Closed Bug 884792 Opened 8 years ago Closed 8 years ago

crash in nsXPCWrappedJS::Release


(Firefox for Android Graveyard :: General, defect)

Not set


(firefox23 unaffected, firefox24+ fixed, fennec24+)

Firefox 24
Tracking Status
firefox23 --- unaffected
firefox24 + fixed
fennec 24+ ---


(Reporter: scoobidiver, Assigned: blassey)



(Keywords: crash, regression, topcrash, Whiteboard: [native-crash])

Crash Data


(1 file)

It has been hit twice by a single user in 24.0a1/20130619: bp-64122db3-bf91-493d-9737-948632130619.

Signature 	nsXPCWrappedJS::Release() More Reports Search
UUID	64122db3-bf91-493d-9737-948632130619
Date Processed	2013-06-19 12:21:21
Uptime	15
Last Crash	25 seconds before submission
Install Age	58 seconds since version was first installed.
Install Time	2013-06-19 12:20:22
Product	FennecAndroid
Version	24.0a1
Build ID	20130619031048
Release Channel	nightly
OS	Android
OS Version	0.0.0 Linux 3.0.31 #1 SMP PREEMPT Wed Apr 3 09:14:51 KST 2013 armv7l samsung/kona3gxx/kona3g:4.1.2/JZO54K/N5100XXBMD1:user/release-keys
Build Architecture	arm
Build Architecture Info	ARMv0
Crash Reason	SIGSEGV
Crash Address	0x0
App Notes 	
AdapterDescription: 'ARM -- Mali-400 MP -- OpenGL ES 2.0 -- Model: GT-N5100, Product: kona3gxx, Manufacturer: samsung, Hardware: smdk4x12'
GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ 
samsung GT-N5100
Processor Notes 	sp-processor09_phx1_mozilla_com_2231:2012; MDSW emitted too many frames, triggering truncation; exploitability tool: ERROR: unable to analyze dump
EMCheckCompatibility	True
Adapter Vendor ID	ARM
Adapter Device ID	Mali-400 MP
Device	samsung GT-N5100
Android API Version	16 (REL)
Android CPU ABI	armeabi-v7a

Frame 	Module 	Signature 	Source
0 	nsXPCWrappedJS::Release 	js/xpconnect/src/XPCWrappedJS.cpp:174
1 	nsXPTCStubBase::AddRef 	xpcom/reflect/xptcall/src/xptcall.cpp:31
2 	GrGLProgramStage::name const 	gfx/skia/src/gpu/gl/GrGLProgramStage.h:81
3 	nsTHashtable<nsBaseHashtableET<nsStringHashKey, nsCOMPtr<nsIObserver> > >::s_Ini 	obj-firefox/dist/include/nsTHashtable.h:474
4 	mozilla::RefPtr<mozilla::psm::TransportSecurityInfo>::~RefPtr 	
5 	nsTHashtable<nsBaseHashtableET<nsStringHashKey, nsCOMPtr<nsIObserver> > >::s_Cle 	obj-firefox/dist/include/nsCOMPtr.h:489
6 	PL_DHashTableRawRemove 	obj-firefox/xpcom/build/pldhash.cpp:683
7 	PL_DHashTableOperate 	obj-firefox/xpcom/build/pldhash.cpp:649

More reports at:
The GrGLProgramStage is a red herring here. Brad, looks like removeObserver is being called off the main thread, so perhaps that needs to be proxied to the main one.
Component: Graphics → General
Product: Core → Firefox for Android
Version: 24 Branch → Trunk
Summary: crash in GrGLProgramStage::name @ nsXPCWrappedJS::Release → crash in nsXPCWrappedJS::Release
It has been hit now by 5 users. It's a regression from either bug 882196 or bug 770840 (previously hidden by bug 882196).
tracking-fennec: --- → ?
Keywords: topcrash
Whiteboard: [native-crash][startupcrash] → [native-crash]
Attached patch patchSplinter Review
Assignee: nobody → blassey.bugs
Attachment #764934 - Flags: review?(bugmail.mozilla)
Comment on attachment 764934 [details] [diff] [review]

Review of attachment 764934 [details] [diff] [review]:

::: widget/android/nsAppShell.cpp
@@ +525,5 @@
> +        mObserversHash.Get(curEvent->Characters(), getter_AddRefs(observer));
> +
> +        if (observer) {
> +            observer->Observe(nullptr, NS_ConvertUTF16toUTF8(curEvent->CharactersExtra()).get(),
> +                              nsString(curEvent->Data()).get());

You changed the data from being a PromiseFlatString to a nsString. I assume that's ok but I don't know these string classes well enough to say for sure. Just pointing this out in case you didn't mean to do this.
Attachment #764934 - Flags: review?(bugmail.mozilla) → review+
In case it helps, a comment says: "switched to home screen after a download".
tracking-fennec: ? → 24+
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 24
Depends on: 887768
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.