Closed Bug 1205979 Opened 9 years ago Closed 8 years ago

Java plugin crash in mozilla::plugins::AssertPluginThread()

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(firefox42 affected, firefox43 affected, firefox48 wontfix, firefox49+ wontfix, firefox51+ wontfix)

Status:
RESOLVED WONTFIX
Tracking Flags:
Tracking Status
firefox42 --- affected
firefox43 --- affected
firefox48 --- wontfix
firefox49 + wontfix
firefox51 + wontfix

People

(Reporter: ananuti, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Java versions.txt
1.09 KB, text/plain
Details 
This bug was filed from the Socorro interface and is 
report bp-580ba68d-13d8-42c1-855f-0bdc72150918.
=============================================================

STR:

1. Run java https://www.java.com/verify
2. Closed tab
3. Open about:crashes. you'll see 3 reports in there.

Plugin works fine, fake reports maybe?

Cannot reproduce in Beta.
Flags: needinfo?(benjamin)
This is a real plugin-process crash which happens when tearing down a plugin instance. It's caused by a threading error in the Java plugin, and we recently became more strict about crashing on these threading bugs instead of ignoring them and hoping everything works out.

If you had multiple Java tabs open, you'd see the Java in the second tab crash when you closed the first tab.

Mozilla is not going to "fix" this bug: you need to report it to Oracle and they need to fix it within the Java plugin.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(benjamin)
Resolution: --- → WONTFIX
bsmedberg, these AssertPluginThread() Java crashes seem to have recently spiked in Nightly 50 (rank #3) and Aurora 49 (rank #5), but don't show up in the top 50 crashes for Beta 48 or Firefox 47.

Bug 1222036 comment 15 says Oracle has fixed this _releaseobject thread bug. Should we blocklist older unfixed Java versions?

https://bugs.openjdk.java.net/browse/JDK-8133523

e.g. bp-eea8c897-2523-4717-89b8-067882160624
Flags: needinfo?(benjamin)
Summary: crash in mozilla::plugins::AssertPluginThread() → Java plugin crash in mozilla::plugins::AssertPluginThread()
See Also: → 1282776
In general we should blocklist all known-insecure versions of Java. Do you have a proposed minimum Java version we should target? My understanding is that this was fixed in Java 9, but there are still supported versions of Java 8 that we typically would not blocklist. Perhaps though we should encourage upgrade for affected users using Shield.
Flags: needinfo?(benjamin)
Oracle fixed this bug in Java 8 Update 66 according to bug 1140616 comment 84 and OpenJDK bug JDK-8133523 [1]. According to AMO [2] and bug 1259458, we block (click-to-play) Java 8 Update 76 and below. The latest version of Java 8 is Update 92.

Do we already have a mechanism in Shield to encourage people to update their plugins? How do we do that?

[1] https://bugs.openjdk.java.net/browse/JDK-8133523
[2] https://addons.mozilla.org/en-US/firefox/blocked/p1144
No, but if we've already issued a plugin block there is very little we can do. And we also care not-at-all.
Benjamin, with the last beta or 48 and 49.0b1, this is causing a huge spike in term of startup crashes:
https://crash-analysis.mozilla.com/rkaiser/crash-report-tools/longtermgraph/?fxbeta-bcat

Is there anything we can do here?
It seems that it is impacting VLC & the JVM
Status: RESOLVED → REOPENED
Flags: needinfo?(benjamin)
Resolution: WONTFIX → ---
All of the crashes seem to point the same release assert in NPN_ReleaseObject. We could just change that one release assert to a debug assert and return from the function early. Leaking an object is preferable to crashing.

https://hg.mozilla.org/integration/mozilla-inbound/annotate/51377a641589/dom/plugins/ipc/PluginModuleChild.cpp#l2300
Tracking this for 49 at least. Is this really a startup crash ? How can we tell?
status-firefox48: --- → affected
status-firefox49: --- → affected
tracking-firefox49: --- → +
From discussion on IRC it sounds like the uptime is process uptime, so this may be the plugin process. 
Is there some change in how we are counting plugin crashes in crash-stats? i.e. we catch these in crash stats now when we failed to in the past?
This is not a "startup crash" according to our standard definition. It's a plugin-process crash.

I do not believe that leaking is preferable to crashing in this case: leaking means gradual slowdown while crashes are immediate and provide feedback.

I strongly believe we should not make any Firefox changes here. If this is happening in current versions of Oracle Java, we should reach out to them: old versions are already blocklisted so there's not a lot we can do if users keep choosing to use those versions.

As for VLC, you could reach out to the developers but we'd reach the point of diminishing returns very quickly.
Status: REOPENED → RESOLVED
Closed: 9 years ago8 years ago
Flags: needinfo?(benjamin)
Resolution: --- → WONTFIX
Are we seeing the spike in crash-stats move from nightly to aurora to beta to release, because of some change in how plugin crashes are reported, then?
Benjamin, can we completely disallow (not just "This plugin is vulnerable" soft block that still allows click-to-play [1]) Java versions older than the known-fixed version? Or can we reset everyone's Java "Allow and Remember" setting?

According to bug 1140616 comment 84, Oracle says fixed this bug in Java 8 Update 66. I looked at a dozen of these Java crash reports and the most recent crashing version appears to be 8.0.650.17, which looks like a version right before the fixed Java 8 Update 66.

We already soft block (click-to-play) Java 8 Update 76 and below (bug 1259458), so users are manually activating and crashing old plugins or they set Java's click-to-play setting as "Allow and Remember".

[1] https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins#w_how-click-to-activate-works
Flags: needinfo?(benjamin)
(In reply to Chris Peterson [:cpeterson] from comment #14)
> Benjamin, can we completely disallow (not just "This plugin is vulnerable"
> soft block that still allows click-to-play [1]) Java versions older than the
> known-fixed version?

We can but we shouldn't. Enterprise Java deployments are very slow to update, and only a minority of users/Java applets are affected by this bug.
Flags: needinfo?(benjamin)
(In reply to Benjamin Smedberg [:bsmedberg] from comment #15)
> We can but we shouldn't. Enterprise Java deployments are very slow to
> update, and only a minority of users/Java applets are affected by this bug.

This is our #1 topcrash in Beta 49. I think some external change has triggered this spike.

When I search for the number of AssertPluginThread crashes in Beta versions *restricted to their six-week release cycle dates*:

Beta 46 =  3110
Beta 47 =  1232
Beta 48 =  1458 https://is.gd/pl7KGZ
Beta 49 = 25557 in just one week! https://is.gd/hyABIl

And laggards still running Beta 48 over the last week = 139163 crashes! https://is.gd/ChqUC6
OS: Windows 10 → Windows
i think bug 1269998 landing in 49.0b triggered the spike, since 99.8% of these reports are currently coming from the infobar submission mechanism.
Philipp, you are suggesting that we had this bug for a long time and the implementation of bug 1269998 increased the submission rate?
yes, if you just look at the reports submitted through the normal crash reporting process (by excluding crashes submitted from the infobar), the numbers for 49.0b are not out of the ordinary and in line with what we have seen in older versions as well: http://bit.ly/2aK1eZA
Off topic but maybe, if we can, we should annotate these crashes to know that we didn't get them much in the past and that they are now pushed thanks to  bug 1269998
A relatively small number of users (e.g. 1560 installations on 49.0b1) is generating a huge number of crash reports (e.g. 29620 reports on 49.0b1)
Crash Signature: [@ mozilla::plugins::AssertPluginThread()] → [@ mozilla::plugins::AssertPluginThread()] [@ mozilla::plugins::AssertPluginThread]
Looks like now we won't get those (for beta 2) because we turned off the submission interface for beta and release channels, post beta 1 in bug 1291277.
Note also Marco is checking these reports to see the versions of Java used.
status-firefox48: affectedwontfix
status-firefox49: affectedwontfix
Jorge, how can I tell which versions of Java we  have blocklisted already? Marco's list above shows the versions that are currently showing up as crashing most often. So if we haven't blocklisted the worst offenders there, maybe we should do that now.
Flags: needinfo?(jorge)
Are these even real crashes a user might notice? The other crashes that bug 1269998 has tended to get reports generated for are slow shutdown issues that don't even look like crashes. It seems bad to block somebody from using Java for an issue they aren't even noticing.
The full list of blocked add-ons and plugins can be found here: https://addons.mozilla.org/en-US/firefox/blocked/

For Java, we should be blocking Java Plugin 8 update 76 and lower, and Java Plugin 7 update 97 and lower. I don't know how those map to the extended version numbers in comment #24.
Flags: needinfo?(jorge)
(In reply to Jorge Villalobos [:jorgev] from comment #27)
> The full list of blocked add-ons and plugins can be found here:
> https://addons.mozilla.org/en-US/firefox/blocked/
> 
> For Java, we should be blocking Java Plugin 8 update 76 and lower, and Java
> Plugin 7 update 97 and lower. I don't know how those map to the extended
> version numbers in comment #24.

There do seem to be versions in the list that are supposedly blocked.
For example, 7.0.510.13 (7U51) is the top one with ~4000 crashes.
There are also versions starting with 6.

If it works like I think it works (MAJOR.0.UPDATE0.??? or MAJOR.0.UPDATE.???),
then all those versions should be blocked.
That's not surprising. Users can override the plugin blocks, and it's amazingly common for enterprises to never update their Java.
(In reply to Benjamin Smedberg [:bsmedberg] from comment #29)
> That's not surprising. Users can override the plugin blocks, and it's
> amazingly common for enterprises to never update their Java.

It is interesting though that most crashes with this signature are coming from Aurora (from a
small number of installations).
These are definitely a lot of enterprise apps. Many of the non-empty crash URLs are intranet IP addresses, file:/// URLs, and various countries' .gov sites.

Benjamin said in comment 12 that crashing immediately is better than a leak leading to a gradual slowdown. But the crash stops the user from completing their enterprise task, while the leak would be limited to the plugin process, which is reaped when the plugin is no longer in use. That seems like a reasonable trade-off to me. To minimize the slowdown issue, we could also reap unused Java plugin processes more frequently than other plugin processes.
(In reply to Chris Peterson [:cpeterson] from comment #31)
> These are definitely a lot of enterprise apps. Many of the non-empty crash
> URLs are intranet IP addresses, file:/// URLs, and various countries' .gov
> sites.
> 
> Benjamin said in comment 12 that crashing immediately is better than a leak
> leading to a gradual slowdown. But the crash stops the user from completing
> their enterprise task, while the leak would be limited to the plugin
> process, which is reaped when the plugin is no longer in use. That seems
> like a reasonable trade-off to me. To minimize the slowdown issue, we could
> also reap unused Java plugin processes more frequently than other plugin
> processes.

~98% of the crashes have an empty URL (in Aurora ~100% of the crashes).

It still seems very strange to me that this crash has been #1 in the top
crashers list for Aurora for a while, since I wouldn't expect enterprise
users to use Aurora.

I've noticed this crash was not a top-crasher before we had the infobar
to submit crashes, and indeed basically all crashes with this signature
on Aurora have submitted_from_infobar=true.
(In reply to Marco Castelluccio [:marco] from comment #32)
> I've noticed this crash was not a top-crasher before we had the infobar
> to submit crashes, and indeed basically all crashes with this signature
> on Aurora have submitted_from_infobar=true.

Oh, philipp already noticed this before (comment 19).
[Tracking Requested - why for this release]: This was mentioned as a top crasher in the channel meeting today.
status-firefox51: --- → affected
tracking-firefox51: --- → ?
Track for 51+ as the volume is getting larger.
tracking-firefox51: ?+
Mark 51 fix-optional as the volume of installation of the crash is low.
status-firefox51: affectedfix-optional
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: