crash in mozilla::layers::TextureSourceBasic::UpdateImpl @ gfxASurface::GetContentType

RESOLVED FIXED in Firefox 23

Status

defect
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: scoobidiver, Assigned: mattwoodrow)

Tracking

({crash, regression, topcrash})

23 Branch
mozilla24
ARM
Android

Firefox Tracking Flags

(firefox22 unaffected, firefox23+ fixed, firefox24 fixed, fennec23+)

Details

(Whiteboard: [native-crash][startupcrash], crash signature)

Attachments

(1 attachment)

It first showed up in 23.0a1/20130506, has been hit by three users and is discontinuous across builds.
Based on the stack trace, it's likely a regression from bug 865104.

Signature 	gfxASurface::GetContentType() const
UUID	755bdc38-cad4-4fba-be2f-0920a2130511
Date Processed	2013-05-11 11:54:37
Uptime	39
Last Crash	4.2 weeks before submission
Install Age	10.5 hours since version was first installed.
Install Time	2013-05-11 01:27:18
Product	FennecAndroid
Version	23.0a1
Build ID	20130510094137
Release Channel	nightly
OS	Android
OS Version	0.0.0 Linux 3.0.31-gd5a18e0-dirty #1 SMP PREEMPT Sat Nov 17 14:20:25 EST 2012 armv7l google/full_maguro/maguro:4.2.1/JOP40D/eng.mmuzzy.20130112.162740:userdebug/test-keys
Build Architecture	arm
Build Architecture Info	ARMv0
Crash Reason	SIGSEGV
Crash Address	0x14
App Notes 	
AdapterDescription: 'Imagination Technologies -- PowerVR SGX 540 -- OpenGL ES 2.0 build 1.8@905891 -- Model: Galaxy Nexus, Product: full_maguro, Manufacturer: samsung, Hardware: tuna'
Stagefright? Stagefright+ 
samsung Galaxy Nexus
google/full_maguro/maguro:4.2.1/JOP40D/eng.mmuzzy.20130112.162740:userdebug/test-keys
Processor Notes 	sp-processor10_phx1_mozilla_com_29113:2012; exploitability tool: ERROR: unable to analyze dump
EMCheckCompatibility	True
Adapter Vendor ID	Imagination Technologies
Adapter Device ID	PowerVR SGX 540
Device	samsung Galaxy Nexus
Android API Version	17 (REL)
Android CPU ABI	armeabi-v7a

Crashing Thread
Frame 	Module 	Signature 	Source
0 	libxul.so 	gfxASurface::GetContentType const 	gfx/thebes/gfxASurface.cpp:214
1 	libxul.so 	mozilla::layers::ShadowLayerForwarder::GetDescriptorSurfaceContentType 	gfx/layers/ipc/ShadowLayers.cpp:530
2 	libxul.so 	mozilla::layers::TextureSourceBasic::UpdateImpl 	gfx/layers/basic/BasicCompositor.cpp:41
3 	libxul.so 	mozilla::layers::CompositingRenderTarget::~CompositingRenderTarget 	obj-firefox/dist/include/mozilla/layers/TextureHost.h:69
4 	dalvik-aux-structure (deleted) 	dalvik-aux-structure @0xdffe 	
5 	libmozglue.so 	__wrap_malloc 	memory/mozjemalloc/jemalloc.c:4247
6 	libxul.so 	mozilla::layers::TextureHost::SwapTexturesImpl 	obj-firefox/dist/include/mozilla/layers/TextureHost.h:296
7 	libxul.so 	mozilla::layers::TextureHost::SwapTextures 	gfx/layers/composite/TextureHost.cpp:102
8 	libxul.so 	mozilla::layers::ImageHostBuffered::Update 	gfx/layers/composite/ImageHost.cpp:164
9 	libxul.so 	mozilla::layers::CompositableParentManager::ReceiveCompositableUpdate 	gfx/layers/ipc/CompositableTransactionParent.cpp:85
10 	libxul.so 	std::priv::_Slist_iterator<std::pair<int const, IPC::Channel::Listener*>, std::_ 	_hashtable.h:610
11 	libxul.so 	libxul.so@0xa84893 	
12 	libxul.so 	mozilla::layers::PImageBridgeParent::Read 	obj-firefox/ipc/ipdl/PImageBridgeParent.cpp:1534
13 	libxul.so 	Pickle::ReadIntPtr const 	
14 	libxul.so 	Pickle::ReadDouble const 	
15 	libxul.so 	mozilla::layers::PImageBridgeParent::Read 	ipc/chromium/src/chrome/common/ipc_message_utils.h:328
16 	libxul.so 	mozilla::layers::PImageBridgeParent::Read 	obj-firefox/ipc/ipdl/PImageBridgeParent.cpp:1065
17 	libxul.so 	std::priv::_Slist_iterator<std::pair<int const, IPC::Channel::Listener*>, std::_ 	_hashtable.h:610
18 	libxul.so 	libxul.so@0xa845fb 	
19 	libxul.so 	Pickle::ReadInt const 	ipc/chromium/src/base/pickle.cc:134
20 	libxul.so 	dwarf2reader::CallFrameInfo::ExpressionRule::Handle const 	toolkit/crashreporter/google-breakpad/src/common/dwarf/dwarf2reader.cc:1026
21 	libxul.so 	Pickle::ReadInt const 	ipc/chromium/src/base/pickle.cc:134
22 	libxul.so 	dwarf2reader::CallFrameInfo::ExpressionRule::Handle const 	toolkit/crashreporter/google-breakpad/src/common/dwarf/dwarf2reader.cc:1026
23 	libxul.so 	mozilla::layers::PImageBridgeParent::Read 	obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/layers/PImageBridgeParent.h:397
24 	libxul.so 	mozilla::layers::SurfaceDescriptor::~SurfaceDescriptor 	obj-firefox/ipc/ipdl/LayersSurfaces.cpp:668
25 	libxul.so 	mozilla::layers::PImageBridgeParent::Read 	obj-firefox/ipc/ipdl/PImageBridgeParent.cpp:1702
26 	libmozglue.so 	__wrap_malloc 	memory/mozjemalloc/jemalloc.c:4247
27 	libmozalloc.so 	moz_xmalloc 	memory/mozalloc/mozalloc.cpp:54
28 	libxul.so 	mozilla::layers::ImageBridgeParent::RecvUpdate 	gfx/layers/ipc/ImageBridgeParent.cpp:52
29 	libxul.so 	mozilla::layers::PImageBridgeParent::OnMessageReceived 	obj-firefox/ipc/ipdl/PImageBridgeParent.cpp:507
30 	libmozglue.so 	__wrap_realloc 	memory/mozjemalloc/jemalloc.c:4692
31 	libmozglue.so 	__wrap_realloc 	memory/mozjemalloc/jemalloc.c:4247
32 	libxul.so 	mozilla::ipc::SyncChannel::OnDispatchMessage 	ipc/glue/SyncChannel.cpp:145
33 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:400
34 	libxul.so 	RunnableMethod<IPC::ChannelProxy::Context, void 	ipc/chromium/src/base/tuple.h:383
35 	libxul.so 	libxul.so@0xa71a0b 	
36 	libxul.so 	mozilla::ipc::RPCChannel::DequeueTask::Run 	obj-firefox/dist/include/mozilla/ipc/RPCChannel.h:425
37 	libxul.so 	MessageLoop::RunTask 	ipc/chromium/src/base/message_loop.cc:337
38 	libxul.so 	MessageLoop::DeferOrRunPendingTask 	ipc/chromium/src/base/message_loop.cc:345
39 	libxul.so 	MessageLoop::DoWork 	ipc/chromium/src/base/message_loop.cc:445
40 	libxul.so 	base::MessagePumpDefault::Run 	ipc/chromium/src/base/message_pump_default.cc:23
41 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4675
42 	libxul.so 	base::CreatePlatformFile 	ipc/chromium/src/base/platform_file_posix.cc:66
43 	libxul.so 	base::CreatePlatformFile 	ipc/chromium/src/base/platform_file_posix.cc:66
44 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:219
45 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:212
46 	libxul.so 	base::Thread::ThreadMain 	ipc/chromium/src/base/thread.cc:159

More reports at:
https://crash-stats.mozilla.com/report/list?signature=gfxASurface%3A%3AGetContentType%28%29+const
It's the #3 crasher in 23.0a2 (#7 without dupes) and #18 in 24.0a1.

Here are two comments from the same user: "Using the official twitter app trying to open a hyper link to a vine. Was on the detail view of the tweet. I clicked on a hashtag by mistake, and then clicked back, then clicked on the vine, then it crashed.", "again! same thing! I clicked on a link to a vine"
That's why it occurs at startup.
tracking-fennec: --- → ?
Keywords: topcrash
Assignee: nobody → matt.woodrow
tracking-fennec: ? → 23+
Do we really need to track this?

It's only possible to hit this if you change a pref to force enable the BasicCompositor. It's not enabled by default anywhere, and for good reason.
This crash is because ImageBridgeChild doesn't know what the compositor backend type is, and just assumes LAYERS_OPENGL.

It then creates a TextureClientShmemYCbCr (which isn't supported with LAYERS_BASIC currently), and we crash when the compositor receives this.

Not sure if you had plans for this nical, just threw this together as it seemed the simple way to fix it.

Stops BasicCompositor + async-video crashing at least!

I may work on getting BasicCompositor to support YCbCr images, but we should fix this bug regardless.
Attachment #765191 - Flags: review?(nical.bugzilla)
Attachment #765191 - Flags: review?(nical.bugzilla) → review+
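A simplified model of the backend mismatch described in the comments above, added here as an example and not taken from the patch or from Gecko: every type and function name is hypothetical, and the rule that a Basic host accepts only an RGB shmem texture is the example's own assumption. It also shows the host rejecting an unsupported texture kind, which goes beyond what the thread says the patch does.

```cpp
#include <cstdio>

// Simplified model of the bug; names are hypothetical, not Gecko's API.
enum class Backend { OpenGL, Basic };
enum class TextureKind { ShmemRGB, ShmemYCbCr };
struct Surface { int contentType; };

// Host: which texture kinds a backend can turn into a surface.
// Assumption for this model: Basic handles RGB only, OpenGL handles both.
bool HostSupports(Backend b, TextureKind k) {
    return b == Backend::OpenGL || k == TextureKind::ShmemRGB;
}

// Host: yields nullptr for an unsupported kind. Reading a member through
// that pointer is the kind of fault that shows up as a small crash address.
const Surface* OpenSurface(Backend b, TextureKind k) {
    static const Surface rgb = {1};
    static const Surface ycbcr = {2};
    if (!HostSupports(b, k)) return nullptr;
    return k == TextureKind::ShmemRGB ? &rgb : &ycbcr;
}

// Host: checked receive path; rejects the update instead of dereferencing.
bool ReceiveUpdate(Backend host, TextureKind k, int* contentType) {
    const Surface* s = OpenSurface(host, k);
    if (s == nullptr) return false;
    *contentType = s->contentType;
    return true;
}

// Client: choose a texture kind for video frames. A null `identified`
// models a client that was never told the backend and assumes OpenGL.
TextureKind ChooseVideoTexture(const Backend* identified) {
    Backend b = identified ? *identified : Backend::OpenGL;
    return b == Backend::OpenGL ? TextureKind::ShmemYCbCr
                                : TextureKind::ShmemRGB;
}

int main() {
    Backend host = Backend::Basic;
    int ct = 0;
    bool guessed = ReceiveUpdate(host, ChooseVideoTexture(nullptr), &ct);
    bool identified = ReceiveUpdate(host, ChooseVideoTexture(&host), &ct);
    std::printf("guessed backend: %s\n", guessed ? "accepted" : "rejected");
    std::printf("identified backend: %s\n", identified ? "accepted" : "rejected");
    return 0;
}
```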
https://hg.mozilla.org/mozilla-central/rev/5ac656c40652
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
This landed on mozilla-central whilst it was still mozilla24, however mcMerge references the bugzilla target milestone field ordering, which was updated pre-emptively before the merge had occurred.
Target Milestone: mozilla25 → mozilla24
Uplift nomination for Beta?
Flags: needinfo?(matt.woodrow)
Comment on attachment 765191: Call IdentifyTextureHost on ImageBridgeChild

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 865104
User impact if declined: Crash if they use undocumented preferences...
Testing completed (on m-c, etc.): Been on m-c for a while. Still not really tested anywhere, as it is code that is off by default.
Risk to taking this patch (and alternatives if risky): Low risk.
String or IDL/UUID changes made by this patch: None
Attachment #765191 - Flags: approval-mozilla-beta?
Attachment #765191 - Flags: approval-mozilla-aurora?
It's already in Aurora. The latest Nightly crash happened in 24.0a1/20130616, a few builds before the patch landed, but it was discontinuous previously.
Flags: needinfo?(matt.woodrow)
Attachment #765191 - Flags: approval-mozilla-aurora?
Attachment #765191 - Flags: approval-mozilla-beta? → approval-mozilla-beta+