crash in nsNPAPIPluginInstance::Stop (Android)

Status: REOPENED
Assignee: Unassigned
Product: Core
Component: Plug-ins
Priority: P3
Severity: critical
Opened: 6 years ago
Modified: 5 months ago
Reporter: Scoobidiver (away)
Keywords: crash
Version: Trunk
Hardware: ARM
OS: Android
Firefox Tracking Flags: firefox17 affected, firefox18 affected, firefox19 affected, firefox20 affected, firefox21 affected, firefox22 affected, firefox23 affected
Whiteboard: [native-crash]

Description

6 years ago
It's #28 top crasher in 14.0b7.

Signature 	nsCOMPtr_base::~nsCOMPtr_base | nsTArray<nsCOMPtr<PluginEventRunnable>, nsTArrayDefaultAllocator>::RemoveElementsAt | nsNPAPIPluginInstance::Stop
UUID	15e080ed-06c7-4b74-8db9-b90f32120618
Date Processed	2012-06-18 04:58:16
Uptime	1122
Last Crash	10.2 hours before submission
Install Age	13.1 hours since version was first installed.
Install Time	2012-06-17 15:50:57
Product	FennecAndroid
Version	16.0a1
Build ID	20120617030532
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.35.11-T769UVLB7-CL946413 #2 SMP PREEMPT Sat Feb 18 15:41:28 KST 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x740070
App Notes 	
AdapterVendorID: qcom, AdapterDeviceID: SGH-T769.
AdapterDescription: 'Model: 'SGH-T769', Product: 'SGH-T769', Manufacturer: 'samsung', Hardware: 'qcom''.
samsung SGH-T769
samsung/SGH-T769/SGH-T769:2.3.6/GINGERBREAD/UVLB7:user/release-keys
EMCheckCompatibility	True

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsCOMPtr_base::~nsCOMPtr_base 	obj-firefox/xpcom/build/nsCOMPtr.cpp:48
1 	libxul.so 	nsTArray<nsCOMPtr<PluginEventRunnable>, nsTArrayDefaultAllocator>::RemoveElement 	nsCOMPtr.h:446
2 	libxul.so 	nsNPAPIPluginInstance::Stop 	nsTArray.h:942
3 	libxul.so 	nsPluginHost::StopPluginInstance 	dom/plugins/base/nsPluginHost.cpp:3084
4 	libxul.so 	nsObjectLoadingContent::DoStopPlugin 	content/base/src/nsObjectLoadingContent.cpp:2213
5 	libxul.so 	nsObjectLoadingContent::StopPluginInstance 	content/base/src/nsObjectLoadingContent.cpp:2244
6 	libxul.so 	nsObjectLoadingContent::NotifyOwnerDocumentActivityChanged 	content/base/src/nsObjectLoadingContent.cpp:736
7 	libxul.so 	NotifyActivityChanged 	content/base/src/nsDocument.cpp:3699
8 	libxul.so 	EnumerateFreezables 	content/base/src/nsDocument.cpp:7912
9 	libxul.so 	nsTHashtable<nsPtrHashKey<nsIContent> >::s_EnumStub 	nsTHashtable.h:486
10 	libxul.so 	PL_DHashTableEnumerate 	obj-firefox/xpcom/build/pldhash.cpp:715
11 	libxul.so 	nsIDocument::EnumerateFreezableElements 	nsTHashtable.h:237
12 	libxul.so 	nsDocument::RemovedFromDocShell 	content/base/src/nsDocument.cpp:6977
13 	libxul.so 	nsHTMLDocument::RemovedFromDocShell 	content/html/document/src/nsHTMLDocument.cpp:3465
14 	libxul.so 	DocumentViewerImpl::Close 	layout/base/nsDocumentViewer.cpp:1428
15 	libxul.so 	nsDocShell::SetupNewViewer 	docshell/base/nsDocShell.cpp:7786
16 	libxul.so 	nsDocShell::Embed 	docshell/base/nsDocShell.cpp:5889
17 	libxul.so 	nsDocShell::CreateContentViewer 	docshell/base/nsDocShell.cpp:7596
18 	libxul.so 	nsDSURIContentListener::DoContent 	docshell/base/nsDSURIContentListener.cpp:133
19 	libxul.so 	nsDocumentOpenInfo::TryContentListener 	uriloader/base/nsURILoader.cpp:677
20 	libxul.so 	nsDocumentOpenInfo::DispatchContent 	uriloader/base/nsURILoader.cpp:374
21 	libxul.so 	nsDocumentOpenInfo::OnStartRequest 	uriloader/base/nsURILoader.cpp:262
22 	libxul.so 	mozilla::net::nsHttpChannel::CallOnStartRequest 	netwerk/protocol/http/nsHttpChannel.cpp:954
23 	libxul.so 	mozilla::net::nsHttpChannel::ContinueProcessNormal 	netwerk/protocol/http/nsHttpChannel.cpp:1453
24 	libxul.so 	mozilla::net::nsHttpChannel::ProcessNormal 	netwerk/protocol/http/nsHttpChannel.cpp:1388
25 	libxul.so 	mozilla::net::nsHttpChannel::ProcessResponse 	netwerk/protocol/http/nsHttpChannel.cpp:1300
26 	libxul.so 	mozilla::net::nsHttpChannel::OnStartRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4763
27 	libxul.so 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:416
28 	libxul.so 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:367
29 	libxul.so 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:82
30 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:624
31 	libxul.so 	NS_ProcessNextEvent_P 	obj-firefox/xpcom/build/nsThreadUtils.cpp:217
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsCOMPtr_base%3A%3A~nsCOMPtr_base+|+nsTArray%3CnsCOMPtr%3CPluginEventRunnable%3E%2C+nsTArrayDefaultAllocator%3E%3A%3ARemoveElementsAt+|+nsNPAPIPluginInstance%3A%3AStop

Comment 1

6 years ago
The actual crash site is probably http://hg.mozilla.org/mozilla-central/annotate/264f0a7a878c/dom/plugins/base/nsNPAPIPluginInstance.cpp#l225 which indicates some sort of refcounting problem with PluginEventRunnable instances. I don't know the design of that system at all, so cc'ing the correct suspects.
Summary: crash in nsNPAPIPluginInstance::Stop → crash in nsNPAPIPluginInstance::Stop (Android)

Updated

6 years ago
Crash Signature: [@ nsCOMPtr_base::~nsCOMPtr_base | nsTArray<nsCOMPtr<PluginEventRunnable>, nsTArrayDefaultAllocator>::RemoveElementsAt | nsNPAPIPluginInstance::Stop] → [@ nsCOMPtr_base::~nsCOMPtr_base | nsTArray<nsCOMPtr<PluginEventRunnable>, nsTArrayDefaultAllocator>::RemoveElementsAt | nsNPAPIPluginInstance::Stop ] [@ @0x0 | nsTArray<nsCOMPtr<PluginEventRunnable> nsTArrayDefaultAllocator>::RemoveElementsAt | n…

Updated

5 years ago
status-firefox17: --- → affected
status-firefox18: --- → affected
status-firefox20: --- → affected

Updated

5 years ago
status-firefox19: --- → affected
status-firefox21: --- → affected

Comment 2

5 years ago
mozilla::RefPtr<mozilla::psm::(anonymous namespace)::CertErrorRunnable>::~RefPtr occurs intermittently in Autophone robocop tests testAwesomebar on a Nexus S.

http://brasstacks.mozilla.com/autolog/?tree=mozilla-central&source=autolog&rev=55477ae32280

Comment 3

5 years ago
The stack trace now looks like:
Frame 	Module 	Signature 	Source
0 	libxul.so 	mozilla::RefPtr<mozilla::psm::::CertErrorRunnable>::~RefPtr 	obj-firefox/dist/include/mozilla/RefPtr.h:166
1 	libxul.so 	nsTArray_Impl<mozilla::RefPtr<nsCertTreeDispInfo>, nsTArrayInfallibleAllocator>: 	obj-firefox/dist/include/nsTArray.h:515
2 	libxul.so 	nsNPAPIPluginInstance::Stop 	obj-firefox/dist/include/nsTArray.h:1110
3 	libmozglue.so 	arena_dalloc 	memory/mozjemalloc/jemalloc.c:4598
4 	libxul.so 	nsDocShellLoadInfo::GetSHEntry 	docshell/base/nsDocShellLoadInfo.cpp:120
5 	libxul.so 	nsPluginHost::StopPluginInstance 	dom/plugins/base/nsPluginHost.cpp:3122
6 	libxul.so 	nsObjectLoadingContent::DoStopPlugin 	content/base/src/nsObjectLoadingContent.cpp:2565
7 	libxul.so 	XPCJSRuntime::RemoveJSHolder 	obj-firefox/dist/include/nsTHashtable.h:195
8 	libxul.so 	nsObjectLoadingContent::StopPluginInstance 	content/base/src/nsObjectLoadingContent.cpp:2615
9 	libxul.so 	nsObjectLoadingContent::DestroyContent 	content/base/src/nsObjectLoadingContent.cpp:2143
10 	libxul.so 	mozilla::dom::HTMLObjectElement::DestroyContent 	content/html/content/src/HTMLObjectElement.cpp:438
11 	libxul.so 	mozilla::dom::FragmentOrElement::DestroyContent 	content/base/src/FragmentOrElement.cpp:955
12 	libxul.so 	mozilla::dom::FragmentOrElement::DestroyContent 	content/base/src/FragmentOrElement.cpp:955
13 	libxul.so 	mozilla::dom::FragmentOrElement::DestroyContent 	content/base/src/FragmentOrElement.cpp:955
14 	libxul.so 	mozilla::dom::FragmentOrElement::DestroyContent 	content/base/src/FragmentOrElement.cpp:955
15 	libxul.so 	mozilla::dom::FragmentOrElement::DestroyContent 	content/base/src/FragmentOrElement.cpp:955
16 	libxul.so 	mozilla::dom::FragmentOrElement::DestroyContent 	content/base/src/FragmentOrElement.cpp:955
17 	libxul.so 	nsDocument::Destroy 	content/base/src/nsDocument.cpp:7693
18 	libxul.so 	nsDocumentViewer::Destroy 	layout/base/nsDocumentViewer.cpp:1626
19 	libxul.so 	nsEventListenerManager::RemoveEventListener 	content/events/src/nsEventListenerManager.cpp:1049
20 	libxul.so 	nsDOMEventTargetHelper::RemoveEventListener 	content/events/src/nsDOMEventTargetHelper.cpp:140
21 	libxul.so 	nsDOMEventTargetHelper::RemoveSystemEventListener 	content/events/src/nsDOMEventTargetHelper.cpp:146
22 	libxul.so 	nsDocumentViewer::Close 	layout/base/nsDocumentViewer.cpp:1457
23 	libxul.so 	nsDocShell::Destroy 	docshell/base/nsDocShell.cpp:5035
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3ARefPtr%3Cmozilla%3A%3Apsm%3A%3A%28anonymous+namespace%29%3A%3ACertErrorRunnable%3E%3A%3A~RefPtr
https://crash-stats.mozilla.com/report/list?signature=%400x0+|+nsTArray_Impl%3Cmozilla%3A%3ARefPtr%3CnsCertTreeDispInfo%3E%2C+nsTArrayInfallibleAllocator%3E%3A%3ARemoveElementsAt%28unsigned+int%2C+unsigned+int%29
status-firefox22: --- → affected
status-firefox23: --- → affected

Updated

2 years ago
I'm marking this bug as WORKSFORME, as this bug's crash log signature hasn't appeared for a long time (over half a year) [except on some obsolete <44 versions; no crashes since version 44].
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → WORKSFORME
Oops, my bad: due to bug #1348631 it looks like there are still crashes, so reopening.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

Updated

5 months ago
Priority: -- → P3