Crash in libxul.so!android::MediaResourceManagerService::onMessageReceived

RESOLVED FIXED in Firefox 24

Status

defect
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: ikumar, Assigned: sotaro)

Tracking

({crash})

unspecified
1.1 QE3 (26jun)
ARM
Gonk (Firefox OS)

Firefox Tracking Flags

(blocking-b2g:leo+, firefox22 wontfix, firefox23 wontfix, firefox24 fixed, b2g18 fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 wontfix, b2g-v1.1hd fixed)

Details

(Whiteboard: [b2g-crash][btg-1601], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

Posted file minidump
Test Steps:
1. Run test scripts with Music, Video, Camera, Camcorder, Call, SMS and Airplane mode on/off test cases.
2. After a night run, the device generated minidumps.
Reproducibility: Seen once

Decoded minidump:
Crash reason:  SIGSEGV
Crash address: 0x0

Thread 12 (crashed)
 0  libxul.so!android::MediaResourceManagerService::onMessageReceived [MediaResourceManagerService.cpp : 154 + 0x2]
     r0 = 0x00000000    r1 = 0x00000001    r2 = 0x4400f6b4    r3 = 0x4aaf36b0
     r4 = 0x4400f6bc    r5 = 0x4400f6b4    r6 = 0x44678e0c    r7 = 0x4400f6a0
     r8 = 0x00000000    r9 = 0x4400f6c0   r10 = 0x00000000    fp = 0x00000001
     sp = 0x44678e08    lr = 0x410157a1    pc = 0x410157a4
    Found by: given as instruction pointer in context
 1  libxul.so!android::AHandlerReflector<android::MediaResourceManagerService>::onMessageReceived [AHandlerReflector.h : 35 + 0x5]
     r0 = 0x4400f6a0    r1 = 0x00000000    r4 = 0x4400cf80    r5 = 0x44678e78
     r6 = 0x44678e78    r7 = 0x4400cf80    r8 = 0x44678eb0    r9 = 0x440074e0
    r10 = 0x00100000    fp = 0x00000001    sp = 0x44678e30    pc = 0x410158b3
    Found by: call frame info
 2  libstagefright_foundation.so!android::ALooperRoster::deliverMessage [ALooperRoster.cpp : 133 + 0x7]
     r0 = 0x4400cf80    r1 = 0x4400f6a0    r2 = 0x00000000    r4 = 0x403f4678
     r5 = 0x00000000    r6 = 0x44678e78    r7 = 0x4400cf80    r8 = 0x44678eb0
     r9 = 0x440074e0   r10 = 0x00100000    fp = 0x00000001    sp = 0x44678e48
     pc = 0x403f1265
    Found by: call frame info
 3  libstagefright_foundation.so!android::ALooper::loop [ALooper.cpp : 212 + 0xb]
     r4 = 0x00000001    r5 = 0x4400df78    r6 = 0x4a0f03e0    r7 = 0x0004df57
     r8 = 0x44678eb0    r9 = 0x440074e0   r10 = 0x00100000    fp = 0x00000001
     sp = 0x44678e70    pc = 0x403f0dcf
    Found by: call frame info
 4  libstagefright_foundation.so!android::ALooper::LooperThread::threadLoop [ALooper.cpp : 47 + 0x5]
     r4 = 0x4400ea80    r5 = 0x4400ea80    r6 = 0x4400ea8c    r7 = 0x44678eb4
     r8 = 0x44678eb0    r9 = 0x440074e0   r10 = 0x00100000    fp = 0x00000001
     sp = 0x44678ea0    pc = 0x403f0f45
    Found by: call frame info
 5  libutils.so!android::Thread::_threadLoop [Threads.cpp : 834 + 0x5]
     r4 = 0x4400ea80    r5 = 0x4400ea80    r6 = 0x4400ea8c    r7 = 0x44678eb4
     r8 = 0x44678eb0    r9 = 0x440074e0   r10 = 0x00100000    fp = 0x00000001
     sp = 0x44678ea8    pc = 0x40165e59
    Found by: call frame info
 6  libutils.so!thread_data_t::trampoline [Threads.cpp : 127 + 0x3]
     r0 = 0x4400ea80    r1 = 0x440074d0    r2 = 0x4400ea80    r3 = 0x4400ea80
     r4 = 0x4400cfc0    r5 = 0x40165de5    r6 = 0x4400ea80    r7 = 0x00000000
     r8 = 0x40166409    r9 = 0x440074e0   r10 = 0x00100000    fp = 0x00000001
     sp = 0x44678ed0    pc = 0x4016649f
    Found by: call frame info
 7  libc.so!__thread_entry [pthread.c : 217 + 0x6]
     r0 = 0x00000000    r1 = 0x0170f1e0    r2 = 0x44678ffc    r4 = 0x44678f00
     r5 = 0x40166409    r6 = 0x440074e0    r7 = 0x00000078    r8 = 0x40166409
     r9 = 0x440074e0   r10 = 0x00100000    fp = 0x00000001    sp = 0x44678ef0
     pc = 0x40057114
    Found by: call frame info
 8  libc.so!pthread_create [pthread.c : 357 + 0xe]
     r4 = 0x44678f00    r5 = 0x0170f1e0    r6 = 0xbe8535ec    r7 = 0x00000078
     r8 = 0x40166409    r9 = 0x440074e0   r10 = 0x00100000    fp = 0x00000001
     sp = 0x44678f00    pc = 0x40056c68
    Found by: call frame info

Thread 0
 0  libc.so + 0xe430
     r0 = 0xfffffffc    r1 = 0xbe8536a8    r2 = 0x00000010    r3 = 0xffffffff
     r4 = 0xbe8536a8    r5 = 0x4331ac40    r6 = 0xbe8536a8    r7 = 0x000000fc
     r8 = 0x00000014    r9 = 0x00000000   r10 = 0x00000001    fp = 0x00000000
     sp = 0xbe853680    lr = 0x413d44df    pc = 0x40052430
    Found by: given as instruction pointer in context
 1  libxul.so!nsAppShell::ProcessNextNativeEvent [nsAppShell.cpp : 722 + 0x5]
     sp = 0xbe8536a8    pc = 0x41213171
    Found by: stack scanning
 2  libxul.so!nsBaseAppShell::DoProcessNextNativeEvent [nsBaseAppShell.cpp : 139 + 0x5]
     r4 = 0x4331ac40    r5 = 0x40407c40    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000014    sp = 0xbe8537c8    pc = 0x4122fe37
    Found by: call frame info
 3  libxul.so!nsBaseAppShell::OnProcessNextEvent [nsBaseAppShell.cpp : 298 + 0x5]
     r4 = 0x4331ac40    r5 = 0x40407c40    r6 = 0x003c11ad    r7 = 0x00000000
     r8 = 0x00000014    sp = 0xbe8537e0    pc = 0x4122ff15
    Found by: call frame info
 4  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp : 593 + 0x5]
     r0 = 0x4331ac40    r1 = 0x01407c40    r4 = 0x40407c40    r5 = 0x00000001
     r6 = 0x4122fe59    r7 = 0x00000001    r8 = 0xbe85384f    r9 = 0x4042d000
    r10 = 0x00000000    sp = 0xbe853808    pc = 0x413b81d7
    Found by: call frame info
 5  libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 237 + 0xb]
     r4 = 0x00000001    r5 = 0x4044c0c0    r6 = 0x40402530    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x4042d000   r10 = 0x00000000    sp = 0xbe853848
     pc = 0x4139865f
    Found by: call frame info
 6  libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp : 117 + 0x7]
     r0 = 0x40407c40    r1 = 0x00000001    r4 = 0x40402520    r5 = 0x4044c0c0
     r6 = 0x40402530    r7 = 0x00000000    r8 = 0x00000000    r9 = 0x4042d000
    r10 = 0x00000000    sp = 0xbe853858    pc = 0x412aac53
    Found by: call frame info
 7  libxul.so!MessageLoop::RunInternal [message_loop.cc : 219 + 0x5]
     r4 = 0x4044c0c0    r5 = 0x4331ac40    r6 = 0x40407c40    r7 = 0xbe853afd
     r8 = 0x00000000    r9 = 0x4042d000   r10 = 0x00000000    sp = 0xbe853880
     pc = 0x413da201
    Found by: call frame info
 8  libxul.so!MessageLoop::Run [message_loop.cc : 212 + 0x5]
     r4 = 0x4044c0c0    r5 = 0x4331ac40    r6 = 0x40407c40    r7 = 0xbe853afd
     r8 = 0x00000000    r9 = 0x4042d000   r10 = 0x00000000    sp = 0xbe853888
     pc = 0x413da2ab
    Found by: call frame info
 9  libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp : 163 + 0x7]
     r0 = 0x00000001    r1 = 0x41c85700    r2 = 0x4044c0c0    r3 = 0x00000000
     r4 = 0x00000000    r5 = 0x4331ac40    r6 = 0x40407c40    r7 = 0xbe853afd
     r8 = 0x00000000    r9 = 0x4042d000   r10 = 0x00000000    sp = 0xbe8538a0
     pc = 0x4122f9fd
    Found by: call frame info
10  libxul.so!nsAppStartup::Run [nsAppStartup.cpp : 290 + 0x5]
     r4 = 0x4400deb0    r5 = 0x413a2fbd    r6 = 0x00000000    r7 = 0xbe853afd
     r8 = 0x00000000    r9 = 0x4042d000   r10 = 0x00000000    sp = 0xbe8538b0
     pc = 0x41193c0d
    Found by: call frame info
11  libxul.so!XREMain::XRE_mainRun [nsAppRunner.cpp : 3794 + 0x5]
     r4 = 0xbe853a0c    r5 = 0x413a2fbd    r6 = 0x00000000    r7 = 0xbe853afd
     r8 = 0x00000000    r9 = 0x4042d000   r10 = 0x00000000    sp = 0xbe8538b8
     pc = 0x40bb94fb
    Found by: call frame info
12  libxul.so!XREMain::XRE_main [nsAppRunner.cpp : 3860 + 0x5]
     r4 = 0xbe853a0c    r5 = 0xbe8539e7    r6 = 0x00000000    r7 = 0xbe855bf4
     r8 = 0x40428000    r9 = 0x4042d000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbe8539e0    pc = 0x40bbbc99
    Found by: call frame info
13  libxul.so!XRE_main [nsAppRunner.cpp : 3935 + 0x3]
     r0 = 0x40428000    r1 = 0x00000001    r2 = 0xbe855bf4    r4 = 0x0001f170
     r5 = 0xbe855bf4    r6 = 0x00000001    r7 = 0x00000000    r8 = 0xbe853a0c
     r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000    sp = 0xbe853a08
     pc = 0x40bbbde5
    Found by: call frame info
14  b2g!main [nsBrowserApp.cpp : 168 + 0xf]
     r4 = 0x40bbbd99    r5 = 0x00000000    r6 = 0x00000001    r7 = 0xbe855bf4
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbe853b18    pc = 0x0000999f
    Found by: call frame info
15  libc.so!__libc_init [libc_init_dynamic.c : 114 + 0x7]
     r4 = 0x00009714    r5 = 0xbe855bf4    r6 = 0x00000001    r7 = 0xbe855bfc
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbe855bd8    pc = 0x4005aa77
    Found by: call frame info
16  libc.so!__cxa_atexit [atexit.c : 99 + 0x3]
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbe855bf0    pc = 0x40063437
    Found by: call frame info
17  0xbe855db3
     r0 = 0x00000001    r1 = 0xbe855cf3    r4 = 0x00000000    r5 = 0xbe855d03
     r6 = 0xbe855d15    r7 = 0xbe855d28    r8 = 0xbe855d4b    r9 = 0xbe855d64
    r10 = 0xbe855d81    fp = 0x00000000    sp = 0xbe855c18    pc = 0xbe855db5
    Found by: call frame info

Complete decoded minidump is attached.
blocking-b2g: --- → leo?
Whiteboard: [btg-1601]
Severity: normal → critical
Crash Signature: [@ android::MediaResourceManagerService::onMessageReceived] [@ android::MediaResourceManagerService::onMessageReceived(android::sp<android::AMessage> const&)]
Keywords: crash
Whiteboard: [btg-1601] → [b2g-crash][btg-1601]
Assignee: nobody → sotaro.ikeda.g
Attachment #764542 - Attachment description: patch - remove item correctly from ector → patch - remove item correctly from vector
Attachment #764542 - Flags: review?(chris.double)
Attachment #764542 - Flags: review?(chris.double) → review+
blocking-b2g: leo? → leo+
Target Milestone: --- → 1.1 QE3 (24jun)
Could this fix please be landed right away?
Add a header. Carry "chris.double: review+"
Attachment #764542 - Attachment is obsolete: true
Attachment #764756 - Flags: review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/dd48a19a10fe
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Duplicate of this bug: 889167
Depends on: 891445