Closed Bug 851667 Opened 11 years ago Closed 11 years ago

handle PGrallocBufferChild allocation failure

Categories

(Firefox OS Graveyard :: General, defect)

Product:
Firefox OS Graveyard
Component:
General
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(blocking-b2g:tef+, firefox21 wontfix, firefox22 wontfix, firefox23 fixed, b2g18 fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 fixed)

Status:
RESOLVED FIXED
Milestone:
B2G C4 (2jan on)
Project Flags:
blocking-b2g tef+
Tracking Flags:
Tracking Status
firefox21 --- wontfix
firefox22 --- wontfix
firefox23 --- fixed
b2g18 --- fixed
b2g18-v1.0.0 --- wontfix
b2g18-v1.0.1 --- fixed

People

(Reporter: ggrisco, Assigned: sotaro)

Details

(Keywords: crash, Whiteboard: c=performance [b2g-crash][CR 462608], QARegressExclude)

Crash Data

Attachments

(6 files, 1 obsolete file)

EXTRA file attachment
774 bytes, text/plain
Details
stack track of the setting app's crash 2
489 bytes, text/plain
Details
stack track of the setting app's crash 3
3.40 KB, text/plain
Details
stack track of the setting app's crash 4
550 bytes, text/plain
Details
patch v2 - handle SendPGrallocBufferConstructor() failure
1.30 KB, patch
sotaro
: review+
Details | Diff | Splinter Review
patch v2 for b2g18 - handle SendPGrallocBufferConstructor() failure
1.32 KB, patch
sotaro
: review+
Details | Diff | Splinter Review 
Operating system: Android
                  0.0.0 Linux 3.0.21-perf-ga73c871-00003-g40a4c39 #1 SMP PREEMPT Sat Feb 23 19:26:22 PST 2013 armv7l qcom/msm7627a/msm7627a:4.0.4/IMM76I/eng.lnxbuild.20130223.192112:userdebug/test-keys
CPU: arm
     0 CPUs

Crash reason:  SIGSEGV
Crash address: 0x30

Thread 0 (crashed)
 0  libxul.so!android::sp<android::GraphicBuffer>::operator= [StrongPointer.h : 156 + 0x0]
     r4 = 0x00000030    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x44102998
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00003000    fp = 0xbef71428
     sp = 0xbef71108    lr = 0x40c5adf3    pc = 0x40c5ad84
    Found by: given as instruction pointer in context
 1  libxul.so!mozilla::layers::ShadowLayerForwarder::PlatformAllocBuffer [ShadowLayerUtilsGralloc.cpp : 243 + 0x3]
     r4 = 0xbef71124    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x44102998
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00003000    fp = 0xbef71428
     sp = 0xbef71118    pc = 0x40c5adf3
    Found by: call frame info
 2  libxul.so!mozilla::layers::ShadowLayerForwarder::AllocBufferWithCaps [ShadowLayers.cpp : 441 + 0x5]
     r4 = 0x442b31ec    r5 = 0x00003000    r6 = 0xbef712b0    r7 = 0x44102998
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00003000    fp = 0xbef71428
     sp = 0xbef71158    pc = 0x40c58adb
    Found by: call frame info
 3  libxul.so!mozilla::layers::ShadowLayerForwarder::AllocBuffer [ShadowLayers.cpp : 428 + 0x7]
     r4 = 0x442b3000    r5 = 0x442b31ec    r6 = 0xbef71458    r7 = 0x00003000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00003000    fp = 0xbef71428
     sp = 0xbef71180    pc = 0x40c58b1f
    Found by: call frame info
 4  libxul.so!mozilla::layers::BasicShadowableThebesLayer::CreateBuffer [BasicThebesLayer.cpp : 456 + 0x7]
     r4 = 0x442b3000    r5 = 0x442b31ec    r6 = 0xbef71458    r7 = 0x00003000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00003000    fp = 0xbef71428
     sp = 0xbef71190    pc = 0x40c3dc5b
    Found by: call frame info
 5  libxul.so!mozilla::layers::BasicThebesLayerBuffer::CreateBuffer [BasicBuffers.cpp : 64 + 0x7]
     r4 = 0x442b31b8    r5 = 0xbef714d0    r6 = 0x40c3e6b9    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00003000    fp = 0xbef71428
     sp = 0xbef712d8    pc = 0x40c3e6c3
    Found by: call frame info
 6  libxul.so!mozilla::layers::ThebesLayerBuffer::BeginPaint [ThebesLayerBuffer.cpp : 306 + 0x3]
     r4 = 0x442b31b8    r5 = 0xbef714d0    r6 = 0x40c3e6b9    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00003000    fp = 0xbef71428
     sp = 0xbef712e0    pc = 0x40c42deb
    Found by: call frame info
 7  libxul.so!mozilla::layers::BasicThebesLayer::PaintThebes [BasicThebesLayer.cpp : 172 + 0x13]
     r4 = 0x442b3000    r5 = 0x43b485c0    r6 = 0x00003000    r7 = 0x00000001
     r8 = 0xbef714d0    r9 = 0xbef727e8   r10 = 0xbef71bc4    fp = 0x404d9851
     sp = 0xbef714a8    pc = 0x40c3e391
    Found by: call frame info
 8  libxul.so!mozilla::layers::BasicShadowableThebesLayer::PaintThebes [BasicThebesLayer.cpp : 307 + 0x13]
     r4 = 0x442b3000    r5 = 0x43b485c0    r6 = 0x00000000    r7 = 0xbef71660
     r8 = 0x404d9851    r9 = 0xbef727e8   r10 = 0xbef71bc4    fp = 0x43959970
     sp = 0xbef71658    pc = 0x40c3e64d
    Found by: call frame info
 9  libxul.so!mozilla::layers::BasicLayerManager::PaintSelfOrChildren [BasicLayerManager.cpp : 826 + 0x15]
     r4 = 0xbef71818    r5 = 0x40c3e5b9    r6 = 0x44102920    r7 = 0x43b485c0
     r8 = 0x442b31ac    r9 = 0x442b3000   r10 = 0x44102920    fp = 0x43959970
     sp = 0xbef71758    pc = 0x40c3873d
    Found by: call frame info
10  libxul.so!mozilla::layers::BasicLayerManager::PaintLayer [BasicLayerManager.cpp : 939 + 0x9]
     r4 = 0x43b485c0    r5 = 0x442b3000    r6 = 0x00000000    r7 = 0x442b3028
     r8 = 0x442b3028    r9 = 0xbef71818   r10 = 0x44102920    fp = 0x43959970
     sp = 0xbef717c0    pc = 0x40c38bb7
    Found by: call frame info
11  libxul.so!mozilla::layers::BasicLayerManager::PaintSelfOrChildren [BasicLayerManager.cpp : 841 + 0x17]
     r4 = 0xbef71c40    r5 = 0x00000002    r6 = 0x44102920    r7 = 0x43b485c0
     r8 = 0xbef71bc4    r9 = 0x442b1000   r10 = 0x44102920    fp = 0x43959970
     sp = 0xbef71b80    pc = 0x40c387a1
    Found by: call frame info
12  libxul.so!mozilla::layers::BasicLayerManager::PaintLayer [BasicLayerManager.cpp : 939 + 0x9]
     r4 = 0x43b485c0    r5 = 0x442b1000    r6 = 0x00000000    r7 = 0x442b1028
     r8 = 0xbef71c40    r9 = 0xbef71e28   r10 = 0x44102920    fp = 0x43959970
     sp = 0xbef71be8    pc = 0x40c38bb7
    Found by: call frame info
13  libxul.so!mozilla::layers::BasicLayerManager::PaintSelfOrChildren [BasicLayerManager.cpp : 841 + 0x17]
     r4 = 0xbef72068    r5 = 0x00000001    r6 = 0x44102920    r7 = 0x43b485c0
     r8 = 0xbef71fec    r9 = 0x445fcc00   r10 = 0x44102920    fp = 0x43959970
     sp = 0xbef71fa8    pc = 0x40c387a1
    Found by: call frame info
14  libxul.so!mozilla::layers::BasicLayerManager::PaintLayer [BasicLayerManager.cpp : 939 + 0x9]
     r4 = 0x43b485c0    r5 = 0x445fcc00    r6 = 0x00000000    r7 = 0x445fcc28
     r8 = 0xbef72068    r9 = 0xbef72068   r10 = 0x44102920    fp = 0x43959970
     sp = 0xbef72010    pc = 0x40c38bb7
    Found by: call frame info
15  libxul.so!mozilla::layers::BasicLayerManager::EndTransactionInternal [BasicLayerManager.cpp : 586 + 0x13]
     r4 = 0x44102920    r5 = 0xbef7257c    r6 = 0xbef72460    r7 = 0x00000002
     r8 = 0xbef72498    r9 = 0xbef727e8   r10 = 0x40c3b22d    fp = 0x43960160
     sp = 0xbef723d0    pc = 0x40c3935d
    Found by: call frame info
16  libxul.so!mozilla::layers::BasicLayerManager::EndTransaction [BasicLayerManager.cpp : 509 + 0x3]
     r4 = 0x00000000    r5 = 0x00000002    r6 = 0xbef727e8    r7 = 0x404d9851
     r8 = 0x445b6320    r9 = 0x00000000   r10 = 0x4148d5c4    fp = 0x43960160
     sp = 0xbef725c0    pc = 0x40c393f1
    Found by: call frame info
17  libxul.so!mozilla::layers::BasicShadowLayerManager::EndTransaction [BasicLayerManager.cpp : 1149 + 0x3]
     r4 = 0x44102920    r5 = 0x00000002    r6 = 0xbef727e8    r7 = 0x404d9851
     r8 = 0x445b6320    r9 = 0x00000000   r10 = 0x4148d5c4    fp = 0x43960160
     sp = 0xbef725c8    pc = 0x40c39827
    Found by: call frame info
18  libxul.so!nsDisplayList::PaintForFrame [nsDisplayList.cpp : 1144 + 0x7]
     r4 = 0x44102920    r5 = 0x4395a780    r6 = 0x445fcc00    r7 = 0xbef727e8
     r8 = 0x445b6320    r9 = 0x00000000   r10 = 0x4148d5c4    fp = 0x43960160
     sp = 0xbef72660    pc = 0x404f8d83
    Found by: call frame info
19  libxul.so!nsDisplayList::PaintRoot [nsDisplayList.cpp : 1009 + 0xd]
     r4 = 0x00000000    r5 = 0xbef727e8    r6 = 0xbef72b70    r7 = 0x0000000d
     r8 = 0xbef72b40    r9 = 0x00000000   r10 = 0x00000000    fp = 0x442b5000
     sp = 0xbef72788    pc = 0x404f8ee9
    Found by: call frame info
20  libxul.so!nsLayoutUtils::PaintFrame [nsLayoutUtils.cpp : 1955 + 0x7]
     r4 = 0x434ba800    r5 = 0x00000000    r6 = 0x00000304    r7 = 0xbef727e8
     r8 = 0xbef72b40    r9 = 0x00000000   r10 = 0x00000000    fp = 0x442b5000
     sp = 0xbef727b0    pc = 0x405079f7
    Found by: call frame info
21  libxul.so!PresShell::Paint [nsPresShell.cpp : 5364 + 0xd]
     r4 = 0x44102920    r5 = 0x434ba800    r6 = 0x00000304    r7 = 0x43beeb00
     r8 = 0x00000001    r9 = 0x00000000   r10 = 0x442b5000    fp = 0xbef72d70
     sp = 0xbef72c20    pc = 0x40513be1
    Found by: call frame info
22  libxul.so!nsViewManager::ProcessPendingUpdatesForView [nsViewManager.cpp : 431 + 0x1f]
     r4 = 0x00000000    r5 = 0x43960160    r6 = 0x44286460    r7 = 0xbef72d70
     r8 = 0x40513925    r9 = 0x00000001   r10 = 0x43beeb00    fp = 0xbef72e58
     sp = 0xbef72d68    pc = 0x40726723
    Found by: call frame info
23  libxul.so!nsViewManager::ProcessPendingUpdates [nsViewManager.cpp : 1221 + 0x9]
     r4 = 0x44286460    r5 = 0xbef72eb8    r6 = 0x00000003    r7 = 0x4341ed80
     r8 = 0xfffffffc    r9 = 0x4148d5c4   r10 = 0xbef72e0c    fp = 0xbef72e58
     sp = 0xbef72dc0    pc = 0x407267bf
    Found by: call frame info
24  libxul.so!nsRefreshDriver::Notify [nsRefreshDriver.cpp : 436 + 0x5]
     r4 = 0x4341ed50    r5 = 0xbef72eb8    r6 = 0x00000003    r7 = 0x4341ed80
     r8 = 0xfffffffc    r9 = 0x4148d5c4   r10 = 0xbef72e0c    fp = 0xbef72e58
     sp = 0xbef72dc8    pc = 0x4051750f
    Found by: call frame info
25  libxul.so!nsTimerImpl::Fire [nsTimerImpl.cpp : 476 + 0x9]
     r4 = 0x44577e50    r5 = 0x4341ed50    r6 = 0x00000001    r7 = 0x00004c71
     r8 = 0xbef72fa7    r9 = 0x41a06bac   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef72f20    pc = 0x40bd9bb5
    Found by: call frame info
26  libxul.so!nsTimerEvent::Run [nsTimerImpl.cpp : 556 + 0x5]
     r4 = 0x44577e50    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000001
     r8 = 0xbef72fa7    r9 = 0x41a06bac   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef72f58    pc = 0x40bd9c63
    Found by: call frame info
27  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp : 620 + 0x5]
     r4 = 0x41a06b80    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000001
     r8 = 0xbef72fa7    r9 = 0x41a06bac   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef72f60    pc = 0x40bd7d9b
    Found by: call frame info
28  libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 237 + 0xb]
     r4 = 0x00000000    r5 = 0xbef738b8    r6 = 0x41a022f0    r7 = 0x00000001
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef72fa0    pc = 0x40bb81bf
    Found by: call frame info
29  libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp : 82 + 0x7]
     r4 = 0x41a022e0    r5 = 0xbef738b8    r6 = 0x41a022f0    r7 = 0x00000001
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef72fb0    pc = 0x40ad1ce9
    Found by: call frame info
30  libxul.so!mozilla::ipc::MessagePumpForChildProcess::Run [MessagePump.cpp : 231 + 0x7]
     r4 = 0xbef738b8    r5 = 0x41a022e0    r6 = 0xbef738b8    r7 = 0x00000001
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef72fd8    pc = 0x40ad1d9b
    Found by: call frame info
31  libxul.so!MessageLoop::RunInternal [message_loop.cc : 216 + 0x5]
     r4 = 0xbef738b8    r5 = 0x43472340    r6 = 0x41a06b80    r7 = 0x00000003
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef72ff0    pc = 0x40bf9bb1
    Found by: call frame info
32  libxul.so!MessageLoop::Run [message_loop.cc : 209 + 0x5]
     r4 = 0xbef738b8    r5 = 0x43472340    r6 = 0x41a06b80    r7 = 0x00000003
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef72ff8    pc = 0x40bf9c67
    Found by: call frame info
33  libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp : 163 + 0x7]
     r4 = 0x00000000    r5 = 0x43472340    r6 = 0x41a06b80    r7 = 0x00000003
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef73010    pc = 0x40a582f1
    Found by: call frame info
34  libxul.so!XRE_RunAppShell [nsEmbedFunctions.cpp : 646 + 0x5]
     r4 = 0xbef73024    r5 = 0x41a022e0    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef73020    pc = 0x403f4e5d
    Found by: call frame info
35  libxul.so!mozilla::ipc::MessagePumpForChildProcess::Run [MessagePump.cpp : 198 + 0x3]
     r4 = 0xbef738b8    r5 = 0x41a022e0    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef73038    pc = 0x40ad1d69
    Found by: call frame info
36  libxul.so!MessageLoop::RunInternal [message_loop.cc : 216 + 0x5]
     r4 = 0xbef738b8    r5 = 0x41a31190    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef73050    pc = 0x40bf9bb1
    Found by: call frame info
37  libxul.so!MessageLoop::Run [message_loop.cc : 209 + 0x5]
     r4 = 0xbef738b8    r5 = 0x41a31190    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef73058    pc = 0x40bf9c67
    Found by: call frame info
38  libxul.so!XRE_InitChildProcess [nsEmbedFunctions.cpp : 485 + 0xb]
     r4 = 0xbef738b8    r5 = 0x41a31190    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41a23000    r9 = 0x41a28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef73070    pc = 0x403f5201
    Found by: call frame info
39  plugin-container!main [MozillaRuntimeMain.cpp : 48 + 0x5]
     r4 = 0xbef73a14    r5 = 0x00000005    r6 = 0x00000006    r7 = 0xbef73a30
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef739e8    pc = 0x00008411
    Found by: call frame info
40  libc.so!__libc_init [libc_init_dynamic.c : 114 + 0x7]
     r4 = 0x000083d4    r5 = 0xbef73a14    r6 = 0x00000006    r7 = 0xbef73a30
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef739f8    pc = 0x400e8a77
    Found by: call frame info
41  0xb00045a9
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbef73a10    pc = 0xb00045ab
    Found by: call frame info
blocking-b2g: --- → tef?
(tef+ as this is a new stability issue that has appeared since the CS release.)
blocking-b2g: tef? → tef+
Greg, can you please attach the .extra file for this minidump?
Flags: needinfo?(ggrisco)
Crash Signature: [@ android::sp<android::GraphicBuffer>::operator= ]
No longer blocks: 848037
Attached file EXTRA file attachment 
Flags: needinfo?(ggrisco)

    
  
Whiteboard: [b2g-crash][BTG-1245] → [b2g-crash][CR 462608]

    
    

    
  
Jeff took a look at this.  He thinks an about:memory report might help here.

It looks like we're trying to allocate memory, that fails, and then we try to use that memory anyway?

Could this be adreno-related?

I know reproducibility is likely low here, but is there some semblance of an STR that we go on?  :)
Flags: needinfo?(ggrisco)

    
    

    
  
Trying to see if anyone from Taipei team can check this case as well.

    
    

    
  
(In reply to Andrew Overholt [:overholt] from comment #4)

> I know reproducibility is likely low here, but is there some semblance of an
> STR that we go on?  :)

The crash was reproducible in the last three AUs that we ran stability on.  It's just the STR cannot be clarified since the scripts that we run are doing multiple things and we don't know at what point the crash occurs.
Flags: needinfo?(ggrisco)

    
    

    
  
Ben, can you set up a Valgrind run with music playing on loop and some phone calls?

Maybe Greg can give you some more things to do like their scripts are doing?
Assignee: nobody → bent.mozilla
Flags: needinfo?(ggrisco)

    
    

    
  
wonder what's the latest on this bug? thannks

    
    

    
  
It's hard to make progress without an STR.

Greg, can you provide any more info that we can go on to investigate?  We can meet up in person if that'll help :)
Assignee: bent.mozilla → nobody

    
    

    
  
From Bug 851664 comment #28 , I got attachment 734313 [details]. And I also got 2 other stack traces from the custom rom. They are similar to comment #0.

    
    

    
  


  
A stack trace of the crash of comment #10

    
    

    
  


  
Another crash pattern of of comment #10.

    
    

    
  
attachment 734314 [details] and attachment 734315 [details] show stacks are corrupted.

    
    

    
  
Triaged on April 9th: Alan, could you help on this case? Thanks.
Flags: needinfo?(ahuang)

    
    

    
  
The backtrace from attachment 734315 [details] seems not reasonable. This usually happens when using optimized build or mismatched symbols.

I suggest using build with "ac_add_options --disable-optimize" (or export B2G_NOOPT=1). This could help a lot.
Flags: needinfo?(ahuang)

    
    

    
  
(In reply to Alan Huang [:ahuang] from comment #15)
> The backtrace from attachment 734315 [details] seems not reasonable. This
> usually happens when using optimized build or mismatched symbols.
> 
> I suggest using build with "ac_add_options --disable-optimize" (or export
> B2G_NOOPT=1). This could help a lot.

ahuang, thanks for the info. I created the ROM by setting "ac_add_options --disable-optimize". Though, I still got almost same stack.

    
    

    
  


  
crash on ROM applying "ac_add_options --disable-optimize".

    
  
Assignee: nobody → ahuang

    
    

    
  
Hello Sotaro,

(In reply to Sotaro Ikeda [:sotaro] from comment #17)
> Created attachment 734751 [details]
> stack track of the setting app's crash 4
> 
> crash on ROM applying "ac_add_options --disable-optimize".

According to your attachments, we suspect this occurs in gralloc register when deserialize. This would need device log and kernel log. If you have attached gdb on target process, then it won't died immediately when receive SIGSEGV or SIGABRT. lsof of that process could help us to know whether it would related to too many fd.

I think bugreport/dumpstate could help. Can you also provide bugreport? You can use "adb bugreport > bugreport.txt" to get it. Thank you!

    
    

    
  
isn't it the same as bug 851664?

    
    

    
  
ahuang, attachment 734751 [details] is just an artificial crashe that I made to analyze bug 851664. From Bug 851664 comment #38, I am thinking IPC falure might triggers the crash.

    
    

    
  
(In reply to Joe Cheng [:jcheng] from comment #19)
> isn't it the same as bug 851664?

I think the source of the bug is same.

    
    

    
  
I confirmed that an error check in ShadowLayerForwarder::PlatformAllocBuffer() is not correct. The function checks failure by following code. There are cases that "if (handle.Tnull_t == handle.type()) " can not detect failure.

>PGrallocBufferChild* gc =
>mShadowManager->SendPGrallocBufferConstructor(aSize, aContent, &handle);
>if (handle.Tnull_t == handle.type()) {
>  PGrallocBufferChild::Send__delete__(gc);
>  return false;
>}

    
    

    
  
(In reply to Sotaro Ikeda [:sotaro] from comment #22)
> I confirmed that an error check in
> ShadowLayerForwarder::PlatformAllocBuffer() is not correct. The function
> checks failure by following code. There are cases that "if (handle.Tnull_t
> == handle.type()) " can not detect failure.

In the case, PGrallocBufferChild* gc is null, it makes the crash. in GrallocBufferActor::InitFromHandle().

    
    

    
  


  
fix SendPGrallocBufferConstructor() failure handling correctly.

    
    

    
  
(In reply to Sotaro Ikeda [:sotaro] from comment #24)
> Created attachment 735408 [details] [diff] [review]
> patch - handle SendPGrallocBufferConstructor() failure
> 
> fix SendPGrallocBufferConstructor() failure handling correctly.

I confirmed that the crash in this bug is prevented by applying the patch on my custom rom on unagi.

    
    

    
  
Comment on attachment 735408 [details] [diff] [review]
patch - handle SendPGrallocBufferConstructor() failure

:jrmuizel, can you review the patch?

        Attachment #735408 -
        Flags: review?(jmuizelaar)

    
    

    
  
Comment on attachment 735408 [details] [diff] [review]
patch - handle SendPGrallocBufferConstructor() failure

Review of attachment 735408 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/layers/ipc/ShadowLayerUtilsGralloc.cpp
@@ +262,5 @@
>    MaybeMagicGrallocBufferHandle handle;
>    PGrallocBufferChild* gc =
>      mShadowManager->SendPGrallocBufferConstructor(aSize, aContent, &handle);
> +  if (!gc) {
> +    NS_ERROR("GrallocBufferConstructor failed by nullptr!");

How about "GrallocBufferConstructor failed by returned null"

@@ +265,5 @@
> +  if (!gc) {
> +    NS_ERROR("GrallocBufferConstructor failed by nullptr!");
> +    return false;
> +  } else if (handle.Tnull_t == handle.type()) {
> +    NS_ERROR("GrallocBufferConstructor failed by Tnull_t");

and "GrallocBufferConstructor failed by returning handle with type Tnull_t"

        Attachment #735408 -
        Flags: review?(jmuizelaar) → review+

    
    

    
  
(In reply to Jeff Muizelaar [:jrmuizel] from comment #27)
> Comment on attachment 735408 [details] [diff] [review]
> patch - handle SendPGrallocBufferConstructor() failure
> 
> Review of attachment 735408 [details] [diff] [review]:
> -----------------------------------------------------------------

I will update the patch as the comments.

    
    

    
  


  
Commitable patch. Carry "jmuizelaar: review+".

        Attachment #735408 -
        Attachment is obsolete: true

    
  

        Attachment #735880 -
        Flags: review+

    
    

    
  


  
Commitable patch for b2g18. Carry "jmuizelaar: review+".

        Attachment #735881 -
        Flags: review+

    
    

    
  
change summary as to summarize the bug.
Summary: Crash seen while playing music in background in repeat mode while on MO call → handle PGrallocBufferChild allocation failure

    
    

    
  
(In reply to Sotaro Ikeda [:sotaro] from comment #32)
> https://tbpl.mozilla.org/?tree=Try&rev=5de2f370550d

Linux is burning. It is not related to this change. The change is built only on gonk.

    
  
Keywords: checkin-needed

    
    

    
  
(In reply to Andrew Overholt [:overholt] from comment #7)

> Maybe Greg can give you some more things to do like their scripts are doing?

Not sure how helpful this is now, but I learned that this stacktrace was seen in for different scenarios:

1. (manual testing)
  a. Play music in background in repeat mode.
  b. Enable auto answer and receive MT (mobile terminated) calls randomly from other phones.
  c. Make MO (mobile originated) calls continuously using QXDM. (Short duration calls)
  d. After weekend run mini dumps are generated in the phone.

2. (test using script)

  a. Play Music in repeat mode in the background.
  b. Run a script which will do the following things sequentially.
    1. Airplane mode on and off, 
    2. MO call and 
    3. MO SMS.
    (Eg: First airplane mode on and off will be done for 5 times, then it will make 5 MO calls for each call wait for 10 seconds and ends the call then it will send 5 MO SMS )
  c. After night run we have seen mini dumps in the phone.

3. (manual testing)

  a. Play music in background in repeat mode.
  b. Enable auto answer and receive MT calls randomly from other phones.
  c. Turn ON BT. 
  d. Make MO calls continuously using QXDM. (Short duration calls)
  e. After weekend run mini dumps are generated in the phone.

4. (manual testing)

  a. Play music in background in repeat mode.
  b. Enable auto answer and receive MT calls randomly from other phones.
  c. Turn ON BT. 
  d. Make MO calls continuously using QXDM. (Short duration calls)
  e. After weekend run mini dumps are generated in the phone.
Flags: needinfo?(ggrisco)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/5c5faa6e978e
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → B2G C4 (2jan on)

    
  
Assignee: ahuang → sotaro.ikeda.g

    
  
Whiteboard: [b2g-crash][CR 462608] → c=performance [b2g-crash][CR 462608]

    
    

    
  
Unable to test. Marking as QARegressExclude.
Whiteboard: c=performance [b2g-crash][CR 462608] → c=performance [b2g-crash][CR 462608], QARegressExclude

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: