Closed Bug 778442 Opened 7 years ago Closed 7 years ago

crash in nsPluginInstanceOwner::GetVisibleRect on Honeycomb, ICS and JB

Categories

(Core :: Plug-ins, defect, critical)

Version: 15 Branch
Platform: ARM, Android
Type: defect
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
mozilla18
Tracking Status
firefox16 + verified
firefox17 --- verified
firefox18 --- verified
fennec 16+ ---

People

(Reporter: scoobidiver, Assigned: snorp)

Details

(5 keywords, Whiteboard: [native-crash])

Attachments

(2 files)

It's #16 top crasher in 15.0b2 and first appeared in this build. The Beta regression range is:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=695042299ec9&tochange=166ba24e4239
It's likely a regression from bug 687267.

Signature 	nsPluginInstanceOwner::GetVisibleRect
UUID	43b45aaa-2332-47e4-b059-1631c2120728
Date Processed	2012-07-28 10:00:23
Uptime	124
Install Age	2.1 minutes since version was first installed.
Install Time	2012-07-28 09:58:05
Product	FennecAndroid
Version	15.0
Build ID	20120724190501
Release Channel	beta
OS	Linux
OS Version	0.0.0 Linux 2.6.39.4-00003-gafee6c5 #1 SMP PREEMPT Mon Jun 4 16:21:28 CST 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x18
App Notes 	
AdapterVendorID: cardhu, AdapterDeviceID: ASUS Transformer Pad TF300T.
AdapterDescription: 'Model: 'ASUS Transformer Pad TF300T', Product: 'US_epad', Manufacturer: 'asus', Hardware: 'cardhu''.
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
asus ASUS Transformer Pad TF300T
asus/US_epad/TF300T:4.0.3/IML74K/US_epad-9.4.3.30-20120604:user/release-keys
Processor Notes 	This dump is too long and has triggered the automatic truncation routine
EMCheckCompatibility	True
Adapter Vendor ID	cardhu
Adapter Device ID	ASUS Transformer Pad TF300T

Frame 	Module 	Signature 	Source
0 	libxul.so 	nsPluginInstanceOwner::GetVisibleRect 	dom/plugins/base/nsPluginInstanceOwner.cpp:1826
1 	libxul.so 	anp_window_visibleRect 	dom/plugins/base/android/ANPWindow.cpp:107
2 	libflashplayer.so 	libflashplayer.so@0x539227 	
3 	libflashplayer.so 	libflashplayer.so@0x545d07 	
4 	libflashplayer.so 	libflashplayer.so@0x759e5e 	
5 	libflashplayer.so 	libflashplayer.so@0x29b8fb 	
6 	libflashplayer.so 	libflashplayer.so@0x1637a3 	
7 	dalvik-heap (deleted) 	dalvik-heap @0xfc4ffe 	
8 	dalvik-heap (deleted) 	dalvik-heap @0xfc4ffe 	
9 	libEGL.so 	libEGL.so@0xc4e3 	
10 	app_process 	app_process@0x12f6 	
11 	libEGL_tegra.so 	libEGL_tegra.so@0xb569 	
12 	libEGL.so 	libEGL.so@0xc6b7 	
13 	libEGL_tegra.so 	libEGL_tegra.so@0xb341 	
14 	libicui18n.so 	uprv_decNumberNormalize_46 	
15 	libflashplayer.so 	libflashplayer.so@0x759e5e 	
16 	libflashplayer.so 	libflashplayer.so@0x2ad81b 
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsPluginInstanceOwner%3A%3AGetVisibleRect
It's #6 non-fixed top crasher in 15.0b5.
Keywords: topcrash
I'm seeing this crash in a trunk build from 2012-08-18 on the TF101, Android 3.2.1 on this testcase: http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink.html
Str:
- Tap on the Flash embed under the "wrapped in link" text
- Go back
- Repeat steps 1 and 2 a couple of times
Keywords: testcase
It's a top crash with a test case.
tracking-fennec: --- → ?
Assignee: nobody → snorp
tracking-fennec: ? → 16+
This seems to happen upon closing a tab that is playing flash content.
Keywords: reproducible
Attachment #659752 - Flags: review?(blassey.bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/8bebc4a08179
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Please nominate for aurora/beta uplift some time this week when comfortable with the changes baking on Nightly.
There's one crash in 18.0a1/20120912 that contains the fix: bp-cbf3c197-e135-46ab-bd8a-b98842120912.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Scoobidiver from comment #9)
> There's one crash in 18.0a1/20120912 that contains the fix:
> bp-cbf3c197-e135-46ab-bd8a-b98842120912.

Let's see if the crashes occur with anywhere near the same volume, since I'm assuming Snorp verified that he fixed the reproducible steps in this bug.
STR:
1. Open a new tab and go to: settings.adobe.com/flashplayer/mobile
2. Tap to enable the plugin
3. Open Tabs Sidebar
4. Swipe to close tab opened at step 1

Actual result: https://crash-stats.mozilla.com/report/index/bp-c95ef5f6-a68f-44ee-8356-bc1b42120918

Note: This crash is 100% reproducible on Honeycomb. I cannot reproduce it with these steps on ICS.
--
Firefox 18.0a1 (2012-09-17)
Device: Galaxy Tab 10.1
OS: Android 3.1
For whatever reason, the current PresShell is sometimes garbage when this gets called. The patch I just attached caches the plugin size so we don't have to ask the PresShell for scale values, eliminating the crash.
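The fix described in the comment above, sketched as an added example (it is not the attached patch and not Gecko code): the owner snapshots the scaled size while the shell is alive, so a plugin callback that arrives after the tab is closed never consults the shell. All type and function names are hypothetical, and `std::weak_ptr` stands in for the stale pointer so the failure is observable instead of a crash.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical stand-ins for illustration; these are not Gecko's classes.
struct Rect { int left, top, right, bottom; };
// Plays the role of the presentation shell: owned by the tab, gone once it closes.
struct Shell { double scale; };

class PluginOwner {
public:
    explicit PluginOwner(std::weak_ptr<Shell> shell) : shell_(shell) {}
    // Called at layout time, while the shell is alive: snapshot the scaled size.
    bool UpdateSize(int width, int height) {
        std::shared_ptr<Shell> shell = shell_.lock();
        if (!shell) return false;
        cachedWidth_ = static_cast<int>(width * shell->scale);
        cachedHeight_ = static_cast<int>(height * shell->scale);
        return true;
    }
    // "Before" shape: each plugin callback asks the shell for scale; fails once it is gone.
    bool VisibleRectViaShell(int width, int height, Rect* out) const {
        std::shared_ptr<Shell> shell = shell_.lock();
        if (!shell) return false;
        *out = Rect{0, 0, static_cast<int>(width * shell->scale),
                    static_cast<int>(height * shell->scale)};
        return true;
    }
    // "After" shape: answer from the cached size, never touching the shell.
    Rect VisibleRectCached() const { return Rect{0, 0, cachedWidth_, cachedHeight_}; }
private:
    std::weak_ptr<Shell> shell_;
    int cachedWidth_ = 0, cachedHeight_ = 0;
};

struct Outcome { bool shellPathAnswered; Rect cached; };
// Constructed scenario: size is laid out, the tab closes, then the plugin calls back.
Outcome CloseTabThenQuery() {
    auto shell = std::make_shared<Shell>(Shell{1.5});
    PluginOwner owner(shell);
    owner.UpdateSize(320, 240);
    shell.reset();  // tab closed: the shell is destroyed
    Rect unused{0, 0, 0, 0};
    return Outcome{owner.VisibleRectViaShell(320, 240, &unused), owner.VisibleRectCached()};
}

int main() {
    Outcome o = CloseTabThenQuery();
    std::printf("via shell: %d, cached: %dx%d\n", o.shellPathAnswered, o.cached.right, o.cached.bottom);
}
```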
Attachment #662237 - Flags: review?(blassey.bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/efd7b5216aa5
Status: REOPENED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment on attachment 662237
Cache the plugin size for ANPWindow::visibleRect

[Approval Request Comment]
Low risk, actually fixes this bug
Attachment #662237 - Flags: approval-mozilla-beta?
Attachment #662237 - Flags: approval-mozilla-aurora?
Comment on attachment 662237
Cache the plugin size for ANPWindow::visibleRect

[Triage Comment]
Low risk fix for a new topcrash in FF15.
Attachment #662237 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #662237 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I cannot reproduce this issue on the latest Nightly and Beta build. Closing bug as verified fixed on:

Firefox 18.0a1 (2012-09-20)
Device: Galaxy Tab 10.1
OS: Android 3.1
Status: RESOLVED → VERIFIED
(In reply to Cristian Nicolae (:xti) from comment #20)
> I cannot reproduce this issue on the latest Nightly and Beta build.
The patch will land in 16.0b5.
There are no crashes after 17.0a2/20120920.