B2G crash: nsHTMLMediaElement::UpdateAudioChannelPlayingState

Status: RESOLVED FIXED in Firefox 19 (defect)
Opened: 7 years ago; Closed: 7 years ago
Reporter: gwagner
Assigned: baku
Keywords: crash
Version: Trunk
Target Milestone: mozilla20
Hardware: ARM
OS: Gonk (Firefox OS)
Bug Flags: in-testsuite -
Firefox Tracking Flags: blocking-basecamp:+, firefox19 fixed, firefox20 fixed, b2g18 fixed
Whiteboard: [b2g-crash]
Attachments: 1 attachment

After receiving a phone call. With debug build on otoro phone.

We access a garbage collected object?

Program received signal SIGSEGV, Segmentation fault.
0x41970ec0 in nsQueryInterface::operator() (this=0xbe8f7b48, aIID=..., 
    answer=0xbe8f7b54)
    at /Volumes/2mac/gaia/3src/debotorobuild/xpcom/build/nsCOMPtr.cpp:14
14					status = mRawPtr->QueryInterface(aIID, answer);
(gdb) bt
#0  0x41970ec0 in nsQueryInterface::operator() (this=0xbe8f7b48, aIID=..., 
    answer=0xbe8f7b54)
    at /Volumes/2mac/gaia/3src/debotorobuild/xpcom/build/nsCOMPtr.cpp:14
#1  0x403e1d3e in nsCOMPtr<nsIRDFDelegateFactory>::assign_from_qi (
    this=0xbe8f7b84, qi=..., aIID=...) at ../../dist/include/nsCOMPtr.h:1163
#2  0x40be2f94 in nsCOMPtr (this=0xbe8f7b84, qi=...)
    at ../../../../dist/include/nsCOMPtr.h:556
#3  0x40be2b50 in nsCOMPtr<nsIAudioChannelAgent>::Assert_NoQueryNeeded (
    this=0x446c34f4) at ../../../../dist/include/nsCOMPtr.h:504
#4  0x40be1fc2 in nsCOMPtr<nsIAudioChannelAgent>::operator= (this=0x446c34f4, 
    rhs=0x0) at ../../../../dist/include/nsCOMPtr.h:625
#5  0x40be155a in nsHTMLMediaElement::UpdateAudioChannelPlayingState (
    this=0x446c3350)
    at /Volumes/2mac/gaia/3src/content/html/content/src/nsHTMLMediaElement.cpp:3586
#6  0x40bdefd2 in nsHTMLMediaElement::ChangeReadyState (this=0x446c3350, 
    aState=2)
    at /Volumes/2mac/gaia/3src/content/html/content/src/nsHTMLMediaElement.cpp:2877
#7  0x40bdee34 in nsHTMLMediaElement::UpdateReadyStateForData (
    this=0x446c3350, 
    aNextFrame=mozilla::MediaDecoderOwner::NEXT_FRAME_UNAVAILABLE)
    at /Volumes/2mac/gaia/3src/content/html/content/src/nsHTMLMediaElement.cpp:2822
#8  0x4109bf9a in mozilla::MediaDecoder::UpdateReadyStateForData (
    this=0x44530ba0)
    at /Volumes/2mac/gaia/3src/content/media/MediaDecoder.cpp:1019
#9  0x4109b47e in mozilla::MediaDecoder::PlaybackEnded (this=0x44530ba0)
    at /Volumes/2mac/gaia/3src/content/media/MediaDecoder.cpp:825
#10 0x40404bba in nsRunnableMethodImpl<tag_nsresult (mozilla::net::BackgroundFileSaverStreamListener::*)(), true>::Run (this=0x446d8180)
    at ../../../dist/include/nsThreadUtils.h:367
#11 0x419d804c in nsThread::ProcessNextEvent (this=0x43907240, mayWait=false, 
    result=0xbe8f7d77)
    at /Volumes/2mac/gaia/3src/xpcom/threads/nsThread.cpp:627
#12 0x4197806e in NS_ProcessNextEvent_P (thread=0x43907240, mayWait=false)
    at /Volumes/2mac/gaia/3src/debotorobuild/xpcom/build/nsThreadUtils.cpp:237
#13 0x416db8d6 in mozilla::ipc::MessagePump::Run (this=0x439022e0, 
    aDelegate=0xbe8f8890)
    at /Volumes/2mac/gaia/3src/ipc/glue/MessagePump.cpp:82



(gdb) p *this
$2 = {mRawPtr = 0x5a5a5a5a}
blocking-basecamp: --- → ?
Maybe Related:
Program received signal SIGSEGV, Segmentation fault.
0x403ed610 in nsRefPtr<nsTransportStatusEvent>::assign_assuming_AddRef (this=0x431f0400, newPtr=0x0) at ../../../dist/include/nsAutoPtr.h:864
864	            oldPtr->Release();
(gdb) bt
#0  0x403ed610 in nsRefPtr<nsTransportStatusEvent>::assign_assuming_AddRef (this=0x431f0400, newPtr=0x0) at ../../../dist/include/nsAutoPtr.h:864
#1  0x403ed584 in nsRefPtr<nsTransportStatusEvent>::assign_with_AddRef (this=0x431f0400, rawPtr=0x0) at ../../../dist/include/nsAutoPtr.h:848
#2  0x40e08992 in mozilla::StaticRefPtr<mozilla::dom::AudioChannelServiceChild>::operator= (this=0x431f0400, rhs=0x0)
    at ../../dist/include/mozilla/StaticPtr.h:111
#3  0x40e087c4 in mozilla::dom::AudioChannelServiceChild::Shutdown () at /Volumes/2mac/gaia/3src/dom/audiochannel/AudioChannelServiceChild.cpp:51
#4  0x40e073d0 in mozilla::dom::AudioChannelService::Shutdown () at /Volumes/2mac/gaia/3src/dom/audiochannel/AudioChannelService.cpp:58
#5  0x40641438 in nsLayoutStatics::Shutdown () at /Volumes/2mac/gaia/3src/layout/build/nsLayoutStatics.cpp:374
#6  0x40639d5e in nsLayoutStatics::Release () at /Volumes/2mac/gaia/3src/layout/build/nsLayoutStatics.h:44
#7  0x40a03730 in ~nsNodeInfoManager (this=0x45585c70, __in_chrg=<value optimized out>)
    at /Volumes/2mac/gaia/3src/content/base/src/nsNodeInfoManager.cpp:129
#8  0x4095d356 in nsNodeInfoManager::Release (this=0x45585c70) at ../../../dist/include/nsNodeInfoManager.h:38
#9  0x40962216 in ~nsRefPtr (this=0xbee0fe80, __in_chrg=<value optimized out>) at ../../../dist/include/nsAutoPtr.h:876
#10 0x40a032ea in nsNodeInfo::LastRelease (this=0x45090758) at /Volumes/2mac/gaia/3src/content/base/src/nsNodeInfo.cpp:244
#11 0x40a03046 in nsNodeInfo::Release (this=0x45090758) at /Volumes/2mac/gaia/3src/content/base/src/nsNodeInfo.cpp:190
#12 0x4196052e in nsXPCOMCycleCollectionParticipant::UnrootImpl (p=0x45090758)
    at /Volumes/2mac/gaia/3src/debotorobuild/xpcom/build/nsCycleCollectionParticipant.cpp:37
#13 0x419d6e06 in nsCycleCollector::CollectWhite (this=0x43956000, aListener=0x0) at /Volumes/2mac/gaia/3src/xpcom/base/nsCycleCollector.cpp:2409
#14 0x419d77e8 in nsCycleCollector::FinishCollection (this=0x43956000, aListener=0x0)
    at /Volumes/2mac/gaia/3src/xpcom/base/nsCycleCollector.cpp:2915
#15 0x419d7524 in nsCycleCollector::Collect (this=0x43956000, aMergeCompartments=false, aResults=0x0, aTryCollections=5, aListener=0x0)
    at /Volumes/2mac/gaia/3src/xpcom/base/nsCycleCollector.cpp:2799
#16 0x419d78c2 in nsCycleCollector::Shutdown (this=0x43956000) at /Volumes/2mac/gaia/3src/xpcom/base/nsCycleCollector.cpp:2968
#17 0x419d910e in nsCycleCollector_shutdown () at /Volumes/2mac/gaia/3src/xpcom/base/nsCycleCollector.cpp:3404
#18 0x4196a31c in mozilla::ShutdownXPCOM (servMgr=0x0) at /Volumes/2mac/gaia/3src/xpcom/build/nsXPComInit.cpp:622
#19 0x41969f6e in NS_ShutdownXPCOM_P (servMgr=0x0) at /Volumes/2mac/gaia/3src/xpcom/build/nsXPComInit.cpp:513
#20 0x403dbb12 in XRE_TermEmbedding () at /Volumes/2mac/gaia/3src/toolkit/xre/nsEmbedFunctions.cpp:196
#21 0x416c9008 in mozilla::ipc::ScopedXREEmbed::Stop (this=0x4392ca50) at /Volumes/2mac/gaia/3src/ipc/glue/ScopedXREEmbed.cpp:110
#22 0x4167f58c in mozilla::dom::ContentProcess::CleanUp (this=0x4392c800) at /Volumes/2mac/gaia/3src/dom/ipc/ContentProcess.cpp:37
#23 0x403dc13c in XRE_InitChildProcess (aArgc=5, aArgv=0xbee14a34, aProcess=GeckoProcessType_Content)
    at /Volumes/2mac/gaia/3src/toolkit/xre/nsEmbedFunctions.cpp:498
#24 0x0000862a in main (argc=6, argv=0xbee14a34) at /Volumes/2mac/gaia/3src/ipc/app/MozillaRuntimeMain.cpp:48
(gdb) p *this
$1 = {mRawPtr = 0x0}
(gdb)
The previous stack includes some CC fun.
If it's reproducible with a normal nightly build image, it would be nice to get a crash report ID for this, to see what signatures this brings up in the wild.
Keywords: crash
Whiteboard: [b2g-crash]
http://mxr.mozilla.org/mozilla-central/source/dom/audiochannel/AudioChannelServiceChild.cpp?rev=c82c7a4a7ca6&mark=50#47 at least looks wrong to me.
Deleting a smart pointer (though, I'm not familiar with StaticRefPtr)
Gah! That's totally wrong! I wish we wouldn't have removed nsDerivedSafe :(
Posted patch: patch
Is this the right way to remove the object?
Attachment #694740 - Flags: review?(bugs)
Attachment #694740 - Flags: review?(bugs) → review+
Keywords: checkin-needed
(In reply to Jonas Sicking (:sicking) from comment #5)
> Gah! That's totally wrong! I wish we wouldn't have removed nsDerivedSafe :(

Do you recall why we removed nsDerivedSafe? It probably has never been in StaticPtr, but aren't nsCOMPtr and nsRefPtr also dangerous nowadays?
Target Milestone: mozilla20 → ---
Does this also fix the crash from the first stack? Or should we file a separate bug for it?
Assignee: nobody → amarchesini
Flags: in-testsuite-
OS: Mac OS X → Gonk (Firefox OS)
Hardware: x86 → ARM
Version: unspecified → Trunk
(In reply to Gregor Wagner [:gwagner] from comment #9)
> Does this also fix the crash from the first stack? Or should we file a
> separate bug for it?

The fix sounded like guessing to me. Can you reproduce the crash with the patch applied? If not I'd consider it closed.
blocking-basecamp: ? → +
https://hg.mozilla.org/mozilla-central/rev/06661265d9e9
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Duplicate of this bug: 824227
Duplicate of this bug: 824294
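
The pattern raised in the comment above about deleting a smart pointer held in a StaticRefPtr, as an added example that is not part of this bug or of Mozilla's code: a simplified model in which `delete` is simulated with a flag, so the stale `Release()` is counted instead of crashing. `Service`, `StaticRefPtrModel`, `ModelDelete`, `ShutdownBuggy` and `ShutdownFixed` are hypothetical names, and the corrected form is an assumption because the landed patch is not shown on this page.

```cpp
#include <cstdio>

// Hypothetical stand-in for a refcounted service object; not Mozilla code.
struct Service {
    int  refcnt = 0;
    bool freed = false;     // set where a real build would free the memory
    int  staleReleases = 0; // Release() calls that arrived after the free
    void AddRef() { ++refcnt; }
    void Release() {
        if (freed) ++staleReleases;            // real build: use-after-free
        else if (--refcnt == 0) freed = true;  // real build: delete this
    }
};

// Stand-in for `delete p`: frees the object despite outstanding references.
void ModelDelete(Service* p) { if (p) p->freed = true; }

// Simplified model of a StaticRefPtr-style holder (assumed shape).
struct StaticRefPtrModel {
    Service* mRawPtr = nullptr;
    StaticRefPtrModel& operator=(Service* rhs) {
        if (rhs) rhs->AddRef();
        Service* old = mRawPtr; mRawPtr = rhs;
        if (old) old->Release();  // the oldPtr->Release() step in the second stack
        return *this;
    }
    operator Service*() const { return mRawPtr; }  // lets `delete holder;` compile
};

// Pattern flagged in the thread: delete through the holder, then null it.
int ShutdownBuggy() {
    Service svc; StaticRefPtrModel holder;
    holder = &svc;
    ModelDelete(holder);  // object freed while the holder still owns a reference
    holder = nullptr;     // holder now releases the freed object
    return svc.staleReleases;
}

// Assumed corrected form: only drop the reference; the last Release() frees.
int ShutdownFixed() {
    Service svc; StaticRefPtrModel holder;
    holder = &svc;
    holder = nullptr;
    return svc.freed ? svc.staleReleases : -1;  // -1 would mean a leak
}

int main() {
    std::printf("buggy=%d fixed=%d\n", ShutdownBuggy(), ShutdownFixed());
}
```

In a real build the stale `Release()` dereferences freed memory, which is where a crash like the ones in the stacks above would surface.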