Closed
Bug 934142
Opened 11 years ago
Closed 10 years ago
Assertion: aParams.blobParams().type() == ChildBlobConstructorParams::TMysteryBlobConstructorParams at /Blob.cpp:1081
Categories
(Core :: IPC, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: gwagner, Assigned: bent.mozilla)
Details
Attachments
(1 file)
713 bytes,
patch
|
khuey
:
review+
|
Details | Diff | Splinter Review |
On unagi with gecko and gaia tip. 1) Open sms app 2) add attachment -> camera -> take and select picture 3) back in sms app -> tap on pic and view it. We seem to use a dead blob. Program received signal SIGSEGV, Segmentation fault. 0x41a412fe in mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::MaybeSetInputStream (this=0xa9, aParams=<value optimized out>) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1081 1081 MOZ_ASSERT(aParams.blobParams().type() == (gdb) bt #0 0x41a412fe in mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::MaybeSetInputStream (this=0xa9, aParams=<value optimized out>) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1081 #1 0x41a45398 in Blob (this=0x4729eb80, aManager=<value optimized out>, aParams=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1155 #2 0x41a45680 in mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0>::Create (aManager=0x45aa3400, aParams=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1176 #3 0x41a4590c in mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::SliceHelper::RunInternal (this=0x472aa330, aNotify=false) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:965 #4 0x41a45bd0 in mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::SliceHelper::GetSlice (this=<value optimized out>, aStart=0, aLength=1024, aContentType=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:913 #5 mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::CreateSlice (this=<value optimized out>, aStart=0, aLength=1024, aContentType=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1040 #6 0x41286ae0 in nsDOMFileBase::Slice (this=0x46bfc980, aStart=0, aEnd=<value optimized out>, aContentType=..., optional_argc=3 '\003', aBlob=0xbefc6ad0) at /Users/Gregor/moz/ws0/content/base/src/nsDOMFile.cpp:256 #7 0x41a4573a in mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0>::Create (aManager=0x47e87c00, aParams=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1188 #8 0x41a4ba70 in mozilla::dom::ContentParent::AllocPBlobParent (this=0x47e87c00, aParams=...) at /Users/Gregor/moz/ws0/dom/ipc/ContentParent.cpp:2228 #9 0x41ae04d0 in mozilla::dom::PContentParent::OnMessageReceived (this=0x47e87c00, __msg=...) at /Users/Gregor/moz/ws0/debunagibuild/ipc/ipdl/PContentParent.cpp:1960 #10 0x41a79af2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage (this=0x47e87c30, aMsg=...) at /Users/Gregor/moz/ws0/ipc/glue/MessageChannel.cpp:971 #11 0x41a7b086 in mozilla::ipc::MessageChannel::DispatchMessage (this=0x47e87c30, aMsg=...) at /Users/Gregor/moz/ws0/ipc/glue/MessageChannel.cpp:889 #12 0x41a7b160 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne (this=<value optimized out>) at /Users/Gregor/moz/ws0/ipc/glue/MessageChannel.cpp:872 #13 0x41a7c2de in DispatchToMethod<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> (this=<value optimized out>) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/tuple.h:383 #14 RunnableMethod<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)(), Tuple0>::Run (this=<value optimized out>) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/task.h:307 #15 0x41a7c3fe in mozilla::ipc::MessageChannel::RefCountedTask::Run (this=0x469e9d80) at ../../dist/include/mozilla/ipc/MessageChannel.h:440 #16 mozilla::ipc::MessageChannel::DequeueTask::Run (this=0x469e9d80) at ../../dist/include/mozilla/ipc/MessageChannel.h:457 ---Type <return> to continue, or q <return> to quit--- #17 0x41ed4eec in MessageLoop::RunTask (this=0x4033d0c0, task=0x469e9d80) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:338 #18 0x41ed545a in MessageLoop::DeferOrRunPendingTask (this=0x469e9d80, pending_task=<value optimized out>) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:346 #19 0x41ed57e0 in MessageLoop::DoWork (this=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:446 #20 0x41a7ddc4 in mozilla::ipc::DoWorkRunnable::Run (this=<value optimized out>) at /Users/Gregor/moz/ws0/ipc/glue/MessagePump.cpp:45 #21 0x41e95230 in nsThread::ProcessNextEvent (this=0x403024e0, mayWait=<value optimized out>, result=0xbefc7767) at /Users/Gregor/moz/ws0/xpcom/threads/nsThread.cpp:622 #22 0x41e5ca72 in NS_ProcessNextEvent (thread=0x403024e0, mayWait=true) at /Users/Gregor/moz/ws0/xpcom/glue/nsThreadUtils.cpp:251 #23 0x41a7dfde in mozilla::ipc::MessagePump::Run (this=0x40301d00, aDelegate=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/glue/MessagePump.cpp:124 #24 0x41ed5296 in MessageLoop::RunInternal (this=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:220 #25 0x41ed52da in MessageLoop::RunHandler (this=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:213 #26 MessageLoop::Run (this=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:187 #27 0x419ef5fa in nsBaseAppShell::Run (this=0x4451fd00) at /Users/Gregor/moz/ws0/widget/xpwidgets/nsBaseAppShell.cpp:161 #28 0x418dbe22 in nsAppStartup::Run (this=0x4436beb0) at /Users/Gregor/moz/ws0/toolkit/components/startup/nsAppStartup.cpp:268 #29 0x40dbfb0e in XREMain::XRE_mainRun (this=0xbefc79b4) at /Users/Gregor/moz/ws0/toolkit/xre/nsAppRunner.cpp:3976 #30 0x40dc2992 in XREMain::XRE_main (this=0xbefc79b4, argc=<value optimized out>, argv=<value optimized out>, aAppData=0x22250) at /Users/Gregor/moz/ws0/toolkit/xre/nsAppRunner.cpp:4044 #31 0x40dc2b04 in XRE_main (argc=1, argv=0xbefc9ba4, aAppData=0x22250, aFlags=<value optimized out>) at /Users/Gregor/moz/ws0/toolkit/xre/nsAppRunner.cpp:4246 #32 0x00009978 in do_main (argc=1, argv=0xbefc9ba4) at /Users/Gregor/moz/ws0/b2g/app/nsBrowserApp.cpp:168 #33 main (argc=1, argv=0xbefc9ba4) at /Users/Gregor/moz/ws0/b2g/app/nsBrowserApp.cpp:261 (gdb) p this $1 = (struct mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0> * const) 0xa9 (gdb) p *this Cannot access memory at address 0xa9 (gdb) p aParams $2 = <value optimized out> (gdb) l 1076 OptionalInputStreamParams::TInputStreamParams) { 1077 mInputStreamParams = 1078 aParams.optionalInputStreamParams().get_InputStreamParams(); 1079 } 1080 else { 1081 MOZ_ASSERT(aParams.blobParams().type() == 1082 ChildBlobConstructorParams::TMysteryBlobConstructorParams); 1083 } 1084 } 1085 (gdb) up #1 0x41a45398 in Blob (this=0x4729eb80, aManager=<value optimized out>, aParams=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1155 1155 remoteBlob->MaybeSetInputStream(aParams); (gdb) p this $3 = (mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0> * const) 0x4729eb80 (gdb) p *this $4 = {<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType> = {<mozilla::dom::PBlobParent> = {<mozilla::ipc::IProtocol> = {<mozilla::ipc::MessageListener> = {<mozilla::ipc::HasResultCodes> = {<No data fields>}, <mozilla::SupportsWeakPtr<mozilla::ipc::MessageListener>> = {<mozilla::SupportsWeakPtrBase<mozilla::ipc::MessageListener, mozilla::detail::WeakReference<mozilla::ipc::MessageListener> >> = {weakRef = {ptr = 0x0}}, <No data fields>}, _vptr.MessageListener = 0x430a0878}, <No data fields>}, <mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>> = { _vptr.IProtocolManager = 0x430a0914}, mChannel = 0xa5a5a5a5, mManager = 0xa5a5a5a5, mId = 0, mState = mozilla::dom::PBlob::__Dead, mManagedPBlobStreamParent = warning: can't find linker symbol for virtual table for `nsTArray<mozilla::dom::PBlobStreamParent*>' value warning: found `EmptyEnumeratorImpl::GetInstance()::kInstance' instead {<nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = { mHdr = 0x43148f44}, <nsTArray_TypedBase<mozilla::dom::PBlobStreamParent*, nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::dom::PBlobStreamParent*, nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}}, mOpenStreamRunnables = warning: can't find linker symbol for virtual table for `nsTArray<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable> >' value warning: found `EmptyEnumeratorImpl::GetInstance()::kInstance' instead {<nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = { mHdr = 0x43148f44}, <nsTArray_TypedBase<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}}, mBlob = 0x0, mRemoteBlob = 0x0, mOwnsBlob = false, mBlobIsFile = false, mManager = {mRawPtr = 0x45aa3400}}
Reporter | ||
Comment 1•11 years ago
|
||
Still reproducible.
Reporter | ||
Comment 2•10 years ago
|
||
(gdb) up #1 0xb4af54a4 in mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0>::Blob (this=0xae9c8cc0, aManager=<optimized out>, aParams=...) at ../../../dom/ipc/Blob.cpp:1155 1155 remoteBlob->MaybeSetInputStream(aParams); (gdb) p this $2 = (mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0> * const) 0xae9c8cc0 (gdb) p *this $3 = {<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType> = { <mozilla::dom::PBlobParent> = {<mozilla::ipc::IProtocol> = {<mozilla::ipc::MessageListener> = {<mozilla::ipc::HasResultCodes> = {<No data fields>}, <mozilla::SupportsWeakPtr<mozilla::ipc::MessageListener>> = {<mozilla::SupportsWeakPtrBase<mozilla::ipc::MessageListener, mozilla::detail::WeakReference<mozilla::ipc::MessageListener> >> = {weakRef = {ptr = 0x0}}, <No data fields>}, _vptr.MessageListener = 0xb6311e38}, <No data fields>}, <mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>> = {_vptr.IProtocolManager = 0xb6311ed4}, mChannel = 0xa5a5a5a5, mManager = 0xa5a5a5a5, mId = 0, mState = mozilla::dom::PBlob::__Dead, mManagedPBlobStreamParent = {<nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = { mHdr = 0xb648e6a8}, <nsTArray_TypedBase<mozilla::dom::PBlobStreamParent*, nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::dom::PBlobStreamParent*, nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}}, mOpenStreamRunnables = {<nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = { mHdr = 0xb648e6a8}, <nsTArray_TypedBase<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}}, mBlob = 0x0, mRemoteBlob = 0x0, mOwnsBlob = false, mBlobIsFile = false, mManager = {mRawPtr = 0xa8452c00}}
Reporter | ||
Updated•10 years ago
|
blocking-b2g: --- → 1.3?
Comment 3•10 years ago
|
||
Not repro in production builds hence minus, per triage
blocking-b2g: 1.3? → -
Reporter | ||
Comment 4•10 years ago
|
||
We have to get this fixed. It prevents me from debugging 1.3 blockers.
blocking-b2g: - → 1.4?
Comment 5•10 years ago
|
||
Gregor, Can't block a release for this? Can you please request 1.4 gaia approval on this?
Flags: needinfo?(anygregor)
Reporter | ||
Comment 6•10 years ago
|
||
(In reply to Preeti Raghunath(:Preeti) from comment #5) > Gregor, > > Can't block a release for this? Can you please request 1.4 gaia approval on > this? Am I missing something here? This needs to get on someones radar to fix. Why are you talking about gaia approval? I filed this bug in November and we still haven't fixed it. What else do I have to do besides saying this is blocking me from debugging 1.3 blockers to make it important enough to fix?
Flags: needinfo?(anygregor)
Comment 7•10 years ago
|
||
I was asking for the gaia approval flag because we wouldn't need to make this a blocker. I understand this is severe enough to prevent debugging
Assignee | ||
Comment 8•10 years ago
|
||
I'll get to this monday.
Assignee | ||
Comment 9•10 years ago
|
||
Unfortunately this is just a bad assertion. The idea is that we should always receive InputStreamParams when a blob is constructed in the child->parent direction, and if we don't receive them then we must have a mystery blob. That's still always true. The difference is in this case we're not actually receiving a new blob from the child; we're slicing a parent blob instead. When we slice we take the same code path as when we receive a blob from the child but we already know all the details about the blob so it's not a mystery. Slicing is weird :(
Attachment #8384952 -
Flags: review?(khuey) → review+
Assignee | ||
Comment 10•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/84fc1ef355f8
Comment 11•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/84fc1ef355f8
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Updated•10 years ago
|
blocking-b2g: 1.4? → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•