Closed
Bug 827171
Opened 10 years ago
Closed 10 years ago
crash in nsPluginStreamListenerPeer::OnStartRequest
Categories
(Core Graveyard :: Plug-ins, defect, P1)
Tracking
(firefox20+ verified, firefox21 verified, firefox22 verified, fennec20+)
RESOLVED
FIXED
mozilla22
People
(Reporter: scoobidiver, Assigned: snorp)
References
()
Details
(4 keywords, Whiteboard: [native-crash])
Crash Data
It's #6 top crasher in 20.0a1 and first showed up in 20.0a1/20130103. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a812ef63de87&tochange=6955309291ee Signature nsPluginStreamListenerPeer::OnStartRequest(nsIRequest*, nsISupports*) More Reports Search UUID 9d50bf74-69cb-4acc-be58-3c5412130106 Date Processed 2013-01-06 17:33:10 Uptime 627 Install Age 57.1 minutes since version was first installed. Install Time 2013-01-06 16:35:58 Product FennecAndroid Version 20.0a1 Build ID 20130106030902 Release Channel nightly OS Android OS Version 0.0.0 Linux 3.0.8-02784-g4dbe869 #1 SMP PREEMPT Wed Dec 5 01:54:41 UTC 2012 armv7l Android/tate/tate:4.0.3/IML74K/7.2.3_user_2330720:user/release-keys Build Architecture arm Build Architecture Info Crash Reason SIGSEGV Crash Address 0x5e005000 App Notes AdapterDescription: 'Imagination Technologies -- PowerVR SGX 540 -- OpenGL ES 2.0 build 1.8@785978 -- Model: KFTT, Product: Kindle Fire, Manufacturer: Amazon, Hardware: bowser' EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ Amazon KFTT Android/tate/tate:4.0.3/IML74K/7.2.3_user_2330720:user/release-keys Processor Notes /data/socorro/stackwalk/bin/exploitable: ERROR: unable to analyze dump EMCheckCompatibility True Adapter Vendor ID Imagination Technologies Adapter Device ID PowerVR SGX 540 Device Amazon KFTT Android API Version 15 (REL) Android CPU ABI armeabi-v7a Frame Module Signature Source 0 libxul.so nsPluginStreamListenerPeer::OnStartRequest sps_sampler.h:348 1 libxul.so mozilla::net::nsHttpChannel::CallOnStartRequest nsHttpChannel.cpp:959 2 libxul.so mozilla::net::nsHttpChannel::ContinueProcessNormal nsHttpChannel.cpp:1452 3 libxul.so mozilla::net::nsHttpChannel::ProcessNormal nsHttpChannel.cpp:1387 4 libxul.so mozilla::net::nsHttpChannel::ProcessResponse nsHttpChannel.cpp:1300 5 libxul.so mozilla::net::nsHttpChannel::OnStartRequest nsHttpChannel.cpp:4839 6 libxul.so nsInputStreamPump::OnStateStart nsInputStreamPump.cpp:417 7 libxul.so nsInputStreamPump::OnInputStreamReady nsInputStreamPump.cpp:368 8 libxul.so nsInputStreamReadyEvent::Run nsStreamUtils.cpp:82 9 libxul.so nsThread::ProcessNextEvent nsThread.cpp:627 10 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:237 11 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:82 12 libxul.so MessageLoop::RunInternal message_loop.cc:215 13 libxul.so MessageLoop::Run message_loop.cc:208 14 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:163 15 libxul.so nsAppStartup::Run nsAppStartup.cpp:288 16 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3823 17 libxul.so XREMain::XRE_main nsAppRunner.cpp:3890 18 libxul.so XRE_main nsAppRunner.cpp:4093 19 libxul.so GeckoStart nsAndroidStartup.cpp:73 More reports at: https://crash-stats.mozilla.com/report/list?signature=nsPluginStreamListenerPeer%3A%3AOnStartRequest%28nsIRequest*%2C+nsISupports*%29
|
||
Comment 1•10 years ago
|
||
kairo : any co-relations to devices or urls to help reproduce will be helpful here. Also adding qawanted to help here to help with the above & find the bug which may have regressed this given the regression reange.
|
||
Comment 2•10 years ago
|
||
URLs - there are few: 3 http://m.imdb.com/video/imdb/vi1891149081 2 http://search.handycafe.com/?id 1 http://www.telegraph.co.uk/news/uknews/crime/9786052/Footage-of-moment-man-is-kn 1 http://www.twitch.tv/manvsgame 1 http://www.telematics4u.in/jsps/login_jsps/System_4/loginGMT.jsp?channel=true&la 1 http://www.gazeteoku.com/ 1 http://apps.facebook.com/moodweather/Ticket.aspx?showTicket=true 1 http://www.tv-links.eu/tv-shows/Awake_30717/season_1/episode_7/ 1 http://www.google.com/url?q=http://roisun.wordpress.com/2011/11/15/tips-trik-win 1 http://www.mma-core.com/videos/interviews/Don_Frye_Dan_Henderson_is_an_ahole_fig 1 http://sportsillustrated.cnn.com/2012_swimsuit/models/michelle-vawer/12_michelle
Keywords: needURLs
|
||
Comment 3•10 years ago
|
||
Devices this has been seen on in the last week on Nightly: nsPluginStreamListenerPeer::OnStartRequest(nsIRequest*, nsISupports*) 43 Amazon KFTT 14 Asus Nexus 7 11 Samsung GT-I9100 6 HTC Desire X 3 Amazon KFOT 3 Samsung GT-P7510 1 Samsung GT-S6102 1 LGE Nexus 4 1 Acer A510 1 HTC One X 1 Asus Transformer Prime TF201 1
|
||
Updated•10 years ago
|
tracking-fennec: ? → 20+
|
||
Comment 4•10 years ago
|
||
Noting the KFTT looks like it's the new Kindle Fire HD
|
Reporter | |
Comment 5•10 years ago
|
||
It should be easy to reproduce as it's #1 top crasher in 20.0a2 and #2 in 21.0a1. There's bug 814718 about MediaStreamListeners in the regression range.
PluginStreamListener and MediaStreamListener are completely unrelated things, sorry :-).
|
||
Comment 7•10 years ago
|
||
Seems that opening a second stream of flash on a Android 4.2 crashes. http://www.youtube.com/watch?v=HbqGGq91Lms Will work on a regression range tomorrow.
|
|
||
Comment 8•10 years ago
|
||
This is dominating the 20.a2 top crash list with >20% of all crashes on Aurora. Any chance we get some progress here?
|
||
Comment 9•10 years ago
|
||
bug 767633 touches this code and would be a good suspect for bisecting. *might* be bug 832032
|
|
||
Comment 10•10 years ago
|
||
bug 832032 just landed, this is high volume enough that it should be easy to tell if it was the culprit with tonight's nightly.
|
|
||
Comment 11•10 years ago
|
||
Unfortunately this has happened twice already in today's nightly, so bug 832032 is not the culprit.
Keywords: testcase-wanted
|
|
Reporter | |
Comment 12•10 years ago
|
||
(In reply to John Schoenick [:johns] from comment #11) > Unfortunately this has happened twice already in today's nightly, so bug > 832032 is not the culprit. Instead of being the fix, it might be the culprit of the spike since 21.0a1/20130125: https://crash-stats.mozilla.com/report/list?product=FennecAndroid&version=FennecAndroid%3A21.0a1&do_query=1&signature=nsPluginStreamListenerPeer%3A%3AOnStartRequest%28nsIRequest*%2C%20nsISupports*%29
QA Wanted: verify regression range using STR from Comment 7
Flags: needinfo?(kbrosnan)
|
||
Comment 14•10 years ago
|
||
snorp, can you have a look, especially at the URL from comment 7 and see if there is anything from logcat that would help?
Assignee: nobody → snorp
Priority: -- → P1
|
|
Reporter | |
Comment 15•10 years ago
|
||
(In reply to Naoki Hirata :nhirata from comment #13) > QA Wanted: verify regression range using STR from Comment 7 I confirm it based on crash stats. It has been hit by three users in 20.0a1/20130103 and continuously since that: https://crash-stats.mozilla.com/report/list?version=FennecAndroid%3A20.0a1&date=2013-01-07&range_value=4&range_unit=weeks&signature=nsPluginStreamListenerPeer%3A%3AOnStartRequest%28nsIRequest*%2C%20nsISupports*%29 In addition, there were almost the same number of Nightly users at the beginning of the year, that is around 1400 ADU, so I don't think the first potential occurrence was missed.
|
Assignee | |
Comment 16•10 years ago
|
||
Looks like I can repro by just going to http://www.youtubedoubler.com/
|
|
Assignee | |
Comment 17•10 years ago
|
||
Strangely, I cannot reproduce it with my local build, only nightly.
|
|
Assignee | |
Comment 18•10 years ago
|
||
Nothing interesting in the logcat. Just the standard messages from Flash when it starts up.
|
|
Assignee | |
Comment 19•10 years ago
|
||
D/GeckoApp( 6872): Got a document start event. I/GeckoToolbar( 6872): zerdatime 232754870 - Throbber start I/GeckoApp( 6872): Security Mode - unknown I/GeckoToolbar( 6872): zerdatime 232757078 - Throbber start D/GeckoFavicons( 6872): Requesting cancelation of favicon load (5) E/GeckoLinker( 6872): /data/app-lib/com.adobe.flashplayer-1/libflashplayer.so: Text relocations are not supported I/GeckoPlugins( 6872): get log interface I/GeckoPlugins( 6872): get event interface I/GeckoPlugins( 6872): get system interface v1 I/GeckoPlugins( 6872): get system interface v2 I/GeckoPlugins( 6872): get Window interface V2 I/GeckoPlugins( 6872): get native window interface v0 I/GeckoPlugins( 6872): get video interface I/GeckoPlugins( 6872): get context I/GeckoPlugins( 6872): get typeface interface I/GeckoPlugins( 6872): get paint interface I/GeckoPlugins( 6872): get canvas interface I/GeckoPlugins( 6872): get surface interface I/GeckoPlugins( 6872): get window interface I/GeckoPlugins( 6872): get audio interface v1 I/GeckoPlugins( 6872): get audio interface I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/GeckoPlugins( 6872): _jclass* anp_system_loadJavaClass(NPP, char const*) I/GeckoPlugins( 6872): _jclass* anp_system_loadJavaClass(NPP, char const*) D/dalvikvm( 6872): GC_CONCURRENT freed 1529K, 12% free 12913K/14592K, paused 2ms+8ms, total 36ms D/GeckoApp( 6872): State - 786448 D/GeckoApp( 6872): Got a document stop event. I/GeckoToolbar( 6872): zerdatime 232763683 - Throbber stop D/dalvikvm( 664): GC_CONCURRENT freed 448K, 10% free 8691K/9636K, paused 2ms+10ms, total 52ms D/GeckoLayerClient( 6872): Window-size changed to (800,637) D/GeckoLayerClient( 6872): Window-size changed to (800,1098) D/GeckoLayerClient( 6872): Aborting draw due to resolution change E/libEGL ( 6872): call to OpenGL ES API with no current context (logged once per thread) E/GeckoConsole( 6872): SDK Loader major version = 3 D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 267 D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++ D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++ D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 267 D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Begin D/NvOsDebugPrintf( 129): --------- Closing TVMR Frame Delivery Thread ------------- D/NvOsDebugPrintf( 129): ------- NvAvpClose ------- D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Done D/NvOsDebugPrintf( 129): NvMMLiteTVMRDecPrivateClose Done D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 260 D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++ D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++ D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 260 D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Begin D/NvOsDebugPrintf( 129): --------- Closing TVMR Frame Delivery Thread ------------- D/NvOsDebugPrintf( 129): ------- NvAvpClose ------- D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Done D/NvOsDebugPrintf( 129): NvMMLiteTVMRDecPrivateClose Done D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 260 D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++ D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 260 D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++ D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Begin D/NvOsDebugPrintf( 129): --------- Closing TVMR Frame Delivery Thread ------------- D/NvOsDebugPrintf( 129): ------- NvAvpClose ------- D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Done D/NvOsDebugPrintf( 129): NvMMLiteTVMRDecPrivateClose Done D/NvOsDebugPrintf( 129): NvxLiteH264DecoderInit : Opening TVMR H264 block D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 261 D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++ D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++ D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 261 D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Begin D/NvOsDebugPrintf( 129): --------- Closing TVMR Frame Delivery Thread ------------- D/NvOsDebugPrintf( 129): ------- NvAvpClose ------- D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Done D/NvOsDebugPrintf( 129): NvMMLiteTVMRDecPrivateClose Done E/GeckoPlugins( 6872): !!!!!!!!!!!!!! void anp_video_setFramerateCallback(NPP, ANPNativeWindow, ANPVideoFrameCallbackProc) not implemented ../../../../../dom/plugins/base/android/ANPVideo.cpp, 46 I/OMXClient( 6872): Using client-side OMX mux. I/SoftAAC2( 6872): Reconfiguring decoder: 44100 Hz, 2 channels I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins I/ESQueue ( 129): found AAC codec config (44100 Hz, 2 channels) I/avc_utils( 129): found AVC codec config (640 x 360, Main-profile level 3.0) D/NvOsDebugPrintf( 129): NvxLiteH264DecoderInit : Opening TVMR H264 block E/OMXNodeInstance( 129): OMX_GetExtensionIndex failed I/SoftAAC2( 129): Reconfiguring decoder: 44100 Hz, 2 channels D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 261 D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++ D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++ D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 261 D/NvOsDebugPrintf( 129): BeginSequence 640x368 D/NvOsDebugPrintf( 129): pnvsi->nDecodeBuffers = 4 D/NvOsDebugPrintf( 129): Display Resolution : (640x360) D/NvOsDebugPrintf( 129): Display Aspect Ratio : (640x360) D/NvOsDebugPrintf( 129): cbBeginSequence@428: SurfaceLayout = 2 D/NvOsDebugPrintf( 129): pStreamInfo->NumOfSurfaces = 8, MaxDPB = 24, InteraceStream = 0, InterlaceEnabled = 0 D/NvOsDebugPrintf( 129): Allocating new output: 640x368 (x 10) E/GeckoConsole( 6872): SDK Version = 3.0.47 E/GeckoConsole( 6872): Loaded from a trusted youtube host: http://s.ytimg.com/yts/swfbin/ad3-vflETDQh6.swf E/GeckoConsole( 6872): Loading xlb file for locale - en E/GeckoConsole( 6872): Loaded xlb file for locale - en succeed E/GeckoConsole( 6872): en_US is not supported. Attempting to trim locale. E/GeckoConsole( 6872): Loading xlb file for locale - en E/GeckoConsole( 6872): Loaded xlb file for locale - en succeed W/libOpenSLES( 6872): Missed SL_PLAYEVENT_HEADATNEWPOS for position 3400; current position 4357 W/AudioTrack( 6872): releaseBuffer() track 0x67016228 name=0x4 disabled, restarting D/Zygote ( 127): Process 6872 terminated by signal (11)
|
|
Reporter | |
Comment 20•10 years ago
|
||
Can Kevin narrow down the regression range of comment 0 with those STR?
Keywords: qawanted → reproducible
|
|
||
Comment 21•10 years ago
|
||
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #17) > Strangely, I cannot reproduce it with my local build, only nightly. Does your build have --enable-profiling? The crash apparently happening inside SAMPLE_LABEL() which does stalk black magic, and this regression range included a compiler version bump...
|
|
||
Comment 22•10 years ago
|
||
stack* black magic, rather
|
|
Assignee | |
Comment 23•10 years ago
|
||
I do not build with --enable-profiling, no, so maybe that explains it.
|
||
Comment 24•10 years ago
|
||
Are you official builds built with --enable-profiling??
|
|
Assignee | |
Comment 25•10 years ago
|
||
Yeah, this has got to be some wonky side-effect from SAMPLE_LABEL(). I don't know how that stuff works. Benoit, who is best to look at that stuff?
Flags: needinfo?(bgirard)
|
||
Comment 26•10 years ago
|
||
SAMPLE_LABEL is orthogonal to enable-profiling. Have you been able to catch this in a debugger? Having the value mStackPointer/this would find the cause.
Flags: needinfo?(bgirard)
|
|
Assignee | |
Comment 27•10 years ago
|
||
(In reply to Benoit Girard (:BenWa) from comment #26) > SAMPLE_LABEL is orthogonal to enable-profiling. Right. Also, I found that mobile nightlies don't have --enable-profiling anyway. > Have you been able to catch this in a debugger? Having the value > mStackPointer/this would find the cause. Not as of yet.
|
|
Assignee | |
Comment 28•10 years ago
|
||
I still can't reproduce this with a local build, so I'm not sure what to do. We could remove the SAMPLE_LABEL, but that's just a bandaid.
|
|
||
Comment 29•10 years ago
|
||
So in the middle of this checkin from comment 0 I see Kartikaya Gupta — Bug 825151 - Bump ARMv7 mozconfigs to use NDK r8c and GCC 4.6. r=blassey,ted I can crash Flash by opening several instances using a 1-1-2013 build. http://crash-stats.mozilla.com/report/index/bp-4f70c785-1802-4592-8ae3-98f262130214 Is it possible this signature morphed with the compiler change?
Flags: needinfo?(kbrosnan)
|
|
Reporter | |
Comment 30•10 years ago
|
||
(In reply to Kevin Brosnan [:kbrosnan] from comment #29) > Is it possible this signature morphed with the compiler change? I don't think so I compared the number of libflashplayer.so crashes in 20.0a1 before December 31 (they are 45) and the number of those in 21.0a1 (they are 106).
|
|
Reporter | |
Comment 31•10 years ago
|
||
Here are recent correlations per device in Aurora: Asus Nexus 7 173 Amazon KFTT 9 Samsung GT-P7500 7 Acer A500 6 Samsung GT-P5100 6 Samsung GT-P7510 2 Samsung SC-03E 2 Amazon Kindle Fire 2 HTC One X 2 Telechips Android for Telechips M801 Evaluation Board 1 TOSHIBA AT100 1 Samsung SPH-L710 1 Samsung SCH-I905 1 Samsung GT-I9100 1 LENOVO K1 1 HUAWEI MediaPad 1 LGE L-01E 1 LGE L-06C 1 Samsung GT-I9300 1 ASUS Pad TF700T 1 Samsung GT-N7000 1
|
|
Reporter | |
Comment 32•10 years ago
|
||
Crashes stopped after 21.0a2/20120225 and 22.0a1/20130221 matching the landing of the patch of bug 842687.
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox21:
--- → verified
status-firefox22:
--- → verified
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
|
||
Updated•10 years ago
|
Keywords: regressionwindow-wanted,
testcase-wanted
|
|
Reporter | |
Comment 33•10 years ago
|
||
There are no crashes in 20.0b2 and above.
|
||
Updated•10 months ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•