Closed Bug 890590 Opened 12 years ago Closed 12 years ago

crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail

Categories

(Core Graveyard :: Widget: Android, defect)

Product:
Core Graveyard
Component:
Widget: Android
Version:
25 Branch
Platform:
ARM
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(firefox24 unaffected, firefox25+ fixed, fennec25+)

Status:
RESOLVED FIXED
Milestone:
mozilla25
Tracking Flags:
Tracking Status
firefox24 --- unaffected
firefox25 + fixed
fennec 25+ ---

People

(Reporter: scoobidiver, Assigned: bnicholson)

References

Details

(4 keywords, Whiteboard: [native-crash])

Crash Data

Attachments

(1 file)

Don't reuse tab's bitmap when updating thumbnail
3.56 KB, patch
Details | Diff | Splinter Review
There are five crashes in 25.0a1/20130705. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dcbbfcdf7bb4&tochange=17fe59f6c54a I suspect bug 803299 in this range. Signature arena_malloc | arena_dalloc | _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) | mozilla::AndroidBridge::SendThumbnail(_jobject*, int, bool) More Reports Search UUID 4b09d4db-add4-47f0-be30-d157e2130705 Date Processed 2013-07-05 18:56:46.437126 Uptime 2115 Install Age 2115 since version was first installed. Install Time 2013-07-05 18:21:23 Product FennecAndroid Version 25.0a1 Build ID 20130705031151 Release Channel nightly OS Android OS Version 0.0.0 Linux 3.4.10-g4c37954 #1 SMP PREEMPT Sat May 4 14:17:28 CST 2013 armv7l brightstarus_wwe/m7/m7 Build Architecture arm Build Architecture Info ARMv0 | None Crash Reason SIGSEGV Crash Address 0x0 App Notes AdapterDescription: 'Qualcomm -- Adreno (TM) 320 -- OpenGL ES 2.0 V@4.1 AU@3.04.01.01.13.018 (CL@) -- Model: HTC One, Product: m7, Manufacturer: HTC, Hardware: m7' GL Layers! EGL? EGL+ GL Context? GL Context+ GL Layers+ HTC HTC One brightstarus_wwe/m7/m7:4.1.2/JZO54K/164689.16:user/release-keys Processor Notes sp-processor08_phx1_mozilla_com_12337:2012; non-integer value of "SecondsSinceLastCrash"; exploitability tool: ERROR: unable to analyze dump Adapter Vendor ID Qualcomm Adapter Device ID Adreno (TM) 320 Android CPU ABI armeabi-v7a Android Manufacturer HTC Android Model HTC One Android Version 16 (REL) Frame Module Signature Source 0 libandroid_runtime.so libandroid_runtime.so@0x75c7e ... 27 libdvm.so libdvm.so@0x4f383 28 libxul.so _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) android-ndk/platforms/android-9/arch-arm/usr/include/jni.h 29 libxul.so mozilla::AndroidBridge::SendThumbnail(_jobject*, int, bool) widget/android/AndroidBridge.cpp 30 libxul.so ThumbnailRunnable::Run() widget/android/nsAppShell.cpp 31 libxul.so RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(), Tuple0>::Run() ipc/chromium/src/base/tuple.h 32 libxul.so MessageLoop::RunTask(Task*) ipc/chromium/src/base/message_loop.cc 33 libxul.so MessageLoop::ProcessNextDelayedNonNestableTask() ipc/chromium/src/base/message_loop.cc 34 libxul.so MessageLoop::DoIdleWork() ipc/chromium/src/base/message_loop.cc 35 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp 36 libxul.so MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc 37 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc 38 libxul.so nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp 39 libxul.so nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp 40 libxul.so XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp 41 libxul.so XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp 42 libxul.so XRE_main toolkit/xre/nsAppRunner.cpp More reports at: https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=arena_malloc+|+arena_dalloc+|+_JNIEnv%3A%3ACallStaticVoidMethod%28_jclass*%2C+_jmethodID*%2C+...%29+|+mozilla%3A%3AAndroidBridge%3A%3ASendThumbnail%28_jobject*%2C+int%2C+bool%29 https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=arena_malloc https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=libc+malloc+%28deleted%29%400x4e826
Three more crashes found: https://crash-stats.mozilla.com/report/list?product=FennecAndroid&signature=_ZN17AutoDecoderCancel13RequestCancelEP8_jobject
tracking-fennec: --- → ?
Crash Signature: , bool)] [@ arena_malloc ] [@ libc malloc (deleted)@0x4e826 ] [@ system@framework@framework.jar@classes.dex@0x685a61 ] [@ system@framework@framework.jar@classes.dex@0x6863c7 ] → , bool)] [@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject ] [@ arena_malloc ] [@ libc malloc (deleted)@0x4e826 ] [@ system@framework@framework.jar@classes.dex@0x685a61 ] [@ system@framework@framework.jar@classes.dex@0x6863c7 ]
tracking-firefox25: --- → ?
Keywords: topcrash
Silly bug 865146.
Crash Signature: , bool)] [@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject ] [@ arena_malloc ] [@ libc malloc (deleted)@0x4e826 ] [@ system@framework@framework.jar@classes.dex@0x685a61 ] [@ system@framework@framework.jar@classes.dex@0x6863c7 ] → , bool) ] [@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject] [@ arena_malloc] [@ libc malloc (deleted)@0x4e826] [@ system@framework@framework.jar@classes.dex@0x685a61] [@ system@framework@framework.jar@classes.dex@0x6863c7]
Crash Signature: , bool) ] [@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject] [@ arena_malloc] [@ libc malloc (deleted)@0x4e826] [@ system@framework@framework.jar@classes.dex@0x685a61] [@ system@framework@framework.jar@classes.dex@0x6863c7] → , bool) ] [@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject] [@ arena_malloc | arena_dalloc | nsTArray_Impl<nsCOMPtr<nsIAutoCompletePopup>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) ] [@ nsQueryInterface::operator()(n…
Crash Signature: , unsigned int*) ] [@ libc malloc (deleted)@0x4e826] [@ system@framework@framework.jar@classes.dex@0x685a61] [@ system@framework@framework.jar@classes.dex@0x6863c7] → , unsigned int*) ] [@ libc malloc (deleted)@0x4e826] [@ libc malloc (deleted)@0x1d1b6 ] [@ libcutils.so@0x300f ] [@ system@framework@framework.jar@classes.dex@0x685a61] [@ system@framework@framework.jar@classes.dex@0x6863c7] [@ system@framework@fram…
Assignee: nobody → bnicholson
tracking-fennec: ? → 25+
Looking through the crash reports, this only appears to be a problem on Nexus 4/7.
Summary: crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail → crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail on Nexus 4/7
I've had no luck reproducing this on a Nexus 4. Some STR would be helpful.
Keywords: steps-wanted
(In reply to Brian Nicholson (:bnicholson) from comment #4) > Looking through the crash reports, this only appears to be a problem on > Nexus 4/7. I disagree. There is bunch of signatures (more than the links in comment 0 and comment 1). It would be easier to aggregate them if bug 764756 and bug 893585 were fixed.
Crash Signature: system@framework@framework.jar@classes.dex@0x664d04] → system@framework@framework.jar@classes.dex@0x664d04] [@ system@framework@framework.jar@classes.dex@0x6878e8] [@ system@framework@framework.jar@classes.dex@0x687665] [@ system@framework@framework.jar@classes.dex@0x43de91] [@ system@framework@framework…
Depends on: 893585
Summary: crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail on Nexus 4/7 → crash in _JNIEnv::CallStaticVoidMethod | mozilla::AndroidBridge::SendThumbnail
I am able to reproduce this with some regularity by * setting Firefox to restore tabs on restart * quitting Firefox * starting Firefox * clicking on the tab switcher button quickly Not 100% but often this works.
Keywords: steps-wanted
Keywords: reproducible
It looks like the crash here is actually happening in Java. I found that the crash was always happening during the BGRA->ARGB conversion in processThumbnailData(), which was added as part of the 24-bit color support. Since we're holding onto the actual bitmap used in the BitmapDrawable shown in the tabs tray, I assume we're running into problems when updating the bitmap while it's simultaneously being shown in the UI. Rather than reusing the tab's existing bitmap, this patch creates a new one whenever we update the thumbnail. This seems to fix the crash for me, although I can't be completely sure since the crash is intermittent with the STR.
Attachment #779534 - Flags: review?(bugmail.mozilla)
Status: NEW → ASSIGNED
Comment on attachment 779534 [details] [diff] [review] Don't reuse tab's bitmap when updating thumbnail After spending all day debugging this, Chris just posted a patch that removes the BGRA->ARGB code from Java altogether and moves the logic to Gecko. So much for this patch.
Attachment #779534 - Flags: review?(bugmail.mozilla)
I think bug 896822 will fix this, but leaving open for now to be sure the crash disappears.
Depends on: 896822
Blocks: 803299
Crash Signature: [@ arena_malloc | arena_dalloc | _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) | mozilla::AndroidBridge::SendThumbnail(_jobject*, int, bool) ] [@ _ZN17AutoDecoderCancel13RequestCancelEP8_jobject] [@ arena_malloc | arena_dalloc | nsTArray_Imp… → [@ arena_malloc | arena_dalloc | _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) | mozilla::AndroidBridge::SendThumbnail(_jobject*, int, bool) ] [@ arena_malloc | arena_dalloc | _JNIEnv::CallStaticVoidMethod(_jclass*, _jmethodID*, ...) ] [@ _Z…
(In reply to Brian Nicholson (:bnicholson) from comment #10) > I think bug 896822 will fix this, but leaving open for now to be sure the > crash disappears. There have been no crashes since 25.0a1/20130725 so it's indeed fixed by that patch.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-firefox25: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: