Closed Bug 886897 Opened 11 years ago Closed 11 years ago

Crash: mozalloc_abort from libxul.so!mozilla::layers::PImageContainerChild::FatalError

Categories

(Firefox OS Graveyard :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
critical

Tracking

(blocking-b2g:leo+, firefox23 wontfix, firefox24 wontfix, firefox25 fixed, b2g18 fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 wontfix, b2g-v1.1hd fixed)

RESOLVED FIXED
1.1 QE4 (15jul)

People

(Reporter: ikumar, Assigned: sotaro)

Details

(Keywords: crash, regression, Whiteboard: [b2g-crash][btg-1653])

Attachments

(3 files, 1 obsolete file)

Attached file minidump
Test Steps:
1. Run the scripts with Music, Video, Camera and Camcorder test cases.
2. After night run device generated mini dumps.

Reproducibility: Seen once

Decoded minidump:

Crash reason: SIGSEGV
Crash address: 0x0

Thread 10 (crashed)
 0  libxul.so!mozalloc_abort [mozalloc_abort.cpp : 30 + 0x4]
    r0 = 0x00000157 r1 = 0x439842c8 r2 = 0x0000007b r3 = 0x00000000 r4 = 0x43984b1c r5 = 0x00000000 r6 = 0xffffffff r7 = 0x43984730 r8 = 0x40c419dd r9 = 0x00000001 r10 = 0x43984730 fp = 0x43cedae8 sp = 0x43984718 lr = 0x410b8c3f pc = 0x410b8c42
    Found by: given as instruction pointer in context
 1  libxul.so!NS_DebugBreak_P [nsDebugImpl.cpp : 423 + 0x5]
    r4 = 0x43984b1c r5 = 0x00000000 r6 = 0xffffffff r7 = 0x43984730 r8 = 0x40c419dd r9 = 0x00000001 r10 = 0x43984730 fp = 0x43cedae8 sp = 0x43984720 pc = 0x40c417c5
    Found by: call frame info
 2  libxul.so!mozilla::layers::PImageContainerChild::FatalError [PImageContainerChild.cpp : 535 + 0x13]
    r4 = 0x43984b5c r5 = 0x00000000 r6 = 0x41141d0f r7 = 0x43984d0c r8 = 0x00000000 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984b50 pc = 0x40bb642f
    Found by: call frame info
 3  libxul.so!mozilla::layers::PImageContainerChild::Read [PImageContainerChild.cpp : 1043 + 0xd]
    r4 = 0x440850c0 r5 = 0x43984cbc r6 = 0x43984c70 r7 = 0x43984d0c r8 = 0x00000000 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984bc0 pc = 0x40bb5edf
    Found by: call frame info
 4  libxul.so!mozilla::layers::PImageContainerChild::Read [PImageContainerChild.cpp : 648 + 0xb]
    r0 = 0x00000000 r1 = 0x43984c70 r4 = 0x43984c70 r5 = 0x440850c0 r6 = 0x43984d0c r7 = 0x43984be0 r8 = 0x43984cbc r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984be0 pc = 0x40bb6261
    Found by: call frame info
 5  libxul.so!mozilla::layers::PImageContainerChild::Read [PImageContainerChild.cpp : 841 + 0x3]
    r4 = 0x43984c70 r5 = 0x440850c0 r6 = 0x43984d0c r7 = 0x43984c10 r8 = 0x43984cbc r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984c10 pc = 0x40bb6317
    Found by: call frame info
 6  libxul.so!mozilla::layers::PImageContainerChild::OnMessageReceived [PImageContainerChild.cpp : 388 + 0x3]
    r4 = 0x440850c0 r5 = 0x00000000 r6 = 0x43984c70 r7 = 0x00160000 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984c70 pc = 0x40bb647f
    Found by: call frame info
 7  libxul.so!mozilla::layers::PCompositorChild::OnMessageReceived [PCompositorChild.cpp : 627 + 0x7]
    r4 = 0x4362f3d0 r5 = 0x43984d0c r6 = 0x43984d0c r7 = 0x43984df8 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984cd8 pc = 0x40bb365d
    Found by: call frame info
 8  libxul.so!mozilla::ipc::AsyncChannel::OnDispatchMessage [AsyncChannel.cpp : 471 + 0x5]
    r0 = 0x4362f3d0 r1 = 0x43984d0c r2 = 0x43984d0c r3 = 0x40bb3631 r4 = 0x4362f3dc r5 = 0x43984d0c r6 = 0x43984d0c r7 = 0x43984df8 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984cf8 pc = 0x40b2cba3
    Found by: call frame info
 9  libxul.so!mozilla::ipc::RPCChannel::OnMaybeDequeueOne [RPCChannel.cpp : 402 + 0x7]
    r0 = 0x4362f3dc r1 = 0x43984d0c r4 = 0x4362f3dc r5 = 0x43984d0c r6 = 0x43984d0c r7 = 0x43984df8 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984d08 pc = 0x40b31a1f
    Found by: call frame info
10  libxul.so!RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(), Tuple0>::Run [tuple.h : 383 + 0x5]
    r4 = 0x43984dec r5 = 0x42af7128 r6 = 0x43984d78 r7 = 0x43984df8 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984d40 pc = 0x40b122a7
    Found by: call frame info
11  libxul.so!mozilla::ipc::RPCChannel::DequeueTask::Run [RPCChannel.h : 425 + 0x9]
    r4 = 0x43984dec r5 = 0x42af7128 r6 = 0x43984d78 r7 = 0x43984df8 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984d48 pc = 0x40b303c9
    Found by: call frame info
12  libxul.so!MessageLoop::RunTask [message_loop.cc : 337 + 0x5]
    r4 = 0x43984dec r5 = 0x42af7128 r6 = 0x43984d78 r7 = 0x43984df8 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984d50 pc = 0x40c5f4c5
    Found by: call frame info
13  libxul.so!MessageLoop::DeferOrRunPendingTask [message_loop.cc : 345 + 0x5]
    r4 = 0x00000001 r5 = 0x43984d68 r6 = 0x43984d78 r7 = 0x43984df8 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984d60 pc = 0x40c602f7
    Found by: call frame info
14  libxul.so!MessageLoop::DoWork [message_loop.cc : 445 + 0x7]
    r4 = 0x43984dec r5 = 0x43984d68 r6 = 0x43984d78 r7 = 0x43984df8 r8 = 0x43984d70 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984d68 pc = 0x40c60ed5
    Found by: call frame info
15  libxul.so!base::MessagePumpDefault::Run [message_pump_default.cc : 23 + 0x7]
    r4 = 0x4291fb00 r5 = 0x43984dec r6 = 0x4291fb0c r7 = 0x43984da0 r8 = 0x43984d98 r9 = 0x4291fb10 r10 = 0x00000001 fp = 0x00000001 sp = 0x43984d98 pc = 0x40c61165
    Found by: call frame info
16  libxul.so!MessageLoop::RunInternal [message_loop.cc : 219 + 0x5]
    r0 = 0x4291fb00 r1 = 0x43984dec r2 = 0x00000000 r3 = 0x40c61149 r4 = 0x43984dec r5 = 0x43984dec r6 = 0x00000010 r7 = 0x01a51958 r8 = 0x01a51948 r9 = 0x01a52420 r10 = 0x00100000 fp = 0x00000001 sp = 0x43984dc8 pc = 0x40c5f481
    Found by: call frame info
17  libxul.so!MessageLoop::Run [message_loop.cc : 212 + 0x5]
    r4 = 0x43984dec r5 = 0x43984dec r6 = 0x00000010 r7 = 0x01a51958 r8 = 0x01a51948 r9 = 0x01a52420 r10 = 0x00100000 fp = 0x00000001 sp = 0x43984dd0 pc = 0x40c5f52b
    Found by: call frame info
18  libxul.so!base::Thread::ThreadMain [thread.cc : 156 + 0x5]
    r0 = 0x00000001 r1 = 0x4291fa00 r2 = 0x43984dec r3 = 0x00000000 r4 = 0x436865b0 r5 = 0x43984dec r6 = 0x00000010 r7 = 0x01a51958 r8 = 0x01a51948 r9 = 0x01a52420 r10 = 0x00100000 fp = 0x00000001 sp = 0x43984de8 pc = 0x40c67845
    Found by: call frame info
19  libxul.so!ThreadFunc [platform_thread_posix.cc : 39 + 0x5]
    r4 = 0x43984f00 r5 = 0x40c71805 r6 = 0x436865b0 r7 = 0x00000078 r8 = 0x40c71805 r9 = 0x436865b0 r10 = 0x00100000 fp = 0x00000001 sp = 0x43984ee8 pc = 0x40c7180d
    Found by: call frame info
20  libc.so!__thread_entry [pthread.c : 217 + 0x6]
    r4 = 0x43984f00 r5 = 0x40c71805 r6 = 0x436865b0 r7 = 0x00000078 r8 = 0x40c71805 r9 = 0x436865b0 r10 = 0x00100000 fp = 0x00000001 sp = 0x43984ef0 pc = 0x4005a114
    Found by: call frame info
21  libc.so!pthread_create [pthread.c : 357 + 0xe]
    r4 = 0x43984f00 r5 = 0x01a52e40 r6 = 0xbed5db68 r7 = 0x00000078 r8 = 0x40c71805 r9 = 0x436865b0 r10 = 0x00100000 fp = 0x00000001 sp = 0x43984f00 pc = 0x40059c68
    Found by: call frame info
Looks like bug 827833 has reappeared.
blocking-b2g: --- → leo?
(leo+, a stability regression from CS)
blocking-b2g: leo? → leo+
Keywords: regression
Severity: normal → critical
Crash Signature: [@ mozalloc_abort | NS_DebugBreak_P | mozilla::layers::PImageContainerChild::FatalError]
(In reply to Scoobidiver from comment #3)
> Dupe of bug 862230/bug 868965?

From attachment 767318, it seems to be a different bug.
In attachment 767318, Thread 13 is calling GonkCameraHardware::Close() and GonkNativeWindow is freeing gralloc buffers. Before doing that, VideoFrameContainer::ClearCurrentFrame() needs to be called. The function clears all gralloc buffers used for rendering from ImageBridge and compositor. Therefore, it seems that VideoFrameContainer::ClearCurrentFrame() is not called before GonkCameraHardware::Close().
Blocks: 862230
Passing to Hema to help with assignment. Thanks
Assignee: nobody → hkoka
Assignee: hkoka → sotaro.ikeda.g
nsGonkCameraControl::ReleaseHardwareImpl() forcibly stops the preview and releases the camera hw. It calls nsGonkCameraControl::StopPreviewInternal(), and the called function needs to synchronously call VideoFrameContainer::ClearCurrentFrame().
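A simplified model of the ordering described in the two comments above, added here as an illustration; it is not Gecko code or the attached patch, and BufferPool, FrameConsumer, Order and StaleAfterClose are hypothetical names. It shows why the clear has to complete synchronously before the buffers are freed: a clear that is only queued still leaves a stale reference at close time.

```cpp
#include <cstdint>
#include <functional>
#include <set>
#include <vector>

// Producer side: stands in for the native window that owns the gralloc buffers.
class BufferPool {
public:
    uint32_t Allocate() { live_.insert(next_); return next_++; }
    void FreeAll() { live_.clear(); }  // models the free done on hardware close
    bool IsLive(uint32_t id) const { return live_.count(id) != 0; }
private:
    std::set<uint32_t> live_;
    uint32_t next_ = 1;
};

// Consumer side: stands in for the frame container / compositor path.
class FrameConsumer {
public:
    void SetCurrentFrame(uint32_t id) { current_ = id; }
    void ClearCurrentFrame() { current_ = 0; }
    // True when the consumer still references a buffer the pool has freed.
    bool HasStaleFrame(const BufferPool& pool) const {
        return current_ != 0 && !pool.IsLive(current_);
    }
private:
    uint32_t current_ = 0;  // 0 means "no frame held"; pool ids start at 1
};

enum class Order { CloseOnly, AsyncClearThenClose, SyncClearThenClose };

// Runs one preview teardown and reports whether a stale reference
// existed right after the buffers were freed.
bool StaleAfterClose(Order order) {
    BufferPool pool;
    FrameConsumer consumer;
    std::vector<std::function<void()>> pending;  // work queued for later
    consumer.SetCurrentFrame(pool.Allocate());

    if (order == Order::SyncClearThenClose)
        consumer.ClearCurrentFrame();            // completes before the free
    else if (order == Order::AsyncClearThenClose)
        pending.push_back([&consumer] { consumer.ClearCurrentFrame(); });

    pool.FreeAll();                              // hardware close
    bool stale = consumer.HasStaleFrame(pool);   // window a reader can hit
    for (auto& task : pending) task();           // queued clear runs too late
    return stale;
}
```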
Comment on attachment 772271
patch - call VideoFrameContainer::ClearCurrentFrame() before camera hw close

Obsolete it. It does not work correctly.
Attachment #772271 - Attachment is obsolete: true
Comment on attachment 772271
patch - call VideoFrameContainer::ClearCurrentFrame() before camera hw close

Set it valid again. I faced a black camera preview screen. I cannot reproduce it. It seems to be a different problem.
Attachment #772271 - Attachment is obsolete: false
(In reply to Sotaro Ikeda [:sotaro] from comment #8)
> Created attachment 772271
> patch - call VideoFrameContainer::ClearCurrentFrame() before camera hw close

Inder, can you confirm if attachment 772271 works?
Flags: needinfo?(ikumar)
Requested test guys to try to reproduce it with the patch. Will let you know how it goes.
Flags: needinfo?(ikumar)
Attachment #772271 - Flags: review?(mhabicher)
Attachment #772271 - Flags: review?(mhabicher) → review+
Patch for master. Carry "mhabicher: review+".
Attachment #774204 - Flags: review+
Patch for b2g18. Carry "mhabicher: review+".
Attachment #772271 - Attachment is obsolete: true
Attachment #774208 - Flags: review+
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
(In reply to Inder from comment #12)
> Requested test guys to try to reproduce it with the patch. Will let you know
> how it goes.

:sotaro FYI, Test folks were not able to reproduce the crash with the patch.