319049 - SeaMonkey crashes when closing tab with QuickTime plugin [@ nsObjectLoadingContent::EnsureInstantiation]

Status: RESOLVED FIXED

(Core Graveyard :: Plug-ins, defect, P1)

Description

[Frank Wein [:mcsmurf]]

To reproduce:
0. Install QuickTime (plugin)
1. Load URL in a new tab
2. Wait for it to load (? not sure did not test with a incomplete load of the mp3 file)
3. Close tab

Results:
SeaMonkey crashes.

Stacktrace:
nsObjectLoadingContent::EnsureInstantiation(nsObjectLoadingContent * const 0x031ff8d8, nsIPluginInstance * * 0x0012d0d0) line 551 + 2 bytes
nsHTMLExternalObjSH::GetPluginInstance(nsHTMLExternalObjSH * const 0x00000000, nsIXPConnectWrappedNative * 0x031ff914, nsIPluginInstance * * 0x031ff8d8) line 8561 + 10 bytes
nsHTMLExternalObjSH::PostCreate(nsHTMLExternalObjSH * const 0x0330c088, nsIXPConnectWrappedNative * 0x025999a8, JSContext * 0x01e75100, JSObject * 0x033719f0) line 8600
XPCWrappedNative::GetNewOrUsed(XPCCallContext & {...}, nsISupports * 0x00f11258, XPCWrappedNativeScope * 0x01e694f8, XPCNativeInterface * 0x01e5eef0, XPCWrappedNative * * 0x0012d1cc) line 456
XPCConvert::NativeInterface2JSObject(XPCCallContext & {...}, nsIXPConnectJSObjectHolder * * 0x0012d1f4, nsISupports * 0x031ff94c, const nsID * 0x0012d330, JSObject * 0x01e694f8, int 1, unsigned int * 0x0012d37c) line 1107 + 23 bytes
XPCConvert::NativeData2JS(XPCCallContext & {...}, long * 0x0012d38c, const void * 0x00000000, const nsXPTType & {...}, const nsID * 0x0012d330, JSObject * 0x02c9e9e0, unsigned int * 0x0012d37c) line 468 + 25 bytes
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode -1832261230) line 2228 + 27 bytes
XPC_WN_GetterSetter(JSContext * 0x01e75100, JSObject * 0x02765910, unsigned int 0, long * 0x02765928, long * 0x0012d470) line 1476 + 11 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0, unsigned int 2) line 1211 + 17 bytes
js_InternalInvoke(JSContext * 0x032e38e4, JSObject * 0x02c9e9e0, long 46790752, unsigned int 0, unsigned int 0, long * 0x00000000, long * 0x0012d734) line 1308 + 13 bytes
js_InternalGetOrSet(JSContext * 0x01e75100, JSObject * 0x02c9e9e0, long 31664224, long 46790752, int 4, unsigned int 0, long * 0x00000000, long * 0x0012d734) line 1367 + 21 bytes
js_GetProperty(JSContext * 0x01e75100, JSObject * 0x02c9e9e0, long 31664224, long * 0x0012d734) line 2950 + 29 bytes
js_Interpret(JSContext * 0x01e75100, unsigned char * 0x032e38b4, long * 0x0012d7e0) line 5479 + 431 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 0, unsigned int 0) line 1231 + 12 bytes
js_Interpret(JSContext * 0x01e75100, unsigned char * 0x028dec18, long * 0x0012d9f0) line 3756
js_Invoke(JSContext * 0x00000001, unsigned int 1, unsigned int 2) line 1231 + 12 bytes
js_InternalInvoke(JSContext * 0x032e3858, JSObject * 0x028de4d8, long 53942312, unsigned int 0, unsigned int 1, long * 0x0012dbb8, long * 0x0012dbc8) line 1308 + 13 bytes
JS_CallFunctionValue(JSContext * 0x01e75100, JSObject * 0x028de4d8, long 53942312, unsigned int 1, long * 0x0012dbb8, long * 0x0012dbc8) line 4157 + 26 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x00000000, JSObject * 0x028de4d8, JSObject * 0x03371828, unsigned int 1, long * 0x0012dbb8, long * 0x0012dbc8) line 1424 + 22 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x01e75100, nsIDOMEvent * 0x02861db8) line 195 + 74 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsXBLPrototypeHandler * const 0x00000000, nsIDOMEventReceiver * 0x0333e158, nsIDOMEvent * 0x02861db8) line 507
nsXBLEventHandler::HandleEvent(nsXBLEventHandler * const 0x028cd648, nsIDOMEvent * 0x0333e158) line 86
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const 0x00000000, nsListenerStruct * 0x028cd6f8, nsIDOMEventListener * 0x028cd648, nsIDOMEvent * 0x02861db8, nsIDOMEventTarget * 0x0333e158, unsigned int 42343872, unsigned int 2) line 1685 + 12 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x028cd6c0, nsPresContext * 0x00000001, nsEvent * 0x0337b978, nsIDOMEvent * * 0x0012e46c, nsIDOMEventTarget * 0x0333e158, unsigned int 2, nsEventStatus * 0x0012e454) line 1792
nsXULElement::HandleDOMEvent(nsXULElement * const 0x00000000, nsPresContext * 0x01d79630, nsEvent * 0x0331dbb0, nsIDOMEvent * * 0x0012e46c, unsigned int 2, nsEventStatus * 0x0012e454) line 1931
nsXULElement::HandleDOMEvent(nsXULElement * const 0x00000000, nsPresContext * 0x01d79630, nsEvent * 0x033233f0, nsIDOMEvent * * 0x0012e46c, unsigned int 2, nsEventStatus * 0x0012e454) line 1952
nsXULElement::HandleDOMEvent(nsXULElement * const 0x00000000, nsPresContext * 0x01d79630, nsEvent * 0x033233f0, nsIDOMEvent * * 0x0012e46c, unsigned int 7, nsEventStatus * 0x0012e454) line 1952
nsEventStateManager::DispatchNewEvent(nsEventStateManager * const 0x01edf348, nsISupports * 0x028c1a98, nsIDOMEvent * 0x02861db8, int * 0x0012e4f0) line 4561
nsEventListenerManager::DispatchEvent(nsEventListenerManager * const 0x028c1a98, nsIDOMEvent * 0x02861db8, int * 0x0012e4f0) line 2138 + 18 bytes
nsDOMEventRTTearoff::DispatchEvent(nsDOMEventRTTearoff * const 0x0288ee60, nsIDOMEvent * 0x02861db8, int * 0x0012e4f0) line 700 + 15 bytes
XPTC_InvokeByIndex(nsISupports * 0x0288ee60, unsigned int 5, unsigned int 2, nsXPTCVariant * 0x0012e4e0) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 177072880) line 2139 + 22 bytes
XPC_WN_CallMethod(JSContext * 0x01e75100, JSObject * 0x028deaf0, unsigned int 1, long * 0x01d297c0, long * 0x01d29790) line 1444 + 10 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 1, unsigned int 0) line 1211 + 17 bytes
js_Interpret(JSContext * 0x01e75100, unsigned char * 0x02c9f678, long * 0x0012e9b4) line 3756
js_Invoke(JSContext * 0x00000001, unsigned int 1, unsigned int 2) line 1231 + 12 bytes
js_InternalInvoke(JSContext * 0x032e3814, JSObject * 0x028deaf0, long 42855272, unsigned int 0, unsigned int 1, long * 0x0012ec1c, long * 0x0012ec1c) line 1308 + 13 bytes
js_InternalGetOrSet(JSContext * 0x01e75100, JSObject * 0x028deaf0, long 31523800, long 42855272, int 8, unsigned int 1, long * 0x0012ec1c, long * 0x0012ec1c) line 1367 + 21 bytes
js_SetProperty(JSContext * 0x01e75100, JSObject * 0x028deaf0, long 31523800, long * 0x0012ec1c) line 3053 + 33 bytes
js_Interpret(JSContext * 0x01e75100, unsigned char * 0x032e3804, long * 0x0012ecc8) line 3587 + 632 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 1, unsigned int 2) line 1231 + 12 bytes
js_InternalInvoke(JSContext * 0x032e37bc, JSObject * 0x028de838, long 42854736, unsigned int 0, unsigned int 1, long * 0x0012ef30, long * 0x0012ef30) line 1308 + 13 bytes
js_InternalGetOrSet(JSContext * 0x01e75100, JSObject * 0x028de838, long 31523800, long 42854736, int 8, unsigned int 1, long * 0x0012ef30, long * 0x0012ef30) line 1367 + 21 bytes
js_SetProperty(JSContext * 0x01e75100, JSObject * 0x028de838, long 31523800, long * 0x0012ef30) line 3053 + 33 bytes
js_Interpret(JSContext * 0x01e75100, unsigned char * 0x032e37ac, long * 0x0012efdc) line 3587 + 632 bytes
js_Invoke(JSContext * 0x00000001, unsigned int 1, unsigned int 2) line 1231 + 12 bytes
js_InternalInvoke(JSContext * 0x01e75128, JSObject * 0x028dee78, long 53942032, unsigned int 0, unsigned int 1, long * 0x0012f1a4, long * 0x0012f1b4) line 1308 + 13 bytes
JS_CallFunctionValue(JSContext * 0x01e75100, JSObject * 0x028dee78, long 53942032, unsigned int 1, long * 0x0012f1a4, long * 0x0012f1b4) line 4157 + 26 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x00000000, JSObject * 0x028dee78, JSObject * 0x03371710, unsigned int 1, long * 0x0012f1a4, long * 0x0012f1b4) line 1424 + 22 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x01e75100, nsIDOMEvent * 0x03323398) line 195 + 74 bytes
nsEventListenerManager::HandleEventSubType(nsEventListenerManager * const 0x00000000, nsListenerStruct * 0x028eb5d0, nsIDOMEventListener * 0x028eb538, nsIDOMEvent * 0x03323398, nsIDOMEventTarget * 0x03379dc0, unsigned int 53621664, unsigned int 42906940) line 1685 + 12 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x028eb598, nsPresContext * 0x00000001, nsEvent * 0x0012f4f0, nsIDOMEvent * * 0x0012f3e8, nsIDOMEventTarget * 0x03379dc0, unsigned int 7, nsEventStatus * 0x0012f534) line 1792
nsXULElement::HandleDOMEvent(nsXULElement * const 0x00000000, nsPresContext * 0x01d79630, nsEvent * 0x032eefb8, nsIDOMEvent * * 0x0012f3e8, unsigned int 7, nsEventStatus * 0x0012f534) line 1931
PresShell::HandleDOMEventWithTarget(PresShell * const 0x01e4186c, nsIContent * 0x01e4186c, nsEvent * 0x0012f4f0, nsEventStatus * 0x0012f534) line 6101
nsButtonBoxFrame::DoMouseClick(nsButtonBoxFrame * const 0x00000000, nsGUIEvent * 0x0012f620, int 0) line 171
nsButtonBoxFrame::MouseClicked(nsButtonBoxFrame * const 0x00000000, nsPresContext * 0x01d79630, nsGUIEvent * 0x0012f620) line 60 + 11 bytes
nsButtonBoxFrame::HandleEvent(nsButtonBoxFrame * const 0x028b11c0, nsPresContext * 0x01d79630, nsGUIEvent * 0x0012f620, nsEventStatus * 0x0012f990) line 139
PresShell::HandleEventInternal(PresShell * const 0x00000000, nsEvent * 0x00000000, nsIView * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f990) line 6045 + 19 bytes
PresShell::HandleEventWithTarget(PresShell * const 0x01e5fb28, nsEvent * 0x0012f620, nsIFrame * 0x028b11c0, nsIContent * 0x028eb120, unsigned int 1, nsEventStatus * 0x0012f990) line 5918
nsEventStateManager::CheckForAndDispatchClick(nsEventStateManager * const 0x00000000, nsPresContext * 0x01d79630, nsMouseEvent * 0x028eb120, nsEventStatus * 0x0012f990) line 2971
nsEventStateManager::PostHandleEvent(nsEventStateManager * const 0x01edf348, nsPresContext * 0x01d79630, nsEvent * 0x0012fa64, nsIFrame * 0x028b11c0, nsEventStatus * 0x0012f990, nsIView * 0x01ef5e20) line 1959 + 13 bytes
PresShell::HandleEventInternal(PresShell * const 0x00000000, nsEvent * 0x00000000, nsIView * 0x01ef5e20, unsigned int 1, nsEventStatus * 0x0012f990) line 6074 + 25 bytes
PresShell::HandleEvent(PresShell * const 0x01e5fb28, nsIView * 0x01ef5e20, nsGUIEvent * 0x0012fa64, nsEventStatus * 0x0012f990, int 1, int & 27340272) line 5856 + 19 bytes
nsViewManager::HandleEvent(nsViewManager * const 0x00000000, nsView * 0x00000000, nsPoint {...}, nsGUIEvent * 0x0012fa64, int 1) line 2545
nsViewManager::DispatchEvent(nsViewManager * const 0x01ee0ad0, nsGUIEvent * 0x01ef5e20, nsEventStatus * 0x0012fa20) line 2237 + 41 bytes
HandleEvent(nsGUIEvent * 0x0012fa64) line 176
nsWindow::DispatchEvent(nsWindow * const 0x01dc3a84, nsGUIEvent * 0x0012fa64, nsEventStatus & nsEventStatus_eIgnore) line 1162 + 3 bytes
nsWindow::DispatchWindowEvent(nsWindow * const 0x00000000, nsGUIEvent * 0x00000000) line 1183
nsWindow::DispatchMouseEvent(nsWindow * const 0x00000000, unsigned int 301, unsigned int 0, long 6358252) line 6007
ChildWindow::DispatchMouseEvent(ChildWindow * const 0x00000000, unsigned int 301, unsigned int 0, long 6358252) line 6213 + 19 bytes
nsWindow::ProcessMessage(nsWindow * const 0x00000000, unsigned int 514, unsigned int 0, long 6358252, long * 0x0012fd78) line 4618 + 18 bytes
nsWindow::WindowProc(HWND__ * 0x002b02a4, unsigned int 514, unsigned int 0, long 31210116) line 1351 + 16 bytes
USER32! 77e3158f()
USER32! 77e31dc9()
USER32! 77e31e7e()
nsAppStartup::Run(nsAppStartup * const 0x00f7ecc0) line 208
main1(int 2, char * * 0x00000000, nsISupports * 0x00000000) line 1248 + 9 bytes
main(int 2, char * * 0x00242428) line 1737 + 22 bytes
WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x0013388e, HINSTANCE__ * 0x00400000) line 1761 + 23 bytes
SEAMONKEY! WinMainCRTStartup + 308 bytes
KERNEL32! 77e98989()

This is probably caused by Bug 315841.

Comment 1

[Christian :Biesinger (don't email me, ping me on IRC)]

Attachment: patch

mcsmurf, can you test this patch?

Comment 2

[Christian :Biesinger (don't email me, ping me on IRC)]

Comment on attachment 204958 [details] [diff] [review]
patch

I'm told this is working

Comment 3

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 204958 [details] [diff] [review]
patch

Indeed.  r+sr=bzbarsky

Comment 4

[Christian :Biesinger (don't email me, ping me on IRC)]

note that I'm not sure when I'll be able to checkin (possibly sometime tuesday california time), so if people want this in earlier, someone else will have to do it

Comment 5

[Boris Zbarsky [:bzbarsky]]

I checked this in for biesi.