Closed Bug 934142 Opened 11 years ago Closed 10 years ago

Assertion: aParams.blobParams().type() == ChildBlobConstructorParams::TMysteryBlobConstructorParams at /Blob.cpp:1081

Categories: Core :: IPC, defect (x86, macOS; Not set, normal)

Tracking: RESOLVED FIXED, mozilla30

People: Reporter: gwagner, Assigned: bent.mozilla

Attachments: 1 file

On unagi with gecko and gaia tip.
1) Open sms app
2) add attachment -> camera -> take and select picture
3) back in sms app -> tap on pic and view it.

We seem to use a dead blob.

Program received signal SIGSEGV, Segmentation fault.
0x41a412fe in mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::MaybeSetInputStream (this=0xa9, aParams=<value optimized out>)
    at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1081
1081	    MOZ_ASSERT(aParams.blobParams().type() ==
(gdb) bt
#0  0x41a412fe in mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::MaybeSetInputStream (this=0xa9, aParams=<value optimized out>)
    at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1081
#1  0x41a45398 in Blob (this=0x4729eb80, aManager=<value optimized out>, aParams=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1155
#2  0x41a45680 in mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0>::Create (aManager=0x45aa3400, aParams=...)
    at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1176
#3  0x41a4590c in mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::SliceHelper::RunInternal (this=0x472aa330, aNotify=false)
    at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:965
#4  0x41a45bd0 in mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::SliceHelper::GetSlice (this=<value optimized out>, aStart=0, 
    aLength=1024, aContentType=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:913
#5  mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0>::CreateSlice (this=<value optimized out>, aStart=0, aLength=1024, aContentType=...)
    at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1040
#6  0x41286ae0 in nsDOMFileBase::Slice (this=0x46bfc980, aStart=0, aEnd=<value optimized out>, aContentType=..., optional_argc=3 '\003', aBlob=0xbefc6ad0)
    at /Users/Gregor/moz/ws0/content/base/src/nsDOMFile.cpp:256
#7  0x41a4573a in mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0>::Create (aManager=0x47e87c00, aParams=...)
    at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1188
#8  0x41a4ba70 in mozilla::dom::ContentParent::AllocPBlobParent (this=0x47e87c00, aParams=...) at /Users/Gregor/moz/ws0/dom/ipc/ContentParent.cpp:2228
#9  0x41ae04d0 in mozilla::dom::PContentParent::OnMessageReceived (this=0x47e87c00, __msg=...)
    at /Users/Gregor/moz/ws0/debunagibuild/ipc/ipdl/PContentParent.cpp:1960
#10 0x41a79af2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage (this=0x47e87c30, aMsg=...) at /Users/Gregor/moz/ws0/ipc/glue/MessageChannel.cpp:971
#11 0x41a7b086 in mozilla::ipc::MessageChannel::DispatchMessage (this=0x47e87c30, aMsg=...) at /Users/Gregor/moz/ws0/ipc/glue/MessageChannel.cpp:889
#12 0x41a7b160 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne (this=<value optimized out>) at /Users/Gregor/moz/ws0/ipc/glue/MessageChannel.cpp:872
#13 0x41a7c2de in DispatchToMethod<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> (this=<value optimized out>)
    at /Users/Gregor/moz/ws0/ipc/chromium/src/base/tuple.h:383
#14 RunnableMethod<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)(), Tuple0>::Run (this=<value optimized out>)
    at /Users/Gregor/moz/ws0/ipc/chromium/src/base/task.h:307
#15 0x41a7c3fe in mozilla::ipc::MessageChannel::RefCountedTask::Run (this=0x469e9d80) at ../../dist/include/mozilla/ipc/MessageChannel.h:440
#16 mozilla::ipc::MessageChannel::DequeueTask::Run (this=0x469e9d80) at ../../dist/include/mozilla/ipc/MessageChannel.h:457
---Type <return> to continue, or q <return> to quit---
#17 0x41ed4eec in MessageLoop::RunTask (this=0x4033d0c0, task=0x469e9d80) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:338
#18 0x41ed545a in MessageLoop::DeferOrRunPendingTask (this=0x469e9d80, pending_task=<value optimized out>)
    at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:346
#19 0x41ed57e0 in MessageLoop::DoWork (this=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:446
#20 0x41a7ddc4 in mozilla::ipc::DoWorkRunnable::Run (this=<value optimized out>) at /Users/Gregor/moz/ws0/ipc/glue/MessagePump.cpp:45
#21 0x41e95230 in nsThread::ProcessNextEvent (this=0x403024e0, mayWait=<value optimized out>, result=0xbefc7767)
    at /Users/Gregor/moz/ws0/xpcom/threads/nsThread.cpp:622
#22 0x41e5ca72 in NS_ProcessNextEvent (thread=0x403024e0, mayWait=true) at /Users/Gregor/moz/ws0/xpcom/glue/nsThreadUtils.cpp:251
#23 0x41a7dfde in mozilla::ipc::MessagePump::Run (this=0x40301d00, aDelegate=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/glue/MessagePump.cpp:124
#24 0x41ed5296 in MessageLoop::RunInternal (this=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:220
#25 0x41ed52da in MessageLoop::RunHandler (this=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:213
#26 MessageLoop::Run (this=0x4033d0c0) at /Users/Gregor/moz/ws0/ipc/chromium/src/base/message_loop.cc:187
#27 0x419ef5fa in nsBaseAppShell::Run (this=0x4451fd00) at /Users/Gregor/moz/ws0/widget/xpwidgets/nsBaseAppShell.cpp:161
#28 0x418dbe22 in nsAppStartup::Run (this=0x4436beb0) at /Users/Gregor/moz/ws0/toolkit/components/startup/nsAppStartup.cpp:268
#29 0x40dbfb0e in XREMain::XRE_mainRun (this=0xbefc79b4) at /Users/Gregor/moz/ws0/toolkit/xre/nsAppRunner.cpp:3976
#30 0x40dc2992 in XREMain::XRE_main (this=0xbefc79b4, argc=<value optimized out>, argv=<value optimized out>, aAppData=0x22250)
    at /Users/Gregor/moz/ws0/toolkit/xre/nsAppRunner.cpp:4044
#31 0x40dc2b04 in XRE_main (argc=1, argv=0xbefc9ba4, aAppData=0x22250, aFlags=<value optimized out>) at /Users/Gregor/moz/ws0/toolkit/xre/nsAppRunner.cpp:4246
#32 0x00009978 in do_main (argc=1, argv=0xbefc9ba4) at /Users/Gregor/moz/ws0/b2g/app/nsBrowserApp.cpp:168
#33 main (argc=1, argv=0xbefc9ba4) at /Users/Gregor/moz/ws0/b2g/app/nsBrowserApp.cpp:261
(gdb) p this
$1 = (struct mozilla::dom::ipc::RemoteBlob<(mozilla::dom::ipc::ActorFlavorEnum)0> * const) 0xa9
(gdb) p *this
Cannot access memory at address 0xa9
(gdb) p aParams
$2 = <value optimized out>
(gdb) l
1076	      OptionalInputStreamParams::TInputStreamParams) {
1077	    mInputStreamParams =
1078	      aParams.optionalInputStreamParams().get_InputStreamParams();
1079	  }
1080	  else {
1081	    MOZ_ASSERT(aParams.blobParams().type() ==
1082	               ChildBlobConstructorParams::TMysteryBlobConstructorParams);
1083	  }
1084	}
1085	
(gdb) up
#1  0x41a45398 in Blob (this=0x4729eb80, aManager=<value optimized out>, aParams=...) at /Users/Gregor/moz/ws0/dom/ipc/Blob.cpp:1155
1155	  remoteBlob->MaybeSetInputStream(aParams);
(gdb) p this
$3 = (mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0> * const) 0x4729eb80
(gdb) p *this
$4 = {<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType> = {<mozilla::dom::PBlobParent> = {<mozilla::ipc::IProtocol> = {<mozilla::ipc::MessageListener> = {<mozilla::ipc::HasResultCodes> = {<No data fields>}, <mozilla::SupportsWeakPtr<mozilla::ipc::MessageListener>> = {<mozilla::SupportsWeakPtrBase<mozilla::ipc::MessageListener, mozilla::detail::WeakReference<mozilla::ipc::MessageListener> >> = {weakRef = {ptr = 0x0}}, <No data fields>}, 
          _vptr.MessageListener = 0x430a0878}, <No data fields>}, <mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>> = {
        _vptr.IProtocolManager = 0x430a0914}, mChannel = 0xa5a5a5a5, mManager = 0xa5a5a5a5, mId = 0, mState = mozilla::dom::PBlob::__Dead, 
      mManagedPBlobStreamParent = warning: can't find linker symbol for virtual table for `nsTArray<mozilla::dom::PBlobStreamParent*>' value
warning:   found `EmptyEnumeratorImpl::GetInstance()::kInstance' instead

{<nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {
            mHdr = 0x43148f44}, <nsTArray_TypedBase<mozilla::dom::PBlobStreamParent*, nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::dom::PBlobStreamParent*, nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}}, mOpenStreamRunnables = warning: can't find linker symbol for virtual table for `nsTArray<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable> >' value
warning:   found `EmptyEnumeratorImpl::GetInstance()::kInstance' instead

{<nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {
          mHdr = 0x43148f44}, <nsTArray_TypedBase<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}}, mBlob = 0x0, mRemoteBlob = 0x0, mOwnsBlob = false, 
  mBlobIsFile = false, mManager = {mRawPtr = 0x45aa3400}}
Still reproducible.
(gdb) up
#1  0xb4af54a4 in mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0>::Blob (this=0xae9c8cc0, aManager=<optimized out>, aParams=...) at ../../../dom/ipc/Blob.cpp:1155
1155	  remoteBlob->MaybeSetInputStream(aParams);
(gdb) p this
$2 = (mozilla::dom::ipc::Blob<(mozilla::dom::ipc::ActorFlavorEnum)0> * const) 0xae9c8cc0
(gdb) p *this
$3 = {<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType> = {
    <mozilla::dom::PBlobParent> = {<mozilla::ipc::IProtocol> = {<mozilla::ipc::MessageListener> = {<mozilla::ipc::HasResultCodes> = {<No data fields>}, <mozilla::SupportsWeakPtr<mozilla::ipc::MessageListener>> = {<mozilla::SupportsWeakPtrBase<mozilla::ipc::MessageListener, mozilla::detail::WeakReference<mozilla::ipc::MessageListener> >> = {weakRef = {ptr = 0x0}}, <No data fields>}, 
          _vptr.MessageListener = 0xb6311e38}, <No data fields>}, <mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>> = {_vptr.IProtocolManager = 0xb6311ed4}, mChannel = 0xa5a5a5a5, 
      mManager = 0xa5a5a5a5, mId = 0, mState = mozilla::dom::PBlob::__Dead, 
      mManagedPBlobStreamParent = {<nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {
            mHdr = 0xb648e6a8}, <nsTArray_TypedBase<mozilla::dom::PBlobStreamParent*, nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<mozilla::dom::PBlobStreamParent*, nsTArray_Impl<mozilla::dom::PBlobStreamParent*, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}}, 
    mOpenStreamRunnables = {<nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator>> = {<nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>> = {
          mHdr = 0xb648e6a8}, <nsTArray_TypedBase<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator> >> = {<nsTArray_SafeElementAtHelper<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArray_Impl<nsRevocableEventPtr<mozilla::dom::ipc::BlobTraits<(mozilla::dom::ipc::ActorFlavorEnum)0>::BaseType::OpenStreamRunnable>, nsTArrayInfallibleAllocator> >> = {<No data fields>}, <No data fields>}, <No data fields>}, <No data fields>}}, mBlob = 0x0, mRemoteBlob = 0x0, 
  mOwnsBlob = false, mBlobIsFile = false, mManager = {mRawPtr = 0xa8452c00}}
blocking-b2g: --- → 1.3?
Not repro in production builds hence minus, per triage
blocking-b2g: 1.3? → -
We have to get this fixed. It prevents me from debugging 1.3 blockers.
blocking-b2g: - → 1.4?
Gregor,

Can't block a release for this? Can you please request 1.4 gaia approval on this?
Flags: needinfo?(anygregor)
(In reply to Preeti Raghunath(:Preeti) from comment #5)
> Gregor,
> 
> Can't block a release for this? Can you please request 1.4 gaia approval on
> this?

Am I missing something here? This needs to get on someone's radar to fix. Why are you talking about gaia approval? I filed this bug in November and we still haven't fixed it. What else do I have to do besides saying this is blocking me from debugging 1.3 blockers to make it important enough to fix?
Flags: needinfo?(anygregor)
I was asking for the gaia approval flag because we wouldn't need to make this a blocker.

I understand this is severe enough to prevent debugging.
I'll get to this Monday.
Attached patch: Patch, v1
Unfortunately this is just a bad assertion.

The idea is that we should always receive InputStreamParams when a blob is constructed in the child->parent direction, and if we don't receive them then we must have a mystery blob. That's still always true.

The difference is in this case we're not actually receiving a new blob from the child; we're slicing a parent blob instead. When we slice we take the same code path as when we receive a blob from the child but we already know all the details about the blob so it's not a mystery.

Slicing is weird :(
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #8384952 - Flags: review?(khuey)
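The three construction paths described in the comment above, modelled as an added example; it is not the patch attached to this bug and not code from Blob.cpp. The names `ParamsType`, `Origin`, `Check`, `ConstructorParams` and `RemoteBlobModel` are hypothetical simplifications, and the scoped check is one possible way to keep the child-facing invariant while exempting slices.

```cpp
// Hypothetical, simplified stand-ins for the types named in the bug;
// none of these definitions come from Blob.cpp.
enum class ParamsType { Known, Mystery };
enum class Origin { ReceivedFromChild, SliceOfParentBlob };
enum class Check { Ok, AssertionWouldFire };

struct ConstructorParams {
  ParamsType type;
  bool hasInputStreamParams;
  int inputStreamParams;  // placeholder payload, meaningful only if present
};

struct RemoteBlobModel {
  bool hasStream = false;
  int stream = 0;

  // Same shape as the listing at lines 1076-1083: keep the stream params
  // when present, otherwise require the mystery type.
  Check SetStreamOriginal(const ConstructorParams& p) {
    if (p.hasInputStreamParams) {
      hasStream = true;
      stream = p.inputStreamParams;
      return Check::Ok;
    }
    return p.type == ParamsType::Mystery ? Check::Ok
                                         : Check::AssertionWouldFire;
  }

  // The same invariant, applied only to the child->parent direction. A slice
  // made in the parent has no stream params and is not a mystery: exempt.
  Check SetStreamScoped(const ConstructorParams& p, Origin origin) {
    if (origin == Origin::SliceOfParentBlob && !p.hasInputStreamParams) {
      return Check::Ok;
    }
    return SetStreamOriginal(p);
  }
};

// Constructed inputs for the three paths described in the thread.
const ConstructorParams kChildBlob{ParamsType::Known, true, 7};
const ConstructorParams kChildMystery{ParamsType::Mystery, false, 0};
const ConstructorParams kParentSlice{ParamsType::Known, false, 0};

int main() {
  RemoteBlobModel blob;
  bool ok = blob.SetStreamOriginal(kParentSlice) == Check::AssertionWouldFire &&
            blob.SetStreamScoped(kParentSlice, Origin::SliceOfParentBlob) == Check::Ok;
  return ok ? 0 : 1;
}
```

The scoped check still flags a non-mystery blob that arrives from the child without stream params, so the invariant for untrusted input is kept rather than dropped.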
https://hg.mozilla.org/mozilla-central/rev/84fc1ef355f8
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
blocking-b2g: 1.4? → ---