Closed Bug 827171 Opened 12 years ago Closed 12 years ago

crash in nsPluginStreamListenerPeer::OnStartRequest

Categories

(Core Graveyard :: Plug-ins, defect, P1)

20 Branch
ARM
Android
defect

Tracking

(firefox20+ verified, firefox21 verified, firefox22 verified, fennec20+)

RESOLVED FIXED
mozilla22
Tracking Status
firefox20 + verified
firefox21 --- verified
firefox22 --- verified
fennec 20+ ---

People

(Reporter: scoobidiver, Assigned: snorp)

Details

(4 keywords, Whiteboard: [native-crash])

Crash Data

It's #6 top crasher in 20.0a1 and first showed up in 20.0a1/20130103. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a812ef63de87&tochange=6955309291ee

Signature nsPluginStreamListenerPeer::OnStartRequest(nsIRequest*, nsISupports*) More Reports Search
UUID 9d50bf74-69cb-4acc-be58-3c5412130106
Date Processed 2013-01-06 17:33:10
Uptime 627
Install Age 57.1 minutes since version was first installed.
Install Time 2013-01-06 16:35:58
Product FennecAndroid
Version 20.0a1
Build ID 20130106030902
Release Channel nightly
OS Android
OS Version 0.0.0 Linux 3.0.8-02784-g4dbe869 #1 SMP PREEMPT Wed Dec 5 01:54:41 UTC 2012 armv7l Android/tate/tate:4.0.3/IML74K/7.2.3_user_2330720:user/release-keys
Build Architecture arm
Build Architecture Info
Crash Reason SIGSEGV
Crash Address 0x5e005000
App Notes AdapterDescription: 'Imagination Technologies -- PowerVR SGX 540 -- OpenGL ES 2.0 build 1.8@785978 -- Model: KFTT, Product: Kindle Fire, Manufacturer: Amazon, Hardware: bowser'
EGL? EGL+
GL Context? GL Context+
GL Layers? GL Layers+
Amazon KFTT
Android/tate/tate:4.0.3/IML74K/7.2.3_user_2330720:user/release-keys
Processor Notes /data/socorro/stackwalk/bin/exploitable: ERROR: unable to analyze dump
EMCheckCompatibility True
Adapter Vendor ID Imagination Technologies
Adapter Device ID PowerVR SGX 540
Device Amazon KFTT
Android API Version 15 (REL)
Android CPU ABI armeabi-v7a

Frame Module Signature Source
0 libxul.so nsPluginStreamListenerPeer::OnStartRequest sps_sampler.h:348
1 libxul.so mozilla::net::nsHttpChannel::CallOnStartRequest nsHttpChannel.cpp:959
2 libxul.so mozilla::net::nsHttpChannel::ContinueProcessNormal nsHttpChannel.cpp:1452
3 libxul.so mozilla::net::nsHttpChannel::ProcessNormal nsHttpChannel.cpp:1387
4 libxul.so mozilla::net::nsHttpChannel::ProcessResponse nsHttpChannel.cpp:1300
5 libxul.so mozilla::net::nsHttpChannel::OnStartRequest nsHttpChannel.cpp:4839
6 libxul.so nsInputStreamPump::OnStateStart nsInputStreamPump.cpp:417
7 libxul.so nsInputStreamPump::OnInputStreamReady nsInputStreamPump.cpp:368
8 libxul.so nsInputStreamReadyEvent::Run nsStreamUtils.cpp:82
9 libxul.so nsThread::ProcessNextEvent nsThread.cpp:627
10 libxul.so NS_ProcessNextEvent_P nsThreadUtils.cpp:237
11 libxul.so mozilla::ipc::MessagePump::Run MessagePump.cpp:82
12 libxul.so MessageLoop::RunInternal message_loop.cc:215
13 libxul.so MessageLoop::Run message_loop.cc:208
14 libxul.so nsBaseAppShell::Run nsBaseAppShell.cpp:163
15 libxul.so nsAppStartup::Run nsAppStartup.cpp:288
16 libxul.so XREMain::XRE_mainRun nsAppRunner.cpp:3823
17 libxul.so XREMain::XRE_main nsAppRunner.cpp:3890
18 libxul.so XRE_main nsAppRunner.cpp:4093
19 libxul.so GeckoStart nsAndroidStartup.cpp:73

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsPluginStreamListenerPeer%3A%3AOnStartRequest%28nsIRequest*%2C+nsISupports*%29
kairo: any correlations to devices or urls to help reproduce will be helpful here. Also adding qawanted to help here to help with the above & find the bug which may have regressed this given the regression range.
QA Contact: kbrosnan
Devices this has been seen on in the last week on Nightly:
nsPluginStreamListenerPeer::OnStartRequest(nsIRequest*, nsISupports*) 43
Amazon KFTT 14
Asus Nexus 7 11
Samsung GT-I9100 6
HTC Desire X 3
Amazon KFOT 3
Samsung GT-P7510 1
Samsung GT-S6102 1
LGE Nexus 4 1
Acer A510 1
HTC One X 1
Asus Transformer Prime TF201 1
tracking-fennec: ? → 20+
Noting the KFTT looks like it's the new Kindle Fire HD
It should be easy to reproduce as it's #1 top crasher in 20.0a2 and #2 in 21.0a1. There's bug 814718 about MediaStreamListeners in the regression range.
PluginStreamListener and MediaStreamListener are completely unrelated things, sorry :-).
Seems that opening a second stream of flash on an Android 4.2 crashes.
http://www.youtube.com/watch?v=HbqGGq91Lms
Will work on a regression range tomorrow.
This is dominating the 20.a2 top crash list with >20% of all crashes on Aurora. Any chance we get some progress here?
bug 767633 touches this code and would be a good suspect for bisecting. *might* be bug 832032
bug 832032 just landed, this is high volume enough that it should be easy to tell if it was the culprit with tonight's nightly.
Unfortunately this has happened twice already in today's nightly, so bug 832032 is not the culprit.
Keywords: testcase-wanted
(In reply to John Schoenick [:johns] from comment #11)
> Unfortunately this has happened twice already in today's nightly, so bug
> 832032 is not the culprit.

Instead of being the fix, it might be the culprit of the spike since 21.0a1/20130125:
https://crash-stats.mozilla.com/report/list?product=FennecAndroid&version=FennecAndroid%3A21.0a1&do_query=1&signature=nsPluginStreamListenerPeer%3A%3AOnStartRequest%28nsIRequest*%2C%20nsISupports*%29
QA Wanted: verify regression range using STR from Comment 7
Flags: needinfo?(kbrosnan)
snorp, can you have a look, especially at the URL from comment 7 and see if there is anything from logcat that would help?
Assignee: nobody → snorp
Priority: -- → P1
(In reply to Naoki Hirata :nhirata from comment #13)
> QA Wanted: verify regression range using STR from Comment 7

I confirm it based on crash stats. It has been hit by three users in 20.0a1/20130103 and continuously since that:
https://crash-stats.mozilla.com/report/list?version=FennecAndroid%3A20.0a1&date=2013-01-07&range_value=4&range_unit=weeks&signature=nsPluginStreamListenerPeer%3A%3AOnStartRequest%28nsIRequest*%2C%20nsISupports*%29

In addition, there were almost the same number of Nightly users at the beginning of the year, that is around 1400 ADU, so I don't think the first potential occurrence was missed.
Looks like I can repro by just going to http://www.youtubedoubler.com/
Strangely, I cannot reproduce it with my local build, only nightly.
Nothing interesting in the logcat. Just the standard messages from Flash when it starts up.
D/GeckoApp( 6872): Got a document start event.
I/GeckoToolbar( 6872): zerdatime 232754870 - Throbber start
I/GeckoApp( 6872): Security Mode - unknown
I/GeckoToolbar( 6872): zerdatime 232757078 - Throbber start
D/GeckoFavicons( 6872): Requesting cancelation of favicon load (5)
E/GeckoLinker( 6872): /data/app-lib/com.adobe.flashplayer-1/libflashplayer.so: Text relocations are not supported
I/GeckoPlugins( 6872): get log interface
I/GeckoPlugins( 6872): get event interface
I/GeckoPlugins( 6872): get system interface v1
I/GeckoPlugins( 6872): get system interface v2
I/GeckoPlugins( 6872): get Window interface V2
I/GeckoPlugins( 6872): get native window interface v0
I/GeckoPlugins( 6872): get video interface
I/GeckoPlugins( 6872): get context
I/GeckoPlugins( 6872): get typeface interface
I/GeckoPlugins( 6872): get paint interface
I/GeckoPlugins( 6872): get canvas interface
I/GeckoPlugins( 6872): get surface interface
I/GeckoPlugins( 6872): get window interface
I/GeckoPlugins( 6872): get audio interface v1
I/GeckoPlugins( 6872): get audio interface
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/GeckoPlugins( 6872): _jclass* anp_system_loadJavaClass(NPP, char const*)
I/GeckoPlugins( 6872): _jclass* anp_system_loadJavaClass(NPP, char const*)
D/dalvikvm( 6872): GC_CONCURRENT freed 1529K, 12% free 12913K/14592K, paused 2ms+8ms, total 36ms
D/GeckoApp( 6872): State - 786448
D/GeckoApp( 6872): Got a document stop event.
I/GeckoToolbar( 6872): zerdatime 232763683 - Throbber stop
D/dalvikvm( 664): GC_CONCURRENT freed 448K, 10% free 8691K/9636K, paused 2ms+10ms, total 52ms
D/GeckoLayerClient( 6872): Window-size changed to (800,637)
D/GeckoLayerClient( 6872): Window-size changed to (800,1098)
D/GeckoLayerClient( 6872): Aborting draw due to resolution change
E/libEGL ( 6872): call to OpenGL ES API with no current context (logged once per thread)
E/GeckoConsole( 6872): SDK Loader major version = 3
D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 267
D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++
D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++
D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 267
D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Begin
D/NvOsDebugPrintf( 129): --------- Closing TVMR Frame Delivery Thread -------------
D/NvOsDebugPrintf( 129): ------- NvAvpClose -------
D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Done
D/NvOsDebugPrintf( 129): NvMMLiteTVMRDecPrivateClose Done
D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 260
D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++
D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++
D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 260
D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Begin
D/NvOsDebugPrintf( 129): --------- Closing TVMR Frame Delivery Thread -------------
D/NvOsDebugPrintf( 129): ------- NvAvpClose -------
D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Done
D/NvOsDebugPrintf( 129): NvMMLiteTVMRDecPrivateClose Done
D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 260
D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++
D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 260
D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++
D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Begin
D/NvOsDebugPrintf( 129): --------- Closing TVMR Frame Delivery Thread -------------
D/NvOsDebugPrintf( 129): ------- NvAvpClose -------
D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Done
D/NvOsDebugPrintf( 129): NvMMLiteTVMRDecPrivateClose Done
D/NvOsDebugPrintf( 129): NvxLiteH264DecoderInit : Opening TVMR H264 block
D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 261
D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++
D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++
D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 261
D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Begin
D/NvOsDebugPrintf( 129): --------- Closing TVMR Frame Delivery Thread -------------
D/NvOsDebugPrintf( 129): ------- NvAvpClose -------
D/NvOsDebugPrintf( 129): NvMMDecTVMRDestroyParser Done
D/NvOsDebugPrintf( 129): NvMMLiteTVMRDecPrivateClose Done
E/GeckoPlugins( 6872): !!!!!!!!!!!!!! void anp_video_setFramerateCallback(NPP, ANPNativeWindow, ANPVideoFrameCallbackProc) not implemented ../../../../../dom/plugins/base/android/ANPVideo.cpp, 46
I/OMXClient( 6872): Using client-side OMX mux.
I/SoftAAC2( 6872): Reconfiguring decoder: 44100 Hz, 2 channels
I/GeckoPlugins( 6872): getApplicationDataDirectory return /data/data/org.mozilla.fennec/app_plugins
I/ESQueue ( 129): found AAC codec config (44100 Hz, 2 channels)
I/avc_utils( 129): found AVC codec config (640 x 360, Main-profile level 3.0)
D/NvOsDebugPrintf( 129): NvxLiteH264DecoderInit : Opening TVMR H264 block
E/OMXNodeInstance( 129): OMX_GetExtensionIndex failed
I/SoftAAC2( 129): Reconfiguring decoder: 44100 Hz, 2 channels
D/NvOsDebugPrintf( 129): NvMMLiteOpen : Block : BlockType = 261
D/NvOsDebugPrintf( 129): ++++++ NvAvpOpen +++++++
D/NvOsDebugPrintf( 129): ++++++++++++ TVMRFrameDelivery +++++++++++++++
D/NvOsDebugPrintf( 129): NvMMLiteBlockCreate : Block : BlockType = 261
D/NvOsDebugPrintf( 129): BeginSequence 640x368
D/NvOsDebugPrintf( 129): pnvsi->nDecodeBuffers = 4
D/NvOsDebugPrintf( 129): Display Resolution : (640x360)
D/NvOsDebugPrintf( 129): Display Aspect Ratio : (640x360)
D/NvOsDebugPrintf( 129): cbBeginSequence@428: SurfaceLayout = 2
D/NvOsDebugPrintf( 129): pStreamInfo->NumOfSurfaces = 8, MaxDPB = 24, InteraceStream = 0, InterlaceEnabled = 0
D/NvOsDebugPrintf( 129): Allocating new output: 640x368 (x 10)
E/GeckoConsole( 6872): SDK Version = 3.0.47
E/GeckoConsole( 6872): Loaded from a trusted youtube host: http://s.ytimg.com/yts/swfbin/ad3-vflETDQh6.swf
E/GeckoConsole( 6872): Loading xlb file for locale - en
E/GeckoConsole( 6872): Loaded xlb file for locale - en succeed
E/GeckoConsole( 6872): en_US is not supported. Attempting to trim locale.
E/GeckoConsole( 6872): Loading xlb file for locale - en
E/GeckoConsole( 6872): Loaded xlb file for locale - en succeed
W/libOpenSLES( 6872): Missed SL_PLAYEVENT_HEADATNEWPOS for position 3400; current position 4357
W/AudioTrack( 6872): releaseBuffer() track 0x67016228 name=0x4 disabled, restarting
D/Zygote ( 127): Process 6872 terminated by signal (11)
Can Kevin narrow down the regression range of comment 0 with those STR?
Keywords: qawanted → reproducible
(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) from comment #17)
> Strangely, I cannot reproduce it with my local build, only nightly.

Does your build have --enable-profiling? The crash is apparently happening inside SAMPLE_LABEL() which does stalk black magic, and this regression range included a compiler version bump...
stack* black magic, rather
I do not build with --enable-profiling, no, so maybe that explains it.
Are your official builds built with --enable-profiling??
Yeah, this has got to be some wonky side-effect from SAMPLE_LABEL(). I don't know how that stuff works. Benoit, who is best to look at that stuff?
Flags: needinfo?(bgirard)
SAMPLE_LABEL is orthogonal to enable-profiling. Have you been able to catch this in a debugger? Having the value mStackPointer/this would find the cause.
Flags: needinfo?(bgirard)
(In reply to Benoit Girard (:BenWa) from comment #26)
> SAMPLE_LABEL is orthogonal to enable-profiling.

Right. Also, I found that mobile nightlies don't have --enable-profiling anyway.

> Have you been able to catch this in a debugger? Having the value
> mStackPointer/this would find the cause.

Not as of yet.
I still can't reproduce this with a local build, so I'm not sure what to do. We could remove the SAMPLE_LABEL, but that's just a bandaid.
Depends on: 841450
So in the middle of this checkin from comment 0 I see
Kartikaya Gupta — Bug 825151 - Bump ARMv7 mozconfigs to use NDK r8c and GCC 4.6. r=blassey,ted

I can crash Flash by opening several instances using a 1-1-2013 build.
http://crash-stats.mozilla.com/report/index/bp-4f70c785-1802-4592-8ae3-98f262130214

Is it possible this signature morphed with the compiler change?
Flags: needinfo?(kbrosnan)
(In reply to Kevin Brosnan [:kbrosnan] from comment #29)
> Is it possible this signature morphed with the compiler change?

I don't think so. I compared the number of libflashplayer.so crashes in 20.0a1 before December 31 (they are 45) and the number of those in 21.0a1 (they are 106).
Here are recent correlations per device in Aurora:
Asus Nexus 7 173
Amazon KFTT 9
Samsung GT-P7500 7
Acer A500 6
Samsung GT-P5100 6
Samsung GT-P7510 2
Samsung SC-03E 2
Amazon Kindle Fire 2
HTC One X 2
Telechips Android for Telechips M801 Evaluation Board 1
TOSHIBA AT100 1
Samsung SPH-L710 1
Samsung SCH-I905 1
Samsung GT-I9100 1
LENOVO K1 1
HUAWEI MediaPad 1
LGE L-01E 1
LGE L-06C 1
Samsung GT-I9300 1
ASUS Pad TF700T 1
Samsung GT-N7000 1
Crashes stopped after 21.0a2/20120225 and 22.0a1/20130221 matching the landing of the patch of bug 842687.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
There are no crashes in 20.0b2 and above.
Product: Core → Core Graveyard