Closed Bug 831167 Opened 11 years ago Closed 11 years ago

crash in mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write

Categories

(Core :: DOM: Device Interfaces, defect)

Product:
Core
Component:
DOM: Device Interfaces
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla21
Project Flags:
blocking-b2g tef+
Tracking Flags:
Tracking Status
firefox19 --- wontfix
firefox20 --- wontfix
firefox21 --- fixed
b2g18 + verified
b2g18-v1.0.0 --- fixed

People

(Reporter: m1, Assigned: dougt)

Details

(Keywords: crash, Whiteboard: [b2g-crash][BTG-982])

Crash Data

Attachments

(2 files)

decoded minidump of crash
96.44 KB, text/plain
Details
patch v.1
1.87 KB, patch
bent.mozilla
: review+
Details | Diff | Splinter Review 
Seen during camcorder.py stability test run using AU 176.  

.extra file contains:
xpcom_runtime_abort([Parent 127] ###!!! ABORT: NULL actor value passed to non-nullable param: file /local/mnt/workspace/lnxbuild/project/release_dev_msm7627a_616740/checkout/out/target/product/msm7627a/obj/objdir-gecko/ipc/ipdl/PDeviceStorageRequestParent.cpp, line 634)

Top frames:
Thread 0 (crashed)
 0  libxul.so!mozalloc_abort [mozalloc_abort.cpp : 30 + 0x4]
     r4 = 0xbeeef6d4    r5 = 0x00000000    r6 = 0xffffffff    r7 = 0xbeeef2e8
     r8 = 0x41153219    r9 = 0x00000001   r10 = 0xbeeef2e8    fp = 0x4163958d
     sp = 0xbeeef2d0    lr = 0x415c95df    pc = 0x415c95e2
    Found by: given as instruction pointer in context
 1  libxul.so!NS_DebugBreak_P [nsDebugImpl.cpp : 423 + 0x5]
     r4 = 0xbeeef6d4    r5 = 0x00000000    r6 = 0xffffffff    r7 = 0xbeeef2e8
     r8 = 0x41153219    r9 = 0x00000001   r10 = 0xbeeef2e8    fp = 0x4163958d
     sp = 0xbeeef2d8    pc = 0x41153001
    Found by: call frame info
 2  libxul.so!mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write [PDeviceStorageRequestParent.cpp : 641 + 0x15]
     r4 = 0x00000000    r5 = 0x441beb00    r6 = 0x45477ee0    r7 = 0xbeeef78c
     r8 = 0x4af2dce0    r9 = 0x00000001   r10 = 0x4188a874    fp = 0xbeeef7b0
     sp = 0xbeeef708    pc = 0x41068651
    Found by: call frame info
 3  libxul.so!mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write [PDeviceStorageRequestParent.cpp : 721 + 0x7]
     r4 = 0xbeeef78c    r5 = 0x441beb00    r6 = 0x45477ee0    r7 = 0xbeeef78c
     r8 = 0x4af2dce0    r9 = 0x00000001   r10 = 0x4188a874    fp = 0xbeeef7b0
     sp = 0xbeeef728    pc = 0x4106867f
    Found by: call frame info
 4  libxul.so!mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write [PDeviceStorageRequestParent.cpp : 495 + 0x9]
     r4 = 0xbeeef78c    r5 = 0x441beb00    r6 = 0x45477ee0    r7 = 0xbeeef78c
     r8 = 0x4af2dce0    r9 = 0x00000001   r10 = 0x4188a874    fp = 0xbeeef7b0
     sp = 0xbeeef730    pc = 0x41068833
    Found by: call frame info
 5  libxul.so!mozilla::dom::devicestorage::PDeviceStorageRequestParent::Send__delete__ [PDeviceStorageRequestParent.cpp : 82 + 0x9]
     r4 = 0x45477ee0    r5 = 0x441beb00    r6 = 0x00000000    r7 = 0xbeeef78c
     r8 = 0x4af2dce0    r9 = 0x00000001   r10 = 0x4188a874    fp = 0xbeeef7b0
     sp = 0xbeeef750    pc = 0x41068965
    Found by: call frame info
Whiteboard: [BTG-982]
Severity: normal → critical
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write]
tracking-b2g18: --- → ?
Keywords: crash
Whiteboard: [BTG-982] → [b2g-crash][BTG-982]
Looks like this must be happening at [1]

294   ContentParent* cp = static_cast<ContentParent*>(mParent->Manager());
295   BlobParent* actor = cp->GetOrCreateActorForBlob(blob);
296 
297   BlobResponse response;
298   response.blobParent() = actor;
299 
300   unused <<  mParent->Send__delete__(mParent, response);

bent, this is the same kind of code that we "fixed" previously by adding a null check and bailing, right?  Maybe we should switch to an error response if we can't create the blob?

[1] http://mxr.mozilla.org/mozilla-central/source/dom/devicestorage/DeviceStorageRequestParent.cpp#295
Component: General → DOM: Device Interfaces
Product: Boot2Gecko → Core
ugh... looks like everywhere else, we check for a null actor.

And here we only assert:

http://mxr.mozilla.org/mozilla-central/source/dom/indexedDB/IDBObjectStore.cpp#3009
Assignee: nobody → doug.turner
Attached patch patch v.1Splinter Review 

        Attachment #703169 -
        Flags: review?(bent.mozilla)
blocking-b2g: tef? → tef+

          tracking-b2g18:
          ?+

    
    

    
  
Comment on attachment 703169 [details] [diff] [review]
patch v.1

Review of attachment 703169 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with this change:

::: dom/indexedDB/IDBObjectStore.cpp
@@ +3008,5 @@
>        BlobChild* actor =
>          contentChild->GetOrCreateActorForBlob(file.mFile);
>        NS_ASSERTION(actor, "This should never fail without aborting!");
> +      if (!actor) {
> +        continue;

This should return an error instead of continuing. Also, can you remove the assertion above?

        Attachment #703169 -
        Flags: review?(bent.mozilla) → review+

          status-firefox19:
          --- → wontfix

          status-firefox20:
          --- → wontfix

          status-firefox21:
          --- → fixed
Target Milestone: --- → mozilla21

    
    

    
  
Landed on mozilla-b2g18/gaia master prior to the 1/25 branching to mozilla-b2g18_v1_0_0/v1.0.0, updating status-b2g-v1.0.0 to fixed.

          status-b2g18-v1.0.0:
          --- → fixed

    
    

    
  
verified with 1.1 build of 20130322070202

assumes stability tests of this have passed since fix was landed.
Status: RESOLVED → VERIFIED

          status-b2g18:
          fixedverified

          You need to log in
          before you can comment on or make changes to this bug.