Last Comment Bug 720400 - Crash in nsPluginInstanceOwner::RemovePluginView @ mozilla::AndroidBridge::EnsureJNIThread
: Crash in nsPluginInstanceOwner::RemovePluginView @ mozilla::AndroidBridge::En...
[mobile-crash][has patch]
: crash, regression, reproducible, topcrash
Product: Fennec Graveyard
Classification: Graveyard
Component: General (show other bugs)
: Firefox 11
: ARM Android
-- critical (vote)
: Firefox 12
Assigned To: Matt Brubeck (:mbrubeck)
Depends on:
Blocks: 707886
  Show dependency treegraph
Reported: 2012-01-23 09:58 PST by Scoobidiver (away)
Modified: 2013-12-10 10:00 PST (History)
13 users (show)
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

patch (2.79 KB, patch)
2012-01-28 16:23 PST, Matt Brubeck (:mbrubeck)
blassey.bugs: review+
Details | Diff | Splinter Review
patch for Aurora (850 bytes, patch)
2012-01-28 16:51 PST, Matt Brubeck (:mbrubeck)
mbrubeck: review+
akeybl: approval‑mozilla‑aurora+
Details | Diff | Splinter Review

Description User image Scoobidiver (away) 2012-01-23 09:58:55 PST
It's #1 top crasher in Fennec 11.0a2 (97% of all crashes!) and 12.0a1 (76% of all crashes).

Signature 	mozilla::AndroidBridge::EnsureJNIThread More Reports Search
UUID	1e9cd6dc-8d47-4e81-a731-43e4f2120122
Date Processed	2012-01-22 19:39:33
Process Type	content
Uptime	100
Install Age	21.8 minutes since version was first installed.
Install Time	2012-01-22 19:17:48
Product	Fennec
Version	12.0a1
Build ID	20120122031050
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux #1 SMP PREEMPT Wed Sep 7 21:26:24 KST 2011 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
AdapterVendorID: , AdapterDeviceID: .
AdapterDescription: 'Android'.
Processor Notes 	WARNING: JSON file missing Add-ons
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	mozilla::AndroidBridge::EnsureJNIThread 	widget/android/AndroidBridge.cpp:261
1 	mozilla::AndroidBridge::AutoLocalJNIFrame::AutoLocalJNIFrame 	AndroidBridge.h:116
2 	nsPluginInstanceOwner::RemovePluginView 	dom/plugins/base/nsPluginInstanceOwner.cpp:1736
3 	nsPluginInstanceOwner::UpdateWindowPositionAndClipRect 	dom/plugins/base/nsPluginInstanceOwner.cpp:3598
4 	nsObjectFrame::FixupWindow 	layout/generic/nsObjectFrame.cpp:782
5 	nsObjectFrame::Instantiate 	layout/generic/nsObjectFrame.cpp:2240
6 	nsObjectLoadingContent::Instantiate 	content/base/src/nsObjectLoadingContent.cpp:1900
7 	nsAsyncInstantiateEvent::Run 	content/base/src/nsObjectLoadingContent.cpp:169
8 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
9 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
10 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
11 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:229
12 	MessageLoop::RunInternal 	ipc/chromium/src/base/
13 	MessageLoop::Run 	ipc/chromium/src/base/
14 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
15 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:674
16 	mozilla::ipc::MessagePumpForChildProcess::Run 	ipc/glue/MessagePump.cpp:215
17 	MessageLoop::RunInternal 	ipc/chromium/src/base/
18 	MessageLoop::Run 	ipc/chromium/src/base/
19 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:513
20 	restore_non_core_regs 	unwind-arm.c:192
21 		@0xbeab06aa 	
22 	main 	ipc/app/MozillaRuntimeMainAndroid.cpp:68
23 	__libc_init 	
24 		@0xb0004589 

More reports at:
Comment 1 User image Kevin Brosnan [:kbrosnan] 2012-01-25 22:14:03 PST
This is trivial to reproduce in an XUL build. Opening any complex page ex. or can cause this crash.
Comment 2 User image Kevin Brosnan [:kbrosnan] 2012-01-25 23:02:41 PST
Regression range
Good Firefox Nightly XUL 2011-12-14 -
Bad Firefox Nightly XUL 2011-12-15 -

CC'ed mobile devs that checked in or approved code during the above range.
Comment 3 User image Chris Lord [:cwiiis] 2012-01-26 02:37:17 PST
Ccing snorp, as it's plug-in/flash related.

Looking at the stack, it looks as if mJavaVM in AndroidBridge has become invalid, but as far as I can tell, this would only happen if you quit the browser, or the Java side bailed out?

It would be good to get the logcat output from around when the crash happens, to see if there are any errors on the Java side, but I don't have a gingerbread device handy at the moment.
Comment 4 User image Chris Lord [:cwiiis] 2012-01-26 02:38:48 PST
Sorry, I didn't realise this was a XUL build... My previous comment may or may not be valid. (I'd have thought it was, but the circumstances are quite different)
Comment 5 User image Scoobidiver (away) 2012-01-27 00:07:40 PST
These crashes occur only on XUL Fennec. It's a Beta blocker for XUL Fennec, not Native Fennec.
Comment 6 User image Erin Lancaster [:elan] 2012-01-27 17:08:12 PST
you are right, thank you. kw removed.
Comment 7 User image Erin Lancaster [:elan] 2012-01-27 17:08:30 PST
you are right, thank you. kw removed.
Comment 8 User image Matt Brubeck (:mbrubeck) 2012-01-28 09:05:26 PST
I'll start bisecting to find the precise cause of the regression.
Comment 9 User image Matt Brubeck (:mbrubeck) 2012-01-28 15:21:41 PST
The first bad revision is:
Margaret Leibovic <>
Bug 707886 - Platform support for non-e10s click-to-play plugins. r=jst,blassey
Comment 10 User image Matt Brubeck (:mbrubeck) 2012-01-28 16:23:01 PST
Created attachment 592450 [details] [diff] [review]

The AutoLocalJNIFrame crash from comment 0 was happening because we were constructing the frame in the content process.  This patch avoids that crash by checking the JNI environment before constructing the frame.

After that was fixed, my XUL fennec build was still crashing within  I fixed that by reverting part of bug 707886, to again disable plugin loading in the content process.
Comment 11 User image Brad Lassey [:blassey] (use needinfo?) 2012-01-28 16:28:20 PST
Comment on attachment 592450 [details] [diff] [review]

Review of attachment 592450 [details] [diff] [review]:

::: dom/plugins/base/nsPluginInstanceOwner.cpp
@@ +1741,5 @@
>      void* surface = mInstance->GetJavaSurface();
>      if (surface) {
>        JNIEnv* env = GetJNIForThread();
>        if (env) {

make the surface and env null checks early returns
Comment 12 User image Matt Brubeck (:mbrubeck) 2012-01-28 16:51:02 PST
Created attachment 592451 [details] [diff] [review]
patch for Aurora

This patch just sets the plugin.disable pref for XUL Fennec.  This seems to be sufficient to work around this crash.  I think this is the best fix to push to Aurora for Firefox 11.  r=blassey on IRC.

[Approval Request Comment]
Regression caused by (bug #): bug 707886

User impact if declined: Frequent crashes on many web sites.

Testing completed (on m-c, etc.): Not landed on m-c.  We'd like to land a more complete fix on m-c (the other patch attached to this bug).

Risk to taking this patch (and alternatives if risky): Patch is XUL-fennec-only, and only flips a pref to disable a new feature that was never fully implemented in XUL Fennec and is now causing crashes.
Comment 13 User image Matt Brubeck (:mbrubeck) 2012-01-28 17:04:49 PST
Pushed to Try to make sure these don't break any tests: (Aurora patch)
Comment 15 User image Scoobidiver (away) 2012-01-28 22:30:14 PST
Will Flash be enabled in XUL Fx 11 for Android?
Comment 16 User image Phil Ringnalda (:philor) 2012-01-29 11:09:42 PST
Comment 17 User image Alex Keybl [:akeybl] 2012-01-30 16:48:53 PST
Comment on attachment 592451 [details] [diff] [review]
patch for Aurora

[Triage Comment]
Approved for Aurora. Please land ASAP.
Comment 18 User image Matt Brubeck (:mbrubeck) 2012-01-30 16:56:13 PST
Comment 19 User image Scoobidiver (away) 2012-01-31 14:54:16 PST
I have seen no crashes in 12.0a1/20120130 and above.

Note You need to log in before you can comment on or make changes to this bug.