Closed Bug 937199 Opened 6 years ago Closed 6 years ago

Startup Crash on nexus4 with debug build around BluetoothRilListener.cpp

Categories

(Core :: DOM: Device Interfaces, defect)

x86
macOS
defect
Not set

Tracking

RESOLVED FIXED
mozilla28
Tracking Status
firefox27 --- unaffected
firefox28 --- fixed
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: gwagner, Assigned: ben.tian)

gwagner:ib2g idefix$ hg tip
changeset:   154375:26407a874057
tag:         tip
user:        Ben Tian <btian@mozilla.com>
date:        Mon Nov 11 14:16:28 2013 +0800
summary:     Bug 935573 - [bluedroid] Add Connect/Disconnect api, r=echou

probably related to tip landing?

WARNING: Trying to SendCommand() without a SLC: file ../../../dom/bluetooth/BluetoothHfpManager.cpp, line 1227
WARNING: Trying to SendCommand() without a SLC: file ../../../dom/bluetooth/BluetoothHfpManager.cpp, line 1227
WARNING: Trying to SendCommand() without a SLC: file ../../../dom/bluetooth/BluetoothHfpManager.cpp, line 1227
WARNING: Trying to SendCommand() without a SLC: file ../../../dom/bluetooth/BluetoothHfpManager.cpp, line 1227
WARNING: Trying to SendCommand() without a SLC: file ../../../dom/bluetooth/BluetoothHfpManager.cpp, line 1227
WARNING: Failed to get relSignalStrength in BluetoothHfpManager: file ../../../dom/bluetooth/BluetoothHfpManager.cpp, line 620

Program received signal SIGSEGV, Segmentation fault.
0xb6efefbc in jemalloc_crash () at ../../../memory/mozjemalloc/jemalloc.c:1572
1572		MOZ_CRASH();
(gdb) bt
#0  0xb6efefbc in jemalloc_crash ()
    at ../../../memory/mozjemalloc/jemalloc.c:1572
#1  0xb6efffe4 in arena_dalloc (ptr=<optimized out>, offset=<optimized out>)
    at ../../../memory/mozjemalloc/jemalloc.c:4627
#2  0xb6f0298a in free (ptr=0xafeb09a8)
    at ../../../memory/mozjemalloc/jemalloc.c:6545
#3  0xb4c499c2 in operator delete (ptr=0xafeb09a8)
    at ../../dist/include/mozilla/mozalloc.h:225
#4  Release (this=0xafeb09a8)
    at ../../../dom/bluetooth/BluetoothRilListener.cpp:21
#5  mozilla::dom::bluetooth::IccListener::Release (this=0xafeb09a8)
    at ../../../dom/bluetooth/BluetoothRilListener.cpp:21
#6  0xb521220c in ReleaseSliceNow (aSlice=<optimized out>, aData=0xb1a90750)
    at ../../../xpcom/base/CycleCollectedJSRuntime.cpp:988
#7  0xb5211f90 in mozilla::IncrementalFinalizeRunnable::ReleaseNow (
    this=0xb1a90740, aLimited=<optimized out>)
    at ../../../xpcom/base/CycleCollectedJSRuntime.cpp:1060
#8  0xb52123e4 in mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings (
    this=0xb2405160, aType=mozilla::CycleCollectedJSRuntime::FinalizeNow)
    at ../../../xpcom/base/CycleCollectedJSRuntime.cpp:1110
#9  0xb5212454 in mozilla::CycleCollectedJSRuntime::OnGC (this=0xb2405160, 
    aStatus=JSGC_END) at ../../../xpcom/base/CycleCollectedJSRuntime.cpp:1136
#10 0xb56e5d24 in Collect (rt=0xb240c000, incremental=<optimized out>, 
---Type <return> to continue, or q <return> to quit---
    budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::LAST_DITCH)
    at ../../../js/src/jsgc.cpp:4724
#11 0xb56e5eda in js::GC (rt=<optimized out>, gckind=<optimized out>, 
    reason=<optimized out>) at ../../../js/src/jsgc.cpp:4744
#12 0xb56e5f36 in RunLastDitchGC (cx=0xb6ac5bc0, zone=0xb22e9c00, 
    thingKind=js::gc::FINALIZE_STRING) at ../../../js/src/jsgc.cpp:1508
#13 0xb56e6018 in js::gc::ArenaLists::refillFreeList<(js::AllowGC)1> (
    cx=0xb6ac5bc0, thingKind=js::gc::FINALIZE_STRING)
    at ../../../js/src/jsgc.cpp:1537
#14 0xb575a0c6 in js::gc::NewGCThing<JSString, (js::AllowGC)1> (cx=0xb6ac5bc0, 
    kind=js::gc::FINALIZE_STRING, thingSize=16, heap=<optimized out>)
    at ../../../js/src/jsgcinlines.h:441
#15 0xb575a1fc in js_NewGCString<(js::AllowGC)1> (cx=<optimized out>)
    at ../../../js/src/jsgcinlines.h:470
#16 JSStableString::new_<(js::AllowGC)1> (cx=<optimized out>, 
    chars=0xaff70c20 u"description", length=11)
    at ../../../js/src/vm/String-inl.h:243
#17 0xb57f3f06 in JSStructuredCloneReader::readString (this=0xbecad3b0, 
    nchars=11) at ../../../js/src/vm/StructuredClone.cpp:1108
#18 0xb57f3fc4 in JSStructuredCloneReader::readId (this=0xbecad3b0, 
    idp=0xbecad358) at ../../../js/src/vm/StructuredClone.cpp:1447
#19 0xb57f4fea in JSStructuredCloneReader::read (this=0xbecad3b0, 
    vp=<optimized out>) at ../../../js/src/vm/StructuredClone.cpp:1535
---Type <return> to continue, or q <return> to quit---
#20 0xb57f5290 in js::ReadStructuredClone (cx=<optimized out>, 
    data=<optimized out>, nbytes=<optimized out>, vp=..., cb=0xb6433980, 
    cbClosure=0xbecad770) at ../../../js/src/vm/StructuredClone.cpp:331
#21 0xb57f5424 in JS_ReadStructuredClone (cx=0xb6ac5bc0, buf=0xad581000, 
    nbytes=478176, version=2, vp=..., optionalCallbacks=0xb6433980, 
    closure=0xbecad770) at ../../../js/src/vm/StructuredClone.cpp:1570
#22 0xb4ed29e8 in mozilla::dom::ReadStructuredClone (aCx=<optimized out>, 
    aData=<optimized out>, aDataLength=<optimized out>, 
    aClosure=<optimized out>, aClone=...)
    at ../../../dom/ipc/StructuredCloneUtils.cpp:171
#23 0xb48bc0f6 in ReadStructuredClone (aClone=<optimized out>, aData=..., 
    aCx=<optimized out>)
    at ../../../dist/include/mozilla/dom/StructuredCloneUtils.h:47
#24 nsFrameMessageManager::ReceiveMessage (this=0xb0c20dc0, 
    aTarget=0xb0c20dc0, aMessage=..., aIsSync=<optimized out>, 
    aCloneData=0xbecad768, aCpows=0xbecad774, aPrincipal=0x0, aJSONRetVal=0x0)
    at ../../../../content/base/src/nsFrameMessageManager.cpp:925
#25 0xb48bd498 in nsAsyncMessageToSameProcessChild::Run (this=0xad62d380)
    at ../../../../content/base/src/nsFrameMessageManager.cpp:1539
#26 0xb520cca6 in nsThread::ProcessNextEvent (this=0xb6a02390, 
    mayWait=<optimized out>, result=0xbecad7ff)
    at ../../../xpcom/threads/nsThread.cpp:610
#27 0xb51de8d6 in NS_ProcessNextEvent (thread=0xb6a02390, 
---Type <return> to continue, or q <return> to quit---
    mayWait=<optimized out>) at ../../../xpcom/glue/nsThreadUtils.cpp:251
#28 0xb4ef3ee6 in mozilla::ipc::MessagePump::Run (this=0xb6a01dc0, 
    aDelegate=0xb6a4e1a0) at ../../../ipc/glue/MessagePump.cpp:85
#29 0xb522ed26 in MessageLoop::RunInternal (this=0xb6a4e1a0)
    at ../../../ipc/chromium/src/base/message_loop.cc:220
#30 0xb522ed3e in RunHandler (this=0xb6a4e1a0)
    at ../../../ipc/chromium/src/base/message_loop.cc:213
#31 MessageLoop::Run (this=0xb6a4e1a0)
    at ../../../ipc/chromium/src/base/message_loop.cc:187
#32 0xb4e88c66 in nsBaseAppShell::Run (this=0xb1f39e80)
    at ../../../widget/xpwidgets/nsBaseAppShell.cpp:161
#33 0xb4dbbc48 in nsAppStartup::Run (this=0xb6ad8cd0)
    at ../../../../toolkit/components/startup/nsAppStartup.cpp:267
#34 0xb44cbcb0 in XREMain::XRE_mainRun (this=0xbecad98c)
    at ../../../toolkit/xre/nsAppRunner.cpp:3976
#35 0xb44cbe88 in XREMain::XRE_main (this=0xbecad98c, argc=<optimized out>, 
    argv=<optimized out>, aAppData=<optimized out>)
    at ../../../toolkit/xre/nsAppRunner.cpp:4044
#36 0xb44cbfd8 in XRE_main (argc=1, argv=0xbecafb44, aAppData=0x23948, 
    aFlags=<optimized out>) at ../../../toolkit/xre/nsAppRunner.cpp:4246
#37 0x0000a45c in do_main (argv=0xbecafb44, argc=1)
    at ../../../b2g/app/nsBrowserApp.cpp:168
#38 main (argc=<optimized out>, argv=<optimized out>)
---Type <return> to continue, or q <return> to quit---
    at ../../../b2g/app/nsBrowserApp.cpp:261
(gdb) up
#1  0xb6efffe4 in arena_dalloc (ptr=<optimized out>, offset=<optimized out>)
    at ../../../memory/mozjemalloc/jemalloc.c:4627
4627		RELEASE_ASSERT(arena->magic == ARENA_MAGIC);
(gdb) up
#2  0xb6f0298a in free (ptr=0xafeb09a8)
    at ../../../memory/mozjemalloc/jemalloc.c:6545
6545			arena_dalloc(ptr, offset);
(gdb) up
#3  0xb4c499c2 in operator delete (ptr=0xafeb09a8)
    at ../../dist/include/mozilla/mozalloc.h:225
225	    return moz_free(ptr);
(gdb) up
#4  Release (this=0xafeb09a8)
    at ../../../dom/bluetooth/BluetoothRilListener.cpp:21
21	NS_IMPL_ISUPPORTS1(IccListener, nsIIccListener)
(gdb) p this
$1 = (mozilla::dom::bluetooth::IccListener * const) 0xafeb09a8
(gdb) p *this
$2 = {<nsIIccListener> = {<nsISupports> = {
      _vptr.nsISupports = 0x5a5a5a5a}, <No data fields>}, mRefCnt = {
    static isThreadSafe = false, mValue = 1515870810}, _mOwningThread = {
    mThread = 0x5a5a5a5a}, mOwner = 0x5a5a5a5a}
Group: core-security
Should be fixed by backout of 935573 and 921991.
Will reopen if not.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Assignee: nobody → btian
Blocks: 935573, 921991
Target Milestone: --- → mozilla28
Group: core-security