Closed Bug 758259 Opened 7 years ago Closed 3 years ago

libstagefright crash in _ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj with Flash on Samsung GT-I9100G with Gingerbread

Categories: (Firefox for Android :: General, defect, P5, critical)

14 Branch, ARM, Android

RESOLVED INVALID
Tracking Status
firefox14 --- affected
firefox15 --- affected
firefox16 --- affected
firefox17 --- affected
blocking-fennec1.0 --- -
fennec + ---

People: (Reporter: nhirata, Unassigned, Mentored)

Details: (Keywords: crash, flashplayer, Whiteboard: [native-crash])

Attachments: (1 file, 1 obsolete file)

This bug was filed from the Socorro interface and is report bp-d06a7fce-2e4f-4485-8670-ab67a2120523.
============================================================= 
Crashing Thread
Frame 	Module 	Signature 	Source
0 	libc.so 	__libc_android_abort 	
1 	liblog.so 	__android_log_assert 	
2 	libstagefright.so 	libstagefright.so@0x58181 	
3 	libflashplayer.so 	libflashplayer.so@0x55d2ff 	
4 	libdvm.so 	dvmRemoveFromReferenceTable 	
5 	libdvm.so 	dvmReleaseTrackedAlloc 	
6 		@0x541a 	
7 	libdvm.so 	dexDataMapAlloc 	
8 	libdvm.so 	dexDataMapAlloc 	
9 	libflashplayer.so 	libflashplayer.so@0x560f7b 	
10 	libflashplayer.so 	libflashplayer.so@0x55d5eb 	
11 	libflashplayer.so 	libflashplayer.so@0x560655 	
12 	libflashplayer.so 	libflashplayer.so@0x75a556 	
13 	dalvik-heap (deleted) 	dalvik-heap @0x27864ff 	
14 	libc.so 	setjmp 	
15 		@0xffffe 	
16 	app_process 	app_process@0x56a 	
17 	libflashplayer.so 	libflashplayer.so@0x560623

More crashes:
https://crash-stats.mozilla.com/report/list?product=FennecAndroid&version=FennecAndroid%3A14.0b2&query_search=signature&query_type=contains&query=__libc_android_abort%20|%20__android_log_assert&reason_type=contains&date=05%2F24%2F2012%2016%3A34%3A30&range_value=1&range_unit=weeks&hang_type=any&process_type=any&do_query=1&admin=1&signature=__libc_android_abort%20|%20__android_log_assert

Note:
From : http://mxr.mozilla.org/comm-central/source/mozilla/dom/plugins/base/nsPluginsDirUnix.cpp#216
217     // It appears that if you load
218     // 'libstagefright_honeycomb.so' on froyo, or
219     // 'libstagefright_froyo.so' on honeycomb, we will abort.
220     // Since these are just helper libs, we can ignore.
URL ( Adult Content and Private info was manually filtered out of this list ) :
nomed, this crash is new to beta.
blocking-fennec1.0: --- → ?
Keywords: topcrash
(In reply to Naoki Hirata :nhirata from comment #2)
> nomed, this crash is new to beta.
It happens also in Nightly and Aurora.
OS: All → Android
Hardware: All → ARM
Summary: crash in __libc_android_abort → crash in __libc_android_abort | __android_log_assert on Gingerbread
Whiteboard: [native-crash]
qawanted for STR. Also, this might be related to bug 758010.
blocking-fennec1.0: ? → +
Keywords: qawanted
Keywords: flashplayer
Summary: crash in __libc_android_abort | __android_log_assert on Gingerbread → libstagefright crash in __libc_android_abort | __android_log_assert on Gingerbread
snorp, have you seen any Flash crashes like this before? This crash looks like we are trying to unload Flash while playing a video and then Flash hit a fatal assert in Android's Stagefright video decoding library.
Depends on: 741315
(In reply to Chris Peterson (:cpeterson) from comment #5)
> snorp, have you seen any Flash crashes like this before? This crash looks
> like we are trying to unload Flash while playing a video and then Flash hit
> a fatal assert in Android's Stagefright video decoding library.

No, I haven't seen this crash myself. I'd agree that it could possibly be shutdown related. I think we'll need to get some STR to make much progress on it, though.
I've sent Ted symbols and CFI information for the copy of libstagefright where this seems most prevalent. That might help us get a better idea of what's happening here.

In 9f434fa0-238f-4009-a1e8-9bcb72120524 and d5104eda-9456-45ac-ae5c-85e9c2120524 we seem to be crashing in android::OMXCodec::configureCodec(android::sp<android::MetaData> const&, unsigned int)
So we have more of a stack now: https://crash-stats.mozilla.com/report/index/5e6f19ff-86a5-4dce-93c0-22bd62120603

But it seems sort of bogus and isn't necessarily more helpful.
(In reply to Jeff Muizelaar [:jrmuizel] from comment #8)
> So we have more of a stack now:
> https://crash-stats.mozilla.com/report/index/5e6f19ff-86a5-4dce-93c0-22bd62120603
> 
> But it seems sort of bogus and isn't necessarily more helpful.

Yeah, it looks like it's claiming to decode ogg vorbis, which is not a supported media type in Flash...
We discussed this on IRC, but since these are only publicly exported symbols, the actual function names in the stack are not always correct. If you look at the raw dump you can see that the code offsets are pretty huge, indicating that the function is not reliable.

The symbols are still useful because they get us usable unwind info.
tracking-fennec: --- → 15+
blocking-fennec1.0: + → -
Crash Signature: [@ __libc_android_abort | __android_log_assert] → [@ __libc_android_abort | __android_log_assert] [@ __libc_android_abort | __android_log_assert | _ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj]
Interestingly, this page is about firefox for android : 
http://www.tinhte.vn/threads/1261483/

Device Listings: 
Samsung GT-I9100G
Samsung GT-N7000
Motorola XT910 	
Motorola DROID RAZR
HTC Sensation Z710e 	
HTC Sensation XE with Beats Audio Z715e
Samsung GT-I9100
Samsung Nexus S
HTC EVO 3D X515m
Unknown T10A
Samsung YP-G1
Samsung SGH-T989
Sony Ericsson LT26i
HTC_Amaze_4G
HTC T-Mobile G2
HTC PG86100
HTC Sensation XL with Beats Audio X315e
HTC One X

I haven't seen the crash listed since 6/1/2012 in any channel. Maybe the beta 5 patch also reduced the chances of getting to this bug. Scoobi, can you confirm please?
(In reply to Naoki Hirata :nhirata from comment #11)
> I haven't seen the crash listed since 6/1/2012 in any channel. Maybe the
> beta 5 patch also reduced the chances of getting to this bug. Scoobi, can
> you confirm please?
Don't see bug 752368 everywhere and don't forget the skiplist: https://crash-stats.mozilla.com/report/list?signature=__libc_android_abort+|+__android_log_assert+|+_ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj
I've sent symbols for libmedia.so with the hope that it will improve the quality of the stack. The current one doesn't make sense (i.e. _ZNK7android7RefBase9incStrongEPKv calling into random symbol and then libstagefright)
It's #2 top crasher in 14.0b7 with 2.7% of all crashes. Nevertheless, there are many dupes and it affects only 12 out of 29,000 ADU.
I uploaded the symbols Jeff sent me.
The symbols I sent were wrong. I've sent the correct ones this time.
Based on device correlations, it happens only on Samsung GT-I9100G.
Summary: libstagefright crash in __libc_android_abort | __android_log_assert on Gingerbread → libstagefright crash in _ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj on Samsung GT-I9100G with Gingerbread
The new symbol we get from libmedia is _ZN7android13BnOMXObserver10onTransactEjRKNS_6ParcelEPS1_j
android::BnOMXObserver::onTransact(unsigned int, android::Parcel const&, android::Parcel*, unsigned int)

But it doesn't seem to be the real symbol for this crash but is just the closest nearby.

This also removes the weird libstagefright.so -> libmedia.so -> libstagefright.so transition but leaves a weird 0x56affcd2,0x53dffcd2 etc. frame.

So it's still really unclear what's happening here from the stack.
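The effect described in the comments above (with only publicly exported symbols, a frame is labelled with the nearest export below its address, and a very large offset shows that the name is not the real function) can be reproduced with a small resolver. This is an added example, not code from Socorro or from this bug; the export table, every address except the page's libstagefright.so@0x58181 frame, the `hypothetical_export_*` names and the 0x800 fallback threshold are constructed assumptions.

```python
import bisect
from typing import NamedTuple, Optional


class Resolved(NamedTuple):
    address: int
    symbol: Optional[str]   # nearest export at or below the address
    offset: Optional[int]   # distance from that export's start
    reliable: bool          # False when the name is only "closest nearby"


class ExportTable:
    """Address-sorted exported symbols of one module (no private symbols)."""

    def __init__(self, symbols, max_plausible_offset=0x800):
        # symbols: (start, name, size); size 0 means the size is unknown.
        self._syms = sorted(symbols)
        self._starts = [start for start, _name, _size in self._syms]
        self._max = max_plausible_offset  # assumed heuristic threshold

    def resolve(self, address):
        i = bisect.bisect_right(self._starts, address) - 1
        if i < 0:
            return Resolved(address, None, None, False)
        start, name, size = self._syms[i]
        offset = address - start
        # With a known size the address must fall inside the symbol;
        # without one, fall back to the offset heuristic.
        limit = size if size else self._max
        return Resolved(address, name, offset, offset < limit)


def describe(r):
    if r.symbol is None:
        return f"0x{r.address:x} <no export at or below this address>"
    note = "" if r.reliable else "  [nearest export only, name not trustworthy]"
    return f"0x{r.address:x} {r.symbol}+0x{r.offset:x}{note}"


def triage(frames, table):
    return [table.resolve(a) for a in frames]


# Constructed export table; the layout does not describe any real library.
SAMPLE_EXPORTS = [
    (0x31000, "hypothetical_export_a", 0x40),
    (0x4A200,
     "_ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj",
     0x1E00),
    (0x9C000, "hypothetical_export_b", 0),
]
# 0x58181 is the libstagefright.so frame from the report; the rest are constructed.
SAMPLE_FRAMES = [0x4A9F4, 0x58181, 0x9C120, 0x9D000, 0x1000]

if __name__ == "__main__":
    for r in triage(SAMPLE_FRAMES, ExportTable(SAMPLE_EXPORTS)):
        print(describe(r))
```

A frame flagged this way still has a usable module and address, which is why the unwind information stays valuable even when the function name does not.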
Have you run these dumps through the dump-lookup tool to get an exhaustive view of the stack?
Attached file logcat ics
related to bug 770359?
I think this might have to do with being in ICS.  I did bug 770359 using ICS and got a crash in libfright (not in fennec, but in a different process)
This is the #3 crash in early 14.0.1 data even though it's only happening with one device ID.
It's #4 top crasher in 14.0.1, #53 in 15.0b3, and #73 in 16.0a2.
Hi, I do not know about libflashplayer.so, but have experience in stagefright.

There might be a possibility of a mismatch between the "header files referenced from libflashplayer.so" and the "implementations of libstagefright.so/libmedia.so". It seems that libflashplayer.so uses some private media APIs (like IOMX, OMXCodec) directly. The private media APIs could be different depending on platforms/products. For example, IOMXObserver is different between MSM and OMAP in gingerbread. MSM has IOMXObserver::registerBuffers(const sp<IMemoryHeap> &mem). But OMAP does not have the function.

http://git.omapzoom.org/?p=platform/frameworks/base.git;a=blob;f=include/media/IOMX.h;h=f79476677f4bb41c64c088893064fdbf7a8cec0b;hb=gingerbread

https://www.codeaurora.org/gitweb/quic/la/?p=platform/frameworks/base.git;a=blob;f=include/media/IOMX.h;h=462b087ff6c799d61d09119437acec691c62bae2;hb=gingerbread_chocolate
(In reply to Sotaro Ikeda [:sotaro] from comment #24)
> Hi, I do not know about libflashplayer.so, but have experience in stagefright.

GT-I9100G supports flash video, therefore my comment is useless...
(In reply to Naoki Hirata :nhirata from comment #21)
> Created attachment 638520 [details]
> logcat ics
> 
> related to bug 770359?
> I think this might have to do with being in ICS.  I did bug 770359 using ICS
> and got a crash in libfright (not in fennec, but in a different process)

From my experience, how flash video is played on ICS is different from gingerbread. Flash uses the OpenMAX AL API for video playback, and OpenMAX AL uses NuPlayer within mediaserver. NuPlayer uses stagefright's classes.
About attachment 638520 [details], NuPlayer::Renderer kills the mediaserver process because of a precondition check within NuPlayer::Renderer::signalTimeDiscontinuity().
Its code is as follows.

>void NuPlayer::Renderer::signalTimeDiscontinuity() {
>    CHECK(mAudioQueue.empty());
>    CHECK(mVideoQueue.empty());
>    mAnchorTimeMediaUs = -1;
>    mAnchorTimeRealUs = -1;
>    mSyncQueues = mHasAudio && mHasVideo;
>}

There are two "CHECK" macros. If a condition fails, the "CHECK" macro calls abort and then the current process is killed.
It seems that it happens when NuPlayer's shutdown sequence is not in the expected order.

There are a lot of "CHECK" macros within stagefright and NuPlayer...
If fault was called within OMXCodec::configureCodec(const sp<MetaData> &meta), "CHECK" macros could be a reason for the fault. There are a lot of "CHECK" macros in the function. If the function's argument "MetaData" contains invalid metadata, fault is called in the function. But the MetaData is provided by flashplayer in gingerbread...
It's #30 top crasher in 15.0 and #50 in 16.0b1.
Keywords: topcrash
Assignee: nobody → chris.double
tracking-fennec: 15+ → 17+
Just to confirm, this crash only happens on Gingerbread? If so, the fix will be not to load the stagefright support on Gingerbread until bug 787228 is done.
(In reply to Scoobidiver from comment #31)
> (In reply to Chris Double (:doublec) from comment #30)
> > Just to confirm, this crash only happens on Gingerbread?
> More than that because only GT-I9100G is affected.

I'm unable to parse that sentence. Is it only devices with Gingerbread affected by this bug? Or is it (GT-I9100G on gingerbread) plus (other devices on ICS/JB)?
(In reply to Chris Double (:doublec) from comment #32) 
> I'm unable to parse that sentence. Is it only devices with Gingerbread
> affected by this bug? Or is it (GT-I9100G on gingerbread) plus (other
> devices on ICS/JB)?
Sorry. The summary of the bug is clearer: GT-I9100G on gingerbread.
I'm a little confused what this bug is about. All the comments seem to refer to Flash which I know nothing about. We do get this particular load error on GB devices that try to load our libomxplugin.so file though so this attached patch stops loading this on GB. Does this resolve the issue?
Attachment #673074 - Flags: review?(cpeterson)
(In reply to Chris Double (:doublec) from comment #34)
> We do get this particular load error on GB devices that try to load our 
> libomxplugin.so file though so this attached patch stops loading this on GB.
You remove the ability of any devices on Froyo and Gingerbread to load libomxplugin.so while only Samsung GT-I9100G is affected. It seems oversized.
(In reply to Scoobidiver from comment #35)
> You remove the ability of any devices on Froyo and Gingerbread to load
> libomxplugin.so while only Samsung GT-I9100G is affected. It seems oversized.

Correct, that's because the libomxplugin only works on ICS devices.
For Gingerbread support see bug 787228. FroYo is not currently planned.
What about Honeycomb?
(In reply to Scoobidiver from comment #38)
> What about Honeycomb?

It's planned. There should be a bug opened for it within a few days.
Comment on attachment 673074 [details] [diff] [review]
Don't load libomxplugin on GB devices

Review of attachment 673074 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM!
Attachment #673074 - Flags: review?(cpeterson) → review+
Chris, why hasn't this landed? Should we still be tracking it?
tracking-fennec: 17+ → ?
Flags: needinfo?(chris.double)
(In reply to Brad Lassey [:blassey] from comment #41)
> Chris, why hasn't this landed? Should we still be tracking it?

Because it's based on the patch in bug 787319 which is now obsolete. Instead this would be fixed by the  blacklist/whitelist the android team are implementing. Presumably it's already fixed by the landing of that bug  and someone needs to check that.
Flags: needinfo?(chris.double)
tracking-fennec: ? → +
Comment on attachment 673074 [details] [diff] [review]
Don't load libomxplugin on GB devices

Patch no longer needed. Replaced by whitelist functionality.
Attachment #673074 - Attachment is obsolete: true
(In reply to Chris Double (:doublec) from comment #42)
> Instead this would be fixed by the  blacklist/whitelist the android team are
> implementing. Presumably it's already fixed by the landing of that bug  and
> someone needs to check that.
Those crashes happen in versions without SW and HW StageFright decoding so bug 806369 hasn't fixed it. See the crash volume in Beta (difference in duration of each Beta build):
FennecAndroid 	17.0b3 	84
FennecAndroid 	17.0b4 	58
FennecAndroid 	17.0b5 	35   <-- bug 806369
(In reply to Scoobidiver from comment #44)

> Those crashes happen in versions without SW and HW StageFright decoding so
> bug 806369 hasn't fixed it. See the crash volume in Beta (difference in
> duration of each Beta build):

Can you point me to a crash report in a build that includes the whitelist that shows this crash so I can investigate?
(In reply to Chris Double (:doublec) from comment #45)
> Can you point me to a crash report in a build that includes the whitelist
> that shows this crash so I can investigate?
Here is crash report in 17.0b6: bp-1d40a69b-568e-49e6-a03f-7a7ae2121115.
(In reply to Scoobidiver from comment #46)
> (In reply to Chris Double (:doublec) from comment #45)
> Here is crash report in 17.0b6: bp-1d40a69b-568e-49e6-a03f-7a7ae2121115.

This appears to be a flash plugin crash, not related to our media stagefright implementation. libflashplayer.so is in the stacktrace.
Sorry, I didn't realise this was flash related since it had been assigned to me I thought it was our media engine. I'm unassigning myself as I have nothing useful to offer here.
Assignee: chris.double → nobody
Summary: libstagefright crash in _ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj on Samsung GT-I9100G with Gingerbread → libstagefright crash in _ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj with Flash on Samsung GT-I9100G with Gingerbread
(In reply to Naoki Hirata :nhirata (please use needinfo instead of cc) from comment #1)
> URL (Adult content and private info was manually filtered out of this
> list):
Whiteboard: [native-crash] → [native-crash][mentor=snorp]
Mentor: snorp
Whiteboard: [native-crash][mentor=snorp] → [native-crash]
filter on [mass-p5]
Priority: -- → P5
I can see this bug on this site too: http://el7l.co/
Summary: libstagefright crash in _ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj on Samsung GT-I9100G with Gingerbread → libstagefright crash in _ZN7android8OMXCodec14configureCodecERKNS_2spINS_8MetaDataEEEj with Flash on Samsung GT-I9100G with Gingerbread
We don't support Android 2.3 any more. Locking from unprivileged edits due to spam.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
Restrict Comments: true