[fugu][monkey test]b2g crash in SnowWhiteKiller::Visit

RESOLVED INCOMPLETE

(Reporter: ying.xu, Unassigned)


(Reporter)

Description

5 years ago
Created attachment 818878
Detail log: mtlog-7710-custom_hudson-xinheyanubt-1310172131.tar.bz2

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17

Steps to reproduce:

Happened during monkey test; unknown operation sequence.


Actual results:

b2g process crashed
Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) [nsCycleCollector.cpp : 2002 + 0x0]
     r4 = 0xbea136fc    r5 = 0x40380050    r6 = 0x40380c64    r7 = 0x40380c64
     r8 = 0x41f3dd84    r9 = 0x40380000   r10 = 0x00000000    fp = 0x40384054
     sp = 0xbea136b8    lr = 0x41718a5b    pc = 0x41718968
    Found by: given as instruction pointer in context
 1  libxul.so!nsCycleCollector::FreeSnowWhite(bool) [nsCycleCollector.cpp : 689 + 0x9]
     r4 = 0xbea136fc    r5 = 0x40380054    r6 = 0x41f3df0a    r7 = 0x40380c64
     r8 = 0x41f3dd84    r9 = 0x40380000   r10 = 0x00000000    fp = 0x40384054
     sp = 0xbea136e0    pc = 0x41718a5b
    Found by: call frame info
 2  libxul.so!nsCycleCollector_doDeferredDeletion() [nsCycleCollector.cpp : 3153 + 0x7]
     r4 = 0x429212d0    r5 = 0x00000000    r6 = 0x2bece49f    r7 = 0x0000009d
     r8 = 0xbea1379f    r9 = 0x403df96c   r10 = 0xbea13938    fp = 0x00000000
     sp = 0xbea13728    pc = 0x41718abd
    Found by: call frame info
 3  libxul.so!AsyncFreeSnowWhite::Run() [XPCJSRuntime.cpp : 231 + 0x3]
     r4 = 0x429212d0    r5 = 0x00000000    r6 = 0x2bece49f    r7 = 0x0000009d
     r8 = 0xbea1379f    r9 = 0x403df96c   r10 = 0xbea13938    fp = 0x00000000
     sp = 0xbea13730    pc = 0x4131cde7
    Found by: call frame info
 4  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 622 + 0x5]
     r4 = 0x403df940    r5 = 0x00000000    r6 = 0x00000000    r7 = 0x00000001
     r8 = 0xbea1379f    r9 = 0x403df96c   r10 = 0xbea13938    fp = 0x00000000
     sp = 0xbea13758    pc = 0x417125c5
    Found by: call frame info
(Reporter)

Comment 1

5 years ago
I found that the class AsyncFreeSnowWhite was added in bug https://bugzilla.mozilla.org/show_bug.cgi?id=845545, and it's an asynchronous event handler.

I'm wondering if there were some race conditions such as FreeSnowWhite twice, to cause this bug?
Crash Signature: SnowWhiteKiller::Visit nsCycleCollector::FreeSnowWhite nsCycleCollector_doDeferredDeletion AsyncFreeSnowWhite::Run
OS: All → Gonk (Firefox OS)
Hardware: All → ARM

Comment 2

5 years ago
Hi Kyle,

Would you mind giving some suggestions on this, since that section was added by you?

Thanks.
Flags: needinfo?(khuey)
Comment 3

All I did was copy and paste that code (from https://hg.mozilla.org/mozilla-central/rev/d18e1e6db0dc#l4.60 to https://hg.mozilla.org/mozilla-central/rev/d18e1e6db0dc#l1.12).

What version of Gecko did this happen in?
Flags: needinfo?(khuey) → needinfo?(ying.xu)
Comment 4

(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #3)
> All I did was copy and paste that code (from
> https://hg.mozilla.org/mozilla-central/rev/d18e1e6db0dc#l4.60 to
> https://hg.mozilla.org/mozilla-central/rev/d18e1e6db0dc#l1.12).
> 
> What version of Gecko did this happen in?

v1.2 branch latest
Comment 5

Ok, it looks like aEntry or aEntry->mRefCnt is null in SnowWhiteKiller::Visit.  smaug?
Flags: needinfo?(ying.xu) → needinfo?(bugs)
Comment 6

(In reply to James Zhang from comment #4)
> v1.2 branch latest
v1.2 Gecko is like ...10 years old ;)

What is v1.2 b2g based on? Gecko 26 or 27 ?
Flags: needinfo?(bugs)

Comment 7

5 years ago
(In reply to Olli Pettay [:smaug] from comment #6)
> (In reply to James Zhang from comment #4)
> > v1.2 branch latest
> v1.2 Gecko is like ...10 years old ;)
> 
> What is v1.2 b2g based on? Gecko 26 or 27 ?
yup it is b2g v1.2, gecko 26
Comment 8

(In reply to Alan Huang [:ahuang] from comment #7)
> (In reply to Olli Pettay [:smaug] from comment #6)
> > (In reply to James Zhang from comment #4)
> > > v1.2 branch latest
> > v1.2 Gecko is like ...10 years old ;)
> > 
> > What is v1.2 b2g based on? Gecko 26 or 27 ?
> yup it is b2g v1.2, gecko 26

Yes, b2g v1.2
Comment 9

aEntry and aEntry->mRefCnt really shouldn't point to anything null.

Do we have any cycle collectable binary components in B2G which aren't in mozilla-central?
Comment 10

We can't reproduce this issue in two weeks.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INCOMPLETE