Closed Bug 795179 Opened 12 years ago Closed 12 years ago

Web Activities intermittently cause segfault

Categories

(Firefox OS Graveyard :: General, defect, P1)


Tracking

(blocking-basecamp:+, b2g18 fixed)

RESOLVED DUPLICATE of bug 789399

People

(Reporter: benfrancis, Assigned: fabrice)

Details

(Keywords: crash)

On Desktop B2G...

STR
* Start up B2G
* Open the browser app
* Open bookmark menu
* Click "add to homescreen"
* click and drag the mouse around on the (empty) homescreen

Expected:
* See homescreen with icons, new icon gets added to screen

Actual:
* See empty homescreen, followed by complete crash of B2G

Output on console:

loading http://browser.gaiamobile.org:8080/start.html, 1
XXX FIXME : Got a mozContentEvent: activity-choice
[Child 3666] WARNING: pipe error (3): Connection reset by peer: file /home/tola/Code/hg.mozilla.org/mozilla-central/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 422
Segmentation fault


I can also sometimes reproduce this by just opening the browser app and pressing the home key to return to the homescreen, which I believe also triggers a web activity.

Vivien says this sometimes happens on the device too.

I'm not 100% sure it's caused by Web Activities, but it does seem to happen more often when carrying out actions which trigger them.
blocking-basecamp: ? → +
Keywords: crash
Assignee: nobody → fabrice
Priority: -- → P1
Here's a stack trace:

#0  0x00007f539e8b306c in mozilla::layers::ShadowLayerParent::ActorDestroy (this=0x7f53743c5760, 
    why=mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::Deletion)
    at /home/tim/workspace/b2g-desktop/gfx/layers/ipc/ShadowLayerParent.cpp:60
#1  0x00007f539e51194c in mozilla::layers::PLayerParent::DestroySubtree (this=0x7f53743c5760, 
    why=mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::Deletion)
    at /home/tim/workspace/b2g-desktop/objdir-ff-debug/ipc/ipdl/PLayerParent.cpp:324
#2  0x00007f539e5116c5 in mozilla::layers::PLayerParent::OnMessageReceived (this=0x7f53743c5760, __msg=...)
    at /home/tim/workspace/b2g-desktop/objdir-ff-debug/ipc/ipdl/PLayerParent.cpp:172
#3  0x00007f539e4de42f in mozilla::dom::PContentParent::OnMessageReceived (this=0x7f53747f9c00, __msg=...)
    at /home/tim/workspace/b2g-desktop/objdir-ff-debug/ipc/ipdl/PContentParent.cpp:1338
#4  0x00007f539e45a357 in mozilla::ipc::AsyncChannel::OnDispatchMessage (this=0x7f53747f9c10, msg=...)
    at /home/tim/workspace/b2g-desktop/ipc/glue/AsyncChannel.cpp:473
#5  0x00007f539e466cc5 in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x7f53747f9c10)
    at /home/tim/workspace/b2g-desktop/ipc/glue/RPCChannel.cpp:402
#6  0x00007f539e46ad4d in DispatchToMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)()> (
    obj=0x7f53747f9c10, method=
    (bool (mozilla::ipc::RPCChannel::*)(mozilla::ipc::RPCChannel * const)) 0x7f539e466a5e <mozilla::ipc::RPCChannel::OnMaybeDequeueOne()>, arg=...) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/tuple.h:383
#7  0x00007f539e46aca8 in RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run (this=0x7f5374639800) at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/task.h:307
#8  0x00007f539e4654cb in mozilla::ipc::RPCChannel::RefCountedTask::Run (this=0x7f5374819190)
    at ../../dist/include/mozilla/ipc/RPCChannel.h:425
#9  0x00007f539e4655ce in mozilla::ipc::RPCChannel::DequeueTask::Run (this=0x7f5378da9e40)
    at ../../dist/include/mozilla/ipc/RPCChannel.h:448
#10 0x00007f539e79e8c3 in MessageLoop::RunTask (this=0x7f53a10c0120, task=0x7f5378da9e40)
    at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:333
#11 0x00007f539e79e93b in MessageLoop::DeferOrRunPendingTask (this=0x7f53a10c0120, pending_task=...)
    at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:341
#12 0x00007f539e79ed11 in MessageLoop::DoWork (this=0x7f53a10c0120)
    at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:441
#13 0x00007f539e463a07 in mozilla::ipc::DoWorkRunnable::Run (this=0x7f53926276a0)
    at /home/tim/workspace/b2g-desktop/ipc/glue/MessagePump.cpp:42
#14 0x00007f539e74a3dc in nsThread::ProcessNextEvent (this=0x7f53a106f4a0, mayWait=false, result=0x7fff5e479f0f)
    at /home/tim/workspace/b2g-desktop/xpcom/threads/nsThread.cpp:612
#15 0x00007f539e6db382 in NS_ProcessNextEvent_P (thread=0x7f53a106f4a0, mayWait=false)
    at /home/tim/workspace/b2g-desktop/objdir-ff-debug/xpcom/build/nsThreadUtils.cpp:220
#16 0x00007f539e463c78 in mozilla::ipc::MessagePump::Run (this=0x7f5392676cc0, aDelegate=0x7f53a10c0120)
    at /home/tim/workspace/b2g-desktop/ipc/glue/MessagePump.cpp:82
#17 0x00007f539e79e403 in MessageLoop::RunInternal (this=0x7f53a10c0120)
    at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:215
#18 0x00007f539e79e394 in MessageLoop::RunHandler (this=0x7f53a10c0120)
    at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:208
#19 0x00007f539e79e36d in MessageLoop::Run (this=0x7f53a10c0120)
    at /home/tim/workspace/b2g-desktop/ipc/chromium/src/base/message_loop.cc:182
#20 0x00007f539e2e27d0 in nsBaseAppShell::Run (this=0x7f538b035cf0)
    at /home/tim/workspace/b2g-desktop/widget/xpwidgets/nsBaseAppShell.cpp:163
#21 0x00007f539e03e802 in nsAppStartup::Run (this=0x7f538981f4c0)
    at /home/tim/workspace/b2g-desktop/toolkit/components/startup/nsAppStartup.cpp:290
Valgrind gives the following:

==6969== Invalid read of size 8
==6969==    at 0x75BBCD8: mozilla::layers::ShadowLayerParent::ActorDestroy(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) (ShadowLayerParent.cpp:60)
==6969==    by 0x73A3DEB: mozilla::layers::PLayerParent::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) (PLayerParent.cpp:324)
==6969==    by 0x73A3F48: mozilla::layers::PLayerParent::OnMessageReceived(IPC::Message const&) (PLayerParent.cpp:172)
==6969==    by 0x7391BA1: mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) (PContentParent.cpp:1338)
==6969==    by 0x7353A7C: mozilla::ipc::AsyncChannel::OnDispatchMessage(IPC::Message const&) (AsyncChannel.cpp:473)
==6969==    by 0x735BCC0: mozilla::ipc::RPCChannel::OnMaybeDequeueOne() (RPCChannel.cpp:402)
==6969==    by 0x73266A1: RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run() (tuple.h:383)
==6969==    by 0x73590AA: mozilla::ipc::RPCChannel::DequeueTask::Run() (RPCChannel.h:425)
==6969==    by 0x751BD25: MessageLoop::RunTask(Task*) (message_loop.cc:333)
==6969==    by 0x751D84E: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (message_loop.cc:341)
==6969==    by 0x751DA83: MessageLoop::DoWork() (message_loop.cc:441)
==6969==    by 0x73585CE: mozilla::ipc::DoWorkRunnable::Run() (MessagePump.cpp:42)
==6969==  Address 0x176da7a8 is 168 bytes inside a block of size 832 free'd
==6969==    at 0x402B5B9: free (vg_replace_malloc.c:446)
==6969==    by 0x4041012: moz_free (mozalloc.cpp:51)
==6969==    by 0x75A3748: mozilla::layers::ShadowThebesLayerOGL::~ShadowThebesLayerOGL() (mozalloc.h:224)
==6969==    by 0x7594B0B: void mozilla::layers::ContainerRemoveChild<mozilla::layers::ShadowContainerLayerOGL>(mozilla::layers::ShadowContainerLayerOGL*, mozilla::layers::Layer*) (Layers.h:517)
==6969==    by 0x7594B34: mozilla::layers::ShadowContainerLayerOGL::RemoveChild(mozilla::layers::Layer*) (ContainerLayerOGL.cpp:418)
==6969==    by 0x75BCA96: mozilla::layers::ShadowLayersParent::RecvUpdate(InfallibleTArray<mozilla::layers::Edit> const&, mozilla::layers::TargetConfig const&, bool const&, InfallibleTArray<mozilla::layers::EditReply>*) (ShadowLayersParent.cpp:354)
==6969==    by 0x75BD7B5: mozilla::layers::ShadowLayersParent::RecvUpdateNoSwap(InfallibleTArray<mozilla::layers::Edit> const&, mozilla::layers::TargetConfig const&, bool const&) (ShadowLayersParent.cpp:154)
==6969==    by 0x73A9EE9: mozilla::layers::PLayersParent::OnMessageReceived(IPC::Message const&) (PLayersParent.cpp:353)
==6969==    by 0x7391BA1: mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) (PContentParent.cpp:1338)
==6969==    by 0x7353A7C: mozilla::ipc::AsyncChannel::OnDispatchMessage(IPC::Message const&) (AsyncChannel.cpp:473)
==6969==    by 0x735BCC0: mozilla::ipc::RPCChannel::OnMaybeDequeueOne() (RPCChannel.cpp:402)
==6969==    by 0x73266A1: RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run() (tuple.h:383)
Adding cjones as this looks like a use-after-free in the layers code.
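The memcheck paste above is the useful artifact in this bug: the first stack is where the freed layer was touched (ShadowLayerParent::ActorDestroy), the second is where it was released (the ShadowThebesLayerOGL destructor, reached from ContainerRemoveChild inside RecvUpdate). Pulling those two sites out of a long Valgrind log by hand is error-prone, so here is a small parser for that report format. It is an added example, not code from this bug or from Mozilla; the names parse_memcheck, UafReport and Frame are my own, the sample text is the report above trimmed to a few frames per stack, and it also accepts "Invalid write" reports and the "alloc'd" wording memcheck uses for heap overruns.

```python
"""Triage helper for Valgrind memcheck "Invalid read ... free'd" reports.

Added example for this bug page, not code from the bug or from Mozilla: it
splits a memcheck report into the access stack and the free stack so the two
sites that matter for a use-after-free can be read off a long paste.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "==PID==  at|by 0xADDR: <symbol> (<file:line>)". Symbols carry their own
# parentheses, so the location is the LAST parenthesised group on the line.
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(?P<func>.+)\s+\((?P<loc>[^()]+)\)\s*$")
ERROR_RE = re.compile(r"^==\d+==\s+Invalid (?P<kind>read|write) of size (?P<size>\d+)\s*$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (?P<off>\d+) bytes "
                     r"(?:inside|after|before) a block of size (?P<blk>\d+) (?P<state>free'd|alloc'd)")
# Allocator frames say nothing about *who* released the object; skip them.
ALLOCATOR_FUNCS = {"free", "malloc", "calloc", "realloc", "moz_free", "operator delete", "operator new"}


@dataclass
class Frame:
    func: str
    loc: str

    def name(self) -> str:
        """Symbol without its argument list; a '(' inside template args (<...>)
        is skipped. Assumption: the trace has no operator< / operator<< frames."""
        depth = 0
        for i, ch in enumerate(self.func):
            depth += (ch == "<") - (ch == ">")
            if ch == "(" and depth == 0:
                return self.func[:i]
        return self.func

    def is_allocator(self) -> bool:
        return self.name() in ALLOCATOR_FUNCS or self.loc.startswith("vg_replace_malloc")


@dataclass
class UafReport:
    kind: str
    size: int
    offset: int = -1
    block_size: int = -1
    state: str = ""
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)

    def access_site(self) -> Optional[Frame]:
        return self.access_stack[0] if self.access_stack else None

    def free_site(self) -> Optional[Frame]:
        """Innermost non-allocator frame of the free stack, usually a destructor."""
        return next((f for f in self.free_stack if not f.is_allocator()), None)

    def freed_by(self) -> Optional[Frame]:
        """Caller of free_site(): the code that dropped the last reference."""
        site = self.free_site()
        if site is None:
            return None
        i = self.free_stack.index(site) + 1
        return self.free_stack[i] if i < len(self.free_stack) else None


def parse_memcheck(text: str) -> List[UafReport]:
    """Return one UafReport per 'Invalid read/write' block in memcheck output."""
    reports: List[UafReport] = []
    cur: Optional[UafReport] = None
    in_free = False
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            cur = UafReport(kind=m["kind"], size=int(m["size"]))
            reports.append(cur)
            in_free = False
        elif cur is None or "Block was alloc'd at" in line:
            cur = None  # not inside a report, or past the optional allocation stack
        elif m := ADDR_RE.match(line):
            cur.offset, cur.block_size, cur.state = int(m["off"]), int(m["blk"]), m["state"]
            in_free = True
        elif m := FRAME_RE.match(line):
            (cur.free_stack if in_free else cur.access_stack).append(Frame(m["func"], m["loc"]))
    return reports


# Constructed sample: the memcheck block from the comment above, trimmed to a
# few frames per stack.
SAMPLE = """\
==6969== Invalid read of size 8
==6969==    at 0x75BBCD8: mozilla::layers::ShadowLayerParent::ActorDestroy(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) (ShadowLayerParent.cpp:60)
==6969==    by 0x73A3DEB: mozilla::layers::PLayerParent::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) (PLayerParent.cpp:324)
==6969==    by 0x73A3F48: mozilla::layers::PLayerParent::OnMessageReceived(IPC::Message const&) (PLayerParent.cpp:172)
==6969==    by 0x73266A1: RunnableMethod<mozilla::ipc::RPCChannel, bool (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run() (tuple.h:383)
==6969==  Address 0x176da7a8 is 168 bytes inside a block of size 832 free'd
==6969==    at 0x402B5B9: free (vg_replace_malloc.c:446)
==6969==    by 0x4041012: moz_free (mozalloc.cpp:51)
==6969==    by 0x75A3748: mozilla::layers::ShadowThebesLayerOGL::~ShadowThebesLayerOGL() (mozalloc.h:224)
==6969==    by 0x7594B0B: void mozilla::layers::ContainerRemoveChild<mozilla::layers::ShadowContainerLayerOGL>(mozilla::layers::ShadowContainerLayerOGL*, mozilla::layers::Layer*) (Layers.h:517)
==6969==    by 0x75BCA96: mozilla::layers::ShadowLayersParent::RecvUpdate(InfallibleTArray<mozilla::layers::Edit> const&, mozilla::layers::TargetConfig const&, bool const&, InfallibleTArray<mozilla::layers::EditReply>*) (ShadowLayersParent.cpp:354)
"""
```

Run on the sample, free_site() is the ShadowThebesLayerOGL destructor and freed_by() is ContainerRemoveChild, which is the pair worth pasting into the duplicate bug: the layer's last reference went away during an Update, while the PLayer actor for it was still alive and later dereferenced it from ActorDestroy. The offset (168 bytes into an 832-byte block) tells you which field of the freed layer line 60 touched, which is handy when comparing against a different build's trace.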
That stack trace makes a little more sense:

#3  0x00007fb2b6a8fb96 in malloc_printerr (action=3, str=0x7fb2b6b8b913 "free(): invalid pointer", 
    ptr=<optimized out>) at malloc.c:5007
#4  0x00007fb2b79fe013 in moz_free (ptr=<optimized out>)
    at /home/tim/workspace/b2g-desktop/memory/mozalloc/mozalloc.cpp:51
#5  0x00007fb2b52bf5cb in operator delete (ptr=0x1809f68) at ../../dist/include/mozilla/mozalloc.h:224
#6  mozilla::layers::Layer::~Layer (this=0x1809f68, __in_chrg=<optimized out>)
    at /home/tim/workspace/b2g-desktop/gfx/layers/Layers.cpp:296
#7  0x00007fb2b52ecd09 in Release (this=<optimized out>)
    at /home/tim/workspace/b2g-desktop/gfx/layers/Layers.h:517
#8  assign_assuming_AddRef (newPtr=0x0, this=0x3ad91a8) at ../../dist/include/nsAutoPtr.h:862
#9  assign_with_AddRef (rawPtr=0x0, this=0x3ad91a8) at ../../dist/include/nsAutoPtr.h:846
#10 operator= (rhs=0x0, this=0x3ad91a8) at ../../dist/include/nsAutoPtr.h:930
#11 mozilla::layers::ShadowLayerParent::ActorDestroy (this=0x3ad9180, why=<optimized out>)
    at /home/tim/workspace/b2g-desktop/gfx/layers/ipc/ShadowLayerParent.cpp:75

http://mxr.mozilla.org/mozilla-central/source/gfx/layers/ipc/ShadowLayerParent.cpp#75
That looks similar to bug 789399
Yes, that's exactly the same. I like your STR more but then comment #3 here contains a Valgrind trace that I think is very helpful because it shows where the area has been freed before.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE