Closed Bug 922336 Opened 11 years ago Closed 11 years ago

Crash in mozilla::gl::SharedSurface_Gralloc::~SharedSurface_Gralloc

Categories

(Core :: Graphics, defect)

x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 914823

People

(Reporter: gwagner, Unassigned)

Details

(Keywords: crash, regression, reproducible)

Seen on nexus4 --enable-debug build with current b2g-inbound trunk and gaia tip.

hg tip
changeset: 149256:70398298d610
tag: tip
user: Gaia Pushbot <release+gaiajson@mozilla.com>
date: Mon Sep 30 12:10:53 2013 -0700

reproduces 100% with STR:
Open Marketplace, install https://marketplace.firefox.com/app/notesplus
Open App
Long press on home button and close app
-> Child crashes

BT:
Child:
Program received signal SIGSEGV, Segmentation fault.
0xb5bd4bbe in mozilla::gl::SharedSurface_Gralloc::~SharedSurface_Gralloc (this=0xb1d19b80, __in_chrg=<optimized out>) at ../../../gfx/gl/SharedSurfaceGralloc.cpp:135
135 mAllocator->DestroySharedSurface(&desc);
(gdb) bt
#0 0xb5bd4bbe in mozilla::gl::SharedSurface_Gralloc::~SharedSurface_Gralloc (this=0xb1d19b80, __in_chrg=<optimized out>) at ../../../gfx/gl/SharedSurfaceGralloc.cpp:135
#1 0xb5bd4bf0 in mozilla::gl::SharedSurface_Gralloc::~SharedSurface_Gralloc (this=0xb1d19b80, __in_chrg=<optimized out>) at ../../../gfx/gl/SharedSurfaceGralloc.cpp:136
#2 0xb5be4e88 in mozilla::gfx::SurfaceStream::Delete (this=<optimized out>, surf=@0xb1ce8308) at ../../../gfx/gl/SurfaceStream.cpp:85
#3 0xb5be4ecc in mozilla::gfx::SurfaceStream::~SurfaceStream (this=0xb1ce8300, __in_chrg=<optimized out>) at ../../../gfx/gl/SurfaceStream.cpp:144
#4 0xb5be502a in mozilla::gfx::SurfaceStream_SingleBuffer::~SurfaceStream_SingleBuffer (this=0xb1ce8300, __in_chrg=<optimized out>) at ../../../gfx/gl/SurfaceStream.cpp:206
#5 0xb5be503c in mozilla::gfx::SurfaceStream_SingleBuffer::~SurfaceStream_SingleBuffer (this=0xb1ce8300, __in_chrg=<optimized out>) at ../../../gfx/gl/SurfaceStream.cpp:206
#6 0xb5bdf31a in mozilla::gl::GLScreenBuffer::~GLScreenBuffer (this=0xb1d19b00, __in_chrg=<optimized out>) at ../../../gfx/gl/GLScreenBuffer.cpp:69
#7 0xb5bdf348 in mozilla::gl::GLScreenBuffer::~GLScreenBuffer (this=0xb1d19b00, __in_chrg=<optimized out>) at ../../../gfx/gl/GLScreenBuffer.cpp:80
#8 0xb5bd86bc in mozilla::gl::GLContext::DestroyScreenBuffer (this=0xb1dab000) at ../../../gfx/gl/GLContext.cpp:3435
#9 0xb5bddbe2 in mozilla::gl::GLContext::MarkDestroyed (this=0xb1dab000) at ../../../gfx/gl/GLContext.cpp:1797
#10 0xb5bd66c4 in mozilla::gl::GLContextEGL::~GLContextEGL (this=0xb1dab000, __in_chrg=<optimized out>) at ../../../gfx/gl/GLContextProviderEGL.cpp:301
#11 0xb5bd6754 in mozilla::gl::GLContextEGL::~GLContextEGL (this=0xb1dab000, __in_chrg=<optimized out>) at ../../../gfx/gl/GLContextProviderEGL.cpp:317
#12 0xb5bd54c4 in mozilla::detail::GenericRefCounted<(mozilla::detail::RefCountAtomicity)0>::Release (this=<optimized out>) at ../../dist/include/mozilla/GenericRefCounted.h:66
#13 0xb5bb9b1e in mozilla::RefPtr<mozilla::gl::GLContext>::unref (t=<optimized out>) at ../../dist/include/mozilla/RefPtr.h:203
#14 0xb5d90c36 in ~RefPtr (this=0xb1cb2b60, __in_chrg=<optimized out>) at ../../dist/include/mozilla/RefPtr.h:153
#15 mozilla::gfx::DrawTargetSkia::~DrawTargetSkia (this=0xb1cb2b20, __in_chrg=<optimized out>) at ../../../gfx/2d/DrawTargetSkia.cpp:146
#16 0xb5d90c4c in mozilla::gfx::DrawTargetSkia::~DrawTargetSkia (this=0xb1cb2b20, __in_chrg=<optimized out>) at ../../../gfx/2d/DrawTargetSkia.cpp:146
#17 0xb4f78366 in Release (this=<optimized out>) at ../../dist/include/mozilla/RefPtr.h:82
#18 mozilla::RefPtr<mozilla::gfx::DrawTarget>::unref (t=<optimized out>) at ../../dist/include/mozilla/RefPtr.h:203
#19 0xb520afd4 in assign (t=<optimized out>, this=0xb1d10834) at ../../../dist/include/mozilla/RefPtr.h:189
#20 operator= (t=0x0, this=0xb1d10834) at ../../../dist/include/mozilla/RefPtr.h:164
#21 mozilla::dom::CanvasRenderingContext2D::Reset (this=0xb1d10800) at ../../../../content/canvas/src/CanvasRenderingContext2D.cpp:616
#22 0xb5211912 in mozilla::dom::CanvasRenderingContext2D::~CanvasRenderingContext2D (this=0xb1d10800, __in_chrg=<optimized out>) at ../../../../content/canvas/src/CanvasRenderingContext2D.cpp:546
#23 0xb52119c4 in mozilla::dom::CanvasRenderingContext2D::~CanvasRenderingContext2D (this=0xb1d10800, __in_chrg=<optimized out>) at ../../../../content/canvas/src/CanvasRenderingContext2D.cpp:559
#24 0xb5209174 in mozilla::dom::CanvasRenderingContext2D::DeleteCycleCollectable (this=<optimized out>) at ../../../../content/canvas/src/CanvasRenderingContext2D.cpp:463
#25 0xb520b150 in mozilla::dom::CanvasRenderingContext2D::cycleCollection::DeleteCycleCollectable (this=<optimized out>, p=<optimized out>) at ../../../../content/canvas/src/CanvasRenderingContext2D.h:407
#26 0xb5b39406 in SnowWhiteKiller::~SnowWhiteKiller (this=0xbebc3ea4, __in_chrg=<optimized out>) at ../../../xpcom/base/nsCycleCollector.cpp:1988
#27 0xb5b39474 in nsCycleCollector::FreeSnowWhite (this=0xb3f87000, aUntilNoSWInPurpleBuffer=<optimized out>) at ../../../xpcom/base/nsCycleCollector.cpp:2097
#28 0xb5b395d2 in nsCycleCollector::BeginCollection (this=0xb3f87000, aCCType=ShutdownCC, aManualListener=0x0) at ../../../xpcom/base/nsCycleCollector.cpp:2763
#29 0xb5b396a6 in Collect (aManualListener=0x0, aResults=0x0, aWhiteNodes=0xbebc3f8c, aCCType=ShutdownCC, this=0xb3f87000) at ../../../xpcom/base/nsCycleCollector.cpp:2693
#30 nsCycleCollector::Collect (this=0xb3f87000, aCCType=ShutdownCC, aWhiteNodes=0xbebc3f8c, aResults=0x0, aManualListener=0x0) at ../../../xpcom/base/nsCycleCollector.cpp:2680
#31 0xb5b397c8 in nsCycleCollector::ShutdownCollect (this=0xb3f87000) at ../../../xpcom/base/nsCycleCollector.cpp:2673
#32 0xb5b3984a in nsCycleCollector_shutdown () at ../../../xpcom/base/nsCycleCollector.cpp:3169
#33 0xb5b028ec in mozilla::ShutdownXPCOM (servMgr=<optimized out>) at ../../../xpcom/build/nsXPComInit.cpp:751
#34 0xb4daf8d8 in XRE_TermEmbedding () at ../../../toolkit/xre/nsEmbedFunctions.cpp:199
#35 0xb582dac2 in mozilla::ipc::ScopedXREEmbed::Stop (this=0xb3f44a28) at ../../../ipc/glue/ScopedXREEmbed.cpp:110
#36 0xb4db001e in XRE_InitChildProcess (aArgc=5, aArgv=<optimized out>, aProcess=<optimized out>) at ../../../toolkit/xre/nsEmbedFunctions.cpp:555
#37 0x0000876e in main (argc=6, argv=0xbebc89f4) at ../../../ipc/app/MozillaRuntimeMain.cpp:116
(gdb) l
130
131 mGL->MakeCurrent();
132 mGL->fDeleteTextures(1, (GLuint*)&mProdTex);
133
134 SurfaceDescriptor desc(mDesc);
135 mAllocator->DestroySharedSurface(&desc);
136 }
137
138 void
139 SharedSurface_Gralloc::Fence()
(gdb) p mAllocator
$1 = (mozilla::layers::ISurfaceAllocator * const) 0xb2f57260
(gdb) p *mAllocator
$2 = {_vptr.ISurfaceAllocator = 0x5a5a5a5a}
(gdb)
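
Added example (not part of the original report and not Mozilla code): a triage helper that scans a gdb session for printed fields whose whole word is one repeated junk byte, as in the `p *mAllocator` output at the end of the report above. It assumes jemalloc's junk-fill convention (0x5a for freed memory, 0xa5 for allocated but uninitialized memory); the function names and the sample session are constructed for illustration.

```python
import re

# Assumption: jemalloc junk-fill bytes; other allocators use other values.
POISON = {
    0x5A: "freed memory (possible use-after-free)",
    0xA5: "allocated but uninitialized memory",
}

# "(gdb) p EXPR" or "(gdb) print EXPR": remember which expression was printed.
PRINT_CMD = re.compile(r"^\(gdb\)\s+p(?:rint)?\s+(.+)$")
# Struct fields in gdb output, e.g. "_vptr.ISurfaceAllocator = 0x5a5a5a5a".
FIELD = re.compile(r"([A-Za-z_][\w.]*)\s*=\s*(0x[0-9a-fA-F]+)")


def classify(hex_value):
    """Return a label if a full 32- or 64-bit word is one repeated junk byte."""
    digits = hex_value[2:].lower()
    if len(digits) not in (8, 16):
        return None  # partial words are not treated as poison
    if digits != digits[:2] * (len(digits) // 2):
        return None  # bytes differ, so this is an ordinary value
    return POISON.get(int(digits[:2], 16))


def scan_gdb_session(text):
    """Return (expression, field, value, label) for every poisoned field."""
    findings, expr = [], None
    for line in text.splitlines():
        cmd = PRINT_CMD.match(line.strip())
        if cmd:
            expr = cmd.group(1)
            continue
        for field, value in FIELD.findall(line):
            label = classify(value)
            if label:
                findings.append((expr, field, value, label))
    return findings


# Constructed sample mirroring the last two gdb commands in the report.
SAMPLE = """\
(gdb) p mAllocator
$1 = (mozilla::layers::ISurfaceAllocator * const) 0xb2f57260
(gdb) p *mAllocator
$2 = {_vptr.ISurfaceAllocator = 0x5a5a5a5a}
"""

if __name__ == "__main__":
    for expr, field, value, label in scan_gdb_session(SAMPLE):
        print(f"{expr}: {field} = {value} -> {label}")
```
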
blocking-b2g: --- → koi?
This is Nexus 4 only, right? 1.3
blocking-b2g: koi? → 1.3+
(In reply to Milan Sreckovic [:milan] from comment #1)
> This is Nexus 4 only, right? 1.3

I haven't tried on another device.
If it does happen elsewhere, please renominate for koi.
Doesn't reproduce on regular (non-debug) B2G v1.2 hamachi.
(In reply to Benoit Jacob [:bjacob] from comment #4)
> Doesn't reproduce on regular (non-debug) B2G v1.2 hamachi.

Crash stats actually still shows this present on 1.2 - see https://crash-stats.mozilla.com/report/index/5cd82083-76dc-48c2-8773-646f92130930 as an example. Does Gregor's STR reproduce on a 1.2 debug build?
blocking-b2g: 1.3+ → koi?
Blocks: GFXB2G1.2
I'm very sorry. It turns out that my fix for bug 914823 was misguided. I got confused by my own debugging helpers. Let's reopen 914823, and dupe the present one.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
blocking-b2g: koi? → ---