crash in mozilla::layers::ImageBridgeChild::DestroyThebesBuffer with abort message: "should not be called"
5 years ago
2 years ago

(Reporter: Paul Feher, Unassigned)

25 Branch

Firefox Tracking Flags
(Not tracked)

(Whiteboard: [native-crash], crash signature)
5 years ago
This bug was filed from the Socorro interface and is report bp-0e578190-b168-4b7f-8323-0011e2130808.
Aurora 25.0a2 2013-08-08
LG Slider (Android 2.3.4)


Crash stack:
0 	mozalloc_abort(char const*) 	memory/mozalloc/mozalloc_abort.cpp
1 	NS_DebugBreak 	xpcom/base/nsDebugImpl.cpp
2 	mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*) 	gfx/layers/ipc/ImageBridgeChild.h
3 	nsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) 	editor/libeditor/text/nsTextEditRules.cpp
4 	nsTextEditRules::Init(nsPlaintextEditor*) 	editor/libeditor/text/nsTextEditRules.cpp
5 	nsPlaintextEditor::InitRules() 	editor/libeditor/text/nsPlaintextEditor.cpp
6 	nsPlaintextEditor::EndEditorInit() 	editor/libeditor/text/nsPlaintextEditor.cpp
7 	nsAutoEditInitRulesTrigger::~nsAutoEditInitRulesTrigger() 	editor/libeditor/text/nsTextEditUtils.cpp
8 	nsPlaintextEditor::Init(nsIDOMDocument*, nsIContent*, nsISelectionController*, unsigned int) 	editor/libeditor/text/nsPlaintextEditor.cpp
9 	nsTextEditorState::PrepareEditor(nsAString_internal const*) 	content/html/content/src/nsTextEditorState.cpp
10 	nsTextControlFrame::EnsureEditorInitialized() 	layout/forms/nsTextControlFrame.cpp
11 	nsTextControlFrame::GetEditor(nsIEditor**) 	layout/forms/nsTextControlFrame.cpp
12 	nsTextControlFrame::AttributeChanged(int, nsIAtom*, int) 	layout/forms/nsTextControlFrame.cpp
13 	mozilla::RestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int) 	layout/base/RestyleManager.cpp
14 	PresShell::AttributeChanged(nsIDocument*, mozilla::dom::Element*, int, nsIAtom*, int) 	layout/base/nsPresShell.cpp
15 	nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int) 	content/base/src/nsNodeUtils.cpp
16 	mozilla::dom::Element::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const&, nsAttrValue&, unsigned char, bool, bool, bool) 	content/base/src/Element.cpp
17 	mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) 	content/base/src/Element.cpp
18 	nsGenericHTMLElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) 	content/html/content/src/nsGenericHTMLElement.cpp
19 	mozilla::dom::Element::SetAttr(int, nsIAtom*, nsAString_internal const&, bool) 	obj-firefox/dist/include/mozilla/dom/Element.h
20 	mozilla::dom::Element::SetAttribute(nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) 	content/base/src/Element.cpp
21 	mozilla::dom::ElementBinding::setAttribute 	obj-firefox/dom/bindings/ElementBinding.cpp
22 	mozilla::dom::ElementBinding::genericMethod 	obj-firefox/dom/bindings/ElementBinding.cpp
23 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
24 	Interpret 	js/src/vm/Interpreter.cpp
25 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
26 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
27 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
28 	js::ion::DoCallFallback 	js/src/ion/BaselineIC.cpp
29 		@0x44a088c2
Component: General → Graphics: Layers
Product: Firefox for Android → Core
Version: Firefox 25 → 25 Branch
Wow! funny one, I don't know how we jumped from:

> 3 	nsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) 	editor/libeditor/text/nsTextEditRules.cpp

> 2 	mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*) 	gfx/layers/ipc/ImageBridgeChild.h

Especially since the only call of DestroyThebesBuffer is in ContentClient, which never uses ImageBridge.

It doesn't look like a layers bug, though; if any kind of fancy memory corruption made it jump to the wrong symbol, it's more likely on the call site.
Moving it right along then. Thanks!
Component: Graphics: Layers → Editor

Comment 3

5 years ago
A stack trace may be buggy but not the abort message.
The abort happens at that line, which seems to be a graphics layer bug.
Hardware: All → ARM
Summary: crash in mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*) → crash in mozilla::layers::ImageBridgeChild::DestroyThebesBuffer with abort message: "should not be called"
Whiteboard: [native-crash]
(In reply to Scoobidiver from comment #3)
> A stack trace may be buggy but not the abort message.

In general that is true. But here, we may be in a tricky corner case. The message here is generated by NS_RUNTIMEABORT, which uses the special built-in preprocessor macros __FILE__ and __LINE__. What this looks like is that Identical Code Folding, which we do use (it can be disabled by --disable-icf), is somehow special-casing __FILE__ and __LINE__... I admit that is really strange, as it would mean that __FILE__ and __LINE__ somehow survive in intermediate object files rather than just evaporating at preprocessing time. Maybe that was a compiler optimization to increase the reach of Identical Code Folding? Anyway, the stack trace is fairly unambiguous: the entire stack is in the editor, except for that single frame, which is a one-line function just calling NS_RUNTIMEABORT, hence a prime candidate for Identical Code Folding.
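One way to apply the reasoning in that comment mechanically, as an added triage helper that is not part of this bug or of Mozilla's tooling: it parses a Socorro-style stack in the tab-separated "frame, symbol, source file" layout used above (the sample is a constructed subset of this report's frames, in the same order) and flags any frame whose source component appears nowhere else on the stack while its callers all agree on a different component. The component mapping, the abort-helper list and the three-caller window are assumptions of this example, not anything the crash reporter provides.

```python
"""Flag frames in a Socorro-style crash stack that look out of place.

Heuristic taken from the discussion above: when the callers all belong to
one component (here the editor) and a single frame sits in an unrelated
component that is never reached from there, that frame is a candidate for
symbol misattribution, e.g. Identical Code Folding (ICF) merging two tiny
functions whose machine code is byte-identical.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the tab-separated "frame  symbol  source file"
# layout of the crash report above (a subset of its frames, same order).
SAMPLE_STACK = """\
0 \tmozalloc_abort(char const*) \tmemory/mozalloc/mozalloc_abort.cpp
1 \tNS_DebugBreak \txpcom/base/nsDebugImpl.cpp
2 \tmozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*) \tgfx/layers/ipc/ImageBridgeChild.h
3 \tnsTextEditRules::CreateBogusNodeIfNeeded(nsISelection*) \teditor/libeditor/text/nsTextEditRules.cpp
4 \tnsTextEditRules::Init(nsPlaintextEditor*) \teditor/libeditor/text/nsTextEditRules.cpp
5 \tnsPlaintextEditor::InitRules() \teditor/libeditor/text/nsPlaintextEditor.cpp
6 \tnsPlaintextEditor::EndEditorInit() \teditor/libeditor/text/nsPlaintextEditor.cpp
7 \tnsTextEditorState::PrepareEditor(nsAString_internal const*) \tcontent/html/content/src/nsTextEditorState.cpp
8 \tnsTextControlFrame::EnsureEditorInitialized() \tlayout/forms/nsTextControlFrame.cpp
9 \tmozilla::dom::ElementBinding::setAttribute \tobj-firefox/dom/bindings/ElementBinding.cpp
10 \tjs::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) \tjs/src/jscntxtinlines.h
11 \t\t@0x44a088c2
"""

# Frames belonging to the abort mechanism itself rather than to the code that
# aborted; they say nothing about which component was running (assumed list).
ABORT_HELPERS = {"mozalloc_abort", "NS_DebugBreak", "abort", "raise"}


@dataclass
class Frame:
    index: int
    symbol: str  # "" for an unsymbolized (address-only) frame
    path: str    # "" when the source file is unknown

    @property
    def component(self) -> Optional[str]:
        """Top-level source directory; generated files under obj-firefox/
        are attributed to the directory they mirror (assumed mapping)."""
        if not self.path:
            return None
        parts = self.path.split("/")
        if parts[0] == "obj-firefox" and len(parts) > 1:
            parts = parts[1:]
        return parts[0]

    @property
    def is_abort_helper(self) -> bool:
        return self.symbol.split("(")[0] in ABORT_HELPERS


def parse_stack(text: str) -> List[Frame]:
    """Parse "index<TAB>symbol<TAB>file" lines; an address-only frame
    ("@0x...") yields an empty symbol and path."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        rest = [c for c in cols[1:] if c and not c.startswith("@0x")]
        symbol = rest[0] if rest else ""
        path = rest[1] if len(rest) > 1 else ""
        frames.append(Frame(int(cols[0]), symbol, path))
    return frames


def isolated_frames(frames: List[Frame], callers: int = 3) -> List[Frame]:
    """Frames whose component occurs nowhere else on the stack while the
    next `callers` frames below them (their callers) all share a single,
    different component.  Abort helpers and unsymbolized frames are ignored."""
    usable = [f for f in frames if f.component and not f.is_abort_helper]
    counts = Counter(f.component for f in usable)
    suspects = []
    for i, frame in enumerate(usable):
        below = usable[i + 1:i + 1 + callers]
        if len(below) < callers or counts[frame.component] != 1:
            continue
        caller_components = {g.component for g in below}
        if len(caller_components) == 1 and frame.component not in caller_components:
            suspects.append(frame)
    return suspects


def suspect_indices(text: str) -> List[int]:
    """Frame numbers flagged by isolated_frames() for a raw stack text."""
    return [f.index for f in isolated_frames(parse_stack(text))]


if __name__ == "__main__":
    for f in isolated_frames(parse_stack(SAMPLE_STACK)):
        print(f"frame {f.index}: {f.symbol} ({f.path}) is the only {f.component} "
              "frame and all its callers agree on another component; "
              "check the binary for folded symbols before blaming it")
```

On the sample above only frame 2 (the gfx/layers frame under a run of editor frames) is reported; a frame in the same component as its callers, or one whose component recurs elsewhere on the stack, is left alone. The output is a hint to inspect the binary (for instance by comparing the address of the reported symbol with that of the editor's own abort wrapper), not a verdict.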


2 years ago
Crash Signature: [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*)] → [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::layers::ImageBridgeChild::DestroyThebesBuffer(mozilla::layers::CompositableClient*)] [@ mozalloc_abort | NS_DebugBreak | mozilla::layers::ImageBridgeChild::DestroyThebesBuffer]