Closed Bug 721654 Opened 10 years ago Closed 10 years ago

Crash in mozilla::AndroidBridge::HandleGeckoMessage

Categories

(Core Graveyard :: Widget: Android, defect, P1)

Product:
Core Graveyard
Component:
Widget: Android
Platform:
ARM
Android
Type:
defect

Tracking

(firefox14 verified, firefox15 verified, blocking-fennec1.0 +)

Status:
VERIFIED FIXED
Milestone:
mozilla14
Tracking Flags:
Tracking Status
firefox14 --- verified
firefox15 --- verified
blocking-fennec1.0 --- +

People

(Reporter: scoobidiver, Assigned: blassey)

References

Details

(Keywords: crash, reproducible, Whiteboard: [native-crash])

Crash Data

Attachments

(3 files)

patch
676 bytes, patch
kats
: review+
Details | Diff | Splinter Review
follow up patch
3.82 KB, patch
kats
: review+
Details | Diff | Splinter Review
new OOM crash
16.74 KB, text/plain
Details 
It first appeared in 12.0a1/20120117 and 11.0a2/20120121.
It's #17 top crasher in 11.0a2 and #26 in 12.0a1.

bp-803f9ce1-9362-4161-8fc0-0c1522120126

Frame 	Module 	Signature 	Source
0 	libdvm.so 	dvmStringLen 	
1 	libdvm.so 	JNI_CreateJavaVM 	
2 	libxul.so 	mozilla::nsJNIString::nsJNIString 	jni.h:834
3 	libxul.so 	mozilla::AndroidBridge::HandleGeckoMessage 	widget/android/AndroidBridge.cpp:1309
4 	libxul.so 	nsAndroidBridge::HandleGeckoMessage 	widget/android/AndroidBridge.cpp:1605
5 	libxul.so 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:194
6 	libxul.so 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2895
7 	libxul.so 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1539
8 	libxul.so 	js::Interpret 	js/src/jscntxtinlines.h:311
9 	libxul.so 	js::RunScript 	js/src/jsinterp.cpp:475
10 	libxul.so 	js::Invoke 	js/src/jsinterp.cpp:538
11 	libxul.so 	JS_CallFunctionValue 	js/src/jsapi.cpp:5460
12 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1510
13 	libxul.so 	nsXPCWrappedJS::CallMethod 	js/xpconnect/src/XPCWrappedJS.cpp:617
14 	libxul.so 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:138
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=dvmStringLen%20|%20JNI_CreateJavaVM%20|%20mozilla%3A%3AnsJNIString%3A%3AnsJNIString
https://crash-stats.mozilla.com/report/index/6d7f2ddf-a726-4288-ac72-0225f2120128 shows a crash on HTC Desire w/ web page : URL	http://www.4players.de/ w/ 20120126031113 nightly

https://crash-stats.mozilla.com/report/index/8dc0e5c8-682e-4815-b041-dd55f2120124
http://www.shakespearetavern.com/ with build : aurora 20120123042009 on a droid x

Earliest I see this crash in Soccoro: 20120111031049
tracking-fennec: --- → ?
Priority: -- → P1
tracking-fennec: ? → ---
Duplicate of this bug: 722770
Crash Signature: [@ dvmStringLen | JNI_CreateJavaVM | mozilla::nsJNIString::nsJNIString] → [@ dvmStringLen | JNI_CreateJavaVM | mozilla::nsJNIString::nsJNIString] [@ dvmAbort | dvmLookupClass] [@ mozilla::nsJNIString::nsJNIString]
status-firefox11: affected → ---
status-firefox12: affected → ---
Component: General → Widget: Android
Keywords: regression
Product: Fennec Native → Core
QA Contact: general → android
Summary: Crash in mozilla::AndroidBridge::HandleGeckoMessage @ dvmStringLen | JNI_CreateJavaVM | mozilla::nsJNIString::nsJNIString → Crash in mozilla::AndroidBridge::HandleGeckoMessage
Crash Signature: [@ dvmStringLen | JNI_CreateJavaVM | mozilla::nsJNIString::nsJNIString] [@ dvmAbort | dvmLookupClass] [@ mozilla::nsJNIString::nsJNIString] → [@ dvmStringLen | JNI_CreateJavaVM | mozilla::nsJNIString::nsJNIString] [@ dvmAbort | dvmLookupClass] [@ mozilla::nsJNIString::nsJNIString] [@ mozilla::AndroidBridge::HandleGeckoMessage]
Crash Signature: [@ dvmStringLen | JNI_CreateJavaVM | mozilla::nsJNIString::nsJNIString] [@ dvmAbort | dvmLookupClass] [@ mozilla::nsJNIString::nsJNIString] [@ mozilla::AndroidBridge::HandleGeckoMessage] → [@ dvmStringLen | JNI_CreateJavaVM | mozilla::nsJNIString::nsJNIString] [@ dvmAbort | dvmLookupClass] [@ dvmAbort | JNI_CreateJavaVM | JNI_CreateJavaVM | mozilla::AndroidBridge::HandleGeckoMessage] [@ mozilla::nsJNIString::nsJNIString] [@ mozilla::And…
I got this crash twice now after a while with this testcase:
http://people.mozilla.com/~mwargers/tests/videos/interrogation_winopenclose.htm
Tap on the button, it opens a bunch of windows.
After 10 seconds, Fennec will block the windows, make sure that you choose "Always show" to let the testcase run indefinetely.
Then, reload the page and tap on the button again.

After 5 minutes or so, I got a crash.
https://crash-stats.mozilla.com/report/index/bp-74329974-1413-4428-8e35-638432120416
This was on the HTC Desire HD.
Perhaps, with the str it might be possible to get this fixed (if it reproduces for others too).
blocking-fennec1.0: --- → ?
Keywords: reproducible
Assignee: nobody → blassey.bugs
blocking-fennec1.0: ? → +
Attached patch patchSplinter Review
Attachment #615470 - Flags: review?(bugmail.mozilla)
Attachment #615470 - Flags: review?(bugmail.mozilla) → review+
Attached patch follow up patchSplinter Review 
this generally makes me not want to allow creating an nsJNIString without passing a JNIEnv, here's a patch to remove that possibility.
Attachment #615500 - Flags: review?(bugmail.mozilla)
Attachment #615500 - Flags: review?(bugmail.mozilla) → review+
Attached file new OOM crash 
with this patch, these STR still crash the browser, but now it is fairly strait forward OOM it look like we're leaking ReadWriteDirectByteBuffers, which are a subclass of ByteBuffer
https://hg.mozilla.org/mozilla-central/rev/8c3acc122469
https://hg.mozilla.org/mozilla-central/rev/fbcc959f5616
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
Duplicate of this bug: 746926
(In reply to Brad Lassey [:blassey] from comment #7)
> Created attachment 615595 [details]
> new OOM crash
> 
> with this patch, these STR still crash the browser, but now it is fairly
> strait forward OOM it look like we're leaking ReadWriteDirectByteBuffers,
> which are a subclass of ByteBuffer

I filed bug 751588 for this.
This crash doesn't occur anymore on the latest Nightly and Aurora builds, if suggestions from comment #3 are followed. 
Closing bug as verified fixed on:

Firefox 15.0a1 (2012-05-29)
Firefox 14.0a2 (2012-05-29)

Device: Galaxy Nexus
OS: Android 4.0.2
Status: RESOLVED → VERIFIED
status-firefox14: --- → verified
status-firefox15: --- → verified
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.