Closed Bug 915095 Opened 11 years ago Closed 11 years ago

crash in nsXPCOMCycleCollectionParticipant::Unroot(void*)

Categories

(Core :: Graphics: Layers, defect)

Product:
Core
Component:
Graphics: Layers
Platform:
All
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 912725

People

(Reporter: nhirata, Unassigned)

Details

(Keywords: crash, Whiteboard: b2g-crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-e7d13a87-eceb-49b7-a710-f83842130911.
=============================================================
Frame 	Module 	Signature 	Source
0 	libxul.so 	nsXPCOMCycleCollectionParticipant::Unroot(void*) 	/builds/slave/b2g_m-cen_leo_ntly-00000000000/build/objdir-gecko/xpcom/build/nsCycleCollectionParticipant.cpp
1 	libxul.so 	mozilla::layers::GrallocBufferActor::ActorDestroy(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) 	gfx/layers/ipc/ShadowLayerUtilsGralloc.cpp
2 	libxul.so 	mozilla::docshell::POfflineCacheUpdateParent::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>::ActorDestroyReason) 	/builds/slave/b2g_m-cen_leo_ntly-00000000000/build/objdir-gecko/ipc/ipdl/POfflineCacheUpdateParent.cpp
3 	libxul.so 	mozilla::layers::PGrallocBufferParent::OnMessageReceived(IPC::Message const&) 	/builds/slave/b2g_m-cen_leo_ntly-00000000000/build/objdir-gecko/ipc/ipdl/PGrallocBufferParent.cpp
4 	libxul.so 	mozilla::layers::PCompositorParent::OnMessageReceived(IPC::Message const&) 	/builds/slave/b2g_m-cen_leo_ntly-00000000000/build/objdir-gecko/ipc/ipdl/PCompositorParent.cpp
5 	libxul.so 	mozilla::ipc::AsyncChannel::OnDispatchMessage(IPC::Message const&) 	ipc/glue/AsyncChannel.cpp
6 	libxul.so 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne() 	ipc/glue/RPCChannel.cpp
7 	libxul.so 	RunnableMethod<WebCore::ReverbConvolver, void (WebCore::ReverbConvolver::*)(), Tuple0>::Run() 	ipc/chromium/src/base/tuple.h
8 	libxul.so 	mozilla::ipc::RPCChannel::DequeueTask::Run() 	/builds/slave/b2g_m-cen_leo_ntly-00000000000/build/objdir-gecko/ipc/glue/../../dist/include/mozilla/ipc/RPCChannel.h
9 	libxul.so 	MessageLoop::RunTask(Task*) 	ipc/chromium/src/base/message_loop.cc
10 	libxul.so 	MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) 	ipc/chromium/src/base/message_loop.cc
11 	libxul.so 	MessageLoop::DoWork() 	ipc/chromium/src/base/message_loop.cc
12 	libxul.so 	base::MessagePumpDefault::Run(base::MessagePump::Delegate*) 	ipc/chromium/src/base/message_pump_default.cc
13 	libxul.so 	MessageLoop::RunInternal() 	ipc/chromium/src/base/message_loop.cc
14 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
15 	libxul.so 	base::Thread::ThreadMain() 	ipc/chromium/src/base/thread.cc
16 	libxul.so 	ThreadFunc 	ipc/chromium/src/base/platform_thread_posix.cc
17 	libc.so 	__thread_entry 	bionic/libc/bionic/pthread.c
18 	libc.so 	pthread_create 	bionic/libc/bionic/pthread.c

More Crashes : 
https://crash-stats.mozilla.com/report/list?product=B2G&signature=nsXPCOMCycleCollectionParticipant%3A%3AUnroot%28void*%29

I also crashed w/ https://crash-stats.mozilla.com/report/index/06c08492-9b6b-43db-8ff6-47bcf2130911

STR:
1. launch Usage app
2. go through the FTE with default values
3. select settings
4. toggle on the data use alert
5. toggle off the data use alert right after

Expected: no crash
Actual: crash (see above)
Note: this happens on leo and buri
Component: Gaia::Cost Control → Graphics: Layers
Product: Boot2Gecko → Core
Component: Graphics: Layers → IPC
Component: IPC → Graphics
Component: Graphics → IPC
Whiteboard: b2g-crash
Component: IPC → Graphics: Layers
huh, why does a compositor-side class have cycle collection?
The stack in

 https://crash-stats.mozilla.com/report/index/06c08492-9b6b-43db-8ff6-47bcf2130911

shows the crash in

 http://hg.mozilla.org/mozilla-central/annotate/be1053dc223b/gfx/layers/ipc/ShadowLayerUtilsGralloc.cpp#l274

which is the same crash as in bug 912725 and has nothing to do with cycle collection.

It appears that the symbol

  nsXPCOMCycleCollectionParticipant::Unroot(void*)

is just wrong, an error typically caused by Identical Code Folding (ICF) which can be locally disabled with --disable-icf.

Bug 912725 is fixed so this should not happen again. It landed on Sep. 11, so let me know if you see this crash again in builds from Sep. 12 or newer. Otherwise, please close this bug.
Closing this bug as a duplicate based on comment 3
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.