Closed
Bug 805355
Opened 12 years ago
Closed 12 years ago
startup crash in _pixman_implementation_fill
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
mozilla19
Tracking | Status | |
---|---|---|
firefox18 | --- | unaffected |
firefox19 | --- | fixed |
fennec | 19+ | --- |
People
(Reporter: scoobidiver, Assigned: BenWa)
References
Details
(Keywords: crash, regression, topcrash, Whiteboard: [native-crash][startupcrash])
Crash Data
Attachments
(1 file)
975 bytes,
patch
|
blassey
:
review+
BenWa
:
checkin+
|
Details | Diff | Splinter Review |
It's similar to bug 795234.
It first appeared in 19.0a1/20121024 and is currently #1 top crasher in this build (hit by 10 users). The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=48502b61a63e&tochange=93cc1ee94291
Signature libxul.so@0xca9378 | arm_neon_fill More Reports Search
UUID 1d299365-0800-4ea4-8cef-beca72121024
Date Processed 2012-10-24 21:06:55
Uptime 27
Install Age 16.9 minutes since version was first installed.
Install Time 2012-10-24 20:51:00
Product FennecAndroid
Version 19.0a1
Build ID 20121024030643
Release Channel nightly
OS Android
OS Version 0.0.0 Linux 2.6.29-omap1 #1 PREEMPT Tue Feb 28 23:20:29 CET 2012 armv7l archos/g8/G8A/:2.2.1/FROYO/eng..20120228.232428:user/test-keys
Build Architecture arm
Build Architecture Info
Crash Reason SIGSEGV
Crash Address 0x52e00000
App Notes
AdapterDescription: 'Imagination Technologies -- PowerVR SGX 530 -- OpenGL ES 2.0 -- Model: A70S, Product: Archos 70 Internet Tablet, Manufacturer: archos, Hardware: archos'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+
archos A70S
archos/g8/G8A/:2.2.1/FROYO/eng..20120228.232428:user/test-keys
EMCheckCompatibility True
Adapter Vendor ID Imagination Technologies
Adapter Device ID PowerVR SGX 530
Device archos A70S
Android API Version 8 (REL)
Android CPU ABI armeabi-v7a
Frame Module Signature Source
0 libxul.so libxul.so@0xca9378
1 libxul.so arm_neon_fill pixman-arm-neon.c:226
2 libxul.so _pixman_implementation_fill pixman-implementation.c:182
3 libxul.so delegate_fill pixman-implementation.c:62
4 libxul.so _pixman_implementation_fill pixman-implementation.c:182
5 libxul.so _moz_pixman_fill pixman.c:772
6 libxul.so _clip_and_composite_boxes cairo-image-surface.c:2938
7 libxul.so _cairo_image_surface_fill cairo-image-surface.c:3750
8 libxul.so _cairo_surface_fill cairo-surface.c:2348
9 libxul.so _cairo_gstate_fill cairo-gstate.c:1290
10 libxul.so _moz_cairo_fill_preserve cairo.c:2459
11 libxul.so gfxContext::Fill gfxContext.cpp:310
12 libxul.so PresShell::RenderDocument nsPresShell.cpp:4304
13 libxul.so mozilla::AndroidBridge::TakeScreenshot AndroidBridge.cpp:2501
14 libxul.so ScreenshotRunnable::Run nsAppShell.cpp:89
15 libxul.so RunnableMethod<ScreenshotRunnable, tag_nsresult tuple.h:383
16 libxul.so MessageLoop::RunTask message_loop.cc:333
17 libxul.so MessageLoop::ProcessNextDelayedNonNestableTask message_loop.cc:231
18 libxul.so MessageLoop::DoIdleWork message_loop.cc:472
19 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:109
20 libxul.so MessageLoop::RunInternal message_loop.cc:215
21 libxul.so MessageLoop::Run message_loop.cc:208
22 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:163
23 libxul.so nsAppStartup::Run nsAppStartup.cpp:290
24 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3799
25 libxul.so XREMain::XRE_main nsAppRunner.cpp:3866
26 libxul.so XRE_main nsAppRunner.cpp:3941
More reports at:
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&query_search=signature&query_type=contains&query=arm_neon_fill&do_query=1
Reporter | ||
Updated•12 years ago
|
Crash Signature: [@ libxul.so@0xca9378 | arm_neon_fill] → [@ libxul.so@0xca9378 | arm_neon_fill]
[@ fast_path_fill]
Summary: crash in arm_neon_fill → startup crash in _pixman_implementation_fill
Reporter | ||
Comment 1•12 years ago
|
||
It stopped in 19.0a1/20121025. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=93cc1ee94291&tochange=5c82f5a5e90d
It might have been caused by the bustage of bug 803013 or bug 795259.
Reporter | ||
Comment 2•12 years ago
|
||
It's back in 19.0a1/20121026. The second regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5c82f5a5e90d&tochange=5ecff3e46ed5
tracking-fennec: --- → ?
Crash Signature: [@ libxul.so@0xca9378 | arm_neon_fill]
[@ fast_path_fill] → [@ libxul.so@0xca9378 | arm_neon_fill]
[@ libxul.so@0xcab3f8 | arm_neon_fill]
[@ fast_path_fill]
status-firefox18:
--- → unaffected
status-firefox19:
--- → affected
tracking-firefox19:
--- → ?
Reporter | ||
Updated•12 years ago
|
Crash Signature: [@ libxul.so@0xca9378 | arm_neon_fill]
[@ libxul.so@0xcab3f8 | arm_neon_fill]
[@ fast_path_fill] → [@ libxul.so@0xca9378 | arm_neon_fill]
[@ libxul.so@0xcab3f8 | arm_neon_fill]
[@ libxul.so@0xcab6f8 | arm_neon_fill]
[@ fast_path_fill]
Reporter | ||
Updated•12 years ago
|
Crash Signature: [@ libxul.so@0xca9378 | arm_neon_fill]
[@ libxul.so@0xcab3f8 | arm_neon_fill]
[@ libxul.so@0xcab6f8 | arm_neon_fill]
[@ fast_path_fill] → [@ libxul.so@0xca9378 | arm_neon_fill]
[@ libxul.so@0xcab3f8 | arm_neon_fill]
[@ libxul.so@0xcab6f8 | arm_neon_fill]
[@ libxul.so@0xcacdf8 | arm_neon_fill]
[@ fast_path_fill]
Comment 3•12 years ago
|
||
This crash occurred on the latest Nightly just after I tried to open a website from the Top Sites on about:home:
https://crash-stats.mozilla.com/report/index/bp-6eb1a842-7445-434b-8899-617372121030
--
Firefox 19.0a1 (2012-10-29)
Device: Galaxy R
OS: Android 2.3.4
Reporter | ||
Updated•12 years ago
|
Crash Signature: [@ libxul.so@0xca9378 | arm_neon_fill]
[@ libxul.so@0xcab3f8 | arm_neon_fill]
[@ libxul.so@0xcab6f8 | arm_neon_fill]
[@ libxul.so@0xcacdf8 | arm_neon_fill]
[@ fast_path_fill] → [@ libxul.so@0xca9378 | arm_neon_fill]
[@ libxul.so@0xcab3f8 | arm_neon_fill]
[@ libxul.so@0xcab6f8 | arm_neon_fill]
[@ libxul.so@0xcacdf8 | arm_neon_fill]
[@ libxul.so@0xcaccb8 | arm_neon_fill]
[@ libxul.so@0xca8af8 | arm_neon_fill]
[@ fast_path_fi…
Assignee | ||
Comment 4•12 years ago
|
||
This looks to be related to bug 795234.
Assignee | ||
Comment 5•12 years ago
|
||
Actually if that's the case then this crash should stop now that bug 795259 is landed. That would be 2012-10-26 or later.
Reporter | ||
Comment 6•12 years ago
|
||
(In reply to Benoit Girard (:BenWa) from comment #5)
> That would be 2012-10-26 or later.
That's not the case. There are crashes in the latest Nightly, about 15 per build since it appeared.
Assignee | ||
Comment 7•12 years ago
|
||
I'm curious what view your using to see 15 per build? In the table it looks like a few crashes per build.
In any case you're right. I'm trying to see what we're crashing. As I understand it this feature should be turned off so likely it's only half off and crashing when something tries to call it. Should be easy fix if that's the case.
Assignee | ||
Comment 8•12 years ago
|
||
I added an abort in TakeScreenshot and it is indeed getting called on startup:
I/GeckoScreenshotHandler(30805): Screenshotting disabled
I/Gecko (30805): SCREENSHOT?
Assignee: nobody → bgirard
Status: NEW → ASSIGNED
Reporter | ||
Comment 9•12 years ago
|
||
(In reply to Benoit Girard (:BenWa) from comment #7)
> I'm curious what view your using to see 15 per build?
The link at the bottom of comment 0.
Assignee | ||
Comment 10•12 years ago
|
||
Ohh I though those were just crashes with similar addresses, not different builds.
Alright I confirmed that the crash is because we dispatch a checkerboard screenshot event before the preference is read that is likely the cause of this crash.
Assignee | ||
Comment 11•12 years ago
|
||
This patch should fix this crash. The preference doesn't properly enable/disable the screenshot. We need to decide if we want to properly support the preference or remove the java screenshot. Until then this patch will fix the crash.
Attachment #676893 -
Flags: review?(blassey.bugs)
Reporter | ||
Updated•12 years ago
|
Crash Signature: fast_path_fill] → libxul.so@0x12009e4 | arm_neon_fill]
[@ libxul.so@0xcab1b8 | arm_neon_fill]
[@ fast_path_fill]
Comment 12•12 years ago
|
||
(In reply to Benoit Girard (:BenWa) from comment #11)
> Created attachment 676893 [details] [diff] [review]
> patch
>
> This patch should fix this crash. The preference doesn't properly
> enable/disable the screenshot. We need to decide if we want to properly
> support the preference or remove the java screenshot. Until then this patch
> will fix the crash.
it should, but we really shouldn't crash even as it is now - I think we should take this patch anyway, as it'll be a startup improvement (I think?)
Perhaps the Java code assumes ownership when it shouldn't, or perhaps freeing the buffer while there's a screenshot message in flight causes this crash? Maybe it could be better fixed by making sure not to do any screenshotting until the pref read is returned?
Assignee | ||
Comment 13•12 years ago
|
||
(In reply to Chris Lord [:cwiiis] from comment #12)
> Perhaps the Java code assumes ownership when it shouldn't, or perhaps
> freeing the buffer while there's a screenshot message in flight causes this
> crash? Maybe it could be better fixed by making sure not to do any
> screenshotting until the pref read is returned?
I think what happens is we free the buffer when we disable the sceenshot but don't check if we have a message queued and when we try to use it we crash. This looks like a race condition that depends in the timing of event execution so you may or may not crash.
The preference is broken, I looked brief at fixing it but the code calling it makes some bad assumption that makes it non trivial to fix. I say we fix this crash since the preference is broken to begin with and we file a follow up bug to either (1) remove the code, (2) fix the preference.
Comment 14•12 years ago
|
||
(In reply to Benoit Girard (:BenWa) from comment #13)
> (In reply to Chris Lord [:cwiiis] from comment #12)
> > Perhaps the Java code assumes ownership when it shouldn't, or perhaps
> > freeing the buffer while there's a screenshot message in flight causes this
> > crash? Maybe it could be better fixed by making sure not to do any
> > screenshotting until the pref read is returned?
>
> I think what happens is we free the buffer when we disable the sceenshot but
> don't check if we have a message queued and when we try to use it we crash.
> This looks like a race condition that depends in the timing of event
> execution so you may or may not crash.
That was the cause of bug 795234 but that should be fixed now. If not, I'd like to get a proper fix.
>
> The preference is broken, I looked brief at fixing it but the code calling
> it makes some bad assumption that makes it non trivial to fix. I say we fix
> this crash since the preference is broken to begin with and we file a follow
> up bug to either (1) remove the code, (2) fix the preference.
How soon will we have low-res tiles? if it is relatively soon, I'd be ok with taking this patch and a follow up to remove the code.
Assignee | ||
Comment 15•12 years ago
|
||
I don't think it will be this cycle. We will likely use a bit of time to stabilize progressive drawing (regressions and crashes) and that will put us at the end of a cycle to drop a major feature.
Comment 16•12 years ago
|
||
that's fine, but in this case let's take this bandaid and fix the race condition that it is papering over in case we need to turn screenshots back on at some point
Updated•12 years ago
|
Attachment #676893 -
Flags: review?(blassey.bugs) → review+
Updated•12 years ago
|
tracking-fennec: ? → 19+
Assignee | ||
Comment 17•12 years ago
|
||
Comment on attachment 676893 [details] [diff] [review]
patch
https://hg.mozilla.org/integration/mozilla-inbound/rev/ee249a58f7d7
Attachment #676893 -
Flags: checkin+
Assignee | ||
Comment 18•12 years ago
|
||
Filed bug 807775 to fix the preference.
Comment 19•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Reporter | ||
Updated•12 years ago
|
tracking-firefox19:
? → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•