Crash in the gallery application (not easily reproducible)

RESOLVED INCOMPLETE

Status

critical
6 years ago
2 years ago

People

(Reporter: milan, Assigned: bas.schouten)

Tracking

({crash})

Trunk
x86
Gonk (Firefox OS)
crash

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [b2g-crash], crash signature)

I can't tell if this is OOM, and it only happened once:
1. Flash the phone from trunk, debug build, attach gdb
2. Add the content: BUILD_APP_NAME=ds-test ./flash.sh gaia
3. Play some music, pause it
4. Go to the gallery app, scroll down for a while, before it's done loading, scroll back to the top.

Here's most of the trace.  Only happened once, same STR doesn't seem to reproduce it, but the stack could be useful:

#0  0x426a32d0 in mozalloc_abort (msg=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/memory/mozalloc/mozalloc_abort.cpp:30
#1  0x41d0def4 in Abort (aSeverity=3, aStr=<value optimized out>,
    aExpr=<value optimized out>, aFile=<value optimized out>, aLine=718)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/xpcom/base/nsDebugImpl.cpp:430
#2  NS_DebugBreak (aSeverity=3, aStr=<value optimized out>,
    aExpr=<value optimized out>, aFile=<value optimized out>, aLine=718)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/xpcom/base/nsDebugImpl.cpp:417
#3  0x41a329de in mozilla::layers::PLayerTransactionParent::DeallocShmem (
    this=<value optimized out>, aMem=...)
    at /Users/msreckovic/Repos/build-b2g/B2G/objdir-gecko/ipc/ipdl/PLayerTransactionParent.cpp:718
#4  0x41ddc568 in mozilla::layers::LayerTransactionParent::DeallocShmem (
    this=0xa4, aShmem=...)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/ipc/LayerTransactionParent.h:64
#5  0x41ddfd20 in mozilla::layers::ISurfaceAllocator::DestroySharedSurface (
    this=0x452fd998, aSurface=0x464b6d40)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/ipc/ISurfaceAllocator.cpp:118
#6  0x41de137c in ~TextureHost (this=0x464ff400,
    __in_chrg=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/composite/TextureHost.cpp:69
#7  0x41de1ee8 in ~TextureImageTextureHostOGL (this=0x464ff400,
    __in_chrg=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/opengl/TextureHostOGL.cpp:122
#8  0x41de1f02 in ~TextureImageTextureHostOGL (this=0xa4,
    __in_chrg=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/opengl/TextureHostOGL.cpp:122
#9  0x41dd5278 in mozilla::RefCounted<mozilla::layers::TextureSource>::Release
    (t=0xa4) at ../../dist/include/mozilla/RefPtr.h:76
#10 mozilla::RefPtr<mozilla::layers::TextureHost>::unref (t=0xa4)
    at ../../dist/include/mozilla/RefPtr.h:171
#11 0x41dd5f08 in mozilla::RefPtr<mozilla::layers::TextureHost>::assign (
    this=0x45355078, t=<value optimized out>)
    at ../../dist/include/mozilla/RefPtr.h:157
#12 mozilla::RefPtr<mozilla::layers::TextureHost>::operator= (this=0x45355078,
    t=<value optimized out>) at ../../dist/include/mozilla/RefPtr.h:132
#13 0x41dd64d4 in mozilla::layers::ContentHostDoubleBuffered::DestroyTextures (
    this=0x45355000)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/composite/ContentHost.cpp:364
#14 0x41dd655a in ~ContentHostDoubleBuffered (this=0xa4,
    __in_chrg=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/composite/ContentHost.cpp:304
#15 0x41dd658e in ~ContentHostDoubleBuffered (this=0xa4,
    __in_chrg=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/composite/ContentHost.cpp:306
#16 0x41dab570 in mozilla::RefCounted<mozilla::layers::CompositableHost>::Release (t=0xa4) at ../../dist/include/mozilla/RefPtr.h:76
#17 mozilla::RefPtr<mozilla::layers::CompositableHost>::unref (t=0xa4)
...

Here's more stack:

#17 mozilla::RefPtr<mozilla::layers::CompositableHost>::unref (t=0xa4)
    at ../../dist/include/mozilla/RefPtr.h:171
#18 0x41dabfdc in ~RefPtr (this=0x442c2380, __in_chrg=<value optimized out>)
    at ../../dist/include/mozilla/RefPtr.h:121
#19 ~CompositableParent (this=0x442c2380, __in_chrg=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/composite/CompositableHost.cpp:104
#20 0x41dabffa in ~CompositableParent (this=0xa4, 
    __in_chrg=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/gfx/layers/composite/CompositableHost.cpp:104
#21 0x40e5c842 in mozilla::net::NeckoParent::DeallocPCookieService (
    this=<value optimized out>, cs=0x478ff268)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/netwerk/ipc/NeckoParent.cpp:424
#22 0x41a37d04 in mozilla::layers::PLayerTransactionParent::DeallocSubtree (
    this=0x452fd970)
    at /Users/msreckovic/Repos/build-b2g/B2G/objdir-gecko/ipc/ipdl/PLayerTransactionParent.cpp:803
#23 0x41a2d910 in mozilla::layers::PCompositorParent::DeallocSubtree (
    this=0x4aa227e0)
    at /Users/msreckovic/Repos/build-b2g/B2G/objdir-gecko/ipc/ipdl/PCompositorParent.cpp:827
#24 0x41a2db3a in mozilla::layers::PCompositorParent::OnChannelError (
    this=0x4aa227e0)
    at /Users/msreckovic/Repos/build-b2g/B2G/objdir-gecko/ipc/ipdl/PCompositorParent.cpp:664
#25 0x419c1456 in mozilla::ipc::AsyncChannel::NotifyMaybeChannelError (
    this=0x4aa227f0)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/glue/AsyncChannel.cpp:568
#26 0x419c2534 in mozilla::ipc::AsyncChannel::OnNotifyMaybeChannelError (
    this=0x4aa227f0)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/glue/AsyncChannel.cpp:533
#27 0x419954c8 in DispatchToMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)()> (this=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/chromium/src/base/tuple.h:383
#28 RunnableMethod<mozilla::dom::ContentParent, void (mozilla::dom::ContentParent::*)(), Tuple0>::Run (this=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/chromium/src/base/task.h:307
#29 0x41d49772 in MessageLoop::RunTask (this=0x478ffdcc, task=0x47cf2280)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:337
#30 0x41d49f9c in MessageLoop::DeferOrRunPendingTask (this=0xa4, 
    pending_task=<value optimized out>)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:345
#31 0x41d4acee in MessageLoop::DoWork (this=0x478ffdcc)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:445
#32 0x41d4b07e in base::MessagePumpDefault::Run (this=0x46b61960, 
    delegate=0x478ffdcc)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/chromium/src/base/message_pump_default.cc:23
#33 0x41d49d26 in MessageLoop::RunInternal (this=0x478ffdcc)
    at /Users/msreckovic/Repos/build-b2g/B2G/gecko/ipc/chromium/src/base/message_loop.cc:219

Updated

6 years ago
Severity: normal → critical
Crash Signature: [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::PLayerTransactionParent::DeallocShmem(mozilla::layers::ipc::Shmem&)]
Keywords: crash
Whiteboard: [b2g-crash]
Same crash with a different workflow (open settings, open gallery, open camera - crash).

Bas, can you take a look?  It could be the same cycle collector issue, but I can't tell what bug number that is.  I can get it to abort the debug build with:
1. Make and flash a debug trunk build.
2. Open settings, fm radio, gallery.
3. Open camera app.  Just as the "do you want to share your location" overlay pops up, we'll crash.
Fifth function up the stack is: DeallocShmem(aSurface->get_YCbCrImage().data());
Assignee: nobody → bas

Benoit, needinfo to have you notice this seems to be another one of those SurfaceDescriptor issues.
Flags: needinfo?(bjacob)

Interesting; but at the moment I can't get b2g to use gralloc at all (bug 868556) and I run into other crashes all the time (bug 867813 comment 6).
Flags: needinfo?(bjacob)

Updated

3 years ago
Crash Signature: [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::PLayerTransactionParent::DeallocShmem(mozilla::layers::ipc::Shmem&)] → [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::PLayerTransactionParent::DeallocShmem(mozilla::layers::ipc::Shmem&)] [@ mozalloc_abort | NS_DebugBreak | mozilla::layers::PLayerTransactionParent::DeallocShmem]
I am closing this bug as incomplete since we've made no progress in over 3 years. Please reopen this bug report if you have any new leads.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE