Closed Bug 853960 Opened 11 years ago Closed 6 years ago

B2G crashes as PGrallocBuffers are deleted, then passed to Send__delete__

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: bjacob, Unassigned)

Details

(Keywords: crash, Whiteboard: [b2g-crash])

Crash Data

Attachments

(2 files, 1 obsolete file)

xz-compressed GDB session log showing relevant stuff
64.06 KB, application/x-xz
Details
WIP patch, allows to get a bit further, still crashes
5.05 KB, patch
Details | Diff | Splinter Review 
This crash keeps haunting people both on mozilla-central and on the graphics branch --- so it's probably not specific to the graphics branch.

Here's what I get with the graphics branch (see attached GDB session) plus the attached working patch as we;ve been toying with various gfx/layers/ipc changes (credit mostly goes to jrmuizel btw).

Inside of PCompositorParent::DeallocSubtree, where we delete PLayers kids, we first call DeallocSubtree on kids, which deletes a PGrallocBufferParent (through PLayers), and then we call DeallocPLayers which goes through a long chain of destructors calling destructors and eventually, in the case of the graphics branch, we're in ~TextureHost() and that tries to Send__delete__ a PGrallocBufferParent that was destroyed above. Not sure how the crash would look like on mozilla-central but people (snorp) have definitely reported similar issues there (bug 829747).

Note that everytime we've reproduced, PCompositorParent::DeallocSubtree was being called by OnChannelError. At the moment on B2G+graphics branch the quickest way to reproduce is to launch the camera app.
Severity: normal → critical
Keywords: crash
Whiteboard: [b2g-crash]
Thanks again to Jeff who came up with this idea: that the crash is apparently caused by us failing to clean up earlier and that can be fixed by implementing ClearCachedResources.

This allows to get a bit further but we still crash:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1837.1863]
0x41f4c860 in ~ImageLayerComposite (this=0x46db8c00, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/composite/ImageLayerComposite.cpp:36
36        MOZ_ASSERT(mDestroyed);
(gdb) bt
#0  0x41f4c860 in ~ImageLayerComposite (this=0x46db8c00, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/composite/ImageLayerComposite.cpp:36
#1  0x41f4c8e6 in ~ImageLayerComposite (this=0x46db8c00, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/composite/ImageLayerComposite.cpp:37
#2  0x40f4afce in mozilla::layers::Layer::Release (this=0x46db8c90) at ../../dist/include/Layers.h:588
#3  0x41f4aa54 in mozilla::layers::ContainerLayerComposite::RemoveChild (this=0x44d0dc00, aChild=0x46db8c90) at /hack/mozilla-graphics/gfx/layers/composite/ContainerLayerComposite.cpp:249
#4  0x41f4a6b0 in ~ContainerLayerComposite (this=0x44d0dc00, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/composite/ContainerLayerComposite.cpp:179
#5  0x41f4a726 in ~ContainerLayerComposite (this=0x44d0dc00, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/composite/ContainerLayerComposite.cpp:181
#6  0x40f4afce in mozilla::layers::Layer::Release (this=0x44d0dc90) at ../../dist/include/Layers.h:588
#7  0x41f4aa54 in mozilla::layers::ContainerLayerComposite::RemoveChild (this=0x44d0e800, aChild=0x44d0dc90) at /hack/mozilla-graphics/gfx/layers/composite/ContainerLayerComposite.cpp:249
#8  0x41f4a6b0 in ~ContainerLayerComposite (this=0x44d0e800, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/composite/ContainerLayerComposite.cpp:179
#9  0x41f4a726 in ~ContainerLayerComposite (this=0x44d0e800, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/composite/ContainerLayerComposite.cpp:181
#10 0x40f4afce in mozilla::layers::Layer::Release (this=0x44d0e890) at ../../dist/include/Layers.h:588
#11 0x41f1990e in ~nsRefPtr (this=0x47c98270, __in_chrg=<value optimized out>) at ../../dist/include/nsAutoPtr.h:880
#12 0x41f8793c in ~ShadowLayersParent (this=0x47c98240, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/ipc/ShadowLayersParent.cpp:150
#13 0x41f8799a in ~ShadowLayersParent (this=0x47c98240, __in_chrg=<value optimized out>) at /hack/mozilla-graphics/gfx/layers/ipc/ShadowLayersParent.cpp:150
#14 0x41f6ae28 in mozilla::layers::CrossProcessCompositorParent::DeallocPLayers (this=0x487d0b20, aLayers=0x47c98240) at /hack/mozilla-graphics/gfx/layers/ipc/CompositorParent.cpp:1467
#15 0x41b53a66 in mozilla::layers::PCompositorParent::DeallocSubtree (this=0x487d0b20) at /hack/b2g/B2G/objdir-gecko/ipc/ipdl/PCompositorParent.cpp:837
#16 0x41b53c6e in mozilla::layers::PCompositorParent::OnChannelError (this=0x487d0b20) at /hack/b2g/B2G/objdir-gecko/ipc/ipdl/PCompositorParent.cpp:675

Apparently the reason why mDestroyed is false is Disconnect() or Destroy() were never called. How to fix that?
Attachment #728352 - Attachment is obsolete: true
Crash Signature: [@ ~ImageLayerComposite()]
Crash Signature: [@ ~ImageLayerComposite()] → [@ ~ImageLayerComposite()] [@ ~ImageLayerComposite]
Crash Signature: [@ ~ImageLayerComposite()] [@ ~ImageLayerComposite] → [@ ~ImageLayerComposite()] [@ ~ImageLayerComposite] [@ mozilla::layers::ImageLayerComposite::~ImageLayerComposite ]
Mass closing as we are no longer working on b2g/firefox os.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Mass closing as we are no longer working on b2g/firefox os.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: