Closed Bug 750217 Opened 11 years ago Closed 11 years ago

Android crash in nsNPAPIPluginInstance::TimerWithID

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(firefox15+, firefox16+ fixed, firefox17 fixed, firefox18 fixed, blocking-fennec1.0 -, fennec+)

Status:
RESOLVED FIXED
Milestone:
mozilla18
Tracking Flags:
Tracking Status
firefox15 + ---
firefox16 + fixed
firefox17 --- fixed
firefox18 --- fixed
blocking-fennec1.0 --- -
fennec + ---

People

(Reporter: scoobidiver, Assigned: snorp)

References

Details

(Keywords: crash, reproducible, topcrash, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

Don't schedule plugin timers if the plugin isn't running
1.06 KB, patch
jaas
: review+
bajaj
: approval-mozilla-aurora+
bajaj
: approval-mozilla-beta+
Details | Diff | Splinter Review 
Signature 	nsNPAPIPluginInstance::TimerWithID More Reports Search
UUID	a49c0aac-2407-4a85-addb-fe9be2120430
Date Processed	2012-04-30 11:23:42
Uptime	246
Install Age	4.1 minutes since version was first installed.
Install Time	2012-04-30 11:19:27
Product	FennecAndroid
Version	14.0a2
Build ID	20120429042006
Release Channel	aurora
OS	Linux
OS Version	0.0.0 Linux 2.6.35.11-perf #1 SMP PREEMPT Tue Feb 14 18:02:08 KST 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
EGL? EGL+ AdapterVendorID: qcom, AdapterDeviceID: LG-MS840.
AdapterDescription: 'Android, Model: 'LG-MS840', Product: 'cayman_mpcs_us', Manufacturer: 'LGE', Hardware: 'qcom''.
GL Context? GL Context+ GL Layers? GL Layers+ 
LGE LG-MS840
lge/cayman_mpcs_us/cayman:2.3.6/GRK39F/MS840ZV8.47A73A3A:user/release-keys
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsNPAPIPluginInstance::TimerWithID 	nsTArray.h:224
1 	libxul.so 	PluginTimerCallback 	dom/plugins/base/nsNPAPIPluginInstance.cpp:1215
2 	libxul.so 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:508
3 	libxul.so 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:591
4 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:656
5 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:245
6 	libxul.so 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:110
7 	libxul.so 	MessageLoop::RunInternal 	ipc/chromium/src/base/message_loop.cc:208
8 	libxul.so 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:201
9 	libxul.so 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
10 	libxul.so 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:295
11 	libxul.so 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3780
12 	libxul.so 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3857
13 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3933
14 	libxul.so 	GeckoStart 	toolkit/xre/nsAndroidStartup.cpp:109
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsNPAPIPluginInstance%3A%3ATimerWithID
It's #15 top crasher in 14.0b6.
Now that some top crashers are fixed, it's #11 top crasher in 14.0b8.
Keywords: topcrash
blocking-fennec1.0: --- → ?
Keywords: needURLs, qawanted
tracking-fennec: --- → +
blocking-fennec1.0: ? → -
Keywords: reproducible
Cristian, what are the STR?
Summary: crash in nsNPAPIPluginInstance::TimerWithID → Android crash in nsNPAPIPluginInstance::TimerWithID
This looks a lot to me like we're tearing down the plugin instance from within the timer (it could also be calling a timer on a dead instance, but I'd expect that to normally crash earlier in the method) . The comment "Make sure we still have an instance and the timer is still alive" is scary. We should almost certainly be protecting against plugin teardown using a PluginDestructionGuard at the top of PluginTimerCallback. Do we have a good way of verifying hunches like that?
(In reply to Scoobidiver from comment #4)
> Cristian, what are the STR?

I was able to reproduce this crash always with the following STR, but I cannot anymore now on latest Nightly, Aurora or Beta builds.

STR:
1. Open Fennec
2. Go to http://www.adobe.com/software/flash/about/
3. Tap to activate flash plugin
4. Wait

Expected result:
No crash should occur.

Actual result:
This crash will occur.


On the latest builds, instead of this crash, I will get some libflashplayer.so crashes.

--
Device: Galaxy Nexus
OS: Android 4.0.4
Keywords: reproducible
It's now #3 top crasher in 15.0b6.
I am always able to reproduce this crash on the latest Nightly by following these STR:

1. Go to http://goo.gl/j3xAP (http://www.digisport.ro/Sport/FOTBAL/Competitii/Liga+1/fc+vaslui+steaua+live+text+video)
2. Tap on any video to enable the flash plug in
3. Tap on the Reader Mode icon from URL Bar

Expected result:
The page should be displayed in Reader Mode correctly.

Actual result:
https://crash-stats.mozilla.com/report/index/bp-ced8caed-1b5d-458c-83f3-82aed2120828

--
Firefox 18.0a1 (2012-08-28)
Device: Galaxy Note
OS: Android 4.0.4
status-firefox18: --- → affected
Keywords: reproducible
Version: 14 Branch → Trunk
tracking-firefox16: --- → ?
Snorp - do you have the time to look into this? If not, please hand this off to blassey to reassign.
Assignee: nobody → snorp
(In reply to Alex Keybl [:akeybl] from comment #9)
> Snorp - do you have the time to look into this? If not, please hand this off
> to blassey to reassign.

I can look at it.
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #11)
> Created attachment 659754 [details] [diff] [review]
> Don't schedule plugin timers if the plugin isn't running

How did you confirm that this patch works? Were you able to reproduce locally, and this patch fixed the problem, or is this a guess?
(In reply to Josh Aas (Mozilla Corporation) from comment #14)
> (In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #11)
> > Created attachment 659754 [details] [diff] [review]
> > Don't schedule plugin timers if the plugin isn't running
> 
> How did you confirm that this patch works? Were you able to reproduce
> locally, and this patch fixed the problem, or is this a guess?

Yes, I was able to reproduce it locally. This patch fixed it.
Attachment #659754 - Flags: review?(joshmoz) → review+
https://hg.mozilla.org/mozilla-central/rev/ef085eb72cd8
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Please nominate for Aurora/Beta approval this week, once comfortable with the landed change.
No crashes since 9/9 build it looks like, which doesn't include my fix. Still, seems to be good now.
status-firefox15: affected → ---
status-firefox16: affected → ---
status-firefox17: affected → ---
status-firefox18: --- → affected
Target Milestone: mozilla18 → ---
Comment on attachment 659754 [details] [diff] [review]
Don't schedule plugin timers if the plugin isn't running

[Approval Request Comment]
Fixes prominent plugin crash, low-risk
Attachment #659754 - Flags: approval-mozilla-beta?
Attachment #659754 - Flags: approval-mozilla-aurora?
status-firefox18: affected → ---
Target Milestone: --- → mozilla18
Attachment #659754 - Flags: approval-mozilla-beta?
Attachment #659754 - Flags: approval-mozilla-beta+
Attachment #659754 - Flags: approval-mozilla-aurora?
Attachment #659754 - Flags: approval-mozilla-aurora+
It's not fully fixed because there are one crash in 18.0a1/20120919 and another in 17.0a2/20120920.
Do the same
> (In reply to Scoobidiver from comment #4)
> > Cristian, what are the STR?
> 
> I was able to reproduce this crash always with the following STR, but I
> cannot anymore now on latest Nightly, Aurora or Beta builds.
> 
> STR:
> 1. Open Fennec
> 2. Go to http://www.adobe.com/software/flash/about/
> 3. Tap to activate flash plugin
> 4. Wait
> 
> Expected result:
> No crash should occur.
> 
> Actual result:
> This crash will occur.
> 
> 
> On the latest builds, instead of this crash, I will get some
> libflashplayer.so crashes.
> 
> --
> Device: Galaxy Nexus
> OS: Android 4.0.4

But there're still crash page: http://truyenyy.com/doc-truyen/dinh-cap-luu-manh/chuong-957/ in 19.02 version.
Steve, this bug is fixed. In addition, the release version is 20.0.1.

If you experience crashes on that site, type about:crashes, click the crash report and scroll down to Related Bugs to see where there's a related bug.
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.