workspace/b2g-desktop/ipc/glue/RPCChannel.cpp:402
#6 0x00007f539e46ad4d in DispatchToMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)()> (obj=0x7f53747f9c10, method=(bool (mozilla::ipc::RPCChannel::*)(mozilla::ipc::RPCChannel * const)) 0x7f539e466a5e <mozilla::ipc::RPCChannel::OnMaybeDequeueOne()>, arg=...) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/tuple.h:383
#7 0x00007f539e46aca8 in RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run (this=0x7f5374639800) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/task.h:307
#8 0x00007f539e4654cb in mozilla::ipc::RPCChannel::RefCountedTask::Run (this=0x7f5374819190) at ../../dist/include/mozilla/ipc/RPCChannel.h:425
#9 0x00007f539e4655ce in mozilla::ipc::RPCChannel::DequeueTask::Run (this=0x7f5378da9e40) at ../../dist/include/mozilla/ipc/RPCChannel.h:448
#10 0x00007f539e79e8c3 in MessageLoop::RunTask (this=0x7f53a10c0120, task=0x7f5378da9e40) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:333
#11 0x00007f539e79e93b in MessageLoop::DeferOrRunPendingTask (this=0x7f53a10c0120, pending_task=...) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:341
#12 0x00007f539e79ed11 in MessageLoop::DoWork (this=0x7f53a10c0120) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:441
#13 0x00007f539e463a07 in mozilla::ipc::DoWorkRunnable::Run (this=0x7f53926276a0) at /home/tim/workspace/b2g-desktop/ipc/glue/MessagePump.cpp:42
#14 0x00007f539e74a3dc in nsThread::ProcessNextEvent (this=0x7f53a106f4a0, mayWait=false, result=0x7fff5e479f0f) at /home/tim/workspace/b2g-desktop/xpcom/threads/nsThread.cpp:612
#15 0x00007f539e6db382 in NS_ProcessNextEvent_P (thread=0x7f53a106f4a0, mayWait=false) at /home/tim/workspace/b2g-desktop/objdir-ff-debug/xpcom/build/nsThreadUtils.cpp:220
#16 0x00007f539e463c78 in mozilla::ipc::MessagePump::Run (this=0x7f5392676cc0, aDelegate=0x7f53a10c0120) at /home/tim/workspace/b2g-desktop/ipc/glue/MessagePump.cpp:82
#17 0x00007f539e79e403 in MessageLoop::RunInternal (this=0x7f53a10c0120) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:215
#18 0x00007f539e79e394 in MessageLoop::RunHandler (this=0x7f53a10c0120) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:208
#19 0x00007f539e79e36d in MessageLoop::Run (this=0x7f53a10c0120) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:182
#20 0x00007f539e2e27d0 in nsBaseAppShell::Run (this=0x7f538b035cf0) at /home/tim/workspace/b2g-desktop/widget/xpwidgets/nsBaseAppShell.cpp:163
#21 0x00007f539e03e802 in nsAppStartup::Run (this=0x7f538981f4c0) at /home/tim/workspace/b2g-desktop/toolkit/components/startup/nsAppStartup.cpp:290
Comment 3•12 years ago
Valgrind gives the following:
==6969== Invalid read of size 8
==6969== at 0x75BBCD8: mozilla::layers::ShadowLayerParent::ActorDestroy(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) (ShadowLayerParent.cpp:60)
==6969== by 0x73A3DEB: mozilla::layers::PLayerParent::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) (PLayerParent.cpp:324)
==6969== by 0x73A3F48: mozilla::layers::PLayerParent::OnMessageReceived(IPC::Message const&) (PLayerParent.cpp:172)
==6969== by 0x7391BA1: mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) (PContentParent.cpp:1338)
==6969== by 0x7353A7C: mozilla::ipc::AsyncChannel::OnDispatchMessage(IPC::Message const&) (AsyncChannel.cpp:473)
==6969== by 0x735BCC0: mozilla::ipc::RPCChannel::OnMaybeDequeueOne() (RPCChannel.cpp:402)
==6969== by 0x73266A1: RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run() (tuple.h:383)
==6969== by 0x73590AA: mozilla::ipc::RPCChannel::DequeueTask::Run() (RPCChannel.h:425)
==6969== by 0x751BD25: MessageLoop::RunTask(Task*) (message_loop.cc:333)
==6969== by 0x751D84E: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (message_loop.cc:341)
==6969== by 0x751DA83: MessageLoop::DoWork() (message_loop.cc:441)
==6969== by 0x73585CE: mozilla::ipc::DoWorkRunnable::Run() (MessagePump.cpp:42)
==6969== Address 0x176da7a8 is 168 bytes inside a block of size 832 free'd
==6969== at 0x402B5B9: free (vg_replace_malloc.c:446)
==6969== by 0x4041012: moz_free (mozalloc.cpp:51)
==6969== by 0x75A3748: mozilla::layers::ShadowThebesLayerOGL::~ShadowThebesLayerOGL() (mozalloc.h:224)
==6969== by 0x7594B0B: void mozilla::layers::ContainerRemoveChild<mozilla::layers::ShadowContainerLayerOGL>(mozilla::layers::ShadowContainerLayerOGL*, mozilla::layers::Layer*) (Layers.h:517)
==6969== by 0x7594B34: mozilla::layers::ShadowContainerLayerOGL::RemoveChild(mozilla::layers::Layer*) (ContainerLayerOGL.cpp:418)
==6969== by 0x75BCA96: mozilla::layers::ShadowLayersParent::RecvUpdate(InfallibleTArray<mozilla::layers::Edit> const&, mozilla::layers::TargetConfig const&, bool const&, InfallibleTArray<mozilla::layers::EditReply>*) (ShadowLayersParent.cpp:354)
==6969== by 0x75BD7B5: mozilla::layers::ShadowLayersParent::RecvUpdateNoSwap(InfallibleTArray<mozilla::layers::Edit> const&, mozilla::layers::TargetConfig const&, bool const&) (ShadowLayersParent.cpp:154)
==6969== by 0x73A9EE9: mozilla::layers::PLayersParent::OnMessageReceived(IPC::Message const&) (PLayersParent.cpp:353)
==6969== by 0x7391BA1: mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) (PContentParent.cpp:1338)
==6969== by 0x7353A7C: mozilla::ipc::AsyncChannel::OnDispatchMessage(IPC::Message const&) (AsyncChannel.cpp:473)
==6969== by 0x735BCC0: mozilla::ipc::RPCChannel::OnMaybeDequeueOne() (RPCChannel.cpp:402)
==6969== by 0x73266A1: RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run() (tuple.h:383)
Comment 4•12 years ago
Adding cjones as this looks like a use-after-free in the layers code.
Comment 5•12 years ago
That stack trace makes a little more sense:
#3 0x00007fb2b6a8fb96 in malloc_printerr (action=3, str=0x7fb2b6b8b913 "free(): invalid pointer", ptr=<optimized out>) at malloc.c:5007
#4 0x00007fb2b79fe013 in moz_free (ptr=<optimized out>) at /home/tim/workspace/b2g-desktop/memory/mozalloc/mozalloc.cpp:51
#5 0x00007fb2b52bf5cb in operator delete (ptr=0x1809f68) at ../../dist/include/mozilla/mozalloc.h:224
#6 mozilla::layers::Layer::~Layer (this=0x1809f68, __in_chrg=<optimized out>) at /home/tim/workspace/b2g-desktop/gfx/layers/Layers.cpp:296
#7 0x00007fb2b52ecd09 in Release (this=<optimized out>) at /home/tim/workspace/b2g-desktop/gfx/layers/Layers.h:517
#8 assign_assuming_AddRef (newPtr=0x0, this=0x3ad91a8) at ../../dist/include/nsAutoPtr.h:862
#9 assign_with_AddRef (rawPtr=0x0, this=0x3ad91a8) at ../../dist/include/nsAutoPtr.h:846
#10 operator= (rhs=0x0, this=0x3ad91a8) at ../../dist/include/nsAutoPtr.h:930
#11 mozilla::layers::ShadowLayerParent::ActorDestroy (this=0x3ad9180, why=<optimized out>) at /home/tim/workspace/b2g-desktop/gfx/layers/ipc/ShadowLayerParent.cpp:75
http://mxr.mozilla.org/mozilla-central/source/gfx/layers/ipc/ShadowLayerParent.cpp#75
Assignee
Comment 6•12 years ago
That looks similar to bug 789399
Comment 7•12 years ago
Yes, that's exactly the same. I like your STR more but then comment #3 here contains a Valgrind trace that I think is very helpful because it shows where the area has been freed before.
Reporter
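As an added illustration (not code from this bug, from Gecko, or from the fix in bug 789399), a reduced C++ model of the ownership invariant the traces above show being broken: the layer that RemoveChild frees in the Valgrind trace is still held by ShadowLayerParent when ActorDestroy runs. The names Layer, ContainerLayer, ShadowLayerParent and RefPtr mirror the frames but their bodies are hypothetical; with every owner holding a strong reference and AddRef/Release balanced, RemoveChild can only drop the container's reference, and the layer is deleted exactly once.

```cpp
static int gLayersDestroyed = 0;  // Layer deletions seen; must end at exactly 1

// Intrusively refcounted layer (hypothetical reduction of Gecko's Layer).
struct Layer {
    int mRefCnt = 0;
    ~Layer() { ++gLayersDestroyed; }
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
};

// Minimal strong pointer modelled on nsRefPtr: AddRef the new object before
// releasing the old one, so "mLayer = nullptr" is the drop seen at line 75.
template <class T> class RefPtr {
    T* mPtr = nullptr;
public:
    RefPtr() = default;
    ~RefPtr() { if (mPtr) mPtr->Release(); }
    RefPtr(const RefPtr&) = delete; RefPtr& operator=(const RefPtr&) = delete;
    RefPtr& operator=(T* aNew) {
        if (aNew) aNew->AddRef();
        T* old = mPtr; mPtr = aNew;
        if (old) old->Release();
        return *this;
    }
};

struct ContainerLayer {                        // owner 1: the layer tree
    RefPtr<Layer> mChild;
    void InsertChild(Layer* aLayer) { mChild = aLayer; }
    void RemoveChild() { mChild = nullptr; }   // drops only this owner's reference
};

struct ShadowLayerParent {                     // owner 2: the IPC actor
    RefPtr<Layer> mLayer;
    void Bind(Layer* aLayer) { mLayer = aLayer; }
    void ActorDestroy() { mLayer = nullptr; }  // the assignment at ShadowLayerParent.cpp:75
};

struct TeardownResult { int destroyedAfterRemove; int destroyedAfterActorDestroy; };

// Replays the order the traces show: RemoveChild from the layers update first,
// then the actor's ActorDestroy. The layer is deleted once, after the last owner lets go.
TeardownResult RunTeardownSequence() {
    gLayersDestroyed = 0;
    Layer* layer = new Layer();       // refcount 0 until an owner takes it
    ContainerLayer container;
    ShadowLayerParent actor;
    container.InsertChild(layer);     // refcount 1
    actor.Bind(layer);                // refcount 2
    container.RemoveChild();          // refcount 1: nothing freed yet
    TeardownResult r = {gLayersDestroyed, 0};         // 0 deletions so far
    actor.ActorDestroy();             // refcount 0: freed exactly once
    r.destroyedAfterActorDestroy = gLayersDestroyed;  // 1
    return r;
}
```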
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated•11 years ago
status-b2g18: --- → fixed