crash in libc.so@0x22048 / libc.so@0x21f90 - Android 4.4 Nexus devices - Downloading files

RESOLVED FIXED in Firefox 27

Status

defect
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: kbrosnan, Assigned: jchen)

Tracking

({crash, topcrash})

Trunk
Firefox 29
All
Android
Points:
---

Firefox Tracking Flags

(firefox25 wontfix, firefox26 wontfix, firefox27+ fixed, firefox28+ fixed, firefox29+ fixed, fennec+)

Details

(Whiteboard: [native-crash], crash signature)

Attachments

(4 attachments, 1 obsolete attachment)

This bug was filed from the Socorro interface and is report bp-f6c44ac6-311d-4f1a-a60e-078ee2131201.
=============================================================

Crash on the older Nexus 7 2012 when running Android 4.4, http://en.wikipedia.org/wiki/Nexus_7_%282012_version%29
tracking-fennec: --- → ?
Some of the crash comments indicate downloading could be leading to crashes so maybe we can get some testcases on Kit Kat around downloads?
Flags: needinfo?(kbrosnan)
Keywords: steps-wanted
tracking-fennec: ? → +
I downloaded the same file repeatedly and eventually Firefox gave the file the same name. This crashed Firefox.
Flags: needinfo?(kbrosnan)
Keywords: steps-wanted
Renominating for tracking Fennec and to get an assignee.
tracking-fennec: + → ?
Duplicate of this bug: 945332
Crash Signature: [@ libc.so@0x22048] → [@ libc.so@0x22048] [@ libc.so@0x21f90]
Summary: crash in libc.so@0x22048 - Nexus 7 2012 Android 4.4 → crash in libc.so@0x22048 / libc.so@0x21f90 - Android 4.4 Nexus devices - Downloading files
This is reproducible on the ART runtime as well.
Crash Signature: [@ libc.so@0x22048] [@ libc.so@0x21f90] → [@ libc.so@0x22048] [@ libc.so@0x21f90] [@ libart.so@0x195657]
Posted file gdb output
Downloaded about 50 of [1] under gdb and produced the attached output. Ran `where` and `list` at the end. Note color codes are included.

In particular:

> #0  0x68817342 in mozalloc_abort (msg=0x6b8fab38 "[9119] ###!!! ABORT: 
>  Failed to push local JNI frame: 'ret == 0', file ../../dist/include
>  /AndroidBridge.h, line 515") at /home/mcomella/dev/fig/memory/mozalloc
>  /mozalloc_abort.cpp:30

[1]: https://upload.wikimedia.org/wikipedia/commons/d/d3/IU_at_the_Life_Style_Awards_2011_%282%29.jpg
Posted file logcat output
For run associated with comment 6, dumped a few minutes after the crash.
Jim, this looks like a mismatched JNI Push/PopFrame, can you dig in?
Assignee: nobody → nchen
tracking-fennec: ? → +
I was able to reproduce this on my Nexus 4, and I see several cases where local refs can be leaked in AndroidBridge. Right now I'm doing an audit of AndroidBridge methods.
Status: NEW → ASSIGNED
Seems to fix the crash on my Nexus 4 using mcomella's STR.
Attachment #8355594 - Flags: review?(blassey.bugs)
Comment on attachment 8355594
Improve local ref management in AndroidBridge (v1)

Review of attachment 8355594:
-----------------------------------------------------------------

::: widget/android/AndroidBridge.cpp
@@ +337,5 @@
>          aHandlersArray->AppendElement(app, false);
>          if (aDefaultApp && isDefault.Length() > 0)
>              *aDefaultApp = app;
> +
> +        aJNIEnv->PopLocalFrame(NULL);
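
Review bot: the `aJNIEnv->PopLocalFrame(NULL)` added as the last statement of this block is a manual pop, so it only balances the frame on the path that falls through to it; the hunk does not show the matching push or the block's other exits. Binding the frame to a scope object whose destructor pops it would cover every exit. Also confirm that `app`, which has just been stored in `aHandlersArray` and `*aDefaultApp`, does not hold a local reference created inside this frame, because passing NULL to PopLocalFrame releases all of them.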

why not use an AutoLocalJNIFrame?
Attachment #8355594 - Flags: review?(blassey.bugs) → review+
(In reply to Brad Lassey [:blassey] (use needinfo?) from comment #11)
> Comment on attachment 8355594
> Improve local ref management in AndroidBridge (v1)
> 
> Review of attachment 8355594:
> -----------------------------------------------------------------
> 
> ::: widget/android/AndroidBridge.cpp
> @@ +337,5 @@
> >          aHandlersArray->AppendElement(app, false);
> >          if (aDefaultApp && isDefault.Length() > 0)
> >              *aDefaultApp = app;
> > +
> > +        aJNIEnv->PopLocalFrame(NULL);
> 
> why not use an AutoLocalJNIFrame?

Good idea.

https://hg.mozilla.org/integration/mozilla-inbound/rev/d7dfd3217a54
Attachment #8355594 - Attachment is obsolete: true
Attachment #8356177 - Flags: review+
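
A model of the failure mode discussed in this bug, added here as an illustration (it is not Mozilla's code and not real JNI): `MockEnv`, `ScopedLocalFrame`, the 512-slot table and the 16-reference frames are assumptions. It shows a push whose pop is skipped on one exit path eventually making the push itself fail, and a scope-bound pop avoiding that.

```cpp
#include <cstdio>
#include <vector>

// Constructed model of a JNI local reference table (MockEnv is hypothetical);
// only the Push/PopLocalFrame names and "0 means success" follow JNI.
struct MockEnv {
    static constexpr int kTableSize = 512;   // assumed table size
    int used = 0;                            // live local refs
    std::vector<int> frames;                 // value of `used` at each push
    int PushLocalFrame(int capacity) {
        if (used + capacity > kTableSize) return -1;   // table exhausted
        frames.push_back(used);
        return 0;
    }
    void NewLocalRef() { ++used; }
    void PopLocalFrame(void*) { used = frames.back(); frames.pop_back(); }
};

// Hypothetical scope guard: the destructor pops on every exit path.
struct ScopedLocalFrame {
    MockEnv& env;
    bool ok;
    ScopedLocalFrame(MockEnv& e, int cap) : env(e), ok(e.PushLocalFrame(cap) == 0) {}
    ~ScopedLocalFrame() { if (ok) env.PopLocalFrame(nullptr); }
};

// Manual pairing: the early return skips the pop, so the frame leaks.
bool manualCall(MockEnv& env, bool earlyExit) {
    if (env.PushLocalFrame(16) != 0) return false;
    for (int i = 0; i < 16; ++i) env.NewLocalRef();
    if (earlyExit) return true;              // frame and its 16 refs stay live
    env.PopLocalFrame(nullptr);
    return true;
}

// Same work under the guard: every return releases the frame.
bool guardedCall(MockEnv& env, bool /*earlyExit*/) {
    ScopedLocalFrame frame(env, 16);
    if (!frame.ok) return false;
    for (int i = 0; i < 16; ++i) env.NewLocalRef();
    return true;
}

// Successful calls before PushLocalFrame fails, capped at `limit`.
int callsUntilFailure(bool (*fn)(MockEnv&, bool), int limit) {
    MockEnv env;
    for (int n = 0; n < limit; ++n) if (!fn(env, true)) return n;
    return limit;
}
int main() { std::printf("%d %d\n", callsUntilFailure(manualCall, 64), callsUntilFailure(guardedCall, 64)); }
```
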
https://hg.mozilla.org/mozilla-central/rev/d7dfd3217a54
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 29
Comment on attachment 8356177
Improve local ref management in AndroidBridge (v1.1)

[Approval Request Comment]

Bug caused by (feature/regressing bug #): N/A

User impact if declined: Crash doing certain tasks such as downloading files

Testing completed (on m-c, etc.): Locally, m-c

Risk to taking this patch (and alternatives if risky): Small; patch only fixes previous bugs and does not alter functionality

String or IDL/UUID changes made by this patch: None
Attachment #8356177 - Flags: approval-mozilla-beta?
Attachment #8356177 - Flags: approval-mozilla-aurora?
Attachment #8356177 - Flags: approval-mozilla-beta?
Attachment #8356177 - Flags: approval-mozilla-beta+
Attachment #8356177 - Flags: approval-mozilla-aurora?
Attachment #8356177 - Flags: approval-mozilla-aurora+