Closed Bug 976656 Opened 10 years ago Closed 10 years ago

crash in mozilla::gfx::DrawTargetCairo::CreateSourceSurfaceFromNativeSurface(mozilla::gfx::NativeSurface const&) const

Categories: Core :: Graphics, defect (ARM, Gonk (Firefox OS), defect, Not set, critical)

Tracking: RESOLVED WORKSFORME, blocking-b2g 1.3T+
Tracking Status: b2g-v1.3 --- affected, b2g-v1.3T --- affected

People: Reporter: nhirata, Assigned: schiu

Details: Keywords: crash, reproducible, Whiteboard: [b2g-crash] [priority], 1.3tarakorun2

Attachments: 3 files, 1 obsolete file

This bug was filed from the Socorro interface and is 
report bp-4703a685-bf73-4522-a7c9-358772140224.
=============================================================
Frame 	Module 	Signature 	Source
0 	libc.so 	libc.so@0xe300 	
1 	libxul.so 	mozilla::gfx::DrawTargetCairo::CreateSourceSurfaceFromNativeSurface(mozilla::gfx::NativeSurface const&) const 	/home/geeksphone/FOS/keon/gecko/gfx/2d/DrawTargetCairo.cpp
2 		@0x40178042 	
3 	libxul.so 	js::jit::LIRGenerator::visitStoreSlot(js::jit::MStoreSlot*) 	/home/geeksphone/FOS/keon/gecko/js/src/jit/Lowering.cpp
4 		@0x4342e722 	

More Signatures : 
https://crash-stats.mozilla.com/report/list?product=B2G&signature=mozilla%3A%3Agfx%3A%3ADrawTargetCairo%3A%3ACreateSourceSurfaceFromNativeSurface%28mozilla%3A%3Agfx%3A%3ANativeSurface+const%26%29+const#tab-reports

Note: seems to only affect Geeksphone devices
Flags: needinfo?(gp)
Whiteboard: [b2g-crash]
The Tarako monkey test also hits a lot of similar crashes.

[FFOS minidump: mtlog-now-sp6821a_gonk-131-custom_hudson-shtemp169ubtpc-1402250610/dump_parse (the top 10 stack info)]
0  libc.so + 0xe40c
1  libxul.so!mozilla::gfx::DrawTargetCairo::CreateSourceSurfaceFromNativeSurface(mozilla::gfx::NativeSurface const&) const [DrawTargetCairo.cpp : 1110 + 0x7]
2  0x4015b042
3  libmozglue.so!__wrap_pthread_mutex_lock [Nuwa.cpp : 1075 + 0x5]
blocking-b2g: --- → 1.3T?
Flags: needinfo?(ttsai)
Flags: needinfo?(ttsai) → needinfo?(vliu)
This is a common issue. CJ can you help?
Flags: needinfo?(cku)
Assignee: nobody → schiu
Flags: needinfo?(cku)
Building up the monkey test environment is in progress. Hopefully we can also reproduce these kinds of problems on our side.
Flags: needinfo?(vliu)
I just uploaded a local patch to add logging for DrawTargetCairo::CreateSourceSurfaceFromNativeSurface, and will use it to perform our monkey test.
Keywords: steps-wanted
Component: Vendcom → Graphics
Product: Firefox OS → Core
There really isn't anything to go off of here to use as hints for STR. We need more information before we try doing a STR hunt.
Keywords: steps-wanted
will nominate to 1.3T+ if it happens again.
blocking-b2g: 1.3T? → ---
(In reply to pcheng from comment #8)
> I saw this crash again.
> https://crash-stats.mozilla.com/report/index/fffb844b-2e68-4014-87b5-
> 52fe42140331

Build
-------------------------------------------------------------------
Gaia 14ef4fcdf9199f04f7678755c917dc77f51e13ba
Gecko https://hg.mozilla.org/releases/mozilla-b2g28_v1_3t/rev/b574a7967338
BuildID 20140329004002
Version 28.1
ro.build.version.incremental=70
ro.build.date=Fri Mar 28 06:17:40 CST 2014
I saw this crash again on latest build.
Gaia      c418ec10d1e1d53c6757ad12b2320c204808d251
Gecko     https://hg.mozilla.org/releases/mozilla-b2g28_v1_3t/rev/36b1279ef6df
BuildID   20140402164000
Version   28.1
ro.build.version.incremental=eng.cltbld.20140402.202437
ro.build.date=Wed Apr  2 20:24:44 EDT 2014

Crash report: https://crash-stats.mozilla.com/report/index/044100ec-d463-46f4-9611-c6ae92140403
(In reply to pcheng from comment #10)
> I saw this crash again on latest build.
> Gaia      c418ec10d1e1d53c6757ad12b2320c204808d251
> Gecko    
> https://hg.mozilla.org/releases/mozilla-b2g28_v1_3t/rev/36b1279ef6df
> BuildID   20140402164000
> Version   28.1
> ro.build.version.incremental=eng.cltbld.20140402.202437
> ro.build.date=Wed Apr  2 20:24:44 EDT 2014
> 
> Crash report:
> https://crash-stats.mozilla.com/report/index/044100ec-d463-46f4-9611-
> c6ae92140403

I saw this crash following the steps below:
1. Launch Music
2. Switch to Song list
3. Swipe up and down and select one song to play.
4. Repeat 2~3 for several times, you will see Music crash.

The reproduce rate is about 1/10.
Bug 989937 seems to be a similar crash.
Attached file adb logcat
This crash has a higher reproduce rate in recent builds. Could anyone take a look?

I attached the adb logcat here.
blocking-b2g: --- → 1.3T?
peipei, see spreadtrum bug, there is STR
http://bugzilla.spreadtrum.com/bugzilla/show_bug.cgi?id=296491
Flags: needinfo?(pcheng)
(In reply to James Zhang from comment #14)
> peipei, see spreadtrum bug, there is STR
> http://bugzilla.spreadtrum.com/bugzilla/show_bug.cgi?id=296491

Yes, but it's not consistently reproduced. It could appear when browsing Music and SMS.
Flags: needinfo?(pcheng)
Here is a STR video: https://mozilla.box.com/s/rk1bwvrk8atosv3jtocc

Steps:
1. Prepare a long list of messages in SMS(or a lot of music in Music Song list)
2. Launch SMS
3. Swipe up and down to browse messages
   --> SMS is very easy to crash. Similar behavior happens to Music
(In reply to pcheng from comment #16)
> Here is a STR video: https://mozilla.box.com/s/rk1bwvrk8atosv3jtocc
> 
> Steps:
> 1. Prepare a long list of messages in SMS(or a lot of music in Music Song
> list)
> 2. Launch SMS
> 3. Swipe up and down to browse messages
>    --> SMS is very easy to crash. Similar behavior happens to Music

very easy -> can you comment on the reproduce rate? thanks 
let's not block on tarako with this but we may consider uplifts when there is a fix
Solomon, can you continue to look at this?

Thanks
blocking-b2g: 1.3T? → -
(In reply to Joe Cheng [:jcheng] from comment #17)
> (In reply to pcheng from comment #16)
> > Here is a STR video: https://mozilla.box.com/s/rk1bwvrk8atosv3jtocc
> > 
> > Steps:
> > 1. Prepare a long list of messages in SMS(or a lot of music in Music Song
> > list)
> > 2. Launch SMS
> > 3. Swipe up and down to browse messages
> >    --> SMS is very easy to crash. Similar behavior happens to Music
> 
> very easy -> can you comment on the reproduce rate? thanks 
> let's not block on tarako with this but we may consider uplifts when there
> is a fix
> Solomon, can you continue to look at this?
> 
> Thanks

James, 

I checked the log; the error message that I added in the patch doesn't seem to have been printed. Can you confirm whether the patch that I provided is used in the recent build?

Joe,

I am trying to borrow a Tarako, will start to look into this issue after I get the device.
Flags: needinfo?(james.zhang)
(In reply to Solomon Chiu [:schiu] from comment #18)
> (In reply to Joe Cheng [:jcheng] from comment #17)
> > (In reply to pcheng from comment #16)
> > > Here is a STR video: https://mozilla.box.com/s/rk1bwvrk8atosv3jtocc
> > > 
> > > Steps:
> > > 1. Prepare a long list of messages in SMS(or a lot of music in Music Song
> > > list)
> > > 2. Launch SMS
> > > 3. Swipe up and down to browse messages
> > >    --> SMS is very easy to crash. Similar behavior happens to Music
> > 
> > very easy -> can you comment on the reproduce rate? thanks 
> > let's not block on tarako with this but we may consider uplifts when there
> > is a fix
> > Solomon, can you continue to look at this?
> > 
> > Thanks
> 
> James, 
> 
> I checked the log; the error message that I added in the patch doesn't seem
> to have been printed. Can you confirm whether the patch that I provided is
> used in the recent build?
> 
> Joe,
> 
> I am trying to borrow a Tarako, will start to look into this issue after I
> get the device.

Please see peipei's adb logcat.
Flags: needinfo?(james.zhang)
Whiteboard: [b2g-crash] → [b2g-crash] [MP_Blocker]
It's found many times during our partner's testing.
(In reply to Joe Cheng [:jcheng] from comment #17)
> (In reply to pcheng from comment #16)
> > Here is a STR video: https://mozilla.box.com/s/rk1bwvrk8atosv3jtocc
> > 
> > Steps:
> > 1. Prepare a long list of messages in SMS(or a lot of music in Music Song
> > list)
> > 2. Launch SMS
> > 3. Swipe up and down to browse messages
> >    --> SMS is very easy to crash. Similar behavior happens to Music
> 
> very easy -> can you comment on the reproduce rate? thanks 
> let's not block on tarako with this but we may consider uplifts when there
> is a fix
> Solomon, can you continue to look at this?
> 
> Thanks

When shipping phones, you are required to meet an MTBF metric in order to ship the phone (typically > 100 hours). This is established to ensure that users don't get exposed to critical bugs during basic use of the phone. Apparently this is prominent on Tarako in a far greater fashion than 1.3, as there have been multiple comments indicating that this crash has been hit. The dupe here (bug 991406) actually provides reproducible STR to hit this crash, which now makes this 1) easily actionable to fix 2) proof that this blocks a couple of basic user flows on the phone.

As such, this is an obvious blocker for Tarako, as this is a common crash on that phone in multiple places, has consistent STR to block a couple of basic user flows in the dupe, and will seriously impact us from being able to hit a releasable MTBF.
blocking-b2g: - → 1.3T?
Flags: needinfo?(gp)
Whiteboard: [b2g-crash] [MP_Blocker] → [b2g-crash] [priority]
triage: high occurrence, 1.3T+ partner blocker
blocking-b2g: 1.3T? → 1.3T+
ni? Solomon for update on the bug. thanks
Flags: needinfo?(schiu)
Attached file Music.zip
Here is how to reproduce this crash using the Music app, since it's not easy to create a long list of SMS.

To do this:
1. Download the attached music
2. Put this music on the SD card
3. Launch Music
4. Switch to Song list
5. Switch to the first page of Music again
    --> It's very easy to reproduce this crash. I saw it every time on my device. If you could not reproduce, just repeat 4~5 for several times.
1. I tried Peipei's reproduction steps several times; all seem to have crashed with the same signature as Bug#989989 - [tarako] crash in BufferUnrotate(unsigned char*, int, int, int, int, int), which is different from the crash signature in this bug.
2. I got a script from QA which can make bulk SMS/MMS/contacts on the DUT. I will try to pack the relevant files into a package and provide it to Peipei, to see if she can find ways to trigger the crash of this bug faster.
3. The crash point is located at the 7th byte of machine code from the start address of CreateSourceSurfaceFromNativeSurface(), which is in the code preparing the stack for this function. In other words, the crash occurs before the actual code of this function is executed. I think there should be problems other than the function itself.
Flags: needinfo?(schiu)
It's weird that I followed the same steps but triggered crash call stack for this bug instead of bug 989989.

Here is the crash report: 
https://crash-stats.mozilla.com/report/index/e8897f78-c07b-468e-ba6b-6657d2140407

Is it possible that it has another crash point?
Another way to reproduce:

1. Go to Settings->Screen lock
2. Enable passcode lock and create a new passcode
    --> Crash may happen here
3. If no crash at step 2, then go back to Screen lock
4. Try to disable passcode lock
   --> Crash may happen here

Here is the crash report.

https://crash-stats.mozilla.com/report/index/baf9b4ac-0c07-414c-8b12-8b5bb2140408
(In reply to pcheng from comment #28)
> Another way to reproduce:
> 
> 1. Go to Settings->Screen lock
> 2. Enable passcode lock and create a new passcode
>     --> Crash may happen here
> 3. If no crash at step 2, then go back to Screen lock
> 4. Try to disable passcode lock
>    --> Crash may happen here
> 
> Here is the crash report.
> 
> https://crash-stats.mozilla.com/report/index/baf9b4ac-0c07-414c-8b12-
> 8b5bb2140408

Environment:
----------------------------------------------------
Gaia      9afe8145b5d309bdf2ef196b559e6dfd997faeeb
Gecko     https://hg.mozilla.org/releases/mozilla-b2g28_v1_3t/rev/c2a0ee7b4d58
BuildID   20140407164002
Version   28.1
ro.build.version.incremental=eng.cltbld.20140407.202457
ro.build.date=Mon Apr  7 20:25:04 EDT 2014
Hi Solomon: please see comment 28
Flags: needinfo?(schiu)
Keywords: reproducible
Whiteboard: [b2g-crash] [priority] → [b2g-crash] [priority], 1.3tarakorun2
I tried the above steps many times; most of the tests result in the symptom of Bug#989989 - [tarako] crash in BufferUnrotate(unsigned char*, int, int, int, int, int). Since the clues related to BufferUnrotate are clearer than in this bug, I will look into Bug#989989 first.
Flags: needinfo?(schiu)
(In reply to Solomon Chiu [:schiu] from comment #31)
> I tried the above steps many times; most of the tests result in the symptom
> of Bug#989989 - [tarako] crash in BufferUnrotate(unsigned char*, int, int,
> int, int, int). Since the clues related to BufferUnrotate are clearer
> than in this bug, I will look into Bug#989989 first.

Bug#989989 was set as a duplicate of Bug#970007.
I could very easily reproduce this crash using at least some of the STRs from Peipei and Binquing.   

Gaia      643f3e6676cbb89c62708a9f7cbef2edc795a552
Gecko     https://hg.mozilla.org/releases/mozilla-b2g28_v1_3t/rev/e757fdd55426
BuildID   20140409004001
Version   28.1
ro.build.version.incremental=215
ro.build.date=Mon Mar 31 10:11:50 CST 2014

Not quite a smoketest blocker, but pretty annoying when trying to use any of the above functions.
Note that I've updated to the latest PAC and I'm still seeing this issue.
Attached patch bug_970007.patch
WIP patch from bug#970007
Attachment #8385196 - Attachment is obsolete: true
I am seeing this issue constantly in the latest build.

Repro Steps:
1) Launch Music app.
2) Start playing a song.
3) Tap on 'Artists' or 'Albums' tab and tap on an item from the resulting list.

Result:
Music app crashes.


v1.3T Environmental Variables:
Device: Tarako v1.3T Spreadtrum RIL
BuildID: 20140411004003
Gaia: 27a0e773e01eed74e20709bdcab6894469f42a72
Gecko: 257dd37da601
Version: 28.1
Firmware Version: SP6821a
(In reply to rkuhlman from comment #37)
> I am seeing this issue constantly in the latest build.
> 
> Repro Steps:
> 1) Launch Music app.
> 2) Start playing a song.
> 3) Tap on 'Artists' or 'Albums' tab and tap on an item from the resulting
> list.
> 
> Result:
> Music app crashes.
> 
> 
> v1.3T Environmental Variables:
> Device: Tarako v1.3T Spreadtrum RIL
> BuildID: 20140411004003
> Gaia: 27a0e773e01eed74e20709bdcab6894469f42a72
> Gecko: 257dd37da601
> Version: 28.1
> Firmware Version: SP6821a

Could you please provide the crash report? Because the same step also probably results in bug#970007.
Thanks.
Flags: needinfo?(rkuhlman)
(In reply to rkuhlman from comment #37)
> I am seeing this issue constantly in the latest build.
> 
> Repro Steps:
> 1) Launch Music app.
> 2) Start playing a song.
> 3) Tap on 'Artists' or 'Albums' tab and tap on an item from the resulting
> list.
> 
> Result:
> Music app crashes.
> 
> 
> v1.3T Environmental Variables:
> Device: Tarako v1.3T Spreadtrum RIL
> BuildID: 20140411004003
> Gaia: 27a0e773e01eed74e20709bdcab6894469f42a72
> Gecko: 257dd37da601
> Version: 28.1
> Firmware Version: SP6821a

I can reproduce the issue by your steps. But from the adb log, the crash happens because mediaserver died.

E/OMXNodeInstance(   89): !!! Observer died. Quickly, do something, ... anything...
I/Gecko   (   84): 
I/Gecko   (   84): ###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
I/Gecko   (   84): 
I/Gecko   (   84): ############ ErrorPage.js

Can you confirm the detailed log from your crash report? We need to make sure the issue is the same as the original one.
https://crash-stats.mozilla.com/report/index/ae9a88dd-e723-42bd-a6d8-5149f2140414
^ Here is a link to the crash report that is generated by my repro steps.

If this does not contain the information you seek, please let me know and I will get whatever you need.
Flags: needinfo?(rkuhlman)
Can we land this patch? I think it works well.
Flags: needinfo?(fabrice)
This crash no longer reproduces on today's build. We were unable to get it to repro on four devices following any of the STR provided in this bug, and it was really easy to reproduce earlier, even on yesterday's build.

BuildID: 20140416004007
Gaia: 718a06816327fcb6a18095f677cfff4b86adc292
Gecko: 9ef12c19ddc9
Version: 28.1
base: sp6821
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
ok then... I'm still curious to know what fixed that though.
Flags: needinfo?(fabrice)
(In reply to Fabrice Desré [:fabrice] from comment #43)
> ok then... I'm still curious to know what fixed that though.

Bug 970007 might fix this.
(In reply to Sotaro Ikeda [:sotaro] from comment #44)
> (In reply to Fabrice Desré [:fabrice] from comment #43)
> > ok then... I'm still curious to know what fixed that though.
> 
> Bug 970007 might fix this.

Yes