Closed
Bug 738198
Opened 14 years ago
Closed 13 years ago
crash in nsPluginInstanceOwner::~nsPluginInstanceOwner @ nsPluginInstanceOwner::RemovePluginView
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(firefox14 affected, firefox15 affected, blocking-fennec1.0 -)
RESOLVED
WORKSFORME
People
(Reporter: scoobidiver, Assigned: snorp)
References
Details
(5 keywords, Whiteboard: [native-crash])
Crash Data
Attachments
(1 file)
|
3.36 KB,
patch
|
snorp
:
review+
|
Details | Diff | Splinter Review |
It first appeared in 14.0a1/20120320. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=58a2cd0203ee&tochange=ee554888d071
It's likely a regression from bug 737120.
Signature dvmAsmInstructionStart More Reports Search
UUID 705c59fc-e6ab-4b9c-b51f-815df2120322
Date Processed 2012-03-22 05:51:41
Uptime 760
Last Crash 1.1 days before submission
Install Age 12.7 minutes since version was first installed.
Install Time 2012-03-22 05:40:04
Product FennecAndroid
Version 14.0a1
Build ID 20120321031151
Release Channel nightly
OS Linux
OS Version 0.0.0 Linux 2.6.32.9-perf #1 PREEMPT Wed Oct 19 09:31:26 2011 armv7l
Build Architecture arm
Build Architecture Info
Crash Reason SIGSEGV
Crash Address 0x1c
App Notes
EGL? EGL+ AdapterVendorID: semc, AdapterDeviceID: MK16a.
AdapterDescription: 'Android, Model: 'MK16a', Product: 'MK16a_1250-3934', Manufacturer: 'Sony Ericsson', Hardware: 'semc''.
GL Context? GL Context+ GL Layers? GL Layers+
Sony Ericsson MK16a
SEMC/MK16a_1250-3934/MK16a:2.3.4/4.0.2.A.0.62/wf_v3w:user/release-keys
EMCheckCompatibility True
Frame Module Signature [Expand] Source
0 libdvm.so dvmAsmInstructionStart
1 libdvm.so dvmMterpStd
2 libdvm.so dvmInterpret
3 libdvm.so dvmCallMethodV
4 libdvm.so JNI_CreateJavaVM
5 libxul.so _JNIEnv::CallStaticVoidMethod jni.h:778
6 libxul.so nsPluginInstanceOwner::RemovePluginView dom/plugins/base/nsPluginInstanceOwner.cpp:1824
7 libxul.so nsPluginInstanceOwner::~nsPluginInstanceOwner dom/plugins/base/nsPluginInstanceOwner.cpp:397
8 libxul.so nsPluginInstanceOwner::~nsPluginInstanceOwner dom/plugins/base/nsPluginInstanceOwner.cpp:403
9 libxul.so nsPluginInstanceOwner::Release dom/plugins/base/nsPluginInstanceOwner.cpp:405
10 libxul.so nsEventListenerInfo::~nsEventListenerInfo nsAutoPtr.h:908
11 libxul.so nsEventListenerInfo::~nsEventListenerInfo content/events/src/nsEventListenerService.h:58
12 libxul.so nsEventListenerInfo::Release content/events/src/nsEventListenerService.cpp:68
13 libxul.so XPCJSRuntime::GCCallback js/xpconnect/src/XPCJSRuntime.cpp:629
14 libxul.so js::GCSlice js/src/jsgc.cpp:3745
15 libxul.so js::IncrementalGC js/src/jsfriendapi.cpp:158
16 libxul.so nsXPConnect::Collect js/xpconnect/src/nsXPConnect.cpp:425
17 libxul.so nsXPConnect::GarbageCollect js/xpconnect/src/nsXPConnect.cpp:435
18 libxul.so nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:2962
19 libxul.so GCTimerFired dom/base/nsJSEnvironment.cpp:3123
20 libxul.so nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:508
21 libxul.so nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:591
22 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:657
23 libxul.so NS_ProcessNextEvent_P obj-firefox/xpcom/build/nsThreadUtils.cpp:245
24 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
25 libxul.so MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:208
26 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:201
27 libxul.so nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:189
28 libxul.so nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:295
29 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp:3703
...
More reports at:
https://crash-stats.mozilla.com/report/list?signature=dvmAsmInstructionStart
|
Reporter | |
Updated•14 years ago
|
Crash Signature: [@ dvmAsmInstructionStart] → [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
Summary: crash in nsPluginInstanceOwner::~nsPluginInstanceOwner @ dvmAsmInstructionStart → crash in nsPluginInstanceOwner::~nsPluginInstanceOwner
|
||
Comment 2•14 years ago
|
||
this is the gecko thread, so we shouldn't need to call GetJNIForThread() [https://mxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsPluginInstanceOwner.cpp#1814]. The reason I'm eyeing that suspiciously is that it then creates a java vm on the thread.
|
|
||
Comment 3•14 years ago
|
||
no idea if this will fix this crash, but moving the jni access out of dom/plugins and into the bridge is a bit of clean up I've been wanting to do anyway.
Attachment #609621 -
Flags: review?(snorp)
The 6th topcrash on the list for 14.0a1
Keywords: topcrash
|
|
||
Updated•14 years ago
|
blocking-fennec1.0: --- → ?
|
Assignee | |
Comment 5•14 years ago
|
||
Comment on attachment 609621 [details] [diff] [review]
patch
This changes it to use AndroidBridge::GetJNIEnv() instead of GetJNIForThread(), but I think that's ok. It's not clear to me that this will fix the crash, though.
Attachment #609621 -
Flags: review?(snorp) → review+
|
|
||
Updated•14 years ago
|
blocking-fennec1.0: ? → +
|
|
||
Comment 6•14 years ago
|
||
pushed https://hg.mozilla.org/integration/mozilla-inbound/rev/0edeaa911e1c
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #5)
> This changes it to use AndroidBridge::GetJNIEnv() instead of
> GetJNIForThread(), but I think that's ok. It's not clear to me that this
> will fix the crash, though.
I agree. I hope this fixes it, but if not its still a change that we want to make so we'll leave the patch in and reopen the bug.
Whiteboard: [native-crash] → [native-crash][inbound]
Target Milestone: --- → mozilla14
|
||
Comment 7•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [native-crash][inbound] → [native-crash]
|
|
Reporter | |
Comment 8•14 years ago
|
||
There are still crashes after the patch landed.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Reporter | |
Updated•14 years ago
|
Crash Signature: [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart] → [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dalvik-jit-code-cache (deleted)@0x1f598]
Summary: crash in nsPluginInstanceOwner::~nsPluginInstanceOwner → crash in nsPluginInstanceOwner::~nsPluginInstanceOwner @ nsPluginInstanceOwner::RemovePluginView
|
|
Reporter | |
Updated•14 years ago
|
Crash Signature: [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dalvik-jit-code-cache (deleted)@0x1f598] → [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dalvik-jit-code-cache (deleted)@0x1f598]
[@ dalvik-LinearAlloc (deleted)@0x2206fa]
[@ dalvik-LinearAlloc (deleted)@0x223602]
[@ dalvik-LinearAlloc (deleted)@0x223bb2]
|
|
Reporter | |
Updated•14 years ago
|
Crash Signature: [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dalvik-jit-code-cache (deleted)@0x1f598]
[@ dalvik-LinearAlloc (deleted)@0x2206fa]
[@ dalvik-LinearAlloc (deleted)@0x223602]
[@ dalvik-LinearAlloc (deleted)@0x223bb2] → [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dvmInterpretDbg]
[@ dalvik-jit-code-cache (deleted)@0x1f598]
[@ dalvik-LinearAlloc (deleted)@0x2206fa]
[@ dalvik-LinearAlloc (deleted)@0x223602]
[@ dalvik-LinearAlloc (deleted)@0x223bb2]
|
|
Reporter | |
Updated•14 years ago
|
Crash Signature: [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dvmInterpretDbg]
[@ dalvik-jit-code-cache (deleted)@0x1f598]
[@ dalvik-LinearAlloc (deleted)@0x2206fa]
[@ dalvik-LinearAlloc (deleted)@0x223602]
[@ dalvik-LinearAlloc (deleted)@0x223bb2] → [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dvmInterpretDbg]
[@ dvmHandleStackOverflow]
[@ dalvik-jit-code-cache (deleted)@0x1f598]
[@ dalvik-LinearAlloc (deleted)@0x2206fa]
[@ dalvik-LinearAlloc (deleted)@0x223602]
[@ dalvik-LinearAlloc (d…
|
|
||
Comment 10•14 years ago
|
||
I was able to reproduce the @dvmAsmSisterStart crash, which was duped to this one.
https://crash-stats.mozilla.com/report/index/bp-a578e360-fa2d-49f5-8c2f-4ddf32120424
STR
1) install 4-24-2012 nightly, HTC Sensation Android 2.3.4
2) visit full flash site: http://www.abc.net.au/iview
3) pan around, wait, crash.
|
|
Reporter | |
Updated•14 years ago
|
Crash Signature: [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dvmInterpretDbg]
[@ dvmHandleStackOverflow]
[@ dalvik-jit-code-cache (deleted)@0x1f598]
[@ dalvik-LinearAlloc (deleted)@0x2206fa]
[@ dalvik-LinearAlloc (deleted)@0x223602]
[@ dalvik-LinearAlloc (d… → [@ dvmAsmInstructionStart]
[@ dvmAsmSisterStart]
[@ dvmInterpretDbg]
[@ dvmHandleStackOverflow]
[@ dalvik-jit-code-cache (deleted)@0x1f598]
[@ dalvik-LinearAlloc (deleted)@0x1eeabe]
[@ dalvik-LinearAlloc (deleted)@0x1efb3e]
[@ dalvik-LinearAlloc (d…
|
||
Updated•14 years ago
|
Target Milestone: mozilla14 → ---
|
||
Comment 11•14 years ago
|
||
I got this crash once with this testcase:
http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink.html
Str:
- Tap on the plugin placeholder
- Tap on the result flash circle
But I often get the libflashplayer crash, that way too.
Tested on the Samsung Galaxy SII.
|
|
||
Comment 12•14 years ago
|
||
Reproduced again, same STR as comment 10.
This time on a different device: Nexus S, Android 2.3.3, 04-30-2012 latest-aurora branch build.
https://crash-stats.mozilla.com/report/index/a5487d10-8e9c-477e-b61b-e26342120430
|
|
Reporter | |
Updated•14 years ago
|
Keywords: reproducible
|
|
||
Comment 13•14 years ago
|
||
On a Motorola Droid Pro running Android 2.3.4 on Nightly/15.0a1 2012-05-01 on http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink.html i got 3 crashes which seem to be the same/related to this:
https://crash-stats.mozilla.com/report/index/bp-9cfd68c6-e5f0-434c-8081-4d10f2120502
https://crash-stats.mozilla.com/report/index/bp-7d6e709c-3f71-419a-bac8-de74e2120502
https://crash-stats.mozilla.com/report/index/bp-657dac4f-d747-4d21-b3b8-0526d2120502
|
|
Assignee | |
Comment 15•14 years ago
|
||
QA can we try to nail down some more reliable STR here. I can't repro on current inbound with the steps in #10 or #11.
|
||
Comment 16•14 years ago
|
||
I can't repro either with steps in #10 using a Galaxy S2, Android 2.3.4 and build 15.0a1 20120508
|
|
||
Comment 17•14 years ago
|
||
Unable to reproduce the crash using the STR from Comment 10 and Comment 11 on Nightly 15.0a1 2012-05-08 using an HTC Desire (Android 2.2). Using the steps from Comment 11 i was able to reproduce the crash on Nightly 2012-05-01 - please see Comment 13 - which would suggest that this was fixed by the fix for another bug.
On Aurora 14.0a2 2012-05-08 on http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink.html i get another crash - Bug 753276. This is specific to Aurora.
|
|
Reporter | |
Comment 18•14 years ago
|
||
Based on crash stats, it's fixed in 15.0a1/20120507. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=94ce5f33a9ea&tochange=448f554f6acb
I guess it's either bug 752001 or bug 752014 that have fixed it (not backported to Aurora).
It's not fixed in Aurora.
status-firefox14:
--- → affected
status-firefox15:
--- → unaffected
|
|
||
Comment 19•14 years ago
|
||
With the str, in comment 11, I now get bug 731288 (although it is a little bit more difficult to get the crash now, it seems).
|
|
Reporter | |
Updated•14 years ago
|
Keywords: reproducible
|
|
Reporter | |
Comment 20•14 years ago
|
||
(In reply to Scoobidiver from comment #18)
> Based on crash stats, it's fixed in 15.0a1/20120507.
I talked too fast. There are still crashes in the trunk but at a lower volume:
https://crash-stats.mozilla.com/report/list?product=FennecAndroid&version=FennecAndroid%3A15.0a1&query_search=signature&query_type=contains&reason_type=contains&range_value=28&range_unit=days&do_query=1&signature=dvmAsmInstructionStart#graph
https://crash-stats.mozilla.com/report/list?product=FennecAndroid&version=FennecAndroid%3A15.0a1&query_search=signature&query_type=contains&reason_type=contains&range_value=28&range_unit=days&do_query=1&signature=dvmAsmSisterStart#graph
With combined signatures, it's #6 top crasher in 14.0a2 and #1 top unfixed crasher.
|
|
||
Comment 21•14 years ago
|
||
no crashes since 5/11
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Updated•14 years ago
|
Resolution: FIXED → WORKSFORME
|
|
Reporter | |
Comment 22•14 years ago
|
||
There are still crashes in Aurora at a low level:
https://crash-stats.mozilla.com/report/list?product=FennecAndroid&version=FennecAndroid%3A14.0a2&query_search=signature&query_type=contains&reason_type=contains&range_value=28&range_unit=days&do_query=1&signature=dvmAsmInstructionStart#graph
Keywords: topcrash
|
|
Reporter | |
Comment 23•14 years ago
|
||
There are still crashes in the trunk: bp-c77a3e1b-59de-4b5c-a50a-cecae2120514
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
|
|
||
Comment 24•14 years ago
|
||
no longer a topcrash, renoming and suggesting that this no longer blocks
blocking-fennec1.0: + → ?
|
|
Reporter | |
Comment 25•14 years ago
|
||
(In reply to Brad Lassey [:blassey] from comment #21)
> no crashes since 5/11
It takes several days before a build becomes widespread.
(In reply to Brad Lassey [:blassey] from comment #24)
> no longer a topcrash, renoming and suggesting that this no longer blocks
With combined signatures, it's #2 top crasher in Aurora over the last day (#3 over the last 3 days, #1 over the last week)) from various users.
Keywords: topcrash
|
||
Updated•14 years ago
|
blocking-fennec1.0: ? → +
|
|
||
Comment 26•14 years ago
|
||
I cant reproduce this on a 5-14 aurora build. need to keep investigating
|
|
||
Comment 27•14 years ago
|
||
snorp, some patch that landed on trunk dropped the crash rate. Please figure out which patch that is and make sure it gets into the next beta build.
|
|
||
Comment 28•13 years ago
|
||
Maybe that the fix for bug 731288 will fix this too?
|
|
||
Comment 29•13 years ago
|
||
on 5-23-2012 nightly,
just talked with martijn , and he no longer sees this crash when running his testcase
from comment 11. I also dont see this crash from my url in comment 10.
It's possibly that the libgui.so bug (bug 731288), may have fixed it.
|
|
Reporter | |
Comment 30•13 years ago
|
||
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #28)
> Maybe that the fix for bug 731288 will fix this too?
No. There are still crashes in Aurora after the fix of bug 731288: bp-e76de306-4ba6-4a98-be24-47abd2120523.
Bug 741222 would help to know its real rank.
QAwanted still valid - Looks like we need some new repro steps if that crash signature still exists in yesterday's aurora build.
I was able to reproduce this:
1. set plugins to enable
2. go to http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink_back_and_forth_2s.html
3. click on the middle flash button
Expected: no crash
Actual : dvmAsmInstructionSet crash
I was able to consistently produce this on Aurora 2012-05-30 build on Galaxy S II
What happens is the keyboard seems to appear when it redirects to coming to this flash page after trying to redirect to google.com and crashes.
|
|
||
Updated•13 years ago
|
Keywords: reproducible
|
|
||
Comment 33•13 years ago
|
||
Re-triaging to strip out non-OMG-ON-FIRE release blockers - pushing this to .N+ but we'd still love to look at a safe patch.
blocking-fennec1.0: + → .N+
|
|
Reporter | |
Comment 34•13 years ago
|
||
With combined signatures, it's at least #6 top crasher in 14.0b5.
I can't seem to reproduce this bug in the latest nightly (6/6/2012) using comment 32 and HTC Desire
|
|
Reporter | |
Updated•13 years ago
|
Crash Signature: (deleted)@0x2206fa]
[@ dalvik-LinearAlloc (deleted)@0x223602]
[@ dalvik-LinearAlloc (deleted)@0x223bb2] → (deleted)@0x2206fa]
[@ dalvik-LinearAlloc (deleted)@0x223602]
[@ dalvik-LinearAlloc (deleted)@0x223bb2]
[@ dvmAsmInstructionStart | dvmMterpStd | dvmInterpret | dvmCallMethodV | JNI_CreateJavaVM | _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge:…
|
|
||
Comment 36•13 years ago
|
||
(In reply to Scoobidiver from comment #34)
> With combined signatures, it's at least #6 top crasher in 14.0b5.
all these dvm* crash signatures are not good indicators that they are the same bug, which is why we've added dvm* to the skip list.
|
|
Reporter | |
Comment 37•13 years ago
|
||
(In reply to Brad Lassey [:blassey] from comment #36)
> all these dvm* crash signatures are not good indicators that they are the
> same bug, which is why we've added dvm* to the skip list.
The 3 crash signatures use the same pattern:
* dvmAsmInstructionStart | pattern
* dvmAsmSisterStart | pattern
* dvmHandleStackOverflow | dvmAsmSisterStart | pattern
For me, it's the same crash.
It's different from bug 758898.
Crash Signature: mozilla::AndroidBridge::RemovePluginView]
[@ dvmAsmSisterStart | dvmMterpStd | dvmInterpret | dvmCallMethodV | JNI_CreateJavaVM | _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::RemovePluginView] → mozilla::AndroidBridge::RemovePluginView]
[@ dvmAsmSisterStart | dvmMterpStd | dvmInterpret | dvmCallMethodV | JNI_CreateJavaVM | _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::RemovePluginView]
[@ dvmHandleStackOverflow | dvmAsmSisterStart | d…
|
|
||
Comment 38•13 years ago
|
||
nominating to remove from the .N+ list due to low crash volume.
blocking-fennec1.0: .N+ → ?
|
|
Reporter | |
Comment 39•13 years ago
|
||
The latest crash happened in 14.0b5. There are no crashes in 14.0b6.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 13 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•13 years ago
|
blocking-fennec1.0: ? → -
|
||
Updated•4 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•