Closed
Bug 828207
Opened 11 years ago
Closed 11 years ago
crash in mozilla::layout::RenderFrameParent::RenderFrameParent
Categories
(Firefox OS Graveyard :: General, defect)
Tracking
(blocking-b2g:tef+, blocking-basecamp:-, firefox19 wontfix, firefox20 wontfix, firefox21 fixed, b2g18 fixed, b2g18-v1.0.0 fixed)
RESOLVED
FIXED
B2G C4 (2jan on)
People
(Reporter: m1, Assigned: roc)
Details
(Keywords: crash, Whiteboard: [b2g-crash], QARegressExclude)
Crash Data
Attachments
(3 files)
107.90 KB,
text/plain
|
Details | |
2.49 KB,
patch
|
mattwoodrow
:
review+
|
Details | Diff | Splinter Review |
1.91 KB,
patch
|
cjones
:
review+
|
Details | Diff | Splinter Review |
Seen multiple times during stability test. See attached for minidump. Top frames: Crash reason: SIGSEGV Crash address: 0x0 Thread 0 (crashed) 0 libxul.so!mozilla::layout::RenderFrameParent::RenderFrameParent [RenderFrameParent.cpp : 603 + 0x0] r4 = 0x4233cd00 r5 = 0x00000000 r6 = 0x43c8b7e0 r7 = 0x423123c0 r8 = 0xbe9445e8 r9 = 0x0128ebf0 r10 = 0xbe9445e4 fp = 0x417ebd48 sp = 0xbe9444c8 lr = 0x40bbdd79 pc = 0x40b2d8d8 Found by: given as instruction pointer in context 1 libxul.so!mozilla::dom::TabParent::AllocPRenderFrame [TabParent.cpp : 1121 + 0x3] r4 = 0x4233cd00 r5 = 0xbe9445ec r6 = 0x43c8b7e0 r7 = 0xbe9445e8 r8 = 0xbe9445e4 r9 = 0x00000000 r10 = 0x00000001 fp = 0xbe944580 sp = 0xbe944518 pc = 0x41075663 Found by: call frame info 2 libxul.so!mozilla::dom::PBrowserParent::OnMessageReceived [PBrowserParent.cpp : 1789 + 0x1d] r4 = 0x48308710 r5 = 0xbe944754 r6 = 0x41075629 r7 = 0x0005001b r8 = 0xbe9445e4 r9 = 0x00000000 r10 = 0x00000001 fp = 0xbe944580 sp = 0xbe944540 pc = 0x410a9da5 Found by: call frame info 3 libxul.so!mozilla::dom::PContentParent::OnMessageReceived [PContentParent.cpp : 2410 + 0x9] r4 = 0x42313ca0 r5 = 0xbe944754 r6 = 0xbe94476c r7 = 0x404390c8 r8 = 0x41a15b18 r9 = 0x00000006 r10 = 0x00000000 fp = 0x00000000 sp = 0xbe944628 pc = 0x410b20a5 Found by: call frame info .extra file didn't contain anything of interest
Comment 1•11 years ago
|
||
Any information of which actions in the stability test were happening at the point of crash?
Reporter | ||
Comment 2•11 years ago
|
||
This instance was from the browser.py test we shared.
Updated•11 years ago
|
Severity: normal → critical
Crash Signature: [@ mozilla::layout::RenderFrameParent::RenderFrameParent]
Keywords: crash
Whiteboard: [b2g-crash]
Comment 3•11 years ago
|
||
Blocking for 1.0 not for basecamp. Jet, can you find an owner for this?
Assignee: nobody → bugs
blocking-b2g: --- → tef+
blocking-basecamp: ? → -
Comment 4•11 years ago
|
||
Does this fail consistently at a specific test, or after several stability test runs? Looks like a nullptr dereference, possibly OOM. I don't see any guard code around the offending line in RenderFrameParent.cpp but I also don't see much guard code elsewhere in that code. Rather than sprinkle null-checks here, I'd prefer to make an earlier allocation infallible and OOM-abort early & cleanly.
Comment 5•11 years ago
|
||
We need an owner here. Jet, except if you know the code well enough to fix this yourself, we really should assign this as soon as possible. We already lost a day here.
Reporter | ||
Comment 6•11 years ago
|
||
(In reply to Jet Villegas (:jet) from comment #4) > Does this fail consistently at a specific test, or after several stability > test runs? The latter, we have only seen this crash during multihour stability runs.
Comment 7•11 years ago
|
||
(In reply to Lucas Adamski from comment #3) > Blocking for 1.0 not for basecamp. Jet, can you find an owner for this? To Anthony for a look...
Assignee: bugs → ajones
Assignee | ||
Comment 8•11 years ago
|
||
I doubt this is OOM. The new RenderFrameParent is trying to retrieve the layer manager for the document that the frame belongs to (NOT the subdocument it manages), and apparently that's returning null. It's unlikely that there is not already a layer manager there considering this is a long-lived test and this process has the radio thread so I guess this process (and its widget) are old. (I can't tell for sure which process this crash is in, though.) There's not much data to go on here. I'll produce a debugging patch.
Assignee | ||
Comment 9•11 years ago
|
||
Assignee: ajones → roc
Attachment #700173 -
Flags: review?(matt.woodrow)
Assignee | ||
Comment 10•11 years ago
|
||
I believe this patch is somewhat reasonable. The information we're failing to set here is only advisory anyway. The main danger of this patch is that the underlying problem, whatever it is, will resurface in some even less understandable way.
Attachment #700174 -
Flags: review?(jones.chris.g)
Updated•11 years ago
|
Attachment #700173 -
Flags: review?(matt.woodrow) → review+
Comment on attachment 700174 [details] [diff] [review] Wallpaper fix for this bug Looks good. (This would be wrong-ish for non-omtc cross-process layers, but that's not really supported atm.)
Attachment #700174 -
Flags: review?(jones.chris.g) → review+
Updated•11 years ago
|
Keywords: checkin-needed
Assignee | ||
Comment 13•11 years ago
|
||
I'm not sure if I should just land this logging patch. It will add debug spew to all builds --- spew which is hopefully hardly ever triggered, but who knows.
Is that code relatively hot? If not, seems useful. (And d'oh, forgot about that patch when I pushed your fix.)
Going to go ahead and close this, and we can decide about landing the logging separately. https://hg.mozilla.org/releases/mozilla-b2g18/rev/f6573002716e
Status: NEW → RESOLVED
Closed: 11 years ago
status-b2g18:
--- → fixed
status-firefox19:
--- → wontfix
status-firefox20:
--- → wontfix
Resolution: --- → FIXED
Updated•11 years ago
|
Target Milestone: --- → B2G C4 (2jan on)
Updated•11 years ago
|
status-firefox21:
--- → fixed
Comment 17•11 years ago
|
||
Landed on mozilla-b2g18/gaia master prior to the 1/25 branching to mozilla-b2g18_v1_0_0/v1.0.0, updating status-b2g-v1.0.0 to fixed.
status-b2g18-v1.0.0:
--- → fixed
Updated•11 years ago
|
Whiteboard: [b2g-crash] → [b2g-crash], QARegressExclude
Comment 19•11 years ago
|
||
Cannot verify, need steps to black box test this issue.
You need to log in
before you can comment on or make changes to this bug.
Description
•