975472 - [B2G][Camera] crash in mozalloc_abort(char const*) | abort | nsAString_internal::Assign(nsAString_internal const&)

Status: RESOLVED FIXED

(Firefox OS Graveyard :: Gaia::Camera, defect)

Description

[Salem Elkabule]

Attachment: New crash logcat.txt

This bug was filed from the Socorro interface and is 
report bp-d3f6c4e5-7cf4-49e5-b524-44e1a2140221.
=============================================================

Description:
If the device is connected to the computer with USB storage turned on and the user repeatedly opens the camera app and goes home, a crash will occur. 

Prerequisites: Device connected to computer with USB storage turned on and Camera Geolocation permission set to "always ask".

Repro Steps:
1) Updated Buri to Build ID: 20140221040202
2) Open Camera 
3) Press the Home button to exit 
4) Open the Camera again (Repeat steps 2 and 3 until encountering the crash)

Actual:
Firefox OS will crash. 

Expected:
The Firefox OS should not crash. 

Environmental Variables
Device: Buri MOZ RIL Build ID: 20140221040202
Gecko: https://hg.mozilla.org/mozilla-central/rev/7010ab83a06e
Gaia: 35365feace970bfc51276428f40a477c9c86b7bb
Platform Version: 30.0a1
Firmware Version: V1.2-device.cfg


Repro frequency: 100%
See attached: logcat

Comment 1

[Salem Elkabule]

This issue does not reproduce on 1.3

Environmental Variables
Device: buri 1.3 MOZ RIL
Build ID: 20140221004002
Gecko: https://hg.mozilla.org/releases/mozilla-b2g28_v1_3/rev/e5f25becc0e7
Gaia: 8039a5cb7519adfa81677df577f494c6a4de6140
Platform Version: 28.0
Firmware Version: V1.2-device.cfg

The Firefox OS does not crash

Comment 2

[Mike Habicher [:mikeh] (high bugzilla latency)]

With the following build:

Gaia      35365feace970bfc51276428f40a477c9c86b7bb
Gecko     https://hg.mozilla.org/mozilla-central/rev/7010ab83a06e
BuildID   20140221040202
Version   30.0a1
ro.build.version.incremental=eng.cltbld.20140122.035944
ro.build.date=Wed Jan 22 04:22:01 EST 2014

I don't see any crashes. I do, however, see that every second time I switch to the camera, the preview doesn't start. Returning to the Homescreen then back to the Camera starts it properly.

Diego--could this be bad state somewhere in the app?

Comment 3

[Mike Habicher [:mikeh] (high bugzilla latency)]

Update, I am able to easily reproduce this crash with:
- gecko: b2g-inbound:169896:aee74e1d4958
- gaia: fdc8e4beba5c8279f32083bc4e702348ef22f211

Comment 4

[Mike Habicher [:mikeh] (high bugzilla latency)]

Program received signal SIGSEGV, Segmentation fault.
0x417b1b2a in mozalloc_abort (msg=<value optimized out>) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/memory/mozalloc/mozalloc_abort.cpp:30
30	    MOZ_CRASH();
(gdb) bt
#0  0x417b1b2a in mozalloc_abort (msg=<value optimized out>) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/memory/mozalloc/mozalloc_abort.cpp:30
#1  0x417b1b42 in abort () at /home/mikeh/dev/mozilla/m-c/b2g-inbound/memory/mozalloc/mozalloc_abort.cpp:39
#2  0x40dc9758 in mozilla::nsDOMCameraControl::OnError (this=0x443909d0, aContext=mozilla::CameraControlListener::kInUnspecified, aError=...) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/dom/camera/DOMCameraControl.cpp:1216
#3  0x40dc9e6c in RunCallback (this=0x434025c0, aDOMCameraControl=0x443909d0) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/dom/camera/DOMCameraControlListener.cpp:340
#4  0x40dc9b08 in mozilla::DOMCameraControlListener::DOMCallback::Run (this=0x434025c0) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/dom/camera/DOMCameraControlListener.cpp:53
#5  0x406e08ac in nsThread::ProcessNextEvent (this=0x403c5f60, mayWait=true, result=0xbed87f4f) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/xpcom/threads/nsThread.cpp:643
#6  0x406b0414 in NS_ProcessNextEvent (thread=0x46, mayWait=true) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/xpcom/glue/nsThreadUtils.cpp:263
#7  0x40818740 in mozilla::ipc::MessagePump::Run (this=0x40301af0, aDelegate=0xbed8885c) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/glue/MessagePump.cpp:136
#8  0x408187ba in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x40301af0, aDelegate=0xbed8885c) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/glue/MessagePump.cpp:283
#9  0x4080e378 in MessageLoop::RunInternal (this=0x1000001) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/chromium/src/base/message_loop.cc:226
#10 0x4080e3f6 in MessageLoop::RunHandler (this=0xbed8885c) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/chromium/src/base/message_loop.cc:219
#11 MessageLoop::Run (this=0xbed8885c) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/chromium/src/base/message_loop.cc:193
#12 0x40c62d7c in nsBaseAppShell::Run (this=0x4336f760) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/widget/xpwidgets/nsBaseAppShell.cpp:164
#13 0x412832ba in XRE_RunAppShell () at /home/mikeh/dev/mozilla/m-c/b2g-inbound/toolkit/xre/nsEmbedFunctions.cpp:679
#14 0x40818788 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x40301af0, aDelegate=0xbed8885c) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/glue/MessagePump.cpp:253
#15 0x4080e378 in MessageLoop::RunInternal (this=0x4336f760) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/chromium/src/base/message_loop.cc:226
#16 0x4080e3f6 in MessageLoop::RunHandler (this=0xbed8885c) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/chromium/src/base/message_loop.cc:219
#17 MessageLoop::Run (this=0xbed8885c) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/chromium/src/base/message_loop.cc:193
#18 0x41283748 in XRE_InitChildProcess (aArgc=-1093105160, aArgv=0xbed8896c, aProcess=1077210112) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/toolkit/xre/nsEmbedFunctions.cpp:516
#19 0x000087a0 in main (argc=8, argv=0xbed889f4) at /home/mikeh/dev/mozilla/m-c/b2g-inbound/ipc/app/MozillaRuntimeMain.cpp:149

Comment 5

[Mike Habicher [:mikeh] (high bugzilla latency)]

Attachment: Don't crash on async setter errors, v1

Comment 6

[Michael Wu [:mwu]]

Comment on attachment 8379991 [details] [diff] [review]
Don't crash on async setter errors, v1

Fixes my crash. Thanks!

Comment 8

[Mike Habicher [:mikeh] (high bugzilla latency)]

Attachment: Don't crash on async method errors, v2

try-server push: https://tbpl.mozilla.org/?tree=Try&rev=76d6a5847dca&showall=1

Comment 9

[Dave Hylands [:dhylands]]

Comment on attachment 8380124 [details] [diff] [review]
Don't crash on async method errors, v2

Review of attachment 8380124 [details] [diff] [review]:
-----------------------------------------------------------------

Looks reasonable to me.

Comment 10

[Mike Habicher [:mikeh] (high bugzilla latency)]

Attachment: Don't crash on async method errors, v3

This version fixes the assertion when stuffing StartRecordingHelper into nsCOMPtr<nsIDOMEventHandler>.

try-server push: https://tbpl.mozilla.org/?tree=Try&rev=fbf549e196ce&showall=1

Comment 11

[Dave Hylands [:dhylands]]

Comment on attachment 8380352 [details] [diff] [review]
Don't crash on async method errors, v3

Review of attachment 8380352 [details] [diff] [review]:
-----------------------------------------------------------------

r+ - There was just the one-line change from the last review right?

Comment 13

[Mike Habicher [:mikeh] (high bugzilla latency)]

(In reply to Dave Hylands [:dhylands] from comment #11)
> 
> r+ - There was just the one-line change from the last review right?

Thanks, Dave--yes. I completely missed the other r+, or I wouldn't have bothered you with this one.

Comment 14

[Mike Habicher [:mikeh] (high bugzilla latency)]

https://hg.mozilla.org/integration/b2g-inbound/rev/4b6103d24d1e

Comment 15

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/4b6103d24d1e