Crash during video playback

RESOLVED FIXED in Firefox 25, Firefox OS v1.1hd

Status

--
critical

People

(Reporter: diego, Assigned: sotaro)

Tracking

({crash, regression})

unspecified
1.1 QE4 (15jul)
ARM
Gonk (Firefox OS)

Firefox Tracking Flags

(blocking-b2g:leo+, firefox23 wontfix, firefox24 wontfix, firefox25 fixed, b2g18 fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 wontfix, b2g-v1.1hd fixed)

Details

(Whiteboard: [b2g-crash] [cr 506769][LeoVB+], crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
This happened on v1 train during several hours of continuous stability testing.

Sorry I don't have more details other than the crash stack, but didn't have anyone seeing it happen.

Apparently the video app can't play anymore after this.

Crash stack below. 

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  0x0
     r0 = 0x43e871c0    r1 = 0x42cad670    r2 = 0x00000000    r3 = 0x00000000
     r4 = 0xbeb1e820    r5 = 0xbeb1e820    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x42caa060    r9 = 0x00000001   r10 = 0x00000000    fp = 0x413765ac
     sp = 0xbeb1e800    lr = 0x408b02af    pc = 0x00000000
    Found by: given as instruction pointer in context
 1  libxul.so!nsDeque::ForEach [nsDeque.cpp : 374 + 0x7]
     sp = 0xbeb1e810    pc = 0x40c01c9f
    Found by: stack scanning
 2  libxul.so!nsBuiltinDecoderReader::VideoQueueMemoryInUse [nsBuiltinDecoderReader.h : 342 + 0x9]
     r4 = 0x42b45400    r5 = 0xbeb1ead0    r6 = 0x00000000    sp = 0xbeb1e820
     pc = 0x4087a59d
    Found by: call frame info
 3  libxul.so!nsBuiltinDecoderStateMachine::VideoQueueMemoryInUse [nsBuiltinDecoderStateMachine.h : 192 + 0x5]
     r0 = 0x41429920    r1 = 0xbeb1ead0    r2 = 0x00000000    r3 = 0x00000000
     r4 = 0x00000000    r5 = 0xbeb1ead0    r6 = 0x00000000    sp = 0xbeb1e838
     pc = 0x4087a3db
    Found by: call frame info
 4  libxul.so!nsBuiltinDecoder::VideoQueueMemoryInUse [nsBuiltinDecoder.h : 591 + 0x5]
     r4 = 0x00000000    r5 = 0xbeb1ead0    r6 = 0x00000000    sp = 0xbeb1e840
     pc = 0x4087a371
    Found by: call frame info
 5  libxul.so!mozilla::MemoryReporter_MediaDecodedVideoMemory::GetAmount [nsMediaDecoder.h : 499 + 0xd]
     r4 = 0x00000000    r5 = 0xbeb1ead0    r6 = 0x00000000    sp = 0xbeb1e848
     pc = 0x408b3b8f
    Found by: call frame info
 6  libxul.so!mozilla::MemoryInfoDumper::DumpMemoryReportsToFileImpl [MemoryInfoDumper.cpp : 864 + 0x7]
     r4 = 0xbeb1e930    r5 = 0x4384c230    r6 = 0x42caa270    r7 = 0x414df578
     r8 = 0x00000000    sp = 0xbeb1e860    pc = 0x40c2c83f
    Found by: call frame info
 7  libxul.so!mozilla::MemoryInfoDumper::DumpMemoryReportsToFile [MemoryInfoDumper.cpp : 590 + 0x5]
     r4 = 0x00000000    r5 = 0xbeb1eb38    r6 = 0xbeb1eb37    r7 = 0xbeb1eb38
     r8 = 0xbeb1ee4c    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1eb30    pc = 0x40c2ccf5
    Found by: call frame info
 8  libxul.so!mozilla::dom::ContentChild::RecvDumpMemoryReportsToFile [ContentChild.cpp : 508 + 0x7]
     r4 = 0x41b1b618    r5 = 0x40afad3d    r6 = 0xbeb1ee50    r7 = 0xbeb1ee58
     r8 = 0xbeb1ee4c    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1eb68    pc = 0x40afad49
    Found by: call frame info
 9  libxul.so!mozilla::dom::PContentChild::OnMessageReceived [PContentChild.cpp : 2509 + 0xd]
     r4 = 0x41b1b618    r5 = 0x40afad3d    r6 = 0xbeb1ee50    r7 = 0xbeb1ee58
     r8 = 0xbeb1ee4c    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1eb70    pc = 0x40b8d0bf
    Found by: call frame info
10  libxul.so!mozilla::ipc::AsyncChannel::OnDispatchMessage [AsyncChannel.cpp : 471 + 0x5]
     r4 = 0x41b1b624    r5 = 0xbeb1eeac    r6 = 0xbeb1eeac    r7 = 0xbeb1f8b0
     r8 = 0xbeb1ef10    r9 = 0x41b06c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1ee98    pc = 0x40b10bc3
    Found by: call frame info
11  libxul.so!mozilla::ipc::RPCChannel::OnMaybeDequeueOne [RPCChannel.cpp : 402 + 0x7]
     r0 = 0x41b1b624    r1 = 0xbeb1eeac    r4 = 0x41b1b624    r5 = 0xbeb1eeac
     r6 = 0xbeb1eeac    r7 = 0xbeb1f8b0    r8 = 0xbeb1ef10    r9 = 0x41b06c0c
    r10 = 0x00000000    fp = 0x00000000    sp = 0xbeb1eea8    pc = 0x40b15a3f
    Found by: call frame info
12  libxul.so!RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(), Tuple0>::Run [tuple.h : 383 + 0x5]
     r4 = 0xbeb1f8a4    r5 = 0x4386a138    r6 = 0xbeb1ef18    r7 = 0xbeb1f8b0
     r8 = 0xbeb1ef10    r9 = 0x41b06c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1eee0    pc = 0x40af62c7
    Found by: call frame info
13  libxul.so!mozilla::ipc::RPCChannel::DequeueTask::Run [RPCChannel.h : 425 + 0x9]
     r4 = 0xbeb1f8a4    r5 = 0x4386a138    r6 = 0xbeb1ef18    r7 = 0xbeb1f8b0
     r8 = 0xbeb1ef10    r9 = 0x41b06c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1eee8    pc = 0x40b143e9
    Found by: call frame info
14  libxul.so!MessageLoop::RunTask [message_loop.cc : 337 + 0x5]
     r4 = 0xbeb1f8a4    r5 = 0x4386a138    r6 = 0xbeb1ef18    r7 = 0xbeb1f8b0
     r8 = 0xbeb1ef10    r9 = 0x41b06c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1eef0    pc = 0x40c434e5
    Found by: call frame info
15  libxul.so!MessageLoop::DeferOrRunPendingTask [message_loop.cc : 345 + 0x5]
     r4 = 0x00000001    r5 = 0xbeb1ef08    r6 = 0xbeb1ef18    r7 = 0xbeb1f8b0
     r8 = 0xbeb1ef10    r9 = 0x41b06c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1ef00    pc = 0x40c44317
    Found by: call frame info
16  libxul.so!MessageLoop::DoWork [message_loop.cc : 445 + 0x7]
     r4 = 0xbeb1f8a4    r5 = 0xbeb1ef08    r6 = 0xbeb1ef18    r7 = 0xbeb1f8b0
     r8 = 0xbeb1ef10    r9 = 0x41b06c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1ef08    pc = 0x40c44ef5
    Found by: call frame info
17  libxul.so!mozilla::ipc::DoWorkRunnable::Run [MessagePump.cpp : 42 + 0x7]
     r4 = 0xbeb1f8a4    r5 = 0x00000001    r6 = 0x00000001    r7 = 0x00000001
     r8 = 0xbeb1ef8f    r9 = 0x41b06c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1ef38    pc = 0x40b13da5
    Found by: call frame info
18  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp : 620 + 0x5]
     r4 = 0x41b06be0    r5 = 0x00000000    r6 = 0x00000001    r7 = 0x00000001
     r8 = 0xbeb1ef8f    r9 = 0x41b06c0c   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1ef48    pc = 0x40c2152f
    Found by: call frame info
19  libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 237 + 0xb]
     r4 = 0x00000001    r5 = 0xbeb1f8a4    r6 = 0x41b02350    r7 = 0x00000000
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1ef88    pc = 0x40c01907
    Found by: call frame info
20  libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp : 117 + 0x7]
     r0 = 0x41b06be0    r1 = 0x01000001    r4 = 0x41b02340    r5 = 0xbeb1f8a4
     r6 = 0x41b02350    r7 = 0x00000000    r8 = 0x41b23000    r9 = 0x41b28000
    r10 = 0x00000000    fp = 0x00000000    sp = 0xbeb1ef98    pc = 0x40b13efb
    Found by: call frame info
21  libxul.so!mozilla::ipc::MessagePumpForChildProcess::Run [MessagePump.cpp : 231 + 0x7]
     r4 = 0xbeb1f8a4    r5 = 0x41b02340    r6 = 0xbeb1f8a4    r7 = 0x00000001
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1efc0    pc = 0x40b13f67
    Found by: call frame info
22  libxul.so!MessageLoop::RunInternal [message_loop.cc : 219 + 0x5]
     r4 = 0xbeb1f8a4    r5 = 0x4387d400    r6 = 0x41b06be0    r7 = 0x00000003
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1efd8    pc = 0x40c434a1
    Found by: call frame info
23  libxul.so!MessageLoop::Run [message_loop.cc : 212 + 0x5]
     r4 = 0xbeb1f8a4    r5 = 0x4387d400    r6 = 0x41b06be0    r7 = 0x00000003
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1efe0    pc = 0x40c4354b
    Found by: call frame info
24  libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp : 163 + 0x7]
     r0 = 0x00000002    r1 = 0x414ef900    r2 = 0xbeb1f8a4    r3 = 0xbeb1f040
     r4 = 0x00000000    r5 = 0x4387d400    r6 = 0x41b06be0    r7 = 0x00000003
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1eff8    pc = 0x40a98ca5
    Found by: call frame info
25  libxul.so!XRE_RunAppShell [nsEmbedFunctions.cpp : 646 + 0x5]
     r4 = 0xbeb1f00c    r5 = 0x41b02340    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1f008    pc = 0x4042705d
    Found by: call frame info
26  libxul.so!mozilla::ipc::MessagePumpForChildProcess::Run [MessagePump.cpp : 198 + 0x3]
     r0 = 0x41b02340    r1 = 0x4387d400    r2 = 0x4385f1c0    r4 = 0xbeb1f8a4
     r5 = 0x41b02340    r6 = 0x00000002    r7 = 0x00000003    r8 = 0x41b23000
     r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000    sp = 0xbeb1f020
     pc = 0x40b13f35
    Found by: call frame info
27  libxul.so!MessageLoop::RunInternal [message_loop.cc : 219 + 0x5]
     r4 = 0xbeb1f8a4    r5 = 0x41b1b600    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1f038    pc = 0x40c434a1
    Found by: call frame info
28  libxul.so!MessageLoop::Run [message_loop.cc : 212 + 0x5]
     r4 = 0xbeb1f8a4    r5 = 0x41b1b600    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1f040    pc = 0x40c4354b
    Found by: call frame info
29  libxul.so!XRE_InitChildProcess [nsEmbedFunctions.cpp : 485 + 0xb]
     r0 = 0x00000001    r1 = 0x00000000    r2 = 0xbeb1f8a4    r3 = 0x00000000
     r4 = 0xbeb1f8a4    r5 = 0x41b1b600    r6 = 0x00000002    r7 = 0x00000003
     r8 = 0x41b23000    r9 = 0x41b28000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1f058    pc = 0x40427401
    Found by: call frame info
30  plugin-container!main [MozillaRuntimeMain.cpp : 85 + 0x5]
     r4 = 0xbeb1fa14    r5 = 0x00000005    r6 = 0x00000012    r7 = 0xbeb1f9dc
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1f9d8    pc = 0x00008601
    Found by: call frame info
31  libc.so!__libc_init [libc_init_dynamic.c : 114 + 0x7]
     r0 = 0x00000006    r1 = 0x41b06b80    r2 = 0xbeb1fa30    r4 = 0x00008574
     r5 = 0xbeb1fa14    r6 = 0x00000006    r7 = 0xbeb1fa30    r8 = 0x00000000
     r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000    sp = 0xbeb1f9f8
     pc = 0x400fca77
    Found by: call frame info
32  0xb00045a9
     r4 = 0x00000000    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000000
     r8 = 0x00000000    r9 = 0x00000000   r10 = 0x00000000    fp = 0x00000000
     sp = 0xbeb1fa10    pc = 0xb00045ab
    Found by: call frame info
(leo+.  v1.1 stability regression over CS build)
blocking-b2g: --- → leo+
status-b2g18: --- → affected
Keywords: regression

Updated

5 years ago
Severity: normal → critical
Crash Signature: [@ 0x0 | nsDeque::ForEach]
Keywords: crash
Whiteboard: [b2g-crash]
Keywords: steps-wanted
Whiteboard: [b2g-crash] → [b2g-crash] [cr 506769]
(Assignee)

Comment 4

5 years ago
I am not sure whether the following code is related to the crash, but the code is not correct. It always assumes the image format is PLANAR_YCBCR.

-----------------------------------------------

void* nsBuiltinDecoderReader::VideoQueueMemoryFunctor::operator()(void* anObject) {
  const VideoData* v = static_cast<const VideoData*>(anObject);
  if (!v->mImage) {
    return nullptr;
  }
  NS_ASSERTION(v->mImage->GetFormat() == PLANAR_YCBCR,
               "Wrong format?");
  mozilla::layers::PlanarYCbCrImage* vi = static_cast<mozilla::layers::PlanarYCbCrImage*>(v->mImage.get());

  mResult += vi->GetDataSize();
  return nullptr;
}
(Assignee)

Comment 5

5 years ago
Some image formats are used in Gecko media:
- PLANAR_YCBCR
- GRALLOC_PLANAR_YCBCR // for gonk
- GONK_IO_SURFACE // for gonk
- D3D9_RGB32_TEXTURE // for windows
(Assignee)

Updated

5 years ago
Assignee: nobody → sotaro.ikeda.g
The crash reports referenced here that are in relation to desktop have comments all mentioning something about about:memory.

Do we have any ideas on how memory analysis could play a role in invoking this crash?
(Assignee)

Comment 7

5 years ago
I manually added MemoryInfoDumper::DumpMemoryReportsToFile() and confirmed that the crash happened. The crash is caused by an incorrect static_cast from GonkIOSurfaceImage to PlanarYCbCrImage.
(Assignee)

Comment 8

5 years ago
Created attachment 770381 [details] [diff] [review]
patch - cast to PlanarYCbCrImage only when image format is PLANAR_YCBCR

Fix cast problem. The patch fixes the crash by manual call of MemoryInfoDumper::DumpMemoryReportsToFile().
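
The checked downcast described in comments 7 and 8, as an added example that is not part of the bug thread and not Mozilla's patch. The classes are simplified, hypothetical stand-ins for the Gecko types named above, and the queue contents are constructed sample data.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Simplified stand-ins for the Gecko classes named in the bug (assumptions).
enum class ImageFormat { PLANAR_YCBCR, GRALLOC_PLANAR_YCBCR, GONK_IO_SURFACE };

struct Image {
  virtual ~Image() = default;
  virtual ImageFormat GetFormat() const = 0;
};

struct PlanarYCbCrImage : Image {
  explicit PlanarYCbCrImage(size_t aSize) : mSize(aSize) {}
  ImageFormat GetFormat() const override { return ImageFormat::PLANAR_YCBCR; }
  virtual size_t GetDataSize() const { return mSize; }
  size_t mSize;
};

// Sibling type: shares only the Image base and has no GetDataSize().
struct GonkIOSurfaceImage : Image {
  ImageFormat GetFormat() const override { return ImageFormat::GONK_IO_SURFACE; }
};

struct VideoData { std::shared_ptr<Image> mImage; };

// Memory-reporter style functor. The format tag is tested in every build
// before the downcast; a debug-only assertion would not stop a release build.
struct VideoQueueMemoryFunctor {
  size_t mResult = 0;
  size_t mSkipped = 0;  // frames whose size this reporter cannot measure
  void operator()(const VideoData& v) {
    if (!v.mImage) return;
    if (v.mImage->GetFormat() != ImageFormat::PLANAR_YCBCR) {
      ++mSkipped;  // a static_cast here would be undefined behaviour
      return;
    }
    mResult += static_cast<const PlanarYCbCrImage*>(v.mImage.get())->GetDataSize();
  }
};

// Walk a constructed queue mixing both image kinds plus an empty frame.
VideoQueueMemoryFunctor MeasureSampleQueue() {
  std::vector<VideoData> queue = {
      {std::make_shared<PlanarYCbCrImage>(4096)}, {std::make_shared<GonkIOSurfaceImage>()},
      {nullptr}, {std::make_shared<PlanarYCbCrImage>(1024)}};
  VideoQueueMemoryFunctor f;
  for (const auto& v : queue) f(v);
  return f;
}
```

Only the two PLANAR_YCBCR frames contribute to the total; the GONK_IO_SURFACE frame is counted as skipped instead of being reinterpreted as a type it is not.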
(Assignee)

Comment 9

5 years ago
Diego, can you check if attachment 770381 [details] [diff] [review] fixes the crash?
Flags: needinfo?(dwilson)
(Reporter)

Comment 10

5 years ago
I'm not sure how reproducible it was. I'll check with the testers.
Flags: needinfo?(dwilson)
(Assignee)

Updated

5 years ago
Attachment #770381 - Flags: review?(chris.double)
Seeing the patch here, I'm pulling steps-wanted. If you still want better STR before landing this patch, then feel free to add the keyword back.
Keywords: steps-wanted

Comment 12

5 years ago
Comment on attachment 770381 [details] [diff] [review]
patch - cast to PlanarYCbCrImage only when image format is PLANAR_YCBCR

Looks like Robert last reviewed this area of code. I defer to him.
Attachment #770381 - Flags: review?(chris.double) → review?(roc)
Comment on attachment 770381 [details] [diff] [review]
patch - cast to PlanarYCbCrImage only when image format is PLANAR_YCBCR

Review of attachment 770381 [details] [diff] [review]:
-----------------------------------------------------------------

Yes!
Attachment #770381 - Flags: review?(roc) → review+
(Assignee)

Comment 14

5 years ago
Created attachment 771408 [details] [diff] [review]
patch v2 - cast to PlanarYCbCrImage only when image format is PLANAR_YCBCR

Patch for master. Carry "roc: review+".
Attachment #770381 - Attachment is obsolete: true
Attachment #771408 - Flags: review+
(Assignee)

Comment 15

5 years ago
Created attachment 771409 [details] [diff] [review]
patch v2 for b2g18 - cast to PlanarYCbCrImage only when image format is PLANAR_YCBCR

Patch for b2g18. Carry "roc: review+".
Attachment #771409 - Flags: review+
(Assignee)

Updated

5 years ago
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/3b73653bc50c
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
https://hg.mozilla.org/releases/mozilla-b2g18/rev/b707158f6ed6
status-b2g18: affected → fixed
status-b2g18-v1.0.0: --- → wontfix
status-b2g18-v1.0.1: --- → wontfix
status-b2g-v1.1hd: --- → affected
status-firefox23: --- → wontfix
status-firefox24: --- → wontfix
status-firefox25: --- → fixed
Target Milestone: --- → 1.1 QE4 (15jul)

Updated

5 years ago
Whiteboard: [b2g-crash] [cr 506769] → [b2g-crash] [cr 506769][LeoVB+]
Blocks: 927477