Closed
Bug 867996
Opened 12 years ago
Closed 12 years ago
Crash in GraphicBuffer::flatten()
Categories: Firefox OS Graveyard :: General, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: mikeh, Assigned: mikeh
Keywords: crash, Whiteboard: [b2g-crash]
Attachments: 1 file, 2 obsolete files
I'm filing this bug so that any discussions/findings/comments/reviews will be free from >600 TBPL notifications.
What we know so far (thanks, :marshall_law):
- crash only happens on TBPL, so far unable to reproduce locally
- with this patch[1] applied,
- we see this output[2] (scroll to the bottom for logcat output)
1. https://hg.mozilla.org/try/rev/16abce400930
2. https://tbpl.mozilla.org/php/getParsedLog.php?id=21950180&tree=Try&full=1#error1
- crash happens when we call |flattenable->flatten(data, nbytes, fds, nfds)| [3], which is part of the AOSP layer
- TBPL uses a custom toolchain that we can't easily modify (see [4])
3. https://hg.mozilla.org/try/rev/16abce400930#l1.41
4. https://bugzilla.mozilla.org/show_bug.cgi?id=818103#c416
Updated•12 years ago
Status: NEW → ASSIGNED
Comment 1•12 years ago
I noticed that the crash is occurring at address 0x44400000.
It would be useful to know if this is supposed to be beginning of the buffer (which would indicate that it was probably already freed), or if the buffer is earlier in memory and we're going past the end (and triggering the segfault on the first byte of a non-mapped page).
Comment 2•12 years ago
dhylands, that's easy enough to test.
Another data point: apparently this doesn't happen on the b2g18 branch, only on mozilla-central.
Comment 3•12 years ago
Another data point: we started seeing this sometime around New Year's, plus or minus a week. We didn't have crash detection back then, but I think it was the same problem. All I know for sure is that this didn't use to happen, and then it did.
Comment 4•12 years ago
dhylands, the buffer that the header+data is written into is allocated on the stack:
https://hg.mozilla.org/try/rev/16abce400930#l1.37
I've looked through this code a dozen times, and it seems to me that unless one of the GraphicBuffer members is modified asynchronously, this crash can't happen.
Comment 5•12 years ago
Bug 820316 might be related.
Comment 6•12 years ago
(In reply to Kan-Ru Chen [:kanru] from comment #5)
> Bug 820316 might be related.
I can't see that bug. CC me?
Comment 7•12 years ago
Exercising a potential emulator fix:
https://tbpl.mozilla.org/?tree=Try&rev=a229b5394bb1
Comment 8•12 years ago
Drop this patch into $B2G/development and:
patch -p1 < 867996_2013-05-13.patch
Attachment #748961 - Flags: feedback?(jgriffin)
Comment 9•12 years ago
Comment on attachment 748961 [details] [diff] [review]
Emulator patch
Never mind--git grabbed the wrong file. Stand by.
Attachment #748961 - Attachment is obsolete: true
Attachment #748961 - Flags: feedback?(jgriffin)
Comment 10•12 years ago
Drop this patch into $B2G/development and:
patch -p1 < 867996_2013-05-13.patch
Attachment #748964 - Flags: feedback?(jgriffin)
Updated•12 years ago
Attachment #748964 - Attachment description: Emulator patch → Emulator patch (v2)
Comment 11•12 years ago
Comment 12•12 years ago
Comment on attachment 748964 [details] [diff] [review]
Emulator patch (v2)
Review of attachment 748964 [details] [diff] [review]:
-----------------------------------------------------------------
Clearing f? since I've made the emulator with this patch.
Attachment #748964 - Flags: feedback?(jgriffin)
Comment 13•12 years ago
Migrate the fix to this bug, since bug 818103's history is pretty messy.
Attachment #748964 - Attachment is obsolete: true
Attachment #749432 - Flags: review?(mwu)
Updated•12 years ago
Attachment #749432 - Flags: review?(mwu) → review+
Comment 15•12 years ago
Bug 818103 will remain open to track uploading a new emulator build to the tinderbox.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED