Closed
Bug 422024
Opened 16 years ago
Closed 16 years ago
crashes in free called by _releasevariantvalue
Categories
(Core Graveyard :: Plug-ins, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dbaron, Assigned: pavlov)
Details
(Keywords: crash, topcrash)
Attachments
(1 file, 1 obsolete file)
2.12 KB,
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
One of the topcrashes in Fx3.0b4 is crashes in free called from http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/plugin/base/src/ns4xPlugin.cpp&rev=1.159&mark=1889#1889 These account for: * 3 of a sample of 10 of the crashes in RtlEnterCriticalSection (topcrash #2) * 1 of a sample of 10 of the crashes in free (topcrash #3) The four that I looked at: ea403114-ef1c-11dc-a707-001a4bd46e84 e4a84021-ef1c-11dc-92e3-001a4bd43ed6 d42e93e1-ef18-11dc-a301-001a4bd43e5c 4005345e-ef19-11dc-8538-001a4bd43ef6 all seem to be on Windows NT 5.1 service pack 2 (I think that's XP SP2), so it doesn't seem like the problem is bug 365986. The common part of the stack is: 0 free jemalloc.c:5915 1 _releasevariantvalue mozilla/modules/plugin/base/src/ns4xPlugin.cpp:1889 2 CallNPMethodInternal mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1385 3 CallNPMethod mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1394 4 js_Invoke
Comment 1•16 years ago
|
||
looks like this might be #4 top crash for beta5 In particular the common part of stack mentioned in comment zero that looks like 0 mozcrt19.dll free jemalloc.c:6067 1 xul.dll _releasevariantvalue mozilla/modules/plugin/base/src/ns4xPlugin.cpp:1889 2 xul.dll CallNPMethodInternal mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1385 3 xul.dll CallNPMethod mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp:1394 4 js3250.dll js_Invoke mozilla/js/src/jsinterp.c:1287 5 js3250.dll js_Interpret mozilla/js/src/jsinterp.c:4841 6 js3250.dll js_Invoke mozilla/js/src/jsinterp.c:1303 7 js3250.dll fun_apply mozilla/js/src/jsfun.c:1650 8 js3250.dll js_Interpret mozilla/js/src/jsinterp.c:4824 9 js3250.dll js_Invoke mozilla/js/src/jsinterp.c:1303 10 js3250.dll js_InternalInvoke mozilla/js/src/jsinterp.c:1359 is seen a lot with comment where people are on yahoo mail... > I am having consistent problems on Yahoo Webmail with these crashes for the last two betas. > Yahoo! mail really doesn't work right... this is like the fifth time in two days! > firefox 3 crashed when reading yahoo emails, especically a shipping notification email from newegg.com
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Assignee | ||
Updated•16 years ago
|
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Assignee | ||
Comment 3•16 years ago
|
||
this is the same really as the yahoo crash, but I'm going to put a patch in here.
Assignee | ||
Updated•16 years ago
|
Assignee: nobody → pavlov
Status: REOPENED → NEW
Assignee | ||
Updated•16 years ago
|
Flags: tracking1.9+
Priority: -- → P2
Hardware: PC → Other
Assignee | ||
Comment 4•16 years ago
|
||
we need something like this (untested)
sadly you shouldn't use #if for windows, just a bunch of getprocaddress calls, in order: GetModuleHandleEx (you've written this code), VirtualQuery +#ifdef MOZ_MEMORY_WINDOWS + void *ptr = (void *)s->utf8characters; HMODULE m = NULL; if (GetModuleHandleEx) + GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCTSTR)ptr, &m); else if (VirtualQuery) { /* http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.kernel/2005-01/0167.html http://www.microsoft.com/msj/archive/S1D4F.aspx */ PMEMORY_BASIC_INFORMATION bi; VirtualQuery((LPCVOID)ptr, &bi, sizeof bi); m = (HMODULE)bi.BaseAddress; } if (m) { + CRTFREE = (CRTFREE)GetProcAddress(m, "free"); + (CRTFREE)(ptr);
Assignee | ||
Comment 6•16 years ago
|
||
(In reply to comment #5) > sadly you shouldn't use #if for windows, just a bunch of getprocaddress calls, > in order: > huh?
Assignee | ||
Updated•16 years ago
|
Flags: tracking1.9+ → blocking1.9+
Updated•16 years ago
|
Severity: normal → critical
Comment 7•16 years ago
|
||
Progress on this, Stuart?
Comment 8•16 years ago
|
||
14:08 < stuart> i'm going to miss triage -- my bug (422024) will be fixed this afternoon
Updated•16 years ago
|
Whiteboard: [ETA 4/29]
Assignee | ||
Comment 9•16 years ago
|
||
I tried all the various module related functions and none of them work properly. This code isn't super cheap, but it should be called infrequently.
Attachment #315297 -
Attachment is obsolete: true
Attachment #318644 -
Flags: superreview?
Attachment #318644 -
Flags: review?
Comment 10•16 years ago
|
||
So, who's supposed to review this?
Assignee | ||
Updated•16 years ago
|
Attachment #318644 -
Flags: review? → review?(jst)
Comment 11•16 years ago
|
||
Comment on attachment 318644 [details] [diff] [review] fix r+sr=jst, but I wonder if it'd be worth adding code to put a notification on the error console every time this happens so that plugin vendors have a chance to notice this and fix their code. W/o that, there's little incentive for plugin vendors to ever even know they're mis-using the API...
Attachment #318644 -
Flags: superreview?
Attachment #318644 -
Flags: superreview+
Attachment #318644 -
Flags: review?(jst)
Attachment #318644 -
Flags: review+
Assignee | ||
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•