Crash in nsPluginInstanceOwner::RemovePluginView @ mozilla::AndroidBridge::EnsureJNIThread

RESOLVED FIXED in Firefox 12

Status

Fennec Graveyard
General
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: Scoobidiver (away), Assigned: mbrubeck)

Tracking

(4 keywords)

Firefox 11
Firefox 12
ARM
Android
crash, regression, reproducible, topcrash

Details

(Whiteboard: [mobile-crash][has patch], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
It's the #1 top crasher in Fennec 11.0a2 (97% of all crashes!) and 12.0a1 (76% of all crashes).

Signature 	mozilla::AndroidBridge::EnsureJNIThread
UUID	1e9cd6dc-8d47-4e81-a731-43e4f2120122
Date Processed	2012-01-22 19:39:33
Process Type	content
Uptime	100
Install Age	21.8 minutes since version was first installed.
Install Time	2012-01-22 19:17:48
Product	Fennec
Version	12.0a1
Build ID	20120122031050
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.36.3 #1 SMP PREEMPT Wed Sep 7 21:26:24 KST 2011 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
EGL? EGL+
AdapterVendorID: , AdapterDeviceID: .
AdapterDescription: 'Android'.
Processor Notes 	WARNING: JSON file missing Add-ons
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libxul.so 	mozilla::AndroidBridge::EnsureJNIThread 	widget/android/AndroidBridge.cpp:261
1 	libxul.so 	mozilla::AndroidBridge::AutoLocalJNIFrame::AutoLocalJNIFrame 	AndroidBridge.h:116
2 	libxul.so 	nsPluginInstanceOwner::RemovePluginView 	dom/plugins/base/nsPluginInstanceOwner.cpp:1736
3 	libxul.so 	nsPluginInstanceOwner::UpdateWindowPositionAndClipRect 	dom/plugins/base/nsPluginInstanceOwner.cpp:3598
4 	libxul.so 	nsObjectFrame::FixupWindow 	layout/generic/nsObjectFrame.cpp:782
5 	libxul.so 	nsObjectFrame::Instantiate 	layout/generic/nsObjectFrame.cpp:2240
6 	libxul.so 	nsObjectLoadingContent::Instantiate 	content/base/src/nsObjectLoadingContent.cpp:1900
7 	libxul.so 	nsAsyncInstantiateEvent::Run 	content/base/src/nsObjectLoadingContent.cpp:169
8 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
9 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
10 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
11 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:229
12 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
13 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
14 	libxul.so 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
15 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:674
16 	libxul.so 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:215
17 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
18 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
19 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:513
20 	libmozglue.so 	restore_non_core_regs 	unwind-arm.c:192
21 		@0xbeab06aa 	
22 	libplugin-container.so 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:68
23 	libc.so 	__libc_init 	
24 		@0xb0004589 

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3AAndroidBridge%3A%3AEnsureJNIThread
(Reporter)

Updated

6 years ago
tracking-fennec: --- → ?
This is trivial to reproduce in a XUL build. Opening any complex page, e.g. http://arstechinca.com or http://engadget.com, can cause this crash.
Regression range
Good Firefox Nightly XUL 2011-12-14 - http://hg.mozilla.org/mozilla-central/rev/221eccfa6a3f
Bad Firefox Nightly XUL 2011-12-15 - http://hg.mozilla.org/mozilla-central/rev/beac16509534

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=221eccfa6a3f&tochange=beac16509534

CC'ed mobile devs that checked in or approved code during the above range.
(Reporter)

Updated

6 years ago
Keywords: regression
Version: Trunk → Firefox 11

Comment 3

6 years ago
Ccing snorp, as it's plug-in/flash related.

Looking at the stack, it looks as if mJavaVM in AndroidBridge has become invalid, but as far as I can tell, this would only happen if you quit the browser, or the Java side bailed out?

It would be good to get the logcat output from around when the crash happens, to see if there are any errors on the Java side, but I don't have a gingerbread device handy at the moment.

Comment 4

6 years ago
Sorry, I didn't realise this was a XUL build... My previous comment may or may not be valid. (I'd have thought it was, but the circumstances are quite different)

Updated

6 years ago
Keywords: fennecnative-betablocker

Updated

6 years ago
tracking-firefox11: --- → +
(Reporter)

Comment 5

6 years ago
These crashes occur only on XUL Fennec. It's a Beta blocker for XUL Fennec, not Native Fennec.
you are right, thank you. kw removed.
Keywords: fennecnative-betablocker
(Assignee)

Comment 8

6 years ago
I'll start bisecting to find the precise cause of the regression.
Assignee: nobody → mbrubeck
(Assignee)

Comment 9

6 years ago
The first bad revision is: https://hg.mozilla.org/mozilla-central/rev/bc84b3376e14
Margaret Leibovic <margaret.leibovic@gmail.com>
Bug 707886 - Platform support for non-e10s click-to-play plugins. r=jst,blassey
Blocks: 707886
(Assignee)

Comment 10

6 years ago
Created attachment 592450
patch

The AutoLocalJNIFrame crash from comment 0 was happening because we were constructing the frame in the content process.  This patch avoids that crash by checking the JNI environment before constructing the frame.

After that was fixed, my XUL fennec build was still crashing within libflashplayer.so.  I fixed that by reverting part of bug 707886, to again disable plugin loading in the content process.
Attachment #592450 - Flags: review?(blassey.bugs)
Comment on attachment 592450
patch

Review of attachment 592450:
-----------------------------------------------------------------

::: dom/plugins/base/nsPluginInstanceOwner.cpp
@@ +1741,5 @@
>  
>      void* surface = mInstance->GetJavaSurface();
>      if (surface) {
>        JNIEnv* env = GetJNIForThread();
>        if (env) {
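
Review bot: at the `if (env)` check that follows `GetJNIForThread()`, the null case is skipped silently and nothing in the hunk says when a null environment is expected. Add a one-line comment stating that this thread may have no JNI environment (the bug discussion points at the content process), so the check is not later removed as redundant.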

make the surface and env null checks early returns
Attachment #592450 - Flags: review?(blassey.bugs) → review+
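
The guard from comment 10, written with the early returns asked for in the review above, as an added example that is not the Mozilla patch or code from this bug. `FakeEnv`, `FakeBridge` and `AutoLocalFrame` are hypothetical stand-ins for the JNI environment, `AndroidBridge` and `AutoLocalJNIFrame`; only the names `GetJNIForThread` and `RemovePluginView` come from the page.

```cpp
// Hypothetical stand-ins for the JNI types; not Mozilla or Android code.
struct FakeEnv {
    int openFrames = 0;    // local reference frames currently pushed
    int removedViews = 0;  // views handed back to the Java side
};

// Stand-in for the bridge: env stays null in a process that never
// attached to a Java VM (the content process in this bug).
struct FakeBridge {
    FakeEnv* env = nullptr;
    FakeEnv* GetJNIForThread() const { return env; }
};

// RAII local frame; taking a reference forces the caller to check first.
class AutoLocalFrame {
public:
    explicit AutoLocalFrame(FakeEnv& env) : mEnv(env) { ++mEnv.openFrames; }
    ~AutoLocalFrame() { --mEnv.openFrames; }
private:
    FakeEnv& mEnv;
};

// Preconditions are checked before the frame exists; true = view removed.
bool RemovePluginView(const FakeBridge& bridge, void* surface) {
    if (!surface) return false;      // nothing to remove
    FakeEnv* env = bridge.GetJNIForThread();
    if (!env) return false;          // no JNI in this process: skip, no crash
    AutoLocalFrame frame(*env);      // safe: env is known to be non-null
    ++env->removedViews;             // placeholder for the real JNI call
    return true;
}

// Constructed scenario: content process, the bridge has no env.
bool ContentProcessCall() {
    FakeBridge bridge;
    int surface = 0;
    return RemovePluginView(bridge, &surface);
}

// Constructed scenario: parent process; true if removed and frame popped.
bool ParentProcessCall() {
    FakeEnv env;
    FakeBridge bridge;
    bridge.env = &env;
    int surface = 0;
    bool removed = RemovePluginView(bridge, &surface);
    return removed && env.removedViews == 1 && env.openFrames == 0;
}

int main() { return (!ContentProcessCall() && ParentProcessCall()) ? 0 : 1; }
```
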
(Assignee)

Comment 12

6 years ago
Created attachment 592451
patch for Aurora

This patch just sets the plugin.disable pref for XUL Fennec.  This seems to be sufficient to work around this crash.  I think this is the best fix to push to Aurora for Firefox 11.  r=blassey on IRC.

[Approval Request Comment]
Regression caused by (bug #): bug 707886

User impact if declined: Frequent crashes on many web sites.

Testing completed (on m-c, etc.): Not landed on m-c.  We'd like to land a more complete fix on m-c (the other patch attached to this bug).

Risk to taking this patch (and alternatives if risky): Patch is XUL-fennec-only, and only flips a pref to disable a new feature that was never fully implemented in XUL Fennec and is now causing crashes.
Attachment #592451 - Flags: review+
Attachment #592451 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 13

6 years ago
Pushed to Try to make sure these don't break any tests:
https://tbpl.mozilla.org/?tree=Try&rev=80ccaeca6302
https://tbpl.mozilla.org/?tree=Try&rev=3367e84935d0 (Aurora patch)
Status: NEW → ASSIGNED
Whiteboard: [mobile-crash] → [mobile-crash][has patch]
(Assignee)

Comment 14

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/3a6ece55c68c
status-firefox12: affected → fixed
Target Milestone: --- → Firefox 12
(Reporter)

Updated

6 years ago
Keywords: reproducible
(Reporter)

Comment 15

6 years ago
Will Flash be enabled in XUL Fx 11 for Android?
See: https://wiki.mozilla.org/Fennec/Features/Plugins
https://hg.mozilla.org/mozilla-central/rev/3a6ece55c68c
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Comment on attachment 592451
patch for Aurora

[Triage Comment]
Approved for Aurora. Please land ASAP.
Attachment #592451 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 18

6 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/a26d9110e7f2
status-firefox11: affected → fixed
(Reporter)

Comment 19

6 years ago
I have seen no crashes in 12.0a1/20120130 and above.
status-firefox12: fixed → verified
tracking-fennec: ? → ---