Bug 798980: [b2g] Crash when opening an inline Activity
Status: Closed (opened 12 years ago, closed 12 years ago)
Categories: Core :: IPC, defect, P1

| | Tracking | Status |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | --- | fixed |
firefox19 | --- | fixed |

People: Reporter: vingtetun, Assigned: cpeterson
Attachments: 1 file (deleted), patch, cjones: review+
Steps to reproduce:
- launch gaia on b2g desktop / device.
- unlock the lock screen
- on the homescreen do a long press (if this is a b2g desktop build you can simply hold the left button of the mouse)
- see a screen coming in and choose 'camera'
Actual result: something goes wrong and the device restarts / the desktop build crashes
Expected result: the 'camera' app is launched.
Here is what I can see on a desktop build:
Program received signal SIGSEGV, Segmentation fault.
mozilla::layout::GetFrom (aFrameLoader=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:472
472 nsIDocument* doc = aFrameLoader->GetOwnerDoc();
(gdb)
(gdb) bt
#0 mozilla::layout::GetFrom (aFrameLoader=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:472
#1 0x00007ffff3396a25 in RenderFrameParent (this=0x7fffc77cdcc0, aFrameLoader=<value optimized out>, aScrollingBehavior=<value optimized out>,
aBackendType=0x7fffffffb404, aMaxTextureSize=0x7fffffffb400, aId=0x7fffffffb2d8)
at /home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:558
#2 0x00007ffff3feb5da in mozilla::dom::TabParent::AllocPRenderFrame (this=<value optimized out>, aScrolling=0x7fffffffb408, aBackend=0x7fffffffb404,
aMaxTextureSize=0x7fffffffb400, aLayersId=0x7fffffffb2d8) at /home/vivien/Devel/mozilla/b2g/desktop/src/dom/ipc/TabParent.cpp:1022
#3 0x00007ffff405738d in mozilla::dom::PBrowserParent::OnMessageReceived (this=0x7fffc7bc0c80, __msg=<value optimized out>, __reply=@0x7fffffffb738)
at /home/vivien/Devel/mozilla/b2g/desktop/build/ipc/ipdl/PBrowserParent.cpp:1748
#4 0x00007ffff4068dd5 in mozilla::dom::PContentParent::OnMessageReceived (this=0x7fffc8077c00, __msg=..., __reply=@0x7fffffffb738)
at /home/vivien/Devel/mozilla/b2g/desktop/build/ipc/ipdl/PContentParent.cpp:2274
#5 0x00007ffff401f0a3 in mozilla::ipc::SyncChannel::OnDispatchMessage (this=0x7fffc8077c10, msg=...)
at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/SyncChannel.cpp:144
#6 0x00007ffff401c696 in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (this=0x7fffc8077c10)
at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/RPCChannel.cpp:400
#7 0x00007ffff421ab55 in MessageLoop::RunTask (this=0x7ffff6deb240, task=0x7fffc88fc0e0)
at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:326
#8 0x00007ffff421ab8e in MessageLoop::DeferOrRunPendingTask (this=0x0, pending_task=<value optimized out>)
at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:334
#9 0x00007ffff421ae12 in MessageLoop::DoWork (this=0x7ffff6deb240) at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:434
#10 0x00007ffff40197e4 in mozilla::ipc::DoWorkRunnable::Run (this=<value optimized out>)
at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/MessagePump.cpp:42
#11 0x00007ffff41e6683 in nsThread::ProcessNextEvent (this=0x7ffff6d5b300, mayWait=true, result=0x7fffffffb99f)
at /home/vivien/Devel/mozilla/b2g/desktop/src/xpcom/threads/nsThread.cpp:612
#12 0x00007ffff419ef04 in NS_ProcessNextEvent_P (thread=0x0, mayWait=true) at /home/vivien/Devel/mozilla/b2g/desktop/build/xpcom/build/nsThreadUtils.cpp:220
#13 0x00007ffff4019a9c in mozilla::ipc::MessagePump::Run (this=0x7ffff6dea600, aDelegate=0x7ffff6deb240)
at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/glue/MessagePump.cpp:117
#14 0x00007ffff421b118 in MessageLoop::RunInternal (this=0x7ffff6deb240)
at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:208
#15 0x00007ffff421b164 in MessageLoop::RunHandler (this=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:201
#16 MessageLoop::Run (this=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/ipc/chromium/src/base/message_loop.cc:175
#17 0x00007ffff3f0c10f in nsBaseAppShell::Run (this=0x7fffe32b6430) at /home/vivien/Devel/mozilla/b2g/desktop/src/widget/xpwidgets/nsBaseAppShell.cpp:163
#18 0x00007ffff3d45195 in nsAppStartup::Run (this=0x7fffe3282150)
at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/components/startup/nsAppStartup.cpp:290
#19 0x00007ffff30640e4 in XREMain::XRE_mainRun (this=0x7fffffffbdf0) at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/xre/nsAppRunner.cpp:3782
#20 0x00007ffff30681dd in XREMain::XRE_main (this=0x7fffffffbdf0, argc=<value optimized out>, argv=0x7fffffffe1f8, aAppData=0x61c030)
at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/xre/nsAppRunner.cpp:3848
#21 0x00007ffff30683f1 in XRE_main (argc=3, argv=0x7fffffffe1f8, aAppData=0x61c030, aFlags=<value optimized out>)
at /home/vivien/Devel/mozilla/b2g/desktop/src/toolkit/xre/nsAppRunner.cpp:3923
#22 0x0000000000402a0d in do_main (argc=3, argv=0x7fffffffe1f8) at /home/vivien/Devel/mozilla/b2g/desktop/src/b2g/app/nsBrowserApp.cpp:154
---Type <return> to continue, or q <return> to quit---
#23 main (argc=3, argv=0x7fffffffe1f8) at /home/vivien/Devel/mozilla/b2g/desktop/src/b2g/app/nsBrowserApp.cpp:239
(gdb)
Jet: Can you help find an owner?
Assignee: nobody → bugs
blocking-basecamp: ? → +
Comment 2 • 12 years ago (Reporter)
This bug hurts the Smoke Tests and makes it impossible to go through multiple applications.
Updated • 12 years ago (Reporter)
Severity: normal → critical
Priority: -- → P1
Comment 5 • 12 years ago
Looks like a null dereference here...
/home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:472
472 nsIDocument* doc = aFrameLoader->GetOwnerDoc();
(gdb)
(gdb) bt
#0 mozilla::layout::GetFrom (aFrameLoader=0x0) at /home/vivien/Devel/mozilla/b2g/desktop/src/layout/ipc/RenderFrameParent.cpp:472
Comment 6 • 12 years ago (Assignee)
This is Jet's band-aid patch to check for a null FrameLoader. With this patch, the Camera app will "close with a problem", but at least the phone won't crash.
Comment 7 • 12 years ago
Comment on attachment 669616: crash-camera-not-phone.patch
Seems to be a valid case for GetFrameLoader() to return null, so we should guard for that.
Attachment #669616 - Flags: review?(roc)
There's a less band-aid'y patch developing in bug 796293, but it's probably worth taking this too.
Comment on attachment 669616: crash-camera-not-phone.patch
Brace { } the consequent and drop in an NS_ERROR("Can't allocate graphics resources, aborting subprocess");
r=me with that
Attachment #669616 - Flags: review?(roc) → review+
Comment 10 • 12 years ago
To Chris for the landing...
Assignee: bugs → cpeterson
Status: NEW → ASSIGNED
Comment 11 • 12 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4aa947bc6364
btw, here is another case where GetFrameLoader()'s return value is used without a null check:
https://hg.mozilla.org/mozilla-central/file/22d192c5d1fd/dom/ipc/TabParent.cpp#l437
status-firefox19: --- → fixed
Target Milestone: --- → mozilla19
That code is only called during event dispatch, and the way the event-dispatch code finds the TabParent is through its nsFrameLoader. So that one is fine.
Updated • 12 years ago
Whiteboard: [needs-checkin-aurora]
Comment 13 • 12 years ago
Whiteboard: [needs-checkin-aurora]
Comment 14 • 12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated • 12 years ago (Assignee)
status-firefox17: --- → unaffected
status-firefox18: --- → fixed
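The guard discussed in comments 6 to 9, sketched as an added example that is not the attached patch and not Gecko code: a parent-side handler for a child-initiated request checks the possibly-null frame loader and fails the request, so the child is torn down while the parent keeps running. All type and method names here (TabParentModel, OnRenderFrameRequest, ChildAlive and the stub structs) are hypothetical stand-ins; only the error string is taken from the review comment.

```cpp
// Hypothetical stand-ins for the parent-side objects; not Gecko code.
#include <cstdio>
#include <memory>
struct Document {};
struct FrameLoader {
    Document* ownerDoc;
    Document* GetOwnerDoc() const { return ownerDoc; }
};
struct RenderFrame { Document* doc; };

// Parent-side actor for one content (child) process.
class TabParentModel {
public:
    explicit TabParentModel(FrameLoader* fl) : mFrameLoader(fl) {}

    // Null is a valid return value here, so callers must check it.
    FrameLoader* GetFrameLoader() const { return mFrameLoader; }

    // Allocation hook run when the child requests a render frame.
    std::unique_ptr<RenderFrame> AllocRenderFrame() {
        FrameLoader* fl = GetFrameLoader();
        if (!fl) {
            std::fprintf(stderr,
                "Can't allocate graphics resources, aborting subprocess\n");
            return nullptr;  // fail the request; never dereference null
        }
        return std::unique_ptr<RenderFrame>(new RenderFrame{fl->GetOwnerDoc()});
    }

    // Dispatcher: a failed allocation is charged to the child, so only the
    // child is torn down and the parent process keeps running.
    bool OnRenderFrameRequest() {
        mFrame = AllocRenderFrame();
        if (!mFrame) mChildAlive = false;
        return mFrame != nullptr;
    }
    bool ChildAlive() const { return mChildAlive; }
    const RenderFrame* Frame() const { return mFrame.get(); }

private:
    FrameLoader* mFrameLoader;
    std::unique_ptr<RenderFrame> mFrame;
    bool mChildAlive = true;
};

int main() {
    TabParentModel gone(nullptr);  // constructed case: frame loader is null
    return gone.OnRenderFrameRequest() ? 1 : 0;
}
```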