This happened on v1 train during several hours of continuous stability testing. Sorry I don't have more details other than the crash stack, but didn't have anyone seeing it happen. Apparently the video app can't play anymore after this. Crash stack below. Crash reason: SIGSEGV Crash address: 0x0 Thread 0 (crashed) 0 0x0 r0 = 0x43e871c0 r1 = 0x42cad670 r2 = 0x00000000 r3 = 0x00000000 r4 = 0xbeb1e820 r5 = 0xbeb1e820 r6 = 0x00000000 r7 = 0x00000000 r8 = 0x42caa060 r9 = 0x00000001 r10 = 0x00000000 fp = 0x413765ac sp = 0xbeb1e800 lr = 0x408b02af pc = 0x00000000 Found by: given as instruction pointer in context 1 libxul.so!nsDeque::ForEach [nsDeque.cpp : 374 + 0x7] sp = 0xbeb1e810 pc = 0x40c01c9f Found by: stack scanning 2 libxul.so!nsBuiltinDecoderReader::VideoQueueMemoryInUse [nsBuiltinDecoderReader.h : 342 + 0x9] r4 = 0x42b45400 r5 = 0xbeb1ead0 r6 = 0x00000000 sp = 0xbeb1e820 pc = 0x4087a59d Found by: call frame info 3 libxul.so!nsBuiltinDecoderStateMachine::VideoQueueMemoryInUse [nsBuiltinDecoderStateMachine.h : 192 + 0x5] r0 = 0x41429920 r1 = 0xbeb1ead0 r2 = 0x00000000 r3 = 0x00000000 r4 = 0x00000000 r5 = 0xbeb1ead0 r6 = 0x00000000 sp = 0xbeb1e838 pc = 0x4087a3db Found by: call frame info 4 libxul.so!nsBuiltinDecoder::VideoQueueMemoryInUse [nsBuiltinDecoder.h : 591 + 0x5] r4 = 0x00000000 r5 = 0xbeb1ead0 r6 = 0x00000000 sp = 0xbeb1e840 pc = 0x4087a371 Found by: call frame info 5 libxul.so!mozilla::MemoryReporter_MediaDecodedVideoMemory::GetAmount [nsMediaDecoder.h : 499 + 0xd] r4 = 0x00000000 r5 = 0xbeb1ead0 r6 = 0x00000000 sp = 0xbeb1e848 pc = 0x408b3b8f Found by: call frame info 6 libxul.so!mozilla::MemoryInfoDumper::DumpMemoryReportsToFileImpl [MemoryInfoDumper.cpp : 864 + 0x7] r4 = 0xbeb1e930 r5 = 0x4384c230 r6 = 0x42caa270 r7 = 0x414df578 r8 = 0x00000000 sp = 0xbeb1e860 pc = 0x40c2c83f Found by: call frame info 7 libxul.so!mozilla::MemoryInfoDumper::DumpMemoryReportsToFile [MemoryInfoDumper.cpp : 590 + 0x5] r4 = 0x00000000 r5 = 0xbeb1eb38 r6 = 0xbeb1eb37 r7 = 0xbeb1eb38 r8 = 0xbeb1ee4c r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1eb30 pc = 0x40c2ccf5 Found by: call frame info 8 libxul.so!mozilla::dom::ContentChild::RecvDumpMemoryReportsToFile [ContentChild.cpp : 508 + 0x7] r4 = 0x41b1b618 r5 = 0x40afad3d r6 = 0xbeb1ee50 r7 = 0xbeb1ee58 r8 = 0xbeb1ee4c r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1eb68 pc = 0x40afad49 Found by: call frame info 9 libxul.so!mozilla::dom::PContentChild::OnMessageReceived [PContentChild.cpp : 2509 + 0xd] r4 = 0x41b1b618 r5 = 0x40afad3d r6 = 0xbeb1ee50 r7 = 0xbeb1ee58 r8 = 0xbeb1ee4c r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1eb70 pc = 0x40b8d0bf Found by: call frame info 10 libxul.so!mozilla::ipc::AsyncChannel::OnDispatchMessage [AsyncChannel.cpp : 471 + 0x5] r4 = 0x41b1b624 r5 = 0xbeb1eeac r6 = 0xbeb1eeac r7 = 0xbeb1f8b0 r8 = 0xbeb1ef10 r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1ee98 pc = 0x40b10bc3 Found by: call frame info 11 libxul.so!mozilla::ipc::RPCChannel::OnMaybeDequeueOne [RPCChannel.cpp : 402 + 0x7] r0 = 0x41b1b624 r1 = 0xbeb1eeac r4 = 0x41b1b624 r5 = 0xbeb1eeac r6 = 0xbeb1eeac r7 = 0xbeb1f8b0 r8 = 0xbeb1ef10 r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1eea8 pc = 0x40b15a3f Found by: call frame info 12 libxul.so!RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(), Tuple0>::Run [tuple.h : 383 + 0x5] r4 = 0xbeb1f8a4 r5 = 0x4386a138 r6 = 0xbeb1ef18 r7 = 0xbeb1f8b0 r8 = 0xbeb1ef10 r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1eee0 pc = 0x40af62c7 Found by: call frame info 13 libxul.so!mozilla::ipc::RPCChannel::DequeueTask::Run [RPCChannel.h : 425 + 0x9] r4 = 0xbeb1f8a4 r5 = 0x4386a138 r6 = 0xbeb1ef18 r7 = 0xbeb1f8b0 r8 = 0xbeb1ef10 r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1eee8 pc = 0x40b143e9 Found by: call frame info 14 libxul.so!MessageLoop::RunTask [message_loop.cc : 337 + 0x5] r4 = 0xbeb1f8a4 r5 = 0x4386a138 r6 = 0xbeb1ef18 r7 = 0xbeb1f8b0 r8 = 0xbeb1ef10 r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1eef0 pc = 0x40c434e5 Found by: call frame info 15 libxul.so!MessageLoop::DeferOrRunPendingTask [message_loop.cc : 345 + 0x5] r4 = 0x00000001 r5 = 0xbeb1ef08 r6 = 0xbeb1ef18 r7 = 0xbeb1f8b0 r8 = 0xbeb1ef10 r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1ef00 pc = 0x40c44317 Found by: call frame info 16 libxul.so!MessageLoop::DoWork [message_loop.cc : 445 + 0x7] r4 = 0xbeb1f8a4 r5 = 0xbeb1ef08 r6 = 0xbeb1ef18 r7 = 0xbeb1f8b0 r8 = 0xbeb1ef10 r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1ef08 pc = 0x40c44ef5 Found by: call frame info 17 libxul.so!mozilla::ipc::DoWorkRunnable::Run [MessagePump.cpp : 42 + 0x7] r4 = 0xbeb1f8a4 r5 = 0x00000001 r6 = 0x00000001 r7 = 0x00000001 r8 = 0xbeb1ef8f r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1ef38 pc = 0x40b13da5 Found by: call frame info 18 libxul.so!nsThread::ProcessNextEvent [nsThread.cpp : 620 + 0x5] r4 = 0x41b06be0 r5 = 0x00000000 r6 = 0x00000001 r7 = 0x00000001 r8 = 0xbeb1ef8f r9 = 0x41b06c0c r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1ef48 pc = 0x40c2152f Found by: call frame info 19 libxul.so!NS_ProcessNextEvent_P [nsThreadUtils.cpp : 237 + 0xb] r4 = 0x00000001 r5 = 0xbeb1f8a4 r6 = 0x41b02350 r7 = 0x00000000 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1ef88 pc = 0x40c01907 Found by: call frame info 20 libxul.so!mozilla::ipc::MessagePump::Run [MessagePump.cpp : 117 + 0x7] r0 = 0x41b06be0 r1 = 0x01000001 r4 = 0x41b02340 r5 = 0xbeb1f8a4 r6 = 0x41b02350 r7 = 0x00000000 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1ef98 pc = 0x40b13efb Found by: call frame info 21 libxul.so!mozilla::ipc::MessagePumpForChildProcess::Run [MessagePump.cpp : 231 + 0x7] r4 = 0xbeb1f8a4 r5 = 0x41b02340 r6 = 0xbeb1f8a4 r7 = 0x00000001 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1efc0 pc = 0x40b13f67 Found by: call frame info 22 libxul.so!MessageLoop::RunInternal [message_loop.cc : 219 + 0x5] r4 = 0xbeb1f8a4 r5 = 0x4387d400 r6 = 0x41b06be0 r7 = 0x00000003 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1efd8 pc = 0x40c434a1 Found by: call frame info 23 libxul.so!MessageLoop::Run [message_loop.cc : 212 + 0x5] r4 = 0xbeb1f8a4 r5 = 0x4387d400 r6 = 0x41b06be0 r7 = 0x00000003 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1efe0 pc = 0x40c4354b Found by: call frame info 24 libxul.so!nsBaseAppShell::Run [nsBaseAppShell.cpp : 163 + 0x7] r0 = 0x00000002 r1 = 0x414ef900 r2 = 0xbeb1f8a4 r3 = 0xbeb1f040 r4 = 0x00000000 r5 = 0x4387d400 r6 = 0x41b06be0 r7 = 0x00000003 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1eff8 pc = 0x40a98ca5 Found by: call frame info 25 libxul.so!XRE_RunAppShell [nsEmbedFunctions.cpp : 646 + 0x5] r4 = 0xbeb1f00c r5 = 0x41b02340 r6 = 0x00000002 r7 = 0x00000003 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1f008 pc = 0x4042705d Found by: call frame info 26 libxul.so!mozilla::ipc::MessagePumpForChildProcess::Run [MessagePump.cpp : 198 + 0x3] r0 = 0x41b02340 r1 = 0x4387d400 r2 = 0x4385f1c0 r4 = 0xbeb1f8a4 r5 = 0x41b02340 r6 = 0x00000002 r7 = 0x00000003 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1f020 pc = 0x40b13f35 Found by: call frame info 27 libxul.so!MessageLoop::RunInternal [message_loop.cc : 219 + 0x5] r4 = 0xbeb1f8a4 r5 = 0x41b1b600 r6 = 0x00000002 r7 = 0x00000003 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1f038 pc = 0x40c434a1 Found by: call frame info 28 libxul.so!MessageLoop::Run [message_loop.cc : 212 + 0x5] r4 = 0xbeb1f8a4 r5 = 0x41b1b600 r6 = 0x00000002 r7 = 0x00000003 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1f040 pc = 0x40c4354b Found by: call frame info 29 libxul.so!XRE_InitChildProcess [nsEmbedFunctions.cpp : 485 + 0xb] r0 = 0x00000001 r1 = 0x00000000 r2 = 0xbeb1f8a4 r3 = 0x00000000 r4 = 0xbeb1f8a4 r5 = 0x41b1b600 r6 = 0x00000002 r7 = 0x00000003 r8 = 0x41b23000 r9 = 0x41b28000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1f058 pc = 0x40427401 Found by: call frame info 30 plugin-container!main [MozillaRuntimeMain.cpp : 85 + 0x5] r4 = 0xbeb1fa14 r5 = 0x00000005 r6 = 0x00000012 r7 = 0xbeb1f9dc r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1f9d8 pc = 0x00008601 Found by: call frame info 31 libc.so!__libc_init [libc_init_dynamic.c : 114 + 0x7] r0 = 0x00000006 r1 = 0x41b06b80 r2 = 0xbeb1fa30 r4 = 0x00008574 r5 = 0xbeb1fa14 r6 = 0x00000006 r7 = 0xbeb1fa30 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1f9f8 pc = 0x400fca77 Found by: call frame info 32 0xb00045a9 r4 = 0x00000000 r5 = 0x00000000 r6 = 0x00000000 r7 = 0x00000000 r8 = 0x00000000 r9 = 0x00000000 r10 = 0x00000000 fp = 0x00000000 sp = 0xbeb1fa10 pc = 0xb00045ab Found by: call frame info

(leo+. v1.1 stability regression over CS build)

There are similar crash reports on desktop https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&reason_type=contains&date=2013-07-02&range_value=28&range_unit=days&hang_type=any&process_type=any&signature=nsDeque%3A%3AForEach%28nsDequeFunctor%26%29

I am not sure following code related to the crash. But the code is not correct. It always assume image format is PLANAR_YCBCR. ----------------------------------------------- void* nsBuiltinDecoderReader::VideoQueueMemoryFunctor::operator()(void* anObject) { const VideoData* v = static_cast<const VideoData*>(anObject); if (!v->mImage) { return nullptr; } NS_ASSERTION(v->mImage->GetFormat() == PLANAR_YCBCR, "Wrong format?"); mozilla::layers::PlanarYCbCrImage* vi = static_cast<mozilla::layers::PlanarYCbCrImage*>(v->mImage.get()); mResult += vi->GetDataSize(); return nullptr; }

Some image formats are used in gecko media - PLANAR_YCBCR - GRALLOC_PLANAR_YCBCR // for gonk - GONK_IO_SURFACE // for gonk - D3D9_RGB32_TEXTURE // for windows

The crash reports referenced here that are in relation to desktop have comments all mentioning something about about:memory. Do we have any ideas on how memory analysis could play a role in invoking this crash?

I manually added MemoryInfoDumper::DumpMemoryReportsToFile() and confirmed that the crash happened. The crash caused by incorrect static_cast from GonkIOSurfaceImage to PlanarYCbCrImage.

Fix cast problem. The patch fix the crash by manual call of MemoryInfoDumper::DumpMemoryReportsToFile().

Diego, can you check if attachment 770381 [details] [diff] [review] fixes the crash?

I'm not sure how reproducible it was. I'll check with the testers.

Seeing the patch here, I'm pulling steps-wanted. If you still want better STR before landing this patch, then feel free to add the keyword back.

Comment on attachment 770381 [details] [diff] [review] patch - cast to PlanarYCbCrImage only when image format is PLANAR_YCBCR Looks like Robert last reviewed this area of code. I defer to him.

Comment on attachment 770381 [details] [diff] [review] patch - cast to PlanarYCbCrImage only when image format is PLANAR_YCBCR Review of attachment 770381 [details] [diff] [review]: ----------------------------------------------------------------- Yes!

Patch for master. Carry "roc: review+".

Patch for b2g18. Carry "roc: review+".