Closed Bug 807925 Opened 12 years ago Closed 12 years ago

crash in nsNPAPIPluginInstance::GetImageSize

Categories

(Core Graveyard :: Plug-ins, defect)

19 Branch
ARM
Android
defect
Not set
critical

Tracking

(firefox18 unaffected, firefox19 fixed)

RESOLVED FIXED
mozilla19

People

(Reporter: scoobidiver, Assigned: karlt)

Details

(Keywords: crash, regression, topcrash, Whiteboard: [native-crash])

Attachments

(1 file)

It first appeared in 19.0a1/20121101 and has been hit by 2 users.

The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bed18790882f&tochange=5bd5bb168eb1

It might be a regression from bug 797568.

Signature: nsNPAPIPluginInstance::GetImageSize(nsIntSize*)
UUID: 1d9e7e62-c443-4b8a-835f-dc3a42121101
Date Processed: 2012-11-01 19:52:52
Uptime: 19
Last Crash: 23 seconds before submission
Install Age: 7.7 hours since version was first installed.
Install Time: 2012-11-01 12:10:31
Product: FennecAndroid
Version: 19.0a1
Build ID: 20121101030705
Release Channel: nightly
OS: Android
OS Version: 0.0.0 Linux 2.6.39.4+ #1 SMP PREEMPT Thu Mar 29 23:01:48 CST 2012 armv7l acer/a500_ww_gen1/picasso:4.0.3/IML74K/1333032611:user/release-keys
Build Architecture: arm
Build Architecture Info:
Crash Reason: SIGSEGV
Crash Address: 0x2c
App Notes: AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra -- OpenGL ES 2.0 14.01002 -- Model: A500, Product: a500_ww_gen1, Manufacturer: Acer, Hardware: picasso'
EGL? EGL+
GL Context? GL Context+
GL Layers? GL Layers+
Acer A500
acer/a500_ww_gen1/picasso:4.0.3/IML74K/1333032611:user/release-keys
EMCheckCompatibility: True
Adapter Vendor ID: NVIDIA Corporation
Adapter Device ID: NVIDIA Tegra
Device: Acer A500
Android API Version: 15 (REL)
Android CPU ABI: armeabi-v7a

Frame Module Signature Source
0 libxul.so nsNPAPIPluginInstance::GetImageSize nsNPAPIPluginInstance.cpp:1213
1 libxul.so nsPluginInstanceOwner::IsUpToDate nsPluginInstanceOwner.h:255
2 libxul.so nsPluginInstanceOwner::NotifyPaintWaiter nsPluginInstanceOwner.cpp:144
3 libxul.so nsObjectFrame::BuildLayer nsObjectFrame.cpp:1615
4 libxul.so nsDisplayPlugin::BuildLayer nsObjectFrame.h:331
5 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:2058
6 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:1989
7 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:1989
8 libxul.so mozilla::FrameLayerBuilder::BuildContainerLayerFor FrameLayerBuilder.cpp:2870
9 libxul.so nsDisplayScrollLayer::BuildLayer nsDisplayList.cpp:2900
10 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:2058
11 libxul.so mozilla::FrameLayerBuilder::BuildContainerLayerFor FrameLayerBuilder.cpp:2870
12 libxul.so nsDisplayOwnLayer::BuildLayer nsDisplayList.cpp:2752
13 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:2058
14 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:1989
15 libxul.so mozilla::::ContainerState::ProcessDisplayItems FrameLayerBuilder.cpp:1989
16 libxul.so mozilla::FrameLayerBuilder::BuildContainerLayerFor FrameLayerBuilder.cpp:2870
17 libxul.so nsDisplayList::PaintForFrame const nsDisplayList.cpp:1063
18 libxul.so nsDisplayList::PaintRoot const nsDisplayList.cpp:983
19 libxul.so nsLayoutUtils::PaintFrame nsLayoutUtils.cpp:1853
20 libxul.so PresShell::Paint nsPresShell.cpp:5351
21 libxul.so nsViewManager::ProcessPendingUpdatesForView nsViewManager.cpp:439
22 libxul.so nsViewManager::ProcessPendingUpdates nsViewManager.cpp:1214
23 libxul.so nsRefreshDriver::Notify nsRefreshDriver.cpp:432
24 libxul.so nsTimerImpl::Fire nsTimerImpl.cpp:485
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsNPAPIPluginInstance%3A%3AGetImageSize%28nsIntSize*%29

"Crash Address" 0x2c is consistent with the offset of mRunning and a null nsNPAPIPluginInstance at
http://hg.mozilla.org/mozilla-central/annotate/a7537715edf9/dom/plugins/base/nsNPAPIPluginInstance.cpp#l1213

http://hg.mozilla.org/mozilla-central/rev/caad55e54b0b changed the order so that the null check on |container| is now after the NotifyPaintWaiter() call. |container| is null when there is no instance.
Assignee: nobody → karlt
Blocks: 797568
Restoring the previous order of method calls, but still only calling GetImageContainer if the container is likely to be used.
Attachment #678974 - Flags: review?(roc)
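
The diagnosis and ordering fix discussed above, as an added example that is not part of the bug thread and is not Mozilla's code. Instance, Owner, Outcome, BuildLayerRegressed and BuildLayerChecked are constructed names, the struct is padded so that mRunning lands at 0x2c, and the fault is reported as a return value rather than triggered.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in, not the real nsNPAPIPluginInstance layout: the padding
// places mRunning at offset 0x2c so the arithmetic matches the crash report.
struct Instance {
    unsigned char pad[0x2c];
    int mRunning;
};

// Reading inst->mRunning through a null pointer loads from 0 + offsetof(...),
// which is the "Crash Address" a SIGSEGV report would show.
constexpr std::uintptr_t NullReadAddress() { return offsetof(Instance, mRunning); }

// Triage heuristic: a fault address inside the first sizeof(T) bytes of the
// address space points at a member access on a null T*.
bool LooksLikeNullMemberRead(std::uintptr_t crashAddr) {
    return crashAddr < sizeof(Instance);
}

enum class Outcome { Painted, Skipped, WouldFault };

struct Owner {
    Instance* mInstance;  // null once the plugin instance is gone
    // Model of the container getter: no instance means no container.
    const void* GetImageContainer() const { return mInstance; }
    // Model of NotifyPaintWaiter(): it reads instance state unchecked, so it
    // reports the fault here instead of dereferencing a null pointer.
    Outcome NotifyPaintWaiter() const {
        return mInstance ? Outcome::Painted : Outcome::WouldFault;
    }
};

// Order described as the regression: notify first, null check afterwards.
Outcome BuildLayerRegressed(const Owner& o) {
    if (o.NotifyPaintWaiter() == Outcome::WouldFault) return Outcome::WouldFault;
    if (!o.GetImageContainer()) return Outcome::Skipped;  // check arrives too late
    return Outcome::Painted;
}

// Checked order: the null container stops the call before any instance read.
Outcome BuildLayerChecked(const Owner& o) {
    if (!o.GetImageContainer()) return Outcome::Skipped;
    return o.NotifyPaintWaiter();
}

int main() {
    std::printf("null read would fault at %#x\n", static_cast<unsigned>(NullReadAddress()));
}
```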
https://hg.mozilla.org/integration/mozilla-inbound/rev/f64ee963d915

I haven't tried to write a test. This seems specific to Android, perhaps because of the in-process image container model there. I'm guessing that getting into this situation would involve some race conditions with plugin destruction, but I don't know STR.

Probably better value for time than adding new tests for Android would be to start running existing tests, such as dom/plugins/test/mochitest.
Flags: in-testsuite-
It's #2 top crasher over the last three days.
tracking-fennec: --- → ?
Keywords: topcrash
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
tracking-fennec: ? → ---
Product: Core → Core Graveyard