Closed
Bug 807925
Opened 12 years ago
Closed 12 years ago
crash in nsNPAPIPluginInstance::GetImageSize
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(firefox18 unaffected, firefox19 fixed)
RESOLVED
FIXED
mozilla19
| Tracking | Status | |
|---|---|---|
| firefox18 | --- | unaffected |
| firefox19 | --- | fixed |
People
(Reporter: scoobidiver, Assigned: karlt)
References
Details
(Keywords: crash, regression, topcrash, Whiteboard: [native-crash])
Crash Data
Attachments
(1 file)
|
1.73 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
It first appeared in 19.0a1/20121101 and has been hit by 2 users. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bed18790882f&tochange=5bd5bb168eb1 It might be a regression from bug 797568. Signature nsNPAPIPluginInstance::GetImageSize(nsIntSize*) More Reports Search UUID 1d9e7e62-c443-4b8a-835f-dc3a42121101 Date Processed 2012-11-01 19:52:52 Uptime 19 Last Crash 23 seconds before submission Install Age 7.7 hours since version was first installed. Install Time 2012-11-01 12:10:31 Product FennecAndroid Version 19.0a1 Build ID 20121101030705 Release Channel nightly OS Android OS Version 0.0.0 Linux 2.6.39.4+ #1 SMP PREEMPT Thu Mar 29 23:01:48 CST 2012 armv7l acer/a500_ww_gen1/picasso:4.0.3/IML74K/1333032611:user/release-keys Build Architecture arm Build Architecture Info Crash Reason SIGSEGV Crash Address 0x2c App Notes AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra -- OpenGL ES 2.0 14.01002 -- Model: A500, Product: a500_ww_gen1, Manufacturer: Acer, Hardware: picasso' EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ Acer A500 acer/a500_ww_gen1/picasso:4.0.3/IML74K/1333032611:user/release-keys EMCheckCompatibility True Adapter Vendor ID NVIDIA Corporation Adapter Device ID NVIDIA Tegra Device Acer A500 Android API Version 15 (REL) Android CPU ABI armeabi-v7a Frame Module Signature Source 0 libxul.so nsNPAPIPluginInstance::GetImageSize nsNPAPIPluginInstance.cpp:1213 1 libxul.so nsPluginInstanceOwner::IsUpToDate nsPluginInstanceOwner.h:255 2 libxul.so nsPluginInstanceOwner::NotifyPaintWaiter nsPluginInstanceOwner.cpp:144 3 libxul.so nsObjectFrame::BuildLayer nsObjectFrame.cpp:1615 4 libxul.so nsDisplayPlugin::BuildLayer nsObjectFrame.h:331 5 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:2058 6 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:1989 7 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:1989 8 libxul.so mozilla::FrameLayerBuilder::BuildContainerLayerFor FrameLayerBuilder.cpp:2870 9 libxul.so nsDisplayScrollLayer::BuildLayer nsDisplayList.cpp:2900 10 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:2058 11 libxul.so mozilla::FrameLayerBuilder::BuildContainerLayerFor FrameLayerBuilder.cpp:2870 12 libxul.so nsDisplayOwnLayer::BuildLayer nsDisplayList.cpp:2752 13 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:2058 14 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:1989 15 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:1989 16 libxul.so mozilla::FrameLayerBuilder::BuildContainerLayerFor FrameLayerBuilder.cpp:2870 17 libxul.so nsDisplayList::PaintForFrame const nsDisplayList.cpp:1063 18 libxul.so nsDisplayList::PaintRoot const nsDisplayList.cpp:983 19 libxul.so nsLayoutUtils::PaintFrame nsLayoutUtils.cpp:1853 20 libxul.so PresShell::Paint nsPresShell.cpp:5351 21 libxul.so nsViewManager::ProcessPendingUpdatesForView nsViewManager.cpp:439 22 libxul.so nsViewManager::ProcessPendingUpdates nsViewManager.cpp:1214 23 libxul.so nsRefreshDriver::Notify nsRefreshDriver.cpp:432 24 libxul.so nsTimerImpl::Fire nsTimerImpl.cpp:485 ... More reports at: https://crash-stats.mozilla.com/report/list?signature=nsNPAPIPluginInstance%3A%3AGetImageSize%28nsIntSize*%29
|
Assignee | |
Comment 1•12 years ago
|
||
"Crash Address" 0x2c is consistent with the offset of mRunning and a null nsNPAPIPluginInstance at http://hg.mozilla.org/mozilla-central/annotate/a7537715edf9/dom/plugins/base/nsNPAPIPluginInstance.cpp#l1213 http://hg.mozilla.org/mozilla-central/rev/caad55e54b0b changed the order so that the null check on |container| is now after the NotifyPaintWaiter() call. |container| is null when there is no instance.
Assignee: nobody → karlt
Blocks: 797568
|
|
Assignee | |
Comment 2•12 years ago
|
||
Restoring the previous order of method calls, but still only calling GetImageContainer if the container is likely to be used.
Attachment #678974 -
Flags: review?(roc)
Attachment #678974 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 3•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/f64ee963d915 I haven't tried to write a test. This seems specific to Android, perhaps because of the in-process image container model there. I'm guessing that getting into this situation would involve some race conditions with plugin destruction, but I don't know STR. Probably better value for time than adding new tests for Android would be to start running existing tests, such as dom/plugins/test/mochitest.
Flags: in-testsuite-
|
Reporter | |
Comment 4•12 years ago
|
||
It's #2 top crasher over the last three days.
|
||
Comment 5•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f64ee963d915
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
|
|
Reporter | |
Updated•12 years ago
|
|
||
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•