Android crash in nsNPAPIPluginInstance::TimerWithID

RESOLVED FIXED in Firefox 16

Product: Core
Component: Plug-ins
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 5 years ago
Modified: 4 years ago
Reporter: Scoobidiver (away)
Assignee: snorp
Version: Trunk
Target Milestone: mozilla18
Platform: ARM, Android
Keywords: crash, reproducible, topcrash
Points: ---
Firefox Tracking Flags: firefox15+, firefox16+ fixed, firefox17 fixed, firefox18 fixed, blocking-fennec1.0 -, fennec+
Details: Whiteboard: [native-crash], crash signature
Attachments: 1 attachment

(Reporter)

Description

5 years ago
Signature 	nsNPAPIPluginInstance::TimerWithID
UUID	a49c0aac-2407-4a85-addb-fe9be2120430
Date Processed	2012-04-30 11:23:42
Uptime	246
Install Age	4.1 minutes since version was first installed.
Install Time	2012-04-30 11:19:27
Product	FennecAndroid
Version	14.0a2
Build ID	20120429042006
Release Channel	aurora
OS	Linux
OS Version	0.0.0 Linux 2.6.35.11-perf #1 SMP PREEMPT Tue Feb 14 18:02:08 KST 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
EGL? EGL+ AdapterVendorID: qcom, AdapterDeviceID: LG-MS840.
AdapterDescription: 'Android, Model: 'LG-MS840', Product: 'cayman_mpcs_us', Manufacturer: 'LGE', Hardware: 'qcom''.
GL Context? GL Context+ GL Layers? GL Layers+ 
LGE LG-MS840
lge/cayman_mpcs_us/cayman:2.3.6/GRK39F/MS840ZV8.47A73A3A:user/release-keys
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsNPAPIPluginInstance::TimerWithID 	nsTArray.h:224
1 	libxul.so 	PluginTimerCallback 	dom/plugins/base/nsNPAPIPluginInstance.cpp:1215
2 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:508
3 	libxul.so 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:591
4 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:656
5 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
6 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
7 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
8 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
9 	libxul.so 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
10 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:295
11 	libxul.so 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3780
12 	libxul.so 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3857
13 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3933
14 	libxul.so 	GeckoStart 	toolkit/xre/nsAndroidStartup.cpp:109
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsNPAPIPluginInstance%3A%3ATimerWithID
(Reporter)

Comment 1

5 years ago
It's #15 top crasher in 14.0b6.
(Reporter)

Comment 2

5 years ago
Now that some top crashers are fixed, it's #11 top crasher in 14.0b8.
Keywords: topcrash
(Reporter)

Updated

5 years ago
blocking-fennec1.0: --- → ?

Updated

5 years ago
Keywords: needURLs, qawanted
URLs listed:
4 	http://www.adobe.com/software/flash/about/
2 	http://37092.com/supplyself/Shanghai-Automation-Instrumentation-Far-East-Instr_3
1 	http://www.kicker.de/news/fussball/bundesliga/spieltag/1-bundesliga/2012-13/1/ta
1 	http://www.borsaitaliana.it/borsa/azioni/listino-a-z.html?initial=E
1 	http://www.ynet.co.il/home/0,7340,L-8,00.html
1 	http://www.nrg.co.il/online/HP_29.html
1 	http://truyen.hixx.info/truyen/truyen-kiem-hiep/105326/Vinh-Sinh.html
1 	http://www.ynet.co.il/articles/0,7340,L-4246000,00.html
1 	http://www.amazon.co.uk/product-reviews/B000Q36488/ref=cm_cr_dp_hist_5?ie=UTF8&s
1 	http://www.mangareader.net/damned
1 	http://www.dynatron-corp.com/en/products.aspx
Keywords: needURLs, qawanted
tracking-fennec: --- → +
blocking-fennec1.0: ? → -
Keywords: reproducible
(Reporter)

Comment 4

5 years ago
Cristian, what are the STR?
Summary: crash in nsNPAPIPluginInstance::TimerWithID → Android crash in nsNPAPIPluginInstance::TimerWithID

This looks a lot to me like we're tearing down the plugin instance from within the timer (it could also be calling a timer on a dead instance, but I'd expect that to normally crash earlier in the method). The comment "Make sure we still have an instance and the timer is still alive" is scary. We should almost certainly be protecting against plugin teardown using a PluginDestructionGuard at the top of PluginTimerCallback. Do we have a good way of verifying hunches like that?

(In reply to Scoobidiver from comment #4)
> Cristian, what are the STR?

I was able to reproduce this crash always with the following STR, but I cannot anymore now on latest Nightly, Aurora or Beta builds.

STR:
1. Open Fennec
2. Go to http://www.adobe.com/software/flash/about/
3. Tap to activate flash plugin
4. Wait

Expected result:
No crash should occur.

Actual result:
This crash will occur.


On the latest builds, instead of this crash, I will get some libflashplayer.so crashes.

--
Device: Galaxy Nexus
OS: Android 4.0.4
Keywords: reproducible
(Reporter)

Comment 7

5 years ago
It's now #3 top crasher in 15.0b6.

I am always able to reproduce this crash on the latest Nightly by following these STR:

1. Go to http://goo.gl/j3xAP (http://www.digisport.ro/Sport/FOTBAL/Competitii/Liga+1/fc+vaslui+steaua+live+text+video)
2. Tap on any video to enable the flash plug in
3. Tap on the Reader Mode icon from URL Bar

Expected result:
The page should be displayed in Reader Mode correctly.

Actual result:
https://crash-stats.mozilla.com/report/index/bp-ced8caed-1b5d-458c-83f3-82aed2120828

--
Firefox 18.0a1 (2012-08-28)
Device: Galaxy Note
OS: Android 4.0.4
status-firefox18: --- → affected
Keywords: reproducible
Version: 14 Branch → Trunk
(Reporter)

Updated

5 years ago
tracking-firefox16: --- → ?

Updated

5 years ago
tracking-firefox15: --- → +
tracking-firefox16: ? → +

Comment 9

5 years ago
Snorp - do you have the time to look into this? If not, please hand this off to blassey to reassign.
Assignee: nobody → snorp
(In reply to Alex Keybl [:akeybl] from comment #9)
> Snorp - do you have the time to look into this? If not, please hand this off
> to blassey to reassign.

I can look at it.

Created attachment 659754 [details] [diff] [review]
Don't schedule plugin timers if the plugin isn't running
Attachment #659754 - Flags: review?(joshmoz)
Duplicate of this bug: 732059
Duplicate of this bug: 759109
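
The lifecycle rule named in the attachment title, together with the earlier concern about teardown from inside the timer callback, sketched as an added example. This is not the attached patch or Gecko code: `PluginInstance`, `ScheduleTimer`, `FireTimer` and `Stop` here are hypothetical names in a simplified model.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <map>
#include <utility>

// Simplified model; names are hypothetical, not Gecko's real classes.
class PluginInstance {
 public:
  using Callback = std::function<void(PluginInstance&, uint32_t)>;

  void Start() { running_ = true; }

  // Teardown: drop every pending timer so none can fire on a stopped instance.
  void Stop() {
    running_ = false;
    timers_.clear();
  }

  // Refuse to arm a timer unless the plugin is running. 0 means "not scheduled".
  uint32_t ScheduleTimer(Callback cb) {
    if (!running_ || !cb) return 0;
    uint32_t id = next_id_++;
    timers_[id] = std::move(cb);
    return id;
  }

  // Models the event loop delivering a timer tick. Returns true only if the
  // plugin callback actually ran.
  bool FireTimer(uint32_t id) {
    if (!running_) return false;            // instance already torn down
    auto it = timers_.find(id);
    if (it == timers_.end()) return false;  // timer cancelled or never armed
    // Copy before calling: the callback may Stop() the instance and erase the
    // map entry, which would otherwise destroy the function object mid-call.
    Callback cb = it->second;
    cb(*this, id);
    return true;
  }

  bool running() const { return running_; }
  std::size_t pending() const { return timers_.size(); }

 private:
  bool running_ = false;
  uint32_t next_id_ = 1;
  std::map<uint32_t, Callback> timers_;
};
```
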

Comment 14

5 years ago
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #11)
> Created attachment 659754 [details] [diff] [review]
> Don't schedule plugin timers if the plugin isn't running

How did you confirm that this patch works? Were you able to reproduce locally, and this patch fixed the problem, or is this a guess?

(In reply to Josh Aas (Mozilla Corporation) from comment #14)
> (In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #11)
> > Created attachment 659754 [details] [diff] [review]
> > Don't schedule plugin timers if the plugin isn't running
> 
> How did you confirm that this patch works? Were you able to reproduce
> locally, and this patch fixed the problem, or is this a guess?

Yes, I was able to reproduce it locally. This patch fixed it.

Updated

5 years ago
Attachment #659754 - Flags: review?(joshmoz) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/ef085eb72cd8
https://hg.mozilla.org/mozilla-central/rev/ef085eb72cd8
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
(Reporter)

Updated

5 years ago
status-firefox15: --- → affected
status-firefox16: --- → affected
status-firefox17: --- → affected
status-firefox18: affected → ---
Please nominate for Aurora/Beta approval this week, once comfortable with the landed change.

No crashes since 9/9 build it looks like, which doesn't include my fix. Still, seems to be good now.
status-firefox15: affected → ---
status-firefox16: affected → ---
status-firefox17: affected → ---
status-firefox18: --- → affected
Target Milestone: mozilla18 → ---
Comment on attachment 659754 [details] [diff] [review]
Don't schedule plugin timers if the plugin isn't running

[Approval Request Comment]
Fixes prominent plugin crash, low-risk
Attachment #659754 - Flags: approval-mozilla-beta?
Attachment #659754 - Flags: approval-mozilla-aurora?
(Reporter)

Updated

5 years ago
status-firefox18: affected → ---
Target Milestone: --- → mozilla18

Updated

5 years ago
Attachment #659754 - Flags: approval-mozilla-beta?
Attachment #659754 - Flags: approval-mozilla-beta+
Attachment #659754 - Flags: approval-mozilla-aurora?
Attachment #659754 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/293fddc7db0c
https://hg.mozilla.org/releases/mozilla-beta/rev/705cb96776a1
status-firefox16: --- → fixed
status-firefox17: --- → fixed
status-firefox18: --- → fixed
(Reporter)

Comment 23

5 years ago
It's not fully fixed because there is one crash in 18.0a1/20120919 and another in 17.0a2/20120920.

Comment 24

4 years ago
Do the same
> (In reply to Scoobidiver from comment #4)
> > Cristian, what are the STR?
> 
> I was able to reproduce this crash always with the following STR, but I
> cannot anymore now on latest Nightly, Aurora or Beta builds.
> 
> STR:
> 1. Open Fennec
> 2. Go to http://www.adobe.com/software/flash/about/
> 3. Tap to activate flash plugin
> 4. Wait
> 
> Expected result:
> No crash should occur.
> 
> Actual result:
> This crash will occur.
> 
> 
> On the latest builds, instead of this crash, I will get some
> libflashplayer.so crashes.
> 
> --
> Device: Galaxy Nexus
> OS: Android 4.0.4

But there's still a crash on the page http://truyenyy.com/doc-truyen/dinh-cap-luu-manh/chuong-957/ in the 19.02 version.
(Reporter)

Comment 25

4 years ago
Steve, this bug is fixed. In addition, the release version is 20.0.1.

If you experience crashes on that site, type about:crashes, click the crash report and scroll down to Related Bugs to see where there's a related bug.