crash when returning an xhr blob from an inline activity and passing it to the settings API

RESOLVED WORKSFORME

Reporter: djf, Unassigned
Keywords: crash
Version: Trunk
Hardware: ARM
OS: Gonk (Firefox OS)
Firefox Tracking Flags: Not tracked

Description (Reporter)

5 years ago
As part of bug 905586 (which is a must-have feature for 1.2) I've modified the settings app to allow setting ringtones by using a pick activity to invoke a new "Ringtones" app that manages the built-in ringtones.

In app/ringtones/js/pick.js I use XHR to read the user's selected ringtone as a blob, and then pass that blob back to the settings app with activity.postResult().  The settings app then attempts to store the blob in the settings database, and we crash.

In logcat, I see this:

[JavaScript Error: "TypeError: aObject is not an object" {file: "resource://gre/modules/XPCOMUtils.jsm" line: 180}]
E/GeckoConsole( 4022): [JavaScript Error: "TransactionInactiveError: A request was placed against a transaction which is currently not active, or which is finished." {file: "jar:file:///system/b2g/omni.ja!/components/SettingsManager.js" line: 115}]

I tried lots of things to work around this without success:

- setTimeout() to let the XHR complete before calling postResult

- make a copy of the blob with FileReader and then convert the resulting array buffer back into a blob before sending it.

- use XHR.responseType = 'arraybuffer' instead of 'blob'

Finally, I resorted to having the Ringtones app write the ringtone to a temporary file on the sdcard, and send that file instead of the in-memory blob through postResult().  

This fixes the crash, but is not a viable workaround because it means that I had to give the Ringtones app write permission to the sdcard and then I had to give the settings app write permission as well so it could delete the file.  It also means that ringtones won't be settable on devices without sdcards!  But it shows that this has something to do with in-memory blobs vs files.

As part of this same bug, I'm also writing another app that is able to return ringtones to the settings app.  This one, however, stores the ringtones in an indexedDB, so it does not use XHR. I do not see the crash when using this other app. 

Sorry I don't have a reduced test case. You can find the ringtones app and settings app changes in this PR: https://github.com/mozilla-b2g/gaia/pull/11914
For this bug you should be able to ignore all the apps/lc/* stuff in that patch.
(Reporter)

Comment 1

5 years ago
Note that to reproduce the bug, you'll have to remove the call to makePersistentCopy() in apps/ringtones/js/pick.js because that is the workaround described above.

Setting needinfo on Ben because this seems like a blob thing.

And needinfo on Fabrice because the error message from XPCOMUtils.jsm seems like it might be the sort of thing he'd know about.
Blocks: 887071
Flags: needinfo?(fabrice)
Flags: needinfo?(bent.mozilla)
Keywords: crash
OS: Mac OS X → Gonk (Firefox OS)
Hardware: x86 → ARM
Version: 18 Branch → Trunk

Comment 2

David, I'm trying to reproduce your issue without success. Can you give me steps to reproduce? I tried:
- In the settings app, changing the ringer or the alerts tones.
- If I select "System Ringtones", the "Done" button is inactive, only the "back arrow" on the top left works, and the new ringtone is not selected in the settings app.

What did I do wrong?
Flags: needinfo?(fabrice)
(Reporter)

Comment 3

5 years ago
Fabrice,

Thanks for looking at this.

I tried again with the latest nightly build and I can still reproduce this on my Unagi. Since I applied a workaround, you have to unapply it in order to reproduce the bug, of course.

So pull https://github.com/mozilla-b2g/gaia/pull/11914 

And then modify apps/ringtones/js/pick.js so that the code around line 54 looks like this

//      makePersistentCopy(xhr.response, function(copy, filename) {
        activity.postResult({
          name: selectedSoundName,
//          blob: copy,
          blob: xhr.response,
//          deleteMe: filename
        });
//      });

You have to do a make reset-gaia to get the new app and its activity handler registered.

Then, go to the settings app, click on sound, and try to change the alert tone.  It worked for me the first time, but then crashed on the second alert tone change.

When I change the ringtone with System Ringtones the Done button works for me so I'm not sure what was causing that for you.

Setting needinfo again so you see this response
Flags: needinfo?(fabrice)

Comment 4

I got it to crash only once on a keon, with the following stack trace, which l
#0  0x41cc387e in mozalloc_abort (msg=<value optimized out>) at /home/fabrice/dev/birch/memory/mozalloc/mozalloc_abort.cpp:30
#1  0x41631b18 in Abort (aSeverity=<value optimized out>, aStr=0x41d3f321 "actor has been |delete|d", aExpr=<value optimized out>, aFile=<value optimized out>, 
    aLine=378) at /home/fabrice/dev/birch/xpcom/base/nsDebugImpl.cpp:431
#2  NS_DebugBreak (aSeverity=<value optimized out>, aStr=0x41d3f321 "actor has been |delete|d", aExpr=<value optimized out>, aFile=<value optimized out>, aLine=378)
    at /home/fabrice/dev/birch/xpcom/base/nsDebugImpl.cpp:388
#3  0x413fcbae in mozilla::layers::PGrallocBufferParent::Write (this=<value optimized out>, __v=<value optimized out>, __msg=0x457cd500, __nullable=true)
    at /home/fabrice/dev/b2g/B2G/objdir-gecko/ipc/ipdl/PGrallocBufferParent.cpp:378
#4  0x413fcdac in mozilla::layers::PGrallocBufferParent::Send__delete__ (actor=0x475c698c)
    at /home/fabrice/dev/b2g/B2G/objdir-gecko/ipc/ipdl/PGrallocBufferParent.cpp:73
#5  0x41675560 in mozilla::layers::ISurfaceAllocator::PlatformDestroySharedSurface (aSurface=0x473241c0)
    at /home/fabrice/dev/birch/gfx/layers/ipc/ShadowLayerUtilsGralloc.cpp:321
#6  0x4168f4ea in mozilla::layers::ISurfaceAllocator::DestroySharedSurface (this=0x457558a8, aSurface=0x452f7318)
    at /home/fabrice/dev/birch/gfx/layers/ipc/ISurfaceAllocator.cpp:120
#7  0x416a23cc in ~DeprecatedTextureHost (this=0x47324180, __in_chrg=<value optimized out>) at /home/fabrice/dev/birch/gfx/layers/composite/TextureHost.cpp:192
#8  0x416a3d1c in ~GrallocDeprecatedTextureHostOGL (this=0x47324180, __in_chrg=<value optimized out>)
    at /home/fabrice/dev/birch/gfx/layers/opengl/TextureHostOGL.cpp:1192
#9  0x416a3d2c in ~GrallocDeprecatedTextureHostOGL (this=0xa5, __in_chrg=<value optimized out>) at /home/fabrice/dev/birch/gfx/layers/opengl/TextureHostOGL.cpp:1192
#10 0x40d981c4 in mozilla::detail::RefCounted<mozilla::gfx::GradientStops, (mozilla::detail::RefCountAtomicity)1>::Release (this=0x4620abb4, t=0x0)
    at ../../dist/include/mozilla/RefPtr.h:82
#11 mozilla::RefPtr<mozilla::gfx::GradientStops>::unref (this=0x4620abb4, t=0x0) at ../../dist/include/mozilla/RefPtr.h:203
#12 mozilla::RefPtr<mozilla::gfx::GradientStops>::assign (this=0x4620abb4, t=0x0) at ../../dist/include/mozilla/RefPtr.h:189
#13 0x40f2d7aa in mozilla::RefPtr<mozilla::gfx::PathBuilder>::operator= (this=0xa5, t=<value optimized out>) at ../../../dist/include/mozilla/RefPtr.h:164
#14 0x4168e3fe in mozilla::layers::ContentHostDoubleBuffered::DestroyTextures (this=0x4620ab30) at /home/fabrice/dev/birch/gfx/layers/composite/ContentHost.cpp:419
#15 0x4168e420 in ~ContentHostDoubleBuffered (this=0xa5, __in_chrg=<value optimized out>) at /home/fabrice/dev/birch/gfx/layers/composite/ContentHost.cpp:357
#16 0x4168e458 in ~ContentHostDoubleBuffered (this=0xa5, __in_chrg=<value optimized out>) at /home/fabrice/dev/birch/gfx/layers/composite/ContentHost.cpp:359
#17 0x40d53fda in mozilla::detail::RefCounted<imgDecoderObserver, (mozilla::detail::RefCountAtomicity)1>::Release (this=0x4732411c, __in_chrg=<value optimized out>)
    at ../../dist/include/mozilla/RefPtr.h:82
#18 mozilla::RefPtr<imgDecoderObserver>::unref (this=0x4732411c, __in_chrg=<value optimized out>) at ../../dist/include/mozilla/RefPtr.h:203
#19 ~RefPtr (this=0x4732411c, __in_chrg=<value optimized out>) at ../../dist/include/mozilla/RefPtr.h:153
#20 0x41684d2a in ~CompositableParent (this=0x47324100, __in_chrg=<value optimized out>) at /home/fabrice/dev/birch/gfx/layers/composite/CompositableHost.cpp:259
#21 0x41684d40 in ~CompositableParent (this=0xa5, __in_chrg=<value optimized out>) at /home/fabrice/dev/birch/gfx/layers/composite/CompositableHost.cpp:259
#22 0x40ce8ddc in mozilla::net::NeckoParent::DeallocPCookieServiceParent (this=<value optimized out>, cs=0x452f7318)
    at /home/fabrice/dev/birch/netwerk/ipc/NeckoParent.cpp:471
#23 0x4140857e in mozilla::layers::PLayerTransactionParent::DeallocSubtree (this=0x45755880)
    at /home/fabrice/dev/b2g/B2G/objdir-gecko/ipc/ipdl/PLayerTransactionParent.cpp:897
#24 0x413fc478 in mozilla::layers::PCompositorParent::DeallocSubtree (this=0x45ff9a00) at /home/fabrice/dev/b2g/B2G/objdir-gecko/ipc/ipdl/PCompositorParent.cpp:870
#25 0x413fc54c in mozilla::layers::PCompositorParent::OnChannelError (this=0x45ff9a00) at /home/fabrice/dev/b2g/B2G/objdir-gecko/ipc/ipdl/PCompositorParent.cpp:733
#26 0x4138551a in mozilla::ipc::AsyncChannel::NotifyMaybeChannelError (this=0x45ff9a0c) at /home/fabrice/dev/birch/ipc/glue/AsyncChannel.cpp:583
#27 0x413857ca in mozilla::ipc::AsyncChannel::OnNotifyMaybeChannelError (this=0x45ff9a0c) at /home/fabrice/dev/birch/ipc/glue/AsyncChannel.cpp:548
#28 0x40fe89da in DispatchToMethod<WebCore::ReverbConvolver, void (WebCore::ReverbConvolver::*)()> (this=<value optimized out>)
    at /home/fabrice/dev/birch/ipc/chromium/src/base/tuple.h:383
#29 RunnableMethod<WebCore::ReverbConvolver, void (WebCore::ReverbConvolver::*)(), Tuple0>::Run (this=<value optimized out>)
    at /home/fabrice/dev/birch/ipc/chromium/src/base/task.h:307
#30 0x416464d4 in MessageLoop::RunTask (this=0x452f7dec, task=0x0) at /home/fabrice/dev/birch/ipc/chromium/src/base/message_loop.cc:338
#31 0x41647242 in MessageLoop::DeferOrRunPendingTask (this=0x45ff9a0c, pending_task=<value optimized out>)
    at /home/fabrice/dev/birch/ipc/chromium/src/base/message_loop.cc:346
#32 0x41647e00 in MessageLoop::DoWork (this=0x452f7dec) at /home/fabrice/dev/birch/ipc/chromium/src/base/message_loop.cc:446
#33 0x41648090 in base::MessagePumpDefault::Run (this=0x442dc760, delegate=0x452f7dec) at /home/fabrice/dev/birch/ipc/chromium/src/base/message_pump_default.cc:23
#34 0x416464a0 in MessageLoop::RunInternal (this=0x4) at /home/fabrice/dev/birch/ipc/chromium/src/base/message_loop.cc:220
#35 0x41646516 in MessageLoop::RunHandler (this=0x452f7dec) at /home/fabrice/dev/birch/ipc/chromium/src/base/message_loop.cc:213
#36 MessageLoop::Run (this=0x452f7dec) at /home/fabrice/dev/birch/ipc/chromium/src/base/message_loop.cc:187
#37 0x41649056 in base::Thread::ThreadMain (this=0x44169c10) at /home/fabrice/dev/birch/ipc/chromium/src/base/thread.cc:160
#38 0x41649c48 in ThreadFunc (closure=0x1) at /home/fabrice/dev/birch/ipc/chromium/src/base/platform_thread_posix.cc:39
#39 0x400d2114 in __thread_entry (func=0x41649c41 <ThreadFunc>, arg=0x44169c10, tls=<value optimized out>) at bionic/libc/bionic/pthread.c:217
#40 0x400d1c68 in pthread_create (thread_out=<value optimized out>, attr=0xbeb403a0, start_routine=0x41649c41 <ThreadFunc>, arg=0x44169c10)
    at bionic/libc/bionic/pthread.c:357
#41 0x00000000 in ?? ()

David, can you catch your crash in gdb?
Flags: needinfo?(fabrice)
(Reporter)

Comment 5

5 years ago
Fabrice,

I can reproduce the crash in gdb, but I don't get a usable stack trace.  This is on a Unagi with a build of gecko that is somewhat out of date.  Is it normal that gdb tells me "cannot access memory at address 0x0?"

mozbook-2:B2G djf$ adb shell b2g-info
                          |     megabytes    |
           NAME  PID NICE  USS  PSS  RSS VSIZE OOM_ADJ USER    
            b2g 1428    0 48.5 52.3 63.7 171.9       0 root    
          Usage 1479   18 12.0 15.6 26.8  66.9       6 app_1479
     Homescreen 1488    1 16.2 20.0 31.5  74.4       2 app_1488
(Preallocated a 1579   18  8.7 11.8 22.2  62.5       6 root    

System memory info:

            Total 183.8 MB
     Used - cache 100.2 MB
  B2G procs (PSS)  99.6 MB
    Non-B2G procs   0.6 MB
     Free + cache  83.6 MB
             Free  11.0 MB
            Cache  72.6 MB

Low-memory killer parameters:

  notify_trigger -1 KB

  oom_adj min_free
        0  4096 KB
        1  5120 KB
        2  6144 KB
        3  7168 KB
        4  8192 KB
        6 20480 KB
mozbook-2:B2G djf$ 
mozbook-2:B2G djf$ ./run-gdb.sh attach 1428
Attached; pid = 1428
Listening on port 11929
prebuilt/darwin-x86/toolchain/arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-gdb -x /tmp/b2g.gdbinit.djf.24369 out/target/product/otoro/symbols/system/b2g/b2g
GNU gdb (GDB) 7.1-android-gg2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "--host=i686-apple-darwin --target=arm-elf-linux".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
out/target/product/otoro/symbols/system/b2g/b2g: No such file or directory.
Remote debugging from host 127.0.0.1
0x4002d330 in ?? ()
(gdb) c
Continuing.
Cannot access memory at address 0x0

Program received signal SIGSEGV, Segmentation fault.
0x413c259a in ?? ()
(gdb) bt
#0  0x413c259a in ?? ()
#1  0x413c259a in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)
Flags: needinfo?(fabrice)

Comment 6

Indeed your backtrace is unusable, but your build looks a bit broken (look at the 'out/target/product/otoro/symbols/system/b2g/b2g: No such file or directory.' line).

I know it's time consuming, but getting a fresh build with debug symbols would be really helpful.
Flags: needinfo?(fabrice)

Comment 7

Not sure what is actionable in this bug, or if it's still a problem? Please re-ni? me if I can help.
Flags: needinfo?(bent.mozilla)
(Reporter)

Comment 8

5 years ago
The crash doesn't reproduce for me anymore, so closing this bug.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME