Closed
Bug 890590
Opened 11 years ago
Closed 11 years ago
crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail
Categories
(Core Graveyard :: Widget: Android, defect)
Tracking
(firefox24 unaffected, firefox25+ fixed, fennec25+)
RESOLVED
FIXED
mozilla25
Tracking | Status | |
---|---|---|
firefox24 | --- | unaffected |
firefox25 | + | fixed |
fennec | 25+ | --- |
People
(Reporter: scoobidiver, Assigned: bnicholson)
References
Details
(4 keywords, Whiteboard: [native-crash])
Crash Data
Attachments
(1 file)
3.56 KB,
patch
|
Details | Diff | Splinter Review |
There are five crashes in 25.0a1/20130705. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dcbbfcdf7bb4&tochange=17fe59f6c54a I suspect bug 803299 in this range. Signature arena_malloc | arena_dalloc | _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) | mozilla::AndroidBridge::SendThumbnail(_jobject*, int, bool) More Reports Search UUID 4b09d4db-add4-47f0-be30-d157e2130705 Date Processed 2013-07-05 18:56:46.437126 Uptime 2115 Install Age 2115 since version was first installed. Install Time 2013-07-05 18:21:23 Product FennecAndroid Version 25.0a1 Build ID 20130705031151 Release Channel nightly OS Android OS Version 0.0.0 Linux 3.4.10-g4c37954 #1 SMP PREEMPT Sat May 4 14:17:28 CST 2013 armv7l brightstarus_wwe/m7/m7 Build Architecture arm Build Architecture Info ARMv0 | None Crash Reason SIGSEGV Crash Address 0x0 App Notes AdapterDescription: 'Qualcomm -- Adreno (TM) 320 -- OpenGL ES 2.0 V@4.1 AU@3.04.01.01.13.018 (CL@) -- Model: HTC One, Product: m7, Manufacturer: HTC, Hardware: m7' GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ HTC HTC One brightstarus_wwe/m7/m7:4.1.2/JZO54K/164689.16:user/release-keys Processor Notes sp-processor08_phx1_mozilla_com_12337:2012; non-integer value of "SecondsSinceLastCrash"; exploitability tool: ERROR: unable to analyze dump Adapter Vendor ID Qualcomm Adapter Device ID Adreno (TM) 320 Android CPU ABI armeabi-v7a Android Manufacturer HTC Android Model HTC One Android Version 16 (REL) Frame Module Signature Source 0 libandroid_runtime.so libandroid_runtime.so@0x75c7e ... 27 libdvm.so libdvm.so@0x4f383 28 libxul.so _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) android-ndk/platforms/android-9/arch-arm/usr/include/jni.h 29 libxul.so mozilla::AndroidBridge::SendThumbnail(_jobject*, int, bool) widget/android/AndroidBridge.cpp 30 libxul.so ThumbnailRunnable::Run() widget/android/nsAppShell.cpp 31 libxul.so RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(), Tuple0>::Run() ipc/chromium/src/base/tuple.h 32 libxul.so MessageLoop::RunTask(Task*) ipc/chromium/src/base/message_loop.cc 33 libxul.so MessageLoop::ProcessNextDelayedNonNestableTask() ipc/chromium/src/base/message_loop.cc 34 libxul.so MessageLoop::DoIdleWork() ipc/chromium/src/base/message_loop.cc 35 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp 36 libxul.so MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc 37 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 38 libxul.so nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp 39 libxul.so nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp 40 libxul.so XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp 41 libxul.so XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp 42 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp More reports at: https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=arena_malloc+|+arena_dalloc+|+_JNIEnv%3A%3ACallStaticVoidMethod%28_jclass*%2C+_jmethodID*%2C+...%29+|+mozilla%3A%3AAndroidBridge%3A%3ASendThumbnail%28_jobject*%2C+int%2C+bool%29 https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=arena_malloc https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=libc+malloc+%28deleted%29%400x4e826
Reporter | ||
Comment 1•11 years ago
|
||
Three more crashes found: https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=_ZN17AutoDecoderCancel13RequestCancelEP8_jobject
tracking-fennec: --- → ?
Crash Signature: , bool)]
[@ arena_malloc ]
[@ libc malloc (deleted)@0x4e826 ]
[@ system@framework@framework.jar@classes.dex@0x685a61 ]
[@ system@framework@framework.jar@classes.dex@0x6863c7 ] → , bool)]
[@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject ]
[@ arena_malloc ]
[@ libc malloc (deleted)@0x4e826 ]
[@ system@framework@framework.jar@classes.dex@0x685a61 ]
[@ system@framework@framework.jar@classes.dex@0x6863c7 ]
tracking-firefox25:
--- → ?
Keywords: topcrash
Reporter | ||
Comment 2•11 years ago
|
||
Silly bug 865146.
Crash Signature: , bool)]
[@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject ]
[@ arena_malloc ]
[@ libc malloc (deleted)@0x4e826 ]
[@ system@framework@framework.jar@classes.dex@0x685a61 ]
[@ system@framework@framework.jar@classes.dex@0x6863c7 ] → , bool) ]
[@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject]
[@ arena_malloc]
[@ libc malloc (deleted)@0x4e826]
[@ system@framework@framework.jar@classes.dex@0x685a61]
[@ system@framework@framework.jar@classes.dex@0x6863c7]
Reporter | ||
Updated•11 years ago
|
Crash Signature: , bool) ]
[@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject]
[@ arena_malloc]
[@ libc malloc (deleted)@0x4e826]
[@ system@framework@framework.jar@classes.dex@0x685a61]
[@ system@framework@framework.jar@classes.dex@0x6863c7] → , bool) ]
[@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject]
[@ arena_malloc | arena_dalloc | nsTArray_Impl<nsCOMPtr<nsIAutoCompletePopup>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) ]
[@ nsQueryInterface::operator()(n…
Reporter | ||
Updated•11 years ago
|
Crash Signature: , unsigned int*) ]
[@ libc malloc (deleted)@0x4e826]
[@ system@framework@framework.jar@classes.dex@0x685a61]
[@ system@framework@framework.jar@classes.dex@0x6863c7] → , unsigned int*) ]
[@ libc malloc (deleted)@0x4e826]
[@ libc malloc (deleted)@0x1d1b6 ]
[@ libcutils.so@0x300f ]
[@ system@framework@framework.jar@classes.dex@0x685a61]
[@ system@framework@framework.jar@classes.dex@0x6863c7]
[@ system@framework@fram…
Updated•11 years ago
|
Assignee: nobody → bnicholson
tracking-fennec: ? → 25+
Updated•11 years ago
|
Assignee | ||
Comment 4•11 years ago
|
||
Looking through the crash reports, this only appears to be a problem on Nexus 4/7.
Summary: crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail → crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail on Nexus 4/7
Assignee | ||
Comment 5•11 years ago
|
||
I've had no luck reproducing this on a Nexus 4. Some STR would be helpful.
Keywords: steps-wanted
Reporter | ||
Comment 6•11 years ago
|
||
(In reply to Brian Nicholson (:bnicholson) from comment #4) > Looking through the crash reports, this only appears to be a problem on > Nexus 4/7. I disagree. There is bunch of signatures (more than the links in comment 0 and comment 1). It would be easier to aggregate them if bug 764756 and bug 893585 were fixed.
Crash Signature: system@framework@framework.jar@classes.dex@0x664d04] → system@framework@framework.jar@classes.dex@0x664d04]
[@ system@framework@framework.jar@classes.dex@0x6878e8]
[@ system@framework@framework.jar@classes.dex@0x687665]
[@ system@framework@framework.jar@classes.dex@0x43de91]
[@ system@framework@framework…
Depends on: 893585
Summary: crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail on Nexus 4/7 → crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail
Comment 7•11 years ago
|
||
I am able to reproduce this with some regularity by * setting Firefox to restore tabs on restart * quitting Firefox * starting Firefox * clicking on the tab switcher button quickly Not 100% but often this works.
Keywords: steps-wanted
Reporter | ||
Updated•11 years ago
|
Keywords: reproducible
Assignee | ||
Comment 8•11 years ago
|
||
It looks like the crash here is actually happening in Java. I found that the crash was always happening during the BGRA->ARGB conversion in processThumbnailData(), which was added as part of the 24-bit color support. Since we're holding onto the actual bitmap used in the BitmapDrawable shown in the tabs tray, I assume we're running into problems when updating the bitmap while it's simultaneously being shown in the UI. Rather than reusing the tab's existing bitmap, this patch creates a new one whenever we update the thumbnail. This seems to fix the crash for me, although I can't be completely sure since the crash is intermittent with the STR.
Attachment #779534 -
Flags: review?(bugmail.mozilla)
Assignee | ||
Updated•11 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 9•11 years ago
|
||
Comment on attachment 779534 [details] [diff] [review] Don't reuse tab's bitmap when updating thumbnail After spending all day debugging this, Chris just posted a patch that removes the BGRA->ARGB code from Java altogether and moves the logic to Gecko. So much for this patch.
Attachment #779534 -
Flags: review?(bugmail.mozilla)
Assignee | ||
Comment 10•11 years ago
|
||
I think bug 896822 will fix this, but leaving open for now to be sure the crash disappears.
Depends on: 896822
Reporter | ||
Updated•11 years ago
|
Crash Signature: [@ arena_malloc | arena_dalloc | _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) | mozilla::AndroidBridge::SendThumbnail(_jobject*, int, bool) ]
[@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject]
[@ arena_malloc | arena_dalloc | nsTArray_Imp… → [@ arena_malloc | arena_dalloc | _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) | mozilla::AndroidBridge::SendThumbnail(_jobject*, int, bool) ]
[@ arena_malloc | arena_dalloc | _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) ]
[@ _Z…
Reporter | ||
Comment 11•11 years ago
|
||
(In reply to Brian Nicholson (:bnicholson) from comment #10) > I think bug 896822 will fix this, but leaving open for now to be sure the > crash disappears. There have been no crashes since 25.0a1/20130725 so it's indeed fixed by that patch.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Updated•3 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•