Closed Bug 778442 Opened 12 years ago Closed 12 years ago

crash in nsPluginInstanceOwner::GetVisibleRect on Honeycomb, ICS and JB

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Version:
15 Branch
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(firefox16+ verified, firefox17 verified, firefox18 verified, fennec16+)

Status:
VERIFIED FIXED
Milestone:
mozilla18
Tracking Flags:
Tracking Status
firefox16 + verified
firefox17 --- verified
firefox18 --- verified
fennec 16+ ---

People

(Reporter: scoobidiver, Assigned: snorp)

References

(
URL
)

Details

(5 keywords, Whiteboard: [native-crash])

Crash Data

Attachments

(2 files)

Add some null guards in nsPluginInstanceOwner::GetVisibleRect
1.26 KB, patch
blassey
: review+
Details | Diff | Splinter Review
Cache the plugin size for ANPWindow::visibleRect
4.44 KB, patch
blassey
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
It's #16 top crasher in 15.0b2 and first appeared in this build. The Beta regression range is: http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=695042299ec9&tochange=166ba24e4239 It's likely a regression from bug 687267. Signature nsPluginInstanceOwner::GetVisibleRect More Reports Search UUID 43b45aaa-2332-47e4-b059-1631c2120728 Date Processed 2012-07-28 10:00:23 Uptime 124 Install Age 2.1 minutes since version was first installed. Install Time 2012-07-28 09:58:05 Product FennecAndroid Version 15.0 Build ID 20120724190501 Release Channel beta OS Linux OS Version 0.0.0 Linux 2.6.39.4-00003-gafee6c5 #1 SMP PREEMPT Mon Jun 4 16:21:28 CST 2012 armv7l Build Architecture arm Build Architecture Info Crash Reason SIGSEGV Crash Address 0x18 App Notes AdapterVendorID: cardhu, AdapterDeviceID: ASUS Transformer Pad TF300T. AdapterDescription: 'Model: 'ASUS Transformer Pad TF300T', Product: 'US_epad', Manufacturer: 'asus', Hardware: 'cardhu''. EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ asus ASUS Transformer Pad TF300T asus/US_epad/TF300T:4.0.3/IML74K/US_epad-9.4.3.30-20120604:user/release-keys Processor Notes This dump is too long and has triggered the automatic truncation routine EMCheckCompatibility True Adapter Vendor ID cardhu Adapter Device ID ASUS Transformer Pad TF300T Frame Module Signature Source 0 libxul.so nsPluginInstanceOwner::GetVisibleRect dom/plugins/base/nsPluginInstanceOwner.cpp:1826 1 libxul.so anp_window_visibleRect dom/plugins/base/android/ANPWindow.cpp:107 2 libflashplayer.so libflashplayer.so@0x539227 3 libflashplayer.so libflashplayer.so@0x545d07 4 libflashplayer.so libflashplayer.so@0x759e5e 5 libflashplayer.so libflashplayer.so@0x29b8fb 6 libflashplayer.so libflashplayer.so@0x1637a3 7 dalvik-heap (deleted) dalvik-heap @0xfc4ffe 8 dalvik-heap (deleted) dalvik-heap @0xfc4ffe 9 libEGL.so libEGL.so@0xc4e3 10 app_process app_process@0x12f6 11 libEGL_tegra.so libEGL_tegra.so@0xb569 12 libEGL.so libEGL.so@0xc6b7 13 libEGL_tegra.so libEGL_tegra.so@0xb341 14 libicui18n.so uprv_decNumberNormalize_46 15 libflashplayer.so libflashplayer.so@0x759e5e 16 libflashplayer.so libflashplayer.so@0x2ad81b ... More reports at: https://crash-stats.mozilla.com/report/list?signature=nsPluginInstanceOwner%3A%3AGetVisibleRect
It's #6 non-fixed top crasher in 15.0b5.
Keywords: topcrash
I'm seeing this crash in a trunk build from 2012-08-18 on the TF101, Android 3.2.1 on this testcase: http://people.mozilla.org/~mwargers/tests/plugins/flash/flashembed_wrappedinlink.html Str: - Tap on the Flash embed under the "wrapped in link" text - Go back - Repeat steps 1 and 2 a couple of times
URL: http://people.mozilla.org/~mwargers/t...
Keywords: testcase
It's a top crash with a test case.
tracking-fennec: --- → ?
tracking-firefox16: --- → ?
Assignee: nobody → snorp
tracking-firefox16: ?+
tracking-fennec: ? → 16+
This seems to happen upon closing a tab that is playing flash content.
Keywords: reproducible
Attachment #659752 - Flags: review?(blassey.bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/8bebc4a08179
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Please nominate for aurora/beta uplift some time this week when comfortable with the changes baking on Nightly.
There's one crash in 18.0a1/20120912 that contains the fix: bp-cbf3c197-e135-46ab-bd8a-b98842120912.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Scoobidiver from comment #9) > There's one crash in 18.0a1/20120912 that contains the fix: > bp-cbf3c197-e135-46ab-bd8a-b98842120912. Let's see if the crashes occur with anywhere near the same volume, since I'm assuming Snorp verified that he fixed the reproducible steps in this bug.
STR: 1. Open a new tab and go to: settings.adobe.com/flashplayer/mobile 2. Tap to enable the plugin 3. Open Tabs Sidebar 4. Swipe to close tab opened at step 1 Actual result: https://crash-stats.mozilla.com/report/index/bp-c95ef5f6-a68f-44ee-8356-bc1b42120918 Note: This crash is 100% reproducible on Honeycomb. I cannot reproduce it with these steps on ICS. -- Firefox 18.0a1 (2012-09-17) Device: Galaxy Tab 10.1 OS: Android 3.1
For whatever reason, the current PresShell is sometimes garbage when this gets called. The patch I just attached caches the plugin size so we don't have to ask the PresShell for scale values, eliminating the crash.
Attachment #662237 - Flags: review?(blassey.bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/efd7b5216aa5
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
Resolution: --- → FIXED
Comment on attachment 662237 [details] [diff] [review] Cache the plugin size for ANPWindow::visibleRect [Approval Request Comment] Low risk, actually fixes this bug
Attachment #662237 - Flags: approval-mozilla-beta?
Attachment #662237 - Flags: approval-mozilla-aurora?
Comment on attachment 662237 [details] [diff] [review] Cache the plugin size for ANPWindow::visibleRect [Triage Comment] Low risk fix for a new topcrash in FF15.
Attachment #662237 - Flags: approval-mozilla-beta?
Attachment #662237 - Flags: approval-mozilla-beta+
Attachment #662237 - Flags: approval-mozilla-aurora?
Attachment #662237 - Flags: approval-mozilla-aurora+
I cannot reproduce this issue on the latest Nightly and Beta build. Closing bug as verified fixed on: Firefox 18.0a1 (2012-09-20) Device: Galaxy Tab 10.1 OS: Android 3.1
Status: RESOLVED → VERIFIED
status-firefox16: fixedverified
status-firefox18: --- → verified
(In reply to Cristian Nicolae (:xti) from comment #20) > I cannot reproduce this issue on the latest Nightly and Beta build. The patch will land in 16.0b5.
There are no crashes after 17.0a2/20120920.
status-firefox17: fixedverified
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: