Closed
Bug 994903
Opened 10 years ago
Closed 10 years ago
Camera app crashes during stability test in mozilla::layers::GrallocImage::~GrallocImage
Categories
(Firefox OS Graveyard :: Gaia::Camera, defect, P1)
Tracking
(blocking-b2g:1.4+, firefox29 wontfix, firefox30 fixed, firefox31 fixed, b2g-v1.4 fixed, b2g-v2.0 fixed)
People
(Reporter: tkundu, Assigned: sotaro)
Details
(Keywords: crash, Whiteboard: [caf-crash 171][caf priority: p1][CR 646525][b2g-crash])
Crash Data
Attachments
(2 files, 3 obsolete files)
STR: 1. Run stability test with Call, SMS, Browser, Camera, Camcorder, Music and video . 2. Receive MT calls, while running automation test cases. 3. After night run, mini dumps are generated in the phone.
Reporter | ||
Updated•10 years ago
|
blocking-b2g: --- → 1.4?
Comment 1•10 years ago
|
||
Sotaro, looks like another graphics buffer lifetime issue. Crash reason: SIGSEGV Crash address: 0x5a5a5a58 Thread 7 (crashed) 0 0x5a5a5a58 r4 = 0xb140a714 r5 = 0xb140a710 r6 = 0xc2c444fa r7 = 0x000014fc r8 = 0xc2c1c4ec r9 = 0x000014fc r10 = 0xb329f670 fp = 0xb1341d40 sp = 0xb3a01930 lr = 0xb5973ecb pc = 0x5a5a5a58 Found by: given as instruction pointer in context 1 libxul.so!mozilla::layers::GrallocImage::~GrallocImage() [RefPtr.h : 274 + 0x5] sp = 0xb3a01940 pc = 0xb59a14d1 Found by: stack scanning 2 libxul.so!mozilla::layers::GrallocImage::~GrallocImage() [GrallocImages.cpp : 74 + 0x3] r4 = 0xb1341ea0 r5 = 0x00000000 r6 = 0xc2c444fa sp = 0xb3a01988 pc = 0xb59a1501 Found by: call frame info 3 libxul.so!CSF::CC_Call::Release() + 0x17 r4 = 0xb1341ea0 r5 = 0x00000000 r6 = 0xc2c444fa sp = 0xb3a01990 pc = 0xb59002e9 Found by: call frame info 4 libxul.so!mozilla::VideoFrameContainer::SetCurrentFrame(nsIntSize const&, mozilla::layers::Image*, mozilla::TimeStamp) [nsAutoPtr.h : 900 + 0x5] r4 = 0xb1341ea0 r5 = 0x00000000 r6 = 0xc2c444fa sp = 0xb3a019a0 pc = 0xb5e8d7e3 Found by: call frame info 5 libxul.so!mozilla::CameraPreviewMediaStream::SetCurrentFrame(nsIntSize const&, mozilla::layers::Image*) [CameraPreviewMediaStream.cpp : 113 + 0xb] r4 = 0xc4bff438 r5 = 0x000014fc r6 = 0xb471e3d0 r7 = 0x00000000 r8 = 0xb32bfbc0 r9 = 0xb1341d40 r10 = 0xb3a01a30 fp = 0xb5d510ad sp = 0xb3a019e0 pc = 0xb5d51287 Found by: call frame info 6 libxul.so!mozilla::DOMCameraControlListener::OnNewPreviewFrame(mozilla::layers::Image*, unsigned int, unsigned int) [DOMCameraControlListener.cpp : 246 + 0x9] r4 = 0xb1341d40 r5 = 0x00000000 r6 = 0xb471e3d0 r7 = 0xb1341d40 r8 = 0x00000160 r9 = 0x00000120 r10 = 0x00000230 fp = 0xb3298258 sp = 0xb3a01a30 pc = 0xb5d53e4d Found by: call frame info 7 libxul.so!mozilla::CameraControlImpl::OnNewPreviewFrame(mozilla::layers::Image*, unsigned int, unsigned int) [CameraControlImpl.cpp : 224 + 0x9] r4 = 0x00000001 r5 = 0x00000000 r6 = 0xb471e3d0 r7 = 0xb1341d40 r8 = 0x00000160 r9 = 0x00000120 r10 = 0x00000230 fp = 0xb3298258 sp = 0xb3a01a40 pc = 0xb5d50a89 Found by: call frame info 8 libxul.so!mozilla::nsGonkCameraControl::OnNewPreviewFrame(mozilla::layers::GraphicBufferLocked*) [GonkCameraControl.cpp : 1381 + 0xb] r4 = 0xb1341d40 r5 = 0xb471e3d0 r6 = 0xb14fe5e0 r7 = 0xb3a01b48 r8 = 0x00000001 r9 = 0xb3298a70 r10 = 0x00000230 fp = 0xb3298258 sp = 0xb3a01a68 pc = 0xb5d55c23 Found by: call frame info 9 libxul.so!android::GonkCameraHardware::OnNewFrame() [GonkCameraHwMgr.cpp : 56 + 0x5] r4 = 0xb3a01a88 r5 = 0xb2ae5d40 r6 = 0xb3298a50 r7 = 0xb3a01b48 r8 = 0x00000001 r9 = 0xb3298a70 r10 = 0x00000230 fp = 0xb3298258 sp = 0xb3a01a88 pc = 0xb5d56d17 Found by: call frame info 10 libxul.so!android::GonkNativeWindow::onFrameAvailable() [GonkNativeWindowKK.cpp : 173 + 0x5] r4 = 0xb2add000 r5 = 0x00000007 r6 = 0xb3298a50 r7 = 0xb3a01b48 r8 = 0x00000001 r9 = 0xb3298a70 r10 = 0x00000230 fp = 0xb3298258 sp = 0xb3a01aa0 pc = 0xb5c047ed Found by: call frame info 11 libxul.so!android::GonkBufferQueue::ProxyConsumerListener::onFrameAvailable() [GonkBufferQueueKK.cpp : 1276 + 0x5] r4 = 0xb2c72e60 r5 = 0x00000007 r6 = 0xb3298a50 r7 = 0xb3a01b48 r8 = 0x00000001 r9 = 0xb3298a70 r10 = 0x00000230 fp = 0xb3298258 sp = 0xb3a01aa8 pc = 0xb5c0263d Found by: call frame info 12 libxul.so!android::GonkBufferQueue::queueBuffer(int, android::IGraphicBufferProducer::QueueBufferInput const&, android::IGraphicBufferProducer::QueueBufferOutput*) [GonkBufferQueueKK.cpp : 638 + 0x5] r4 = 0xb2c72e60 r5 = 0x00000007 r6 = 0xb3298a50 r7 = 0xb3a01b48 r8 = 0x00000001 r9 = 0xb3298a70 r10 = 0x00000230 fp = 0xb3298258 sp = 0xb3a01ab8 pc = 0xb5c0291f Found by: call frame info 13 libgui.so!android::BnGraphicBufferProducer::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int) [IGraphicBufferProducer.cpp : 246 + 0x3] r4 = 0xb5c02649 r5 = 0xb3a01cd4 r6 = 0xb3298000 r7 = 0xb3a01c10 r8 = 0x00000000 r9 = 0x00000007 r10 = 0xbee22c74 fp = 0xb6ec82ec sp = 0xb3a01bf0 pc = 0xb503a73b Found by: call frame info
Flags: needinfo?(sotaro.ikeda.g)
Assignee | ||
Comment 2•10 years ago
|
||
Hmm, GrallocImage is also thread safe referenced...
Flags: needinfo?(sotaro.ikeda.g)
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → sotaro.ikeda.g
Assignee | ||
Comment 3•10 years ago
|
||
Tapas, like Bug 985681, can you test again by applying Bug 988713 fix?
Flags: needinfo?(tkundu)
Updated•10 years ago
|
blocking-b2g: 1.4? → 1.4+
Assignee | ||
Comment 4•10 years ago
|
||
pc is causing the crash. It seems that during GrallocImage::~GrallocImage(), jump to incorrect pc address. -------------------------------- 0 0x5a5a5a58 r4 = 0xb140a714 r5 = 0xb140a710 r6 = 0xc2c444fa r7 = 0x000014fc r8 = 0xc2c1c4ec r9 = 0x000014fc r10 = 0xb329f670 fp = 0xb1341d40 sp = 0xb3a01930 lr = 0xb5973ecb pc = 0x5a5a5a58 Found by: given as instruction pointer in context 1 libxul.so!mozilla::layers::GrallocImage::~GrallocImage() [RefPtr.h : 274 + 0x5] sp = 0xb3a01940 pc = 0xb59a14d1 Found by: stack scanning
Assignee | ||
Comment 5•10 years ago
|
||
There seems a possibility that this bug is dup of Bug 985681. Bug 985681's crash calls stack also have GrallocImage::~GrallocImage().
Assignee | ||
Updated•10 years ago
|
Flags: needinfo?(tkundu)
Assignee | ||
Comment 6•10 years ago
|
||
(In reply to Sotaro Ikeda [:sotaro] from comment #3) > Tapas, like Bug 985681, can you test again by applying Bug 988713 fix? Sorry, I cancel the request. We found one problem on gecko source. :jrmuizel found it.
Assignee | ||
Comment 7•10 years ago
|
||
AtomicRefCountedWithFinalize::Release() has race condition problem. http://mxr.mozilla.org/mozilla-central/source/gfx/layers/AtomicRefCountedWithFinalize.h#31
Assignee | ||
Comment 8•10 years ago
|
||
So, this bug seems a different problem than Bug 985681.
Assignee | ||
Comment 9•10 years ago
|
||
If two threads are almost concurrently call Release(), the following part could be called after the object deletion. It could happen depends on thread scheduling.
> } else if (1 == currCount && mRecycleCallback) {
Assignee | ||
Comment 10•10 years ago
|
||
Only fix seems that changing AtomicRefCountedWithFinalize as recycling happen on count become 0. On current implementation recycling happens when count becomes 1. It is implemented like it just because of simplicity.
Assignee | ||
Comment 11•10 years ago
|
||
0x5a5a5a58 says that the code is trying to access already deleted(initialized) data.
Assignee | ||
Comment 12•10 years ago
|
||
This change request the followings to recycler. - Recycler needs to hold RefPtr<> during waiting recycling callback. - Recycler needs to call ClearRecycleCallback() before release object.
Assignee | ||
Comment 14•10 years ago
|
||
This seems simpler than previous one.
Attachment #8405022 -
Attachment is obsolete: true
Assignee | ||
Comment 15•10 years ago
|
||
Comment on attachment 8405025 [details] [diff] [review] patch v3 - Copy mRecycleCallback on top of Release() Jeff, can you review the patch?
Attachment #8405025 -
Flags: review?(jmuizelaar)
Comment 16•10 years ago
|
||
Comment on attachment 8405025 [details] [diff] [review] patch v3 - Copy mRecycleCallback on top of Release() Review of attachment 8405025 [details] [diff] [review]: ----------------------------------------------------------------- This seems like a reasonable short term solution. I'd suggest adding a comment that we read mRecycleCallback early so that it does not get set to deleted memory, if the object is goes away.
Attachment #8405025 -
Flags: review?(jmuizelaar) → review+
Assignee | ||
Comment 17•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=6cf1a80ca81f
Assignee | ||
Comment 18•10 years ago
|
||
Update a comment. Carry "r=jrmuizel".
Attachment #8405025 -
Attachment is obsolete: true
Attachment #8405405 -
Flags: review+
Assignee | ||
Comment 19•10 years ago
|
||
https://hg.mozilla.org/integration/b2g-inbound/rev/9778da56668b
Assignee | ||
Updated•10 years ago
|
Status: NEW → ASSIGNED
Updated•10 years ago
|
Attachment #8405405 -
Flags: review?(bgirard)
Updated•10 years ago
|
Attachment #8405405 -
Flags: review?(bgirard) → review+
Comment 20•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9778da56668b
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 1.5 S1 (9may)
Assignee | ||
Comment 21•10 years ago
|
||
Tapas, can you test again by applying attachment 8405405 [details] [diff] [review] in Bug 994903 and Bug 988713 fix?
Flags: needinfo?(tkundu)
Reporter | ||
Comment 22•10 years ago
|
||
(In reply to Sotaro Ikeda [:sotaro] from comment #21) > Tapas, can you test again by applying attachment 8405405 [details] [diff] [review] > [review] in Bug 994903 and Bug 988713 fix? Issue is still present even after applying this fix .
Status: RESOLVED → REOPENED
Flags: needinfo?(tkundu) → needinfo?(sotaro.ikeda.g)
Resolution: FIXED → ---
Assignee | ||
Comment 23•10 years ago
|
||
(In reply to Tapas Kumar Kundu from comment #22) > (In reply to Sotaro Ikeda [:sotaro] from comment #21) > > Tapas, can you test again by applying attachment 8405405 [details] [diff] [review] > > [review] in Bug 994903 and Bug 988713 fix? > > Issue is still present even after applying this fix . Tapas, can you provide the crash log? It is totally same as attachment 8404927 [details] in comment 0?
Flags: needinfo?(sotaro.ikeda.g)
Assignee | ||
Updated•10 years ago
|
Flags: needinfo?(tkundu)
Comment 24•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #20) > https://hg.mozilla.org/mozilla-central/rev/9778da56668b https://hg.mozilla.org/releases/mozilla-aurora/rev/2a597beb4be7
Target Milestone: 1.5 S1 (9may) → 1.4 S6 (25apr)
Reporter | ||
Comment 25•10 years ago
|
||
(In reply to Sotaro Ikeda [:sotaro] from comment #23) > (In reply to Tapas Kumar Kundu from comment #22) > > (In reply to Sotaro Ikeda [:sotaro] from comment #21) > > > Tapas, can you test again by applying attachment 8405405 [details] [diff] [review] > > > [review] in Bug 994903 and Bug 988713 fix? > > > > Issue is still present even after applying this fix . > > Tapas, can you provide the crash log? It is totally same as attachment > 8404927 [details] in comment 0? Sorry, #comment 22 is my misunderstanding. Our internal test team is still testing build with your fix. I will update here soon .
Reporter | ||
Comment 26•10 years ago
|
||
(In reply to Tapas Kumar Kundu from comment #25) > (In reply to Sotaro Ikeda [:sotaro] from comment #23) > > (In reply to Tapas Kumar Kundu from comment #22) > > > (In reply to Sotaro Ikeda [:sotaro] from comment #21) > > > > Tapas, can you test again by applying attachment 8405405 [details] [diff] [review] > > > > [review] in Bug 994903 and Bug 988713 fix? > > > > > > Issue is still present even after applying this fix . > > > > Tapas, can you provide the crash log? It is totally same as attachment > > 8404927 [details] in comment 0? > > Sorry, #comment 22 is my misunderstanding. Our internal test team is still > testing build with your fix. I will update here soon . It is not coming anymore in v1.4 tip of gaia/gecko. Sorry for re-opening it. It can be closed now. Thanks a lot for your work
Flags: needinfo?(tkundu)
Assignee | ||
Comment 27•10 years ago
|
||
Closed based on Comment 26.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
|
status-b2g-v1.4:
--- → fixed
status-b2g-v2.0:
--- → fixed
status-firefox29:
--- → wontfix
status-firefox30:
--- → fixed
status-firefox31:
--- → fixed
Updated•10 years ago
|
Whiteboard: [CR 646525][b2g-crash] → [caf priority: p1][CR 646525][b2g-crash]
Comment 28•10 years ago
|
||
Observed on: Device: Gonk Version: AU_LINUX_GECKO_B2G_KK_3.5.01.04.00.113.068 Moz BuildID: 20140331000202 B2G Version: 1.4 Gecko Version: 30.0a2 Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=4c3b2f57f4229c5f36f0d8fd399e65f4db88f104 Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=d02b9250ef7fedafc6c709dfcc899844b8624ab6
Updated•10 years ago
|
Whiteboard: [caf priority: p1][CR 646525][b2g-crash] → [caf-crash 171][caf priority: p1][CR 646525][b2g-crash]
Updated•10 years ago
|
Flags: in-moztrap?(bzumwalt)
Comment 29•10 years ago
|
||
STR involves automation processes that are unusable to create test case.
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(ktucker)
Updated•10 years ago
|
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(ktucker)
Flags: in-moztrap?(bzumwalt)
Flags: in-moztrap-
You need to log in
before you can comment on or make changes to this bug.
Description
•