Closed Bug 798980 Opened 7 years ago Closed 7 years ago

[b2g] Crash when opening an inline Activity

Categories: Core :: IPC, defect, P1, critical

Tracking: RESOLVED FIXED; Target Milestone mozilla19; blocking-basecamp +
Tracking Status: firefox17 --- unaffected; firefox18 --- fixed; firefox19 --- fixed

People: Reporter: vingtetun, Assigned: cpeterson

Attachments: 1 file

Steps to reproduce:
 - launch gaia on b2g desktop / device.
 - unlock the lock screen
 - on the homescreen do a long press (if this is a b2g desktop build you can simply hold the left button of the mouse)
 - see a screen coming in and choose 'camera'

Actual result: something goes wrong and the device restarts / the desktop build crashes

Expected result: the 'camera' app is launched.

Here is what I can see on a desktop build:

Program received signal SIGSEGV, Segmentation fault.
mozilla::layout::GetFrom (aFrameLoader=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:472
472	  nsIDocument* doc = aFrameLoader->GetOwnerDoc();
(gdb) 

(gdb) bt
#0  mozilla::layout::GetFrom (aFrameLoader=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:472
#1  0x00007ffff3396a25 in RenderFrameParent (this=0x7fffc77cdcc0, aFrameLoader=<value optimized out>, aScrollingBehavior=<value optimized out>, 
    aBackendType=0x7fffffffb404, aMaxTextureSize=0x7fffffffb400, aId=0x7fffffffb2d8)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:558
#2  0x00007ffff3feb5da in mozilla::dom::TabParent::AllocPRenderFrame (this=<value optimized out>, aScrolling=0x7fffffffb408, aBackend=0x7fffffffb404, 
    aMaxTextureSize=0x7fffffffb400, aLayersId=0x7fffffffb2d8) at /home/vivien/Devel/mozilla/b2g/desktop/src/dom/ipc/TabParent.cpp:1022
#3  0x00007ffff405738d in mozilla::dom::PBrowserParent::OnMessageReceived (this=0x7fffc7bc0c80, __msg=<value optimized out>, __reply=@0x7fffffffb738)
    at /home/vivien/Devel/mozilla/b2g/desktop/build/ipc/ipdl/PBrowserParent.cpp:1748
#4  0x00007ffff4068dd5 in mozilla::dom::PContentParent::OnMessageReceived (this=0x7fffc8077c00, __msg=..., __reply=@0x7fffffffb738)
    at /home/vivien/Devel/mozilla/b2g/desktop/build/ipc/ipdl/PContentParent.cpp:2274
#5  0x00007ffff401f0a3 in mozilla::ipc::SyncChannel::OnDispatchMessage (this=0x7fffc8077c10, msg=...)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/SyncChannel.cpp:144
#6  0x00007ffff401c696 in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x7fffc8077c10)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/RPCChannel.cpp:400
#7  0x00007ffff421ab55 in MessageLoop::RunTask (this=0x7ffff6deb240, task=0x7fffc88fc0e0)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:326
#8  0x00007ffff421ab8e in MessageLoop::DeferOrRunPendingTask (this=0x0, pending_task=<value optimized out>)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:334
#9  0x00007ffff421ae12 in MessageLoop::DoWork (this=0x7ffff6deb240) at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:434
#10 0x00007ffff40197e4 in mozilla::ipc::DoWorkRunnable::Run (this=<value optimized out>)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/MessagePump.cpp:42
#11 0x00007ffff41e6683 in nsThread::ProcessNextEvent (this=0x7ffff6d5b300, mayWait=true, result=0x7fffffffb99f)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/xpcom/threads/nsThread.cpp:612
#12 0x00007ffff419ef04 in NS_ProcessNextEvent_P (thread=0x0, mayWait=true) at /home/vivien/Devel/mozilla/b2g/desktop/build/xpcom/build/nsThreadUtils.cpp:220
#13 0x00007ffff4019a9c in mozilla::ipc::MessagePump::Run (this=0x7ffff6dea600, aDelegate=0x7ffff6deb240)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/MessagePump.cpp:117
#14 0x00007ffff421b118 in MessageLoop::RunInternal (this=0x7ffff6deb240)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:208
#15 0x00007ffff421b164 in MessageLoop::RunHandler (this=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:201
#16 MessageLoop::Run (this=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:175
#17 0x00007ffff3f0c10f in nsBaseAppShell::Run (this=0x7fffe32b6430) at /home/vivien/Devel/mozilla/b2g/desktop/src/widget/xpwidgets/nsBaseAppShell.cpp:163
#18 0x00007ffff3d45195 in nsAppStartup::Run (this=0x7fffe3282150)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/components/startup/nsAppStartup.cpp:290
#19 0x00007ffff30640e4 in XREMain::XRE_mainRun (this=0x7fffffffbdf0) at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/xre/nsAppRunner.cpp:3782
#20 0x00007ffff30681dd in XREMain::XRE_main (this=0x7fffffffbdf0, argc=<value optimized out>, argv=0x7fffffffe1f8, aAppData=0x61c030)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/xre/nsAppRunner.cpp:3848
#21 0x00007ffff30683f1 in XRE_main (argc=3, argv=0x7fffffffe1f8, aAppData=0x61c030, aFlags=<value optimized out>)
    at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/xre/nsAppRunner.cpp:3923
#22 0x0000000000402a0d in do_main (argc=3, argv=0x7fffffffe1f8) at /home/vivien/Devel/mozilla/b2g/desktop/src/b2g/app/nsBrowserApp.cpp:154
---Type <return> to continue, or q <return> to quit---
#23 main (argc=3, argv=0x7fffffffe1f8) at /home/vivien/Devel/mozilla/b2g/desktop/src/b2g/app/nsBrowserApp.cpp:239
(gdb)
Jet: Can you help find an owner.
Assignee: nobody → bugs
blocking-basecamp: ? → +
This bug hurts the Smoke Tests and makes it impossible to go through multiple applications.
Severity: normal → critical
Priority: -- → P1
Looks like a null dereference here...

/home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:472
472	  nsIDocument* doc = aFrameLoader->GetOwnerDoc();
(gdb) 

(gdb) bt
#0  mozilla::layout::GetFrom (aFrameLoader=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:472
This is Jet's band-aid patch to check for a null FrameLoader. With this patch, the Camera app will "close with a problem", but at least the phone won't crash.
Comment on attachment 669616: crash-camera-not-phone.patch

Seems to be a valid case for GetFrameLoader() to return null, so we should guard for that.
Attachment #669616 - Flags: review?(roc)
There's a less band-aid'y patch developing in bug 796293, but it's probably worth taking this too.
Comment on attachment 669616: crash-camera-not-phone.patch

Brace { } the consequent and drop in an NS_ERROR("Can't allocate graphics resources, aborting subprocess");

r=me with that
Attachment #669616 - Flags: review?(roc) → review+
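The guard in the shape the review asked for, as an added C++ example that is not the bug's patch: Gecko's nsIDocument, nsFrameLoader, RenderFrameParent, TabParent and NS_ERROR are replaced by constructed stand-ins (the NS_ERROR stand-in counts calls so the guard path can be checked without capturing stderr), and the document URI is a constructed sample.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Constructed stand-ins for the Gecko types in the stack trace; not Gecko's real classes.
struct nsIDocument { std::string mURI; };

struct nsFrameLoader {
  nsIDocument* mOwnerDoc;
  nsIDocument* GetOwnerDoc() const { return mOwnerDoc; }
};

// Mirrors frame #0 of the trace: dereferences aFrameLoader with no null check,
// so a null loader faults here just as RenderFrameParent.cpp:472 did.
nsIDocument* GetFrom(nsFrameLoader* aFrameLoader) {
  return aFrameLoader->GetOwnerDoc();
}

struct RenderFrameParent {
  explicit RenderFrameParent(nsFrameLoader* aFrameLoader) : mDoc(GetFrom(aFrameLoader)) {}
  nsIDocument* mDoc;
};

// Hypothetical TabParent whose frame loader may already be gone (the "valid case" in the review).
struct TabParent {
  nsFrameLoader* mFrameLoader;
  nsFrameLoader* GetFrameLoader() const { return mFrameLoader; }
};

// Stand-in for NS_ERROR: reports to stderr and counts reports for later checking.
static int sErrorCount = 0;
#define NS_ERROR(msg) do { ++sErrorCount; std::fprintf(stderr, "NS_ERROR: %s\n", msg); } while (0)

// Guarded allocator: braced consequent, NS_ERROR, then a null return so the
// allocation fails cleanly instead of the parent process faulting on a null loader.
std::unique_ptr<RenderFrameParent> AllocPRenderFrame(TabParent& aTab) {
  nsFrameLoader* frameLoader = aTab.GetFrameLoader();
  if (!frameLoader) {
    NS_ERROR("Can't allocate graphics resources, aborting subprocess");
    return nullptr;
  }
  return std::make_unique<RenderFrameParent>(frameLoader);
}

int main() {
  nsIDocument doc{"app://camera.gaiamobile.org/index.html"};  // constructed sample URI
  nsFrameLoader loader{&doc};
  TabParent live{&loader}, detached{nullptr};
  std::printf("live: %s\n", AllocPRenderFrame(live) ? "allocated" : "null");
  std::printf("detached: %s (errors=%d)\n", AllocPRenderFrame(detached) ? "allocated" : "null", sErrorCount);
  return 0;
}
```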
To Chris for the landing...
Assignee: bugs → cpeterson
Status: NEW → ASSIGNED
https://hg.mozilla.org/integration/mozilla-inbound/rev/4aa947bc6364

btw, here is another case where GetFrameLoader()'s return value is used without a null check:

https://hg.mozilla.org/mozilla-central/file/22d192c5d1fd/dom/ipc/TabParent.cpp#l437
Target Milestone: --- → mozilla19
That code is only called during event dispatch, and the way the event-dispatch code finds the TabParent is through its nsFrameLoader.  So that one is fine.
Whiteboard: [needs-checkin-aurora]
https://hg.mozilla.org/mozilla-central/rev/4aa947bc6364
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Duplicate of this bug: 798699