Closed Bug 831167 Opened 12 years ago Closed 12 years ago

crash in mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write

Categories

(Core :: DOM: Device Interfaces, defect)

Product:
Core
Component:
DOM: Device Interfaces
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla21
Project Flags:
blocking-b2g tef+
Tracking Flags:
Tracking Status
firefox19 --- wontfix
firefox20 --- wontfix
firefox21 --- fixed
b2g18 + verified
b2g18-v1.0.0 --- fixed

People

(Reporter: m1, Assigned: dougt)

Details

(Keywords: crash, Whiteboard: [b2g-crash][BTG-982])

Crash Data

Attachments

(2 files)

decoded minidump of crash
96.44 KB, text/plain
Details
patch v.1
1.87 KB, patch
bent.mozilla
: review+
Details | Diff | Splinter Review
Seen during camcorder.py stability test run using AU 176. .extra file contains: xpcom_runtime_abort([Parent 127] ###!!! ABORT: NULL actor value passed to non-nullable param: file /local/mnt/workspace/lnxbuild/project/release_dev_msm7627a_616740/checkout/out/target/product/msm7627a/obj/objdir-gecko/ipc/ipdl/PDeviceStorageRequestParent.cpp, line 634) Top frames: Thread 0 (crashed) 0 libxul.so!mozalloc_abort [mozalloc_abort.cpp : 30 + 0x4] r4 = 0xbeeef6d4 r5 = 0x00000000 r6 = 0xffffffff r7 = 0xbeeef2e8 r8 = 0x41153219 r9 = 0x00000001 r10 = 0xbeeef2e8 fp = 0x4163958d sp = 0xbeeef2d0 lr = 0x415c95df pc = 0x415c95e2 Found by: given as instruction pointer in context 1 libxul.so!NS_DebugBreak_P [nsDebugImpl.cpp : 423 + 0x5] r4 = 0xbeeef6d4 r5 = 0x00000000 r6 = 0xffffffff r7 = 0xbeeef2e8 r8 = 0x41153219 r9 = 0x00000001 r10 = 0xbeeef2e8 fp = 0x4163958d sp = 0xbeeef2d8 pc = 0x41153001 Found by: call frame info 2 libxul.so!mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write [PDeviceStorageRequestParent.cpp : 641 + 0x15] r4 = 0x00000000 r5 = 0x441beb00 r6 = 0x45477ee0 r7 = 0xbeeef78c r8 = 0x4af2dce0 r9 = 0x00000001 r10 = 0x4188a874 fp = 0xbeeef7b0 sp = 0xbeeef708 pc = 0x41068651 Found by: call frame info 3 libxul.so!mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write [PDeviceStorageRequestParent.cpp : 721 + 0x7] r4 = 0xbeeef78c r5 = 0x441beb00 r6 = 0x45477ee0 r7 = 0xbeeef78c r8 = 0x4af2dce0 r9 = 0x00000001 r10 = 0x4188a874 fp = 0xbeeef7b0 sp = 0xbeeef728 pc = 0x4106867f Found by: call frame info 4 libxul.so!mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write [PDeviceStorageRequestParent.cpp : 495 + 0x9] r4 = 0xbeeef78c r5 = 0x441beb00 r6 = 0x45477ee0 r7 = 0xbeeef78c r8 = 0x4af2dce0 r9 = 0x00000001 r10 = 0x4188a874 fp = 0xbeeef7b0 sp = 0xbeeef730 pc = 0x41068833 Found by: call frame info 5 libxul.so!mozilla::dom::devicestorage::PDeviceStorageRequestParent::Send__delete__ [PDeviceStorageRequestParent.cpp : 82 + 0x9] r4 = 0x45477ee0 r5 = 0x441beb00 r6 = 0x00000000 r7 = 0xbeeef78c r8 = 0x4af2dce0 r9 = 0x00000001 r10 = 0x4188a874 fp = 0xbeeef7b0 sp = 0xbeeef750 pc = 0x41068965 Found by: call frame info
Whiteboard: [BTG-982]
Severity: normal → critical
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | mozilla::dom::devicestorage::PDeviceStorageRequestParent::Write]
tracking-b2g18: --- → ?
Keywords: crash
Whiteboard: [BTG-982] → [b2g-crash][BTG-982]
Looks like this must be happening at [1] 294 ContentParent* cp = static_cast<ContentParent*>(mParent->Manager()); 295 BlobParent* actor = cp->GetOrCreateActorForBlob(blob); 296 297 BlobResponse response; 298 response.blobParent() = actor; 299 300 unused << mParent->Send__delete__(mParent, response); bent, this is the same kind of code that we "fixed" previously by adding a null check and bailing, right? Maybe we should switch to an error response if we can't create the blob? [1] http://mxr.mozilla.org/mozilla-central/source/dom/devicestorage/DeviceStorageRequestParent.cpp#295
Component: General → DOM: Device Interfaces
Product: Boot2Gecko → Core
ugh... looks like everywhere else, we check for a null actor. And here we only assert: http://mxr.mozilla.org/mozilla-central/source/dom/indexedDB/IDBObjectStore.cpp#3009
Assignee: nobody → doug.turner
Attached patch patch v.1Splinter Review
Attachment #703169 - Flags: review?(bent.mozilla)
blocking-b2g: tef? → tef+
tracking-b2g18: ?+
Comment on attachment 703169 [details] [diff] [review] patch v.1 Review of attachment 703169 [details] [diff] [review]: ----------------------------------------------------------------- r=me with this change: ::: dom/indexedDB/IDBObjectStore.cpp @@ +3008,5 @@ > BlobChild* actor = > contentChild->GetOrCreateActorForBlob(file.mFile); > NS_ASSERTION(actor, "This should never fail without aborting!"); > + if (!actor) { > + continue; This should return an error instead of continuing. Also, can you remove the assertion above?
Attachment #703169 - Flags: review?(bent.mozilla) → review+
status-firefox19: --- → wontfix
status-firefox20: --- → wontfix
status-firefox21: --- → fixed
Target Milestone: --- → mozilla21
Landed on mozilla-b2g18/gaia master prior to the 1/25 branching to mozilla-b2g18_v1_0_0/v1.0.0, updating status-b2g-v1.0.0 to fixed.
status-b2g18-v1.0.0: --- → fixed
verified with 1.1 build of 20130322070202 assumes stability tests of this have passed since fix was landed.
Status: RESOLVED → VERIFIED
status-b2g18: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: