Closed
Bug 882196
Opened 11 years ago
Closed 11 years ago
Android crash in nsXPCWrappedJS::AddRef
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla24
| Tracking | Status | |
|---|---|---|
| firefox23 | --- | unaffected |
| firefox24 | + | fixed |
People
(Reporter: scoobidiver, Assigned: blassey)
References
Details
(Keywords: crash, topcrash, Whiteboard: [native-crash])
Crash Data
Attachments
(2 files)
|
9.86 KB,
patch
|
snorp
:
review+
|
Details | Diff | Splinter Review |
|
12.09 KB,
patch
|
kats
:
review+
|
Details | Diff | Splinter Review |
It has already been hit by three users in 24.0a1/20130612. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=86413e921d5d&tochange=0414d6d0f60d It's likely a regression from bug 770840. Signature nsXPCWrappedJS::AddRef() More Reports Search UUID 42c24efe-4075-414d-bd33-fe4252130612 Date Processed 2013-06-12 16:18:35 Uptime 511 Last Crash 4.5 days before submission Install Age 8.5 minutes since version was first installed. Install Time 2013-06-12 16:09:48 Product FennecAndroid Version 24.0a1 Build ID 20130612031138 Release Channel nightly OS Android OS Version 0.0.0 Linux 3.4.0+1.0.21100-313065-g1ccebb5-00166-g58b3171 #1 SMP PREEMPT Wed May 22 17:36:36 2013 armv7l SEMC/LT26i_1257-8080/LT26i:4.1.2/6.2.B.0.211/LL__zg:user/release-keys Build Architecture arm Build Architecture Info ARMv0 Crash Reason SIGSEGV Crash Address 0x0 App Notes AdapterDescription: 'Qualcomm -- Adreno (TM) 220 -- OpenGL ES 2.0 V@6.0 AU@1.04.01.01.06.041 (CL@) -- Model: LT26i, Product: LT26i_1257-8080, Manufacturer: Sony Ericsson, Hardware: semc' GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ Sony Ericsson LT26i SEMC/LT26i_1257-8080/LT26i:4.1.2/6.2.B.0.211/LL__zg:user/release-keys Processor Notes sp-processor09_phx1_mozilla_com_2330:2012; MDSW emitted too many frames, triggering truncation; exploitability tool: ERROR: unable to analyze dump EMCheckCompatibility True Adapter Vendor ID Qualcomm Adapter Device ID Adreno (TM) 220 Device Sony Ericsson LT26i Android API Version 16 (REL) Android CPU ABI armeabi-v7a Frame Module Signature Source 0 libxul.so nsXPCWrappedJS::AddRef js/xpconnect/src/XPCWrappedJS.cpp:158 1 libxul.so libxul.so@0x875577 2 libxul.so nsXPTCStubBase::AddRef xpcom/reflect/xptcall/src/xptcall.cpp:30 3 libxul.so mozilla::MapsMemoryReporter::Init xpcom/base/MapsMemoryReporter.cpp:572 4 libxul.so nsAppShell::CallObserver obj-firefox/dist/include/nsISupportsUtils.h:59 5 libxul.so nsAString_internal::ReplacePrep obj-firefox/dist/include/nsTSubstring.h:738 6 libdvm.so libdvm.so@0xb193e ... More reports at: https://crash-stats.mozilla.com/report/list?signature=nsXPCWrappedJS%3A%3AAddRef%28%29
|
||
Comment 1•11 years ago
|
||
mfinkle - looks like Android is occasionally addref/releaseing XPCWrappedJS callbacks off-main-thread. This is now forbidden, enforced with runtime aborts. Can you find an owner for this?
Flags: needinfo?(mark.finkle)
|
||
Comment 2•11 years ago
|
||
Pretty sure this is the problem: http://mxr.mozilla.org/mozilla-central/source/widget/android/nsAppShell.cpp#735 The MapsMemoryReporter stuff is a fakeout as far as I can tell. Presumably there's a JS observer in play here.
|
|
||
Comment 3•11 years ago
|
||
Also, NotifyObserversCaller (http://mxr.mozilla.org/mozilla-central/source/widget/android/nsAppShell.cpp#768) could be dangerous - it's instantiated off the main thread and and addrefs a random nsISupports pointers.
|
|
||
Comment 4•11 years ago
|
||
NotifyObserversCaller may be safe, since it appears from a cursory glance that the users of NotifyObservers only ever pass null. With respect to CallObserver, if AddObserver is only called on the main thread, mObserversHash could store nsMainThreadPtrHandle objects in a hashtable instead of the current addreffing interface hashtable.
|
||
Comment 6•11 years ago
|
||
This part of the code is the domain of the integration team. Assigning to Brad (even though I dislike it when it happens to me) so he can pass it on to someone else.
Assignee: nobody → blassey.bugs
Flags: needinfo?(mark.finkle)
|
|
||
Updated•11 years ago
|
tracking-fennec: ? → 24+
|
Assignee | |
Comment 7•11 years ago
|
||
(In reply to Josh Matthews [:jdm] from comment #2) > Pretty sure this is the problem: > http://mxr.mozilla.org/mozilla-central/source/widget/android/nsAppShell. > cpp#735 > > The MapsMemoryReporter stuff is a fakeout as far as I can tell. Presumably > there's a JS observer in play here. I'm thinking that GeckoAppShell.callObserver() should just be an event that gets processed on the main thread.
|
||
Comment 8•11 years ago
|
||
we can reproduce this crash in our gaia-UI automation build using https://pvtbuilds.mozilla.org/pub/mozilla.org/b2g/nightly/mozilla-central-unagi-eng/latest/ build from 13.06.2.12 It's reproducible when running the camera tests: https://github.com/mozilla/gaia-ui-tests/tree/master/gaiatest/tests/camera
tracking-fennec: 24+ → ?
|
Reporter | |
Comment 9•11 years ago
|
||
(In reply to Florin Strugariu [:Bebe] from comment #8) > It's reproducible when running the camera tests: > https://github.com/mozilla/gaia-ui-tests/tree/master/gaiatest/tests/camera It's bug 882328, not this one.
|
|
Reporter | |
Updated•11 years ago
|
Hardware: ARM → All
|
|
Assignee | |
Comment 10•11 years ago
|
||
Attachment #763154 -
Flags: review?(snorp)
|
||
Updated•11 years ago
|
Attachment #763154 -
Flags: review?(snorp) → review+
|
|
Assignee | |
Comment 11•11 years ago
|
||
either snorp or kats, whoever gets here first
Attachment #763776 -
Flags: review?(snorp)
Attachment #763776 -
Flags: review?(bugmail.mozilla)
|
||
Comment 12•11 years ago
|
||
Comment on attachment 763776 [details] [diff] [review] patch to remove nsAppShell::NotifyObservers Review of attachment 763776 [details] [diff] [review]: ----------------------------------------------------------------- Generally looks ok but unless you have a good reason to move the level check into c++ I would rather not do that. ::: mobile/android/base/MemoryMonitor.java @@ +147,5 @@ > } > > + if (GeckoThread.checkLaunchState(GeckoThread.LaunchState.GeckoRunning)) { > + GeckoAppShell.sendEventToGecko(GeckoEvent.createLowMemoryEvent(level)); > + } Why move the level check into c++? This means we will be sending messages to c++ that we know will be ignored, which is inefficient. ::: widget/android/AndroidJavaWrappers.cpp @@ +693,5 @@ > + case LOW_MEMORY: { > + mMetaState = jenv->GetIntField(jobj, jMetaStateField); > + break; > + } > + trailing whitespace on the blank line ::: widget/android/AndroidJavaWrappers.h @@ +712,5 @@ > dummy_java_enum_list_end > }; > > enum { > + // Memory pressue levels, keep in sync with those in GeckoEvent.java s/GeckoEvent.java/MemoryMonitor.java/. Also add a comment in MemoryMonitor.java that says it should be kept in sync with AndroidJavaWrappers.h ::: widget/android/nsAppShell.cpp @@ +527,5 @@ > + // TODO hook in memory-reduction stuff for different levels here > + if (curEvent->MetaState() >= AndroidGeckoEvent::MEMORY_PRESSURE_MEDIUM) { > + nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService(); > + if (os) > + os->NotifyObservers(nullptr, indent (and braces, but you probably won't add those anyway...) @@ +542,5 @@ > + NS_NETWORK_LINK_TOPIC, > + nsString(curEvent->Characters()).get()); > + break; > + } > + trailing whitespace on blank line
Attachment #763776 -
Flags: review?(snorp)
|
|
||
Comment 13•11 years ago
|
||
Comment on attachment 763776 [details] [diff] [review] patch to remove nsAppShell::NotifyObservers r+'ing after discussion on IRC; blassey agreed to keep the level-check in Java as well so as to not send useless events to c++.
Attachment #763776 -
Flags: review?(bugmail.mozilla) → review+
|
||
Updated•11 years ago
|
|
||
Comment 14•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f7628d639dd1 https://hg.mozilla.org/mozilla-central/rev/35b943a379dd
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
|
||
Updated•11 years ago
|
tracking-fennec: ? → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•