Closed Bug 738198 Opened 12 years ago Closed 12 years ago

crash in nsPluginInstanceOwner::~nsPluginInstanceOwner @ nsPluginInstanceOwner::RemovePluginView

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Version:
14 Branch
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(firefox14 affected, firefox15 affected, blocking-fennec1.0 -)

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox14 --- affected
firefox15 --- affected
blocking-fennec1.0 --- -

People

(Reporter: scoobidiver, Assigned: snorp)

References

Details

(5 keywords, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

patch
3.36 KB, patch
snorp
: review+
Details | Diff | Splinter Review 
It first appeared in 14.0a1/20120320. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=58a2cd0203ee&tochange=ee554888d071
It's likely a regression from bug 737120.

Signature 	dvmAsmInstructionStart More Reports Search
UUID	705c59fc-e6ab-4b9c-b51f-815df2120322
Date Processed	2012-03-22 05:51:41
Uptime	760
Last Crash	1.1 days before submission
Install Age	12.7 minutes since version was first installed.
Install Time	2012-03-22 05:40:04
Product	FennecAndroid
Version	14.0a1
Build ID	20120321031151
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.32.9-perf #1 PREEMPT Wed Oct 19 09:31:26 2011 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x1c
App Notes 	
EGL? EGL+ AdapterVendorID: semc, AdapterDeviceID: MK16a.
AdapterDescription: 'Android, Model: 'MK16a', Product: 'MK16a_1250-3934', Manufacturer: 'Sony Ericsson', Hardware: 'semc''.
GL Context? GL Context+ GL Layers? GL Layers+ 
Sony Ericsson MK16a
SEMC/MK16a_1250-3934/MK16a:2.3.4/4.0.2.A.0.62/wf_v3w:user/release-keys
EMCheckCompatibility	True

Frame 	Module 	Signature [Expand] 	Source
0 	libdvm.so 	dvmAsmInstructionStart 	
1 	libdvm.so 	dvmMterpStd 	
2 	libdvm.so 	dvmInterpret 	
3 	libdvm.so 	dvmCallMethodV 	
4 	libdvm.so 	JNI_CreateJavaVM 	
5 	libxul.so 	_JNIEnv::CallStaticVoidMethod 	jni.h:778
6 	libxul.so 	nsPluginInstanceOwner::RemovePluginView 	dom/plugins/base/nsPluginInstanceOwner.cpp:1824
7 	libxul.so 	nsPluginInstanceOwner::~nsPluginInstanceOwner 	dom/plugins/base/nsPluginInstanceOwner.cpp:397
8 	libxul.so 	nsPluginInstanceOwner::~nsPluginInstanceOwner 	dom/plugins/base/nsPluginInstanceOwner.cpp:403
9 	libxul.so 	nsPluginInstanceOwner::Release 	dom/plugins/base/nsPluginInstanceOwner.cpp:405
10 	libxul.so 	nsEventListenerInfo::~nsEventListenerInfo 	nsAutoPtr.h:908
11 	libxul.so 	nsEventListenerInfo::~nsEventListenerInfo 	content/events/src/nsEventListenerService.h:58
12 	libxul.so 	nsEventListenerInfo::Release 	content/events/src/nsEventListenerService.cpp:68
13 	libxul.so 	XPCJSRuntime::GCCallback 	js/xpconnect/src/XPCJSRuntime.cpp:629
14 	libxul.so 	js::GCSlice 	js/src/jsgc.cpp:3745
15 	libxul.so 	js::IncrementalGC 	js/src/jsfriendapi.cpp:158
16 	libxul.so 	nsXPConnect::Collect 	js/xpconnect/src/nsXPConnect.cpp:425
17 	libxul.so 	nsXPConnect::GarbageCollect 	js/xpconnect/src/nsXPConnect.cpp:435
18 	libxul.so 	nsJSContext::GarbageCollectNow 	dom/base/nsJSEnvironment.cpp:2962
19 	libxul.so 	GCTimerFired 	dom/base/nsJSEnvironment.cpp:3123
20 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:508
21 	libxul.so 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:591
22 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:657
23 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
24 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
25 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
26 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
27 	libxul.so 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
28 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:295
29 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3703
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=dvmAsmInstructionStart
Crash Signature: [@ dvmAsmInstructionStart] → [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart]
Summary: crash in nsPluginInstanceOwner::~nsPluginInstanceOwner @ dvmAsmInstructionStart → crash in nsPluginInstanceOwner::~nsPluginInstanceOwner
this is the gecko thread, so we shouldn't need to call GetJNIForThread() [https://mxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsPluginInstanceOwner.cpp#1814]. The reason I'm eyeing that suspiciously is that it then creates a java vm on the thread.
Attached patch patchSplinter Review 
no idea if this will fix this crash, but moving the jni access out of dom/plugins and into the bridge is a bit of clean up I've been wanting to do anyway.
Attachment #609621 - Flags: review?(snorp)
The 6th topcrash on the list for 14.0a1
Keywords: topcrash
blocking-fennec1.0: --- → ?
Comment on attachment 609621 [details] [diff] [review]
patch

This changes it to use AndroidBridge::GetJNIEnv() instead of GetJNIForThread(), but I think that's ok. It's not clear to me that this will fix the crash, though.
Attachment #609621 - Flags: review?(snorp) → review+
blocking-fennec1.0: ? → +
pushed https://hg.mozilla.org/integration/mozilla-inbound/rev/0edeaa911e1c

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #5)
> This changes it to use AndroidBridge::GetJNIEnv() instead of
> GetJNIForThread(), but I think that's ok. It's not clear to me that this
> will fix the crash, though.

I agree. I hope this fixes it, but if not its still a change that we want to make so we'll leave the patch in and reopen the bug.
Whiteboard: [native-crash] → [native-crash][inbound]
Target Milestone: --- → mozilla14
https://hg.mozilla.org/mozilla-central/rev/0edeaa911e1c
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: [native-crash][inbound] → [native-crash]
There are still crashes after the patch landed.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Crash Signature: [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] → [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dalvik-jit-code-cache (deleted)@0x1f598]
Summary: crash in nsPluginInstanceOwner::~nsPluginInstanceOwner → crash in nsPluginInstanceOwner::~nsPluginInstanceOwner @ nsPluginInstanceOwner::RemovePluginView
Crash Signature: [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dalvik-jit-code-cache (deleted)@0x1f598] → [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dalvik-jit-code-cache (deleted)@0x1f598] [@ dalvik-LinearAlloc (deleted)@0x2206fa] [@ dalvik-LinearAlloc (deleted)@0x223602] [@ dalvik-LinearAlloc (deleted)@0x223bb2]
Depends on: 745343
#1 top crash right now
Assignee: nobody → snorp
Crash Signature: [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dalvik-jit-code-cache (deleted)@0x1f598] [@ dalvik-LinearAlloc (deleted)@0x2206fa] [@ dalvik-LinearAlloc (deleted)@0x223602] [@ dalvik-LinearAlloc (deleted)@0x223bb2] → [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dvmInterpretDbg] [@ dalvik-jit-code-cache (deleted)@0x1f598] [@ dalvik-LinearAlloc (deleted)@0x2206fa] [@ dalvik-LinearAlloc (deleted)@0x223602] [@ dalvik-LinearAlloc (deleted)@0x223bb2]
Crash Signature: [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dvmInterpretDbg] [@ dalvik-jit-code-cache (deleted)@0x1f598] [@ dalvik-LinearAlloc (deleted)@0x2206fa] [@ dalvik-LinearAlloc (deleted)@0x223602] [@ dalvik-LinearAlloc (deleted)@0x223bb2] → [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dvmInterpretDbg] [@ dvmHandleStackOverflow] [@ dalvik-jit-code-cache (deleted)@0x1f598] [@ dalvik-LinearAlloc (deleted)@0x2206fa] [@ dalvik-LinearAlloc (deleted)@0x223602] [@ dalvik-LinearAlloc (d…
I was able to reproduce the @dvmAsmSisterStart crash, which was duped to this one.

https://crash-stats.mozilla.com/report/index/bp-a578e360-fa2d-49f5-8c2f-4ddf32120424

STR
1) install 4-24-2012 nightly, HTC Sensation Android 2.3.4
2) visit full flash site: http://www.abc.net.au/iview
3) pan around, wait, crash.
Crash Signature: [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dvmInterpretDbg] [@ dvmHandleStackOverflow] [@ dalvik-jit-code-cache (deleted)@0x1f598] [@ dalvik-LinearAlloc (deleted)@0x2206fa] [@ dalvik-LinearAlloc (deleted)@0x223602] [@ dalvik-LinearAlloc (d… → [@ dvmAsmInstructionStart] [@ dvmAsmSisterStart] [@ dvmInterpretDbg] [@ dvmHandleStackOverflow] [@ dalvik-jit-code-cache (deleted)@0x1f598] [@ dalvik-LinearAlloc (deleted)@0x1eeabe] [@ dalvik-LinearAlloc (deleted)@0x1efb3e] [@ dalvik-LinearAlloc (d…
Target Milestone: mozilla14 → ---
I got this crash once with this testcase:
http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink.html
Str:
- Tap on the plugin placeholder
- Tap on the result flash circle

But I often get the libflashplayer crash, that way too.

Tested on the Samsung Galaxy SII.
Reproduced again, same STR as comment 10.

This time on a different device:  Nexus S, Android 2.3.3, 04-30-2012 latest-aurora branch build.

https://crash-stats.mozilla.com/report/index/a5487d10-8e9c-477e-b61b-e26342120430
Blocks: 746633
Keywords: reproducible
No longer depends on: 745343
QA can we try to nail down some more reliable STR here. I can't repro on current inbound with the steps in #10 or #11.
I can't repro either with steps in #10 using a Galaxy S2, Android 2.3.4 and build 15.0a1 20120508
Unable to reproduce the crash using the STR from Comment 10 and Comment 11 on Nightly 15.0a1 2012-05-08 using an HTC Desire (Android 2.2). Using the steps from Comment 11 i was able to reproduce the crash on Nightly 2012-05-01 - please see Comment 13 - which would suggest that this was fixed by the fix for another bug. 
On Aurora 14.0a2 2012-05-08 on http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink.html i get another crash - Bug 753276. This is specific to Aurora.
Based on crash stats, it's fixed in 15.0a1/20120507. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=94ce5f33a9ea&tochange=448f554f6acb
I guess it's either bug 752001 or bug 752014 that have fixed it (not backported to Aurora).

It's not fixed in Aurora.
status-firefox14: --- → affected
status-firefox15: --- → unaffected
With the str, in comment 11, I now get bug 731288 (although it is a little bit more difficult to get the crash now, it seems).
Keywords: reproducible
no crashes since 5/11
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME
There are still crashes in the trunk: bp-c77a3e1b-59de-4b5c-a50a-cecae2120514
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
no longer a topcrash, renoming and suggesting that this no longer blocks
blocking-fennec1.0: + → ?
(In reply to Brad Lassey [:blassey] from comment #21)
> no crashes since 5/11
It takes several days before a build becomes widespread.

(In reply to Brad Lassey [:blassey] from comment #24)
> no longer a topcrash, renoming and suggesting that this no longer blocks
With combined signatures, it's #2 top crasher in Aurora over the last day (#3 over the last 3 days, #1 over the last week)) from various users.
Keywords: topcrash
blocking-fennec1.0: ? → +
I cant reproduce this on a 5-14 aurora build.  need to keep investigating
Depends on: 741222
Depends on: 741315
Depends on: 731288
snorp, some patch that landed on trunk dropped the crash rate. Please figure out which patch that is and make sure it gets into the next beta build.
Maybe that the fix for bug 731288 will fix this too?
on 5-23-2012 nightly,

just talked with martijn , and he no longer sees this crash when running his testcase 
from comment 11.   I also dont see this crash from my url in comment 10.  

It's possibly that the libgui.so bug (bug 731288), may have fixed it.
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #28)
> Maybe that the fix for bug 731288 will fix this too?
No. There are still crashes in Aurora after the fix of bug 731288: bp-e76de306-4ba6-4a98-be24-47abd2120523.
Bug 741222 would help to know its real rank.
QAwanted still valid - Looks like we need some new repro steps if that crash signature still exists in yesterday's aurora build.
I was able to reproduce this:
1. set plugins to enable
2. go to http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink_back_and_forth_2s.html
3. click on the middle flash button

Expected: no crash
Actual : dvmAsmInstructionSet crash

I was able to consistently produce this on Aurora 2012-05-30 build on Galaxy S II  
What happens is the keyboard seems to appear when it redirects to coming to this flash page after trying to redirect to google.com and crashes.
Keywords: testcase
Re-triaging to strip out non-OMG-ON-FIRE release blockers - pushing this to .N+ but we'd still love to look at a safe patch.
blocking-fennec1.0: + → .N+
With combined signatures, it's at least #6 top crasher in 14.0b5.
I can't seem to reproduce this bug in the latest nightly (6/6/2012) using comment 32 and HTC Desire
Crash Signature: (deleted)@0x2206fa] [@ dalvik-LinearAlloc (deleted)@0x223602] [@ dalvik-LinearAlloc (deleted)@0x223bb2] → (deleted)@0x2206fa] [@ dalvik-LinearAlloc (deleted)@0x223602] [@ dalvik-LinearAlloc (deleted)@0x223bb2] [@ dvmAsmInstructionStart | dvmMterpStd | dvmInterpret | dvmCallMethodV | JNI_CreateJavaVM | _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge:…
(In reply to Scoobidiver from comment #34)
> With combined signatures, it's at least #6 top crasher in 14.0b5.

all these dvm* crash signatures are not good indicators that they are the same bug, which is why we've added dvm* to the skip list.
(In reply to Brad Lassey [:blassey] from comment #36)
> all these dvm* crash signatures are not good indicators that they are the
> same bug, which is why we've added dvm* to the skip list.
The 3 crash signatures use the same pattern:
* dvmAsmInstructionStart | pattern
* dvmAsmSisterStart | pattern
* dvmHandleStackOverflow | dvmAsmSisterStart | pattern
For me, it's the same crash.
It's different from bug 758898.
Crash Signature: mozilla::AndroidBridge::RemovePluginView] [@ dvmAsmSisterStart | dvmMterpStd | dvmInterpret | dvmCallMethodV | JNI_CreateJavaVM | _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::RemovePluginView] → mozilla::AndroidBridge::RemovePluginView] [@ dvmAsmSisterStart | dvmMterpStd | dvmInterpret | dvmCallMethodV | JNI_CreateJavaVM | _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::RemovePluginView] [@ dvmHandleStackOverflow | dvmAsmSisterStart | d…
nominating to remove from the .N+ list due to low crash volume.
blocking-fennec1.0: .N+ → ?
The latest crash happened in 14.0b5. There are no crashes in 14.0b6.
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → WORKSFORME
blocking-fennec1.0: ? → -
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: