crash in mozilla::layers::ImageBridgeChild::DestroyThebesBuffer with abort message: "should not be called"

Status: NEW (Unassigned)
Product: Core
Component: Editor
Priority: --
Severity: critical
Reported: 5 years ago
Updated: 2 years ago
Reporter: Paul Feher
Keywords: crash
Version: 25 Branch
Hardware: ARM
OS: Android
Firefox Tracking Flags: Not tracked
Whiteboard: [native-crash], crash signature

Description (Reporter)

5 years ago
This bug was filed from the Socorro interface and is report bp-0e578190-b168-4b7f-8323-0011e2130808.
 ============================================================= 
Aurora 25.0a2 2013-08-08
LG Slider (Android 2.3.4)

NO STR

Crash stack:
0 	libmozalloc.so 	mozalloc_abort(char const*) 	memory/mozalloc/mozalloc_abort.cpp
1 	libxul.so 	NS_DebugBreak 	xpcom/base/nsDebugImpl.cpp
2 	libxul.so 	mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*) 	gfx/layers/ipc/ImageBridgeChild.h
3 	libxul.so 	nsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) 	editor/libeditor/text/nsTextEditRules.cpp
4 	libxul.so 	nsTextEditRules::Init(nsPlaintextEditor*) 	editor/libeditor/text/nsTextEditRules.cpp
5 	libxul.so 	nsPlaintextEditor::InitRules() 	editor/libeditor/text/nsPlaintextEditor.cpp
6 	libxul.so 	nsPlaintextEditor::EndEditorInit() 	editor/libeditor/text/nsPlaintextEditor.cpp
7 	libxul.so 	nsAutoEditInitRulesTrigger::~nsAutoEditInitRulesTrigger() 	editor/libeditor/text/nsTextEditUtils.cpp
8 	libxul.so 	nsPlaintextEditor::Init(nsIDOMDocument*, nsIContent*, nsISelectionController*, unsigned int) 	editor/libeditor/text/nsPlaintextEditor.cpp
9 	libxul.so 	nsTextEditorState::PrepareEditor(nsAString_internal const*) 	content/html/content/src/nsTextEditorState.cpp
10 	libxul.so 	nsTextControlFrame::EnsureEditorInitialized() 	layout/forms/nsTextControlFrame.cpp
11 	libxul.so 	nsTextControlFrame::GetEditor(nsIEditor**) 	layout/forms/nsTextControlFrame.cpp
12 	libxul.so 	nsTextControlFrame::AttributeChanged(int, nsIAtom*, int) 	layout/forms/nsTextControlFrame.cpp
13 	libxul.so 	mozilla::RestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int) 	layout/base/RestyleManager.cpp
14 	libxul.so 	PresShell::AttributeChanged(nsIDocument*, mozilla::dom::Element*, int, nsIAtom*, int) 	layout/base/nsPresShell.cpp
15 	libxul.so 	nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int) 	content/base/src/nsNodeUtils.cpp
16 	libxul.so 	mozilla::dom::Element::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const&, nsAttrValue&, unsigned char, bool, bool, bool) 	content/base/src/Element.cpp
17 	libxul.so 	mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) 	content/base/src/Element.cpp
18 	libxul.so 	nsGenericHTMLElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) 	content/html/content/src/nsGenericHTMLElement.cpp
19 	libxul.so 	mozilla::dom::Element::SetAttr(int, nsIAtom*, nsAString_internal const&, bool) 	obj-firefox/dist/include/mozilla/dom/Element.h
20 	libxul.so 	mozilla::dom::Element::SetAttribute(nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) 	content/base/src/Element.cpp
21 	libxul.so 	mozilla::dom::ElementBinding::setAttribute 	obj-firefox/dom/bindings/ElementBinding.cpp
22 	libxul.so 	mozilla::dom::ElementBinding::genericMethod 	obj-firefox/dom/bindings/ElementBinding.cpp
23 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
24 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
25 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
26 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
27 	libxul.so 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
28 	libxul.so 	js::ion::DoCallFallback 	js/src/ion/BaselineIC.cpp
29 		@0x44a088c2
Component: General → Graphics: Layers
Product: Firefox for Android → Core
Version: Firefox 25 → 25 Branch

Wow! funny one, I don't know how we jumped from:

> 3 	libxul.so 	nsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) 
> editor/libeditor/text/nsTextEditRules.cpp

to:

> 2 	libxul.so 
> mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::
> CompositableClient*) 	gfx/layers/ipc/ImageBridgeChild.h

Especially since the only call of DestroyThebesBuffer is in ContentClient, which never uses ImageBridge.

It doesn't look like a layers bug though; if any kind of fancy memory corruption made it jump to the wrong symbol, it's more likely on the call site.

Moving it right along then. Thanks!
Component: Graphics: Layers → Editor

Comment 3

5 years ago
A stack trace may be buggy but not the abort message.
The abort happens at that line, http://mxr.mozilla.org/mozilla-aurora/source/gfx/layers/ipc/ImageBridgeChild.h#318, which seems a graphics layer bug.
Hardware: All → ARM
Summary: crash in mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*) → crash in mozilla::layers::ImageBridgeChild::DestroyThebesBuffer with abort message: "should not be called"
Whiteboard: [native-crash]
(In reply to Scoobidiver from comment #3)
> A stack trace may be buggy but not the abort message.

In general that is true. But here, we may be in a tricky corner case. The message here is generated by NS_RUNTIMEABORT, which uses the special built-in preprocessor macros __FILE__ and __LINE__. What this looks like is that Identical Code Folding, which we do use (it can be disabled with --disable-icf), is somehow special-casing __FILE__ and __LINE__... I admit that that is really strange, as that would mean that __FILE__ and __LINE__ somehow survive in intermediate object files rather than just evaporating at preprocessing time. Maybe that was a compiler optimization to increase the reach of Identical Code Folding? Anyway, the stack trace is fairly unambiguous: the entire stack is in the editor, except for that single frame, which is a one-line function just calling NS_RUNTIMEABORT, hence a prime candidate for Identical Code Folding.
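
The triage argument in comment 4 (every frame is in the editor except the one that called abort, so that one symbol is suspect) can be mechanized. The following is an added example, not code from this bug report or from Mozilla: it parses the tab-separated "frame, module, function, source" lines that Socorro prints, as quoted in the description, and flags the aborting frame when its top-level source directory appears nowhere else in the stack while its immediate callers all come from one other directory. The sample stack is the report's own frames, abbreviated; the function names and the ABORT_HELPERS list are this example's own assumptions.

```python
"""Triage helper for Socorro crash stacks: is the aborting frame where it claims to be?

Added example (not code from the bug report or from Mozilla). It parses the
tab-separated "frame  module  function  source" lines that Socorro prints and
applies the reasoning from comment 4: if the first frame that is not abort
plumbing lives in a source area that occurs nowhere else in the stack while its
callers all sit in another area, that frame's symbol is suspect (identical code
folding or mis-symbolication) and triage should start from the callers instead.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Frames copied from the report above (abbreviated to the first nine plus the
# unsymbolized tail frame); tabs separate the four columns exactly as Socorro does.
SAMPLE_STACK = "\n".join([
    "0\tlibmozalloc.so\tmozalloc_abort(char const*)\tmemory/mozalloc/mozalloc_abort.cpp",
    "1\tlibxul.so\tNS_DebugBreak\txpcom/base/nsDebugImpl.cpp",
    "2\tlibxul.so\tmozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*)\tgfx/layers/ipc/ImageBridgeChild.h",
    "3\tlibxul.so\tnsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*)\teditor/libeditor/text/nsTextEditRules.cpp",
    "4\tlibxul.so\tnsTextEditRules::Init(nsPlaintextEditor*)\teditor/libeditor/text/nsTextEditRules.cpp",
    "5\tlibxul.so\tnsPlaintextEditor::InitRules()\teditor/libeditor/text/nsPlaintextEditor.cpp",
    "6\tlibxul.so\tnsPlaintextEditor::EndEditorInit()\teditor/libeditor/text/nsPlaintextEditor.cpp",
    "7\tlibxul.so\tnsAutoEditInitRulesTrigger::~nsAutoEditInitRulesTrigger()\teditor/libeditor/text/nsTextEditUtils.cpp",
    "8\tlibxul.so\tnsPlaintextEditor::Init(nsIDOMDocument*, nsIContent*, nsISelectionController*, unsigned int)\teditor/libeditor/text/nsPlaintextEditor.cpp",
    "29\t\t@0x44a088c2",
])

# Assumed list of functions that are the abort machinery itself, never the code
# that decided to abort.
ABORT_HELPERS = ("mozalloc_abort", "NS_DebugBreak", "abort", "__libc_android_abort")


@dataclass
class Frame:
    index: int
    module: str
    function: str
    source: Optional[str]

    @property
    def area(self) -> Optional[str]:
        """Top-level source directory (editor, gfx, layout, ...); None if unsymbolized."""
        return self.source.split("/", 1)[0] if self.source else None


def parse_stack(text: str) -> list[Frame]:
    """Parse Socorro's tab-separated frame lines; frames without symbols get source=None."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        cols += [""] * (4 - len(cols))          # unsymbolized frames lack the source column
        idx, module, function, source = cols[:4]
        frames.append(Frame(int(idx), module, function, source or None))
    return frames


def aborting_frame(frames: list[Frame]) -> Optional[Frame]:
    """First frame that is not part of the abort/assert plumbing."""
    for f in frames:
        if not any(f.function.startswith(h) for h in ABORT_HELPERS):
            return f
    return None


def suspect_symbol(frames: list[Frame], window: int = 3) -> Optional[Frame]:
    """Return the aborting frame if its source area is unique in the whole stack and
    the `window` symbolized callers beneath it all share one different area.
    Applied only to the aborting frame, because ordinary stacks cross areas
    legitimately further down (editor -> content -> layout -> js here)."""
    top = aborting_frame(frames)
    if top is None or top.area is None:
        return None
    counts = Counter(f.area for f in frames if f.area)
    if counts[top.area] != 1:
        return None
    below = [f.area for f in frames[frames.index(top) + 1:] if f.area][:window]
    if len(below) == window and len(set(below)) == 1 and below[0] != top.area:
        return top
    return None


if __name__ == "__main__":
    stack = parse_stack(SAMPLE_STACK)
    bad = suspect_symbol(stack)
    if bad:
        print(f"frame {bad.index} ({bad.function}) is under {bad.area}/ but its callers "
              f"are under {stack[stack.index(bad) + 1].area}/; start triage from frame {bad.index + 1}")
```

Run as a script it points at frame 2 and suggests starting from frame 3, which is where this bug ended up (component moved from Graphics: Layers to Editor). The check is deliberately narrow: it only questions the frame that invoked the abort, since an area change between two ordinary callers is normal and would otherwise produce false positives on almost every stack.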

Updated

2 years ago
Crash Signature: [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*)] → [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*)] [@ mozalloc_abort | NS_DebugBreak | mozilla::layers::ImageBridgeChild::DestroyThebesBuffer]