Closed Bug 498132 Opened 15 years ago Closed 15 years ago

Assertion: "Unknown NPVariant type!" will freeze Firefox 3.0.11 and 3.0.12pre on java.com with Java 6 update 14 installed

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Version:
1.9.0 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(status1.9.1 unaffected)

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
status1.9.1 --- unaffected

People

(Reporter: atb12345, Assigned: mayhemer)

References

(
URL
)

Details

(5 keywords)

Attachments

(4 files, 2 obsolete files)

WinDbg log file
25.33 KB, application/octet-stream
Details
Another Windbg stacktrace
7.27 KB, application/octet-stream
Details
WinDbg stack of a debug build
3.95 KB, text/plain
Details
Honza's fix, but isolated to this plugin only.
1.62 KB, patch
jaas
: review+
jst
: superreview+
dveditz
: approval1.9.0.12+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11

Clicking http://www.java.com/en/download/installed.jsp causes Firefox to freeze.  I have to kill it with the Task Manager.  The problem does not occur in Firefox 3.0.10

Reproducible: Always
Confirmed by many other users.
http://forums.mozillazine.org/viewtopic.php?f=9&t=1293885
Also freezes in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009061305 GranParadiso/3.0.12pre
Summary: Firefox 3.0.11 freezes with Java → Firefox 3.0.11, 3.0.12pre freezes with Java
Flags: blocking1.9.0.12?
wfm with Firefox 3.0.11 and Seamonkey 1.9.1 branch.
What's your OS, matti?  The five other reports confirming this problem in the Mozillazine topic [url=http://forums.mozillazine.org/viewtopic.php?f=9&t=1293885]FF 3.0.11 freezes with Java[/url] are all using Windows XP or Windows 2K using Java 1.6.0_13 or Java 1.6.0_14.  One Vista user reported no problem.
win2003 (xp,2003,vista,7,2k should not matter) and I retested with FF3.0.11, also no freeze.

Did you all tested in the safemode and/or a new profile ?
In that case use http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg with !analyze -v -hang
This is in a brand new profile.  I upgraded from Java
1.6.0_13 to Java 1.6.0_14 a few days ago with the Java updater.  "Java Control Panel > Advanced > Java Plug-in > Enable the next-generation Java Plug-in" is not ticked.  (But the freeze occurs even if it is ticked.  After a browser restart, of course.)

about:plugins shows these Java entries:
Java(TM) Platform SE 6 U14
File name: npjpi160_14.dll
Classic Java Plug-in 1.6.0_14 for Netscape and Mozilla

Java Deployment Toolkit 6.0.140.8
File name: npdeploytk.dll
NPRuntime Script Plug-in Library for Java(TM) Deploy

Java(TM) Platform SE 6 U14
File name: npoji610.dll
Classic Java Plug-in 1.6.0_14 for Netscape and Mozilla
I have upgraded to U14 and i have this plugins :
File name: C:\Programme\Java\jre6\bin\new_plugin\npjp2.dll
Next Generation Java Plug-in 1.6.0_14 for Mozilla browsers

and 

File name: C:\Programme\Java\jre6\bin\new_plugin\npdeploytk.dll
Java(TM) Platform SE binary
Attached file WinDbg log file 
WinDbg log file attached, using this build:
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
It looks like it's probably a JavaScript problem rather than a Java one.  If I disable JavaScript with Tools > Options, then the freeze does not occur on the URL I supplied.  Instead, the web page displays a message that JavaScript must be enabled.  None of the Java testing sites I've gone to indicate any problem.  I'm editing the bug title to reflect that it appears to be the site that's freezing Firefox 3.0.11 and Firefox 3.0.12pre on Windows XP, not Java.
Summary: Firefox 3.0.11, 3.0.12pre freezes with Java → Firefox 3.0.11, 3.0.12pre freeze on java.com
The freeze does not occur if I use the Add-ons manager to disable the Java Deployment Toolkit 6.0.140.8 plug-in.
File name: D:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
NPRuntime Script Plug-in Library for Java(TM) Deploy
Could it be a mimetype problem that has finally manifested in Fx 3.0.11?  This Sun bug report last modified Jan 2009 says they were going to change it to prevent a possible collision with a Mozilla internal mimetype, but it looks like Sun didn't change the mimetype of this plugin after all.
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6729238

Java Deployment Toolkit 6.0.140.8
File name: D:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
MIME Type application/npruntime-scriptable-plugin;DeploymentToolkit
I can confirm the freeze after clicking on the affected URL link, and that disabling the "Java Deployment Toolkit 6.0.140.08" allows the page to load correctly. This is on two Windows XP sp3 machines using firefox 3.0.11. This issue wasn't present in firefox version 3.0.10

This may or may not be related to this bug from SDN:
http://bugs.sun.com/bugdatabase/view_bu ... id=6729238
Sorry broken link above, but its the same as in the previous Comment(#11)
Currently back on 3.0.10.with no issues.

Exactly the same freezes with 3.0.11 on these links.

http://www.java.com/en/download/dt_verify.jsp?plugin=true&latest=true&users_jre=1.6.0_14

http://www.java.com/en/  click on: Downloads/Help Center/Do I Have Java

Also here.

http://browserspy.dk/    Click on 'Java' (test) in left column.
^On Windows XP sp3.
Since this problem does not exist in Firefox 3.0.10, I've added regression to Keywords.  I'm afraid I don't have the Internet bandwidth to find the regression window.  Would one of the other commenters be able to do this?  It might facilitate a fix.
Keywords: regression
Component: General → Plug-ins
Product: Firefox → Core
QA Contact: general → plugins
Version: unspecified → 1.9.0 Branch
new based on the dupe.
We still need a windbg trace of the hang
Status: UNCONFIRMED → NEW
Ever confirmed: true
Do you have this hang only on java.com or similar? Since I installed fx 3.0.11 I've got a lot of hangs on many sites (http://www.atpworldtour.com/, http://www.sonyericssonwtatour.com/) and it seems related to flash content (I've been recently using Flash player 10.0.22.87). It happens both in safe-mode and normal mode. 
Has anyone experienced the same troubles ? I've got a windbg trace of the hang, shall I post it here or in a new thread, since this one seems related to a Java issue ?
This appears to happen on ANY website which accesses the Java Deployment Toolkit (http://java.com/js/deployJava.js).
Also, it appears to ONLY occur on Windows XP (and possibly Windows 2000, according to some reporters).
Windows 2003 and Vista do not exhibit this problem.
I can confirm that disabling the following plugin fixes the problem without adversely affecting most other javascript functionality.

Java Deployment Toolkit 6.0.140.8

    File name: npdeploytk.dll
    NPRuntime Script Plug-in Library for Java(TM) Deploy
Al: Can you confirm this on Windows 2000 or XP?
Also: If we can get a regression range from someone using 3.0.11pre builds, that'd help a lot.

The only possibly similar bug I can think of is bug 489988... Olli?
We have the same problems with our Applets. 3.0.10 works fine and 3.0.11 doesn't load the Applets.
Win XP SP2
JRE 1.6.0_14

Navigating to : java.com/en/download/installed.jsp freezes the browser and the process needs to be killed using task manager. Tried on a Windows Vista and it seems work without any problems.
This is from the windbg log from comment #8 :

7783fc25 ntdll!RtlFreeHeap+0x60
76549a26 kernel32!HeapFree+0x14
039a2447 npdeploytk!NP_Shutdown+0x111f2
03992b25 npdeploytk!NP_Shutdown+0x18d0
039919aa npdeploytk!NP_Shutdown+0x755
03991e4e npdeploytk!NP_Shutdown+0xbf9
039919dc npdeploytk!NP_Shutdown+0x787
Opened log file 'c:\firefox-debug_0b14_2009-06-15_11-06-44-197.log'
0:000> lm
start    end        module name
00400000 0044d000   firefox    (private pdb symbols)  c:\symbols\firefox.pdb\B98465A72D2644489463DEA9CA12B16F2\firefox.pdb
60000000 600ae000   MOZCRT19   (private pdb symbols)  c:\symbols\mozcrt19.pdb\2126926F1DB546E291A60219BC41A6431\mozcrt19.pdb
600b0000 600e0000   nspr4      (private pdb symbols)  c:\symbols\nspr4.pdb\D5F7227600414C138F7CAFB88DED1CB01\nspr4.pdb
600e0000 600e7000   plds4      (private pdb symbols)  c:\symbols\plds4.pdb\D89D391483234F1586523C2ABF8D87381\plds4.pdb
600f0000 600f7000   plc4       (private pdb symbols)  c:\symbols\plc4.pdb\8C14826C45FB49EFACBC1BA98475759D1\plc4.pdb
60100000 601ad000   js3250     (private pdb symbols)  c:\symbols\js3250.pdb\382394C3026145A18722078977A7D90526\js3250.pdb
60210000 6027d000   sqlite3    (private pdb symbols)  c:\symbols\sqlite3.pdb\08D9B2E8856846858BF55059C33D6EE52\sqlite3.pdb
60340000 603ef000   nss3       (private pdb symbols)  c:\symbols\nss3.pdb\92EEB93F6235414197121954CB25547F1\nss3.pdb
603f0000 60404000   nssutil3   (private pdb symbols)  c:\symbols\nssutil3.pdb\00DA2D5242694F36AF276507E2DF9FFF1\nssutil3.pdb
60410000 60430000   ssl3       (private pdb symbols)  c:\symbols\ssl3.pdb\0958DD2B008B415FB2E861EABF5B25951\ssl3.pdb
60430000 60448000   smime3     (private pdb symbols)  c:\symbols\smime3.pdb\9B90483CFEA640BC88C64CFB2B43D6F71\smime3.pdb
60490000 60dfa000   xul        (private pdb symbols)  c:\symbols\xul.pdb\867C597A5651419DA6CD96B692EE9EAFc\xul.pdb
60e00000 60e07000   xpcom      (private pdb symbols)  c:\symbols\xpcom.pdb\E2F355C6ABEC405AA5EDE6896C5230BC3\xpcom.pdb
71aa0000 71aa8000   WS2HELP    (pdb symbols)          c:\symbols\ws2help.pdb\537CE830EFE94FE3A92C95153BDB71462\ws2help.pdb
71ab0000 71ac7000   WS2_32     (pdb symbols)          c:\symbols\ws2_32.pdb\07AC08831007408D919E0CCF1EA499BF2\ws2_32.pdb
71ad0000 71ad9000   WSOCK32    (pdb symbols)          c:\symbols\wsock32.pdb\E7B6C17E43604822813D3B65499B6C0F2\wsock32.pdb
73000000 73026000   WINSPOOL   (pdb symbols)          c:\symbols\winspool.pdb\97A6ECC94EA7450CA7D375BD9DFFCA5E2\winspool.pdb
74d90000 74dfb000   USP10      (pdb symbols)          c:\symbols\usp10.pdb\14C8D7F8AB3C48A4B95A73BAC9A6B02C1\usp10.pdb
76380000 76385000   MSIMG32    (pdb symbols)          c:\symbols\msimg32.pdb\E28D4258D66B428EB5D74279EB57A08F2\msimg32.pdb
76390000 763ad000   IMM32      (pdb symbols)          c:\symbols\imm32.pdb\2C17A49C251B4C8EB9E2AD13D7D9EA162\imm32.pdb
763b0000 763f9000   COMDLG32   (pdb symbols)          c:\symbols\comdlg32.pdb\4FCBEAD63D7345998C1F92D8DBB0DC272\comdlg32.pdb
76b40000 76b6d000   WINMM      (pdb symbols)          c:\symbols\winmm.pdb\4FC9F179964745CAA3C78D6FADFC28322\winmm.pdb
77120000 771ac000   OLEAUT32   (pdb symbols)          c:\symbols\oleaut32.pdb\149FB0C830BC400DBA99728EFB58A1132\oleaut32.pdb
773d0000 774d3000   COMCTL32   (pdb symbols)          c:\symbols\MicrosoftWindowsCommon-Controls-6.0.2600.2982-comctl32.pdb\C0A72EE9578847AAB7770CF02FFED0941\MicrosoftWindowsCommon-Controls-6.0.2600.2982-comctl32.pdb
774e0000 7761c000   ole32      (pdb symbols)          c:\symbols\ole32.pdb\092F43621A1A4763AF651D154C2AEEE02\ole32.pdb
77c00000 77c08000   VERSION    (pdb symbols)          c:\symbols\version.pdb\180A90C40384463E82DDC45B2C8AB76E2\version.pdb
77c10000 77c68000   msvcrt     (pdb symbols)          c:\symbols\msvcrt.pdb\A678F3C30DED426B839032B996987E381\msvcrt.pdb
77d40000 77dd0000   USER32     (pdb symbols)          c:\symbols\user32.pdb\036A117A6A5C43DE835AE71302E905042\user32.pdb
77dd0000 77e6b000   ADVAPI32   (pdb symbols)          c:\symbols\advapi32.pdb\455D6C5F184D45BBB5C5F30F829751142\advapi32.pdb
77e70000 77f01000   RPCRT4     (pdb symbols)          c:\symbols\rpcrt4.pdb\BEA45A721DA141DAA3BA86B3A20311532\rpcrt4.pdb
77f10000 77f56000   GDI32      (pdb symbols)          c:\symbols\gdi32.pdb\1FA0F418684D4EFA9F8447E4192B18522\gdi32.pdb
77f60000 77fd6000   SHLWAPI    (pdb symbols)          c:\symbols\shlwapi.pdb\FC9C70C875684C029646458419D14DDF2\shlwapi.pdb
7c800000 7c8f4000   kernel32   (pdb symbols)          c:\symbols\kernel32.pdb\FB334FB28FA34128BDE9229285BE4C2F2\kernel32.pdb
7c900000 7c9b0000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
7c9c0000 7d1d4000   SHELL32    (pdb symbols)          c:\symbols\shell32.pdb\2087DF0BBCC84D3F926626937555E4D52\shell32.pdb
0:000> g
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 10000000 10063000   C:\WINDOWS\system32\wxvault.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 71b20000 71b32000   C:\WINDOWS\system32\MPR.dll
ModLoad: 00930000 00935000   C:\WINDOWS\system32\detoured.dll
ModLoad: 48000000 48020000   C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
ModLoad: 62000000 6208d000   C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopResources_en.dll
ModLoad: 71a50000 71a8f000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 59a60000 59b01000   C:\WINDOWS\system32\dbghelp.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476b000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
eax=77c3b8c1 ebx=00000000 ecx=002739d8 edx=77c61ae8 esi=7c90e88e edi=00000001
eip=7c90eb94 esp=0012fe24 ebp=0012ff20 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90eb94 c3              ret
0:000> gn
       ^ No runnable debuggees error in 'gn'
Attaching the Windbg logs again, missed the exception analysis part earlier:

Opened log file 'c:\firefox-debug_0b14_2009-06-15_11-46-24-937.log'
0:000> lm
start    end        module name
00400000 0044d000   firefox    (deferred)             
60000000 600ae000   MOZCRT19   (deferred)             
600b0000 600e0000   nspr4      (deferred)             
600e0000 600e7000   plds4      (deferred)             
600f0000 600f7000   plc4       (deferred)             
60100000 601ad000   js3250     (deferred)             
60210000 6027d000   sqlite3    (deferred)             
60340000 603ef000   nss3       (deferred)             
603f0000 60404000   nssutil3   (deferred)             
60410000 60430000   ssl3       (deferred)             
60430000 60448000   smime3     (deferred)             
60490000 60dfa000   xul        (deferred)             
60e00000 60e07000   xpcom      (deferred)             
71aa0000 71aa8000   WS2HELP    (deferred)             
71ab0000 71ac7000   WS2_32     (deferred)             
71ad0000 71ad9000   WSOCK32    (deferred)             
73000000 73026000   WINSPOOL   (deferred)             
74d90000 74dfb000   USP10      (deferred)             
76380000 76385000   MSIMG32    (deferred)             
76390000 763ad000   IMM32      (deferred)             
763b0000 763f9000   COMDLG32   (deferred)             
76b40000 76b6d000   WINMM      (deferred)             
77120000 771ac000   OLEAUT32   (deferred)             
773d0000 774d3000   COMCTL32   (deferred)             
774e0000 7761c000   ole32      (deferred)             
77c00000 77c08000   VERSION    (deferred)             
77c10000 77c68000   msvcrt     (deferred)             
77d40000 77dd0000   USER32     (deferred)             
77dd0000 77e6b000   ADVAPI32   (deferred)             
77e70000 77f01000   RPCRT4     (deferred)             
77f10000 77f56000   GDI32      (deferred)             
77f60000 77fd6000   SHLWAPI    (deferred)             
7c800000 7c8f4000   kernel32   (deferred)             
7c900000 7c9b0000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
7c9c0000 7d1d4000   SHELL32    (deferred)             
0:000> g
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 10000000 10063000   C:\WINDOWS\system32\wxvault.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 71b20000 71b32000   C:\WINDOWS\system32\MPR.dll
ModLoad: 00930000 00935000   C:\WINDOWS\system32\detoured.dll
ModLoad: 48000000 48020000   C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
ModLoad: 62000000 6208d000   C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopResources_en.dll
ModLoad: 71a50000 71a8f000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 59a60000 59b01000   C:\WINDOWS\system32\dbghelp.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476b000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
eax=77c3b8c1 ebx=00000000 ecx=002739d8 edx=77c61ae8 esi=7c90e88e edi=00000001
eip=7c90eb94 esp=0012fe24 ebp=0012ff20 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c90eb94 c3              ret
0:000> kp
ChildEBP RetAddr  
0012fe20 7c90e89a ntdll!KiFastSystemCallRet
0012fe24 7c81ca5e ntdll!ZwTerminateProcess+0xc
0012ff20 7c81cab6 kernel32!_ExitProcess+0x62
0012ff34 6000179e kernel32!ExitProcess+0x14
0012ff40 60001b66 MOZCRT19!__crtExitProcess(int status = 1610619886)+0x2e [e:\fx19rel\winnt_5.2_depend\mozilla\obj-fx-trunk\memory\jemalloc\src\crt0dat.c @ 683]
0012ff78 60001bee MOZCRT19!doexit(int code = 1, int quick = 0, int retcaller = 0)+0x116 [e:\fx19rel\winnt_5.2_depend\mozilla\obj-fx-trunk\memory\jemalloc\src\crt0dat.c @ 596]
0012ff88 00401439 MOZCRT19!exit(int code = 2088856911)+0xe [e:\fx19rel\winnt_5.2_depend\mozilla\obj-fx-trunk\memory\jemalloc\src\crt0dat.c @ 398]
0012ffc0 7c816d4f firefox!__tmainCRTStartup(void)+0x169 [e:\fx19rel\winnt_5.2_depend\mozilla\obj-fx-trunk\memory\jemalloc\src\crtexe.c @ 605]
0012fff0 00000000 kernel32!BaseProcessStart+0x23
0:000> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Event is not an exception


Failure could not be analyzed

.lastevent
Last event: d4.b34: Exit process 0:d4, code 1
  debugger time: Mon Jun 15 11:46:33.996 2009 (GMT-4)
0:000> lm
start    end        module name
00400000 0044d000   firefox    (private pdb symbols)  c:\symbols\firefox.pdb\B98465A72D2644489463DEA9CA12B16F2\firefox.pdb
00930000 00935000   detoured   (deferred)             
10000000 10063000   wxvault    (deferred)             
48000000 48020000   GOEC62_1   (deferred)             
59a60000 59b01000   dbghelp    (deferred)             
5ad70000 5ada8000   uxtheme    (deferred)             
60000000 600ae000   MOZCRT19   (private pdb symbols)  c:\symbols\mozcrt19.pdb\2126926F1DB546E291A60219BC41A6431\mozcrt19.pdb
600b0000 600e0000   nspr4      (deferred)             
600e0000 600e7000   plds4      (deferred)             
600f0000 600f7000   plc4       (deferred)             
60100000 601ad000   js3250     (deferred)             
60210000 6027d000   sqlite3    (deferred)             
60340000 603ef000   nss3       (deferred)             
603f0000 60404000   nssutil3   (deferred)             
60410000 60430000   ssl3       (deferred)             
60430000 60448000   smime3     (deferred)             
60490000 60dfa000   xul        (deferred)             
60e00000 60e07000   xpcom      (deferred)             
62000000 6208d000   GoogleDesktopResources_en   (deferred)             
629c0000 629c9000   LPK        (deferred)             
71a50000 71a8f000   mswsock    (deferred)             
71aa0000 71aa8000   WS2HELP    (deferred)             
71ab0000 71ac7000   WS2_32     (deferred)             
71ad0000 71ad9000   WSOCK32    (deferred)             
71b20000 71b32000   MPR        (deferred)             
73000000 73026000   WINSPOOL   (deferred)             
74720000 7476b000   MSCTF      (deferred)             
74d90000 74dfb000   USP10      (deferred)             
76380000 76385000   MSIMG32    (deferred)             
76390000 763ad000   IMM32      (deferred)             
763b0000 763f9000   COMDLG32   (deferred)             
76b40000 76b6d000   WINMM      (deferred)             
76bf0000 76bfb000   PSAPI      (deferred)             
77120000 771ac000   OLEAUT32   (deferred)             
773d0000 774d3000   COMCTL32   (deferred)             
774e0000 7761c000   ole32      (deferred)             
77920000 77a13000   SETUPAPI   (deferred)             
77c00000 77c08000   VERSION    (deferred)             
77c10000 77c68000   msvcrt     (deferred)             
77d40000 77dd0000   USER32     (deferred)             
77dd0000 77e6b000   ADVAPI32   (deferred)             
77e70000 77f01000   RPCRT4     (deferred)             
77f10000 77f56000   GDI32      (deferred)             
77f60000 77fd6000   SHLWAPI    (deferred)             
7c800000 7c8f4000   kernel32   (pdb symbols)          c:\symbols\kernel32.pdb\FB334FB28FA34128BDE9229285BE4C2F2\kernel32.pdb
7c900000 7c9b0000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\36515FB5D04345E491F672FA2E2878C02\ntdll.pdb
7c9c0000 7d1d4000   SHELL32    (deferred)             
0:000> .restart /f
WARNING: Whitespace at end of path element
CommandLine: "C:\Program Files\Mozilla Firefox\firefox.exe"
WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\symbols*http://symbols.mozilla.org/firefox;srv*;SRV*c:\localsymbols\*http://msdl.microsoft.com/download/symbols;SRV*c:\localsymbols\*http://symbols.mozilla.org/firefox


Executable search path is: 
ModLoad: 00400000 0044d000   firefox.exe
ModLoad: 7c900000 7c9b0000   ntdll.dll
ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 60490000 60dfa000   C:\Program Files\Mozilla Firefox\xul.dll
ModLoad: 60210000 6027d000   C:\Program Files\Mozilla Firefox\sqlite3.dll
ModLoad: 60000000 600ae000   C:\Program Files\Mozilla Firefox\MOZCRT19.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 60100000 601ad000   C:\Program Files\Mozilla Firefox\js3250.dll
ModLoad: 600b0000 600e0000   C:\Program Files\Mozilla Firefox\nspr4.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 60430000 60448000   C:\Program Files\Mozilla Firefox\smime3.dll
ModLoad: 60340000 603ef000   C:\Program Files\Mozilla Firefox\nss3.dll
ModLoad: 603f0000 60404000   C:\Program Files\Mozilla Firefox\nssutil3.dll
ModLoad: 600f0000 600f7000   C:\Program Files\Mozilla Firefox\plc4.dll
ModLoad: 600e0000 600e7000   C:\Program Files\Mozilla Firefox\plds4.dll
ModLoad: 60410000 60430000   C:\Program Files\Mozilla Firefox\ssl3.dll
ModLoad: 7c9c0000 7d1d4000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 774e0000 7761c000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.dll
ModLoad: 76380000 76385000   C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll
ModLoad: 77120000 771ac000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 60e00000 60e07000   C:\Program Files\Mozilla Firefox\xpcom.dll
(25c.f78): Break instruction exception - code 80000003 (first chance)
eax=00191eb4 ebx=7ffdd000 ecx=00000006 edx=00000040 esi=00191f48 edi=00191eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc              int     3
0:000> .childdbg 1
Processes created by the current process will be debugged
0:000> sxn gp
0:000> .logopen /t c:\firefox-debug.log
Closing open log file c:\firefox-debug_0b14_2009-06-15_11-46-24-937.log
This is verified on Windows XP. Running Firefox 3.0.11 with the Java 1.6.0_14 causes a hang on
This is verified on Windows XP. Running Firefox 3.0.11 with the Java 1.6.0_14 causes a hang on http://www.java.com/en/download/installed.jsp. Doing the same with Firefox 3.0.10 does not hang.
I've attached another stacktrace. Not sure if it is usable though since I've never done it before.

I furthermore can confirm that this bug happens when http://java.com/js/deployJava.js. Is being used. This is quite bad since it actually is the Applet and Webstart deployment technique officially recommended by SUN (and thus used quite often). Sucessful execution of this script should be a prerequisite for any RC.
Alright. We need a regression range.

Anyone who sees this, please use the following link to download the "mozilla1.9.0" builds and see when this regressed:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2009/

It's important to know when so we can determine what caused this.

We probably don't need anymore Windbg stacktraces, but thanks to everyone for providing them.
Keywords: regressionwindow-wanted
The hang doesn't happen on all Java applets, as I've found through looking around.
I do notice on games on nintendo8.com, I get the following error and the applets don't run:

load: class AppletGui not found.
java.lang.ClassNotFoundException: AppletGui
	at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed:http://nintendo8.com/AppletGui.class
	at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unknown Source)
	at sun.plugin2.applet.Applet2ClassLoader.access$000(Unknown Source)
	at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	... 7 more
Exception: java.lang.ClassNotFoundException: AppletGui
I can't reproduce the hang on my debug builds.
And the bonsai query includes some commits which aren't probably in 04-21-05 build
I have modified the deployJava.js script to try to avoid the browser crash.
Try this link, and let me know if it crashes.

http://www.pinlady.net/tmp/modified_DeployJava.js.html
Keywords: hang
With a trunk build I get an assertion when trying to load the given page:

0:000> kp
ChildEBP RetAddr  
0012aaf4 003121e3 ntdll!DbgBreakPoint
0012ae14 00311cc2 xpcom_core!Break(char * aMsg = 0x0012ae34 "###!!! ASSERTION: Unknown NPVariant type!: 'Error', file c:/mozilla/minefield/modules/plugin/base/src/nsNPAPIPlugin.cpp, line 1798")+0x233 [c:\mozilla\minefield\xpcom\base\nsdebugimpl.cpp @ 489]

I'll attach the complete backtrace of windbg.
Keywords: assertion
Summary: Firefox 3.0.11, 3.0.12pre freeze on java.com → Assertion: "Unknown NPVariant type!" will freeze Firefox 3.0.11 and 3.0.12pre on java.com
And as a note: The same build doesn't crash with Java 6 update 13. So something could have been probably regressed in the latest Java version itself?
Summary: Assertion: "Unknown NPVariant type!" will freeze Firefox 3.0.11 and 3.0.12pre on java.com → Assertion: "Unknown NPVariant type!" will freeze Firefox 3.0.11 and 3.0.12pre on java.com with Java 6 update 14 installed
For the record, this doesn't happen with 3.5 / 1.9.1 branch.
The best URL at least for me is: http://browserspy.dk/java.php

Samuel, I can clearly reproduce it with Firefox 3.0.11 but not with the latest Shiretoko and Minefield nightly builds. But opening this page with a debug build of Minefield also constantly gives me the assertion. So I wonder if 1.9.1 is affected too. I don't have a debug build for Shiretoko yet. Have to build one before. :(
(In reply to comment #37)
> I have modified the deployJava.js script to try to avoid the browser crash.
> Try this link, and let me know if it crashes.
> http://www.pinlady.net/tmp/modified_DeployJava.js.html

I do not crash loading that one -- what did you modify? If it doesn't affect functionality maybe we could get Sun to modify the live copy at http://java.com/js/deployJava.js
I changed this:

for (var i = 0; i < plugin.jvms.getLength(); i++) {
                  list[i] = plugin.jvms.get(i).version;
}


To this:

var jvms = plugin.jvms;
for (var i = 0; i < jvms.getLength(); i++) {
                list[i] = jvms.get(i).version;
}
The current working theory (based on your change) is that this is a regression from bug 487204. Trying to make a debug build to test this theory.

The patch in bug 487204 is pretty simple and self-obviously unharmful, but it may be exposing some bug elsewhere or in the plugin itself.
Blocks: 487204
(In reply to comment #45)
> The current working theory (based on your change) is that this is a regression
> from bug 487204. Trying to make a debug build to test this theory.

So this is also on trunk and 1.9.1. JFI I can see the same assertion on 1.9.1 too.
We need to block on this one way or another for 1.9.0.12. Not sure if we need to fix the assertion on 1.9.1/1.9.2, but flagging for that as well...
Flags: wanted1.9.1.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.2?
Flags: blocking1.9.0.12?
Flags: blocking1.9.0.12+
Keywords: regressionwindow-wanted
Whiteboard: [needs owner]
Flags: in-testsuite?
Flags: in-litmus?
I can confirm this issue on the Java.com site as well as my home site http://www.fuser.com, need a fix ASAP....
(In reply to comment #36)
> Maybe bug 456705?

I wouldn't say so. I'm trying to reproduce with debug build of 3.0.12pre, no luck. I can see the assertion failure only. The variant passed looks like a completely broken instance.

JS stack:

0 anonymous() ["http://browserspy.dk/js/deployJava.js":31]
    plugin = [object HTMLEmbedElement @ 0x686d518 (native @ 0x7418268)]
    this = [object Object]
1 anonymous() ["http://browserspy.dk/js/deployJava.js":2]
    browser = undefined
    i = undefined
    plugin = undefined
    list =
    this = [object Object]
2 detectJRE() ["http://browserspy.dk/java.php":148]
    i = undefined
    result = undefined
    list = undefined
    this = [object Window @ 0x44ff778 (native @ 0x44fd3ec)]
3 <TOP LEVEL> ["http://browserspy.dk/java.php":159]
    this = [object Window @ 0x44ff778 (native @ 0x44fd3ec)]
There is a tryserver build available without the JS patches at:
https://build.mozilla.org/tryserver-builds/opettay@mozilla.com-java_hang_js_bckt/

I tried this build on Windows XP and everything works. No hang anymore when loading the browserspy page.
That tryserver build backed out both Bug 426520 and Bug 487204.
We are not hanging on that assertion or an invalid variant type. We hang in HeapFree when a broken variant presents it self as NPVariantType_String. I figured out that in release mode we get lot's of broken variants passed to this function. Looks like we ignore some failure result when getting/creating a variant. I haven't seen a variant being released twice or something like that.

There is probably no way to get symbols for npdeploytk.dll, isn't it?
 
Just FYI... the bug in question disappeared yesterday, but re-appeared today.  Still works fine in IE8.
Moving to the JS component. We really need an owner here.
Assignee: nobody → general
Component: Plug-ins → JavaScript Engine
QA Contact: plugins → general
(In reply to comment #57)
> We are not hanging on that assertion or an invalid variant type. We hang in
> HeapFree when a broken variant presents it self as NPVariantType_String. I
> figured out that in release mode we get lot's of broken variants passed to this
> function. Looks like we ignore some failure result when getting/creating a
> variant. I haven't seen a variant being released twice or something like that.
> 
> There is probably no way to get symbols for npdeploytk.dll, isn't it?

I debugged the npdeploytk.dll with source code.
In npdeploytk.dll, it calls NPN_InvokeDefault() on an NPObject that returns a
bool to a result variant. For some reason, after successful
NPN_InvokeDefault(), the variant is not received the right result which is
supposed to be a boolean variant. 

A workaround is to set the result variant to void before NPN_InvokeDefault()
call. This seems to fix the hang problem
I don't see how this is JS -- sounds from the bug like it's in our plugin code's handling of variants?
Assignee: general → nobody
Component: JavaScript Engine → Plug-ins
QA Contact: general → plugins
Hao Dong: great you have figured out what's going on. can you provide a patch + potentially an automated test for this, please?
Assignee: nobody → hao.dong
Status: NEW → ASSIGNED
(In reply to comment #62)
> Hao Dong: great you have figured out what's going on. can you provide a patch +
> potentially an automated test for this, please?

npdeploytk.dll is part of Sun's JRE. Sun is probably going to patch it in the next update release and code more defensively in npdeploytk.dll to avoid such issues.

In the meantime, we need help from Mozilla to understand why NPN_InvokeDefault(NPP npp, NPObject *npobj, const NPVariant *args, uint32_t argCount, NPVariant *result) call does not set the return value to the result variant. It used to work before FF 3.0.11.
Hao: Josh can probably help with that. Josh?

Is there any way you can update the JS on java.com with the changes in comment 44? There's no difference functionally and it should solve a bunch of sites that include that file.
It appears that the Sun folks have already updated deployJava.js to include my suggested change:

http://java.com/js/deployJava.js

I have also updated my Java detection site at:
http://www.pinlady.net/PluginDetect/JavaDetect.htm

But you may have to clear your browser cache before visiting any Java sites that crashed Firefox, to make sure you are getting the updated js.
Confirming the assertion failure is gone. We have no more a test case.
What about browserspy.dk? Has it been changed too?
The following still crashes (after clearing cache):

http://pluraserver.com/?affiliate=a1653b46-efe9-ac95-d977-121844725f45&cpu=0.7

It works fine in 3.5.
I don't have a Windows environment to debug this so I can't help much right now.

Hao - interesting that setting the result to void before the InvokeDefault call helps, because after checking for a valid context, object, and result pointer we set the result to void - "VOID_TO_NPVARIANT(*result);".
Attached patch try this, v1.0 (obsolete) — Splinter Review 
This patch is based on my reading of Hao's comments and our source code, I have not done any debugging whatsoever. Can somebody tell me if this patch gets rid of the hang? We wouldn't want to take this patch exactly but for a test it should work fine.
I try to make a minimalized version. Here is a first version:

http://web.inter.nl.net/users/L.B.Kruijswijk/ffjavadetectcrash.html

It is not yet finished. Code is obfusicated, so it takes some effort.

It hangs immediately in 3.0.11 and not in 3.5.

Note, that this crashes only in the detection of Java. It does not actually
start Java. In 3.5, I don't see any start of Java in this simplified version.

Lucas
Here is the original deployJava.js that crashes Firefox 3.0.11:

http://www.pinlady.net/tmp/original_DeployJava.js.html


Here is the modified deployJava.js that should not cause any Firefox crash:

http://www.pinlady.net/tmp/modified_DeployJava.js.html
This is the minimum script I could make (it is also on the site, 2 posts earlier):

<html>
<head>
</head>
<body>
<script type="text/javascript">

// Minimum crash script for Firefox 3.0.11.

var div=document.createElement("div")
document.body.appendChild(div)
div.innerHTML="<object type=\"application/npruntime-scriptable-plugin;DeploymentToolkit\"></object>"
var obj=div.firstChild
var len=obj.jvms.getLength()
for(var x=0;x<len;x++){
    obj.jvms.get(x)
}

</script>
</body>
</html>
When I look to the fix of #44, then it is the multiple 'obj.jvms' that is killing.

You can even further simplify the script as follows:

var div=document.createElement("div")
document.body.appendChild(div)
div.innerHTML="<object type=\"application/npruntime-scriptable-plugin;DeploymentToolkit\"></object>"
var obj=div.firstChild
for(var x=0;x<10;x++) obj.jvms

However, if I unroll the loop, it won't crash anymore.
Attached patch v1 (obsolete) — Splinter Review 
I'm enable to reproduce with the scripts you provide.

I'm able to reproduce on browserspy.

This is fixing the assertion failure and also the crash/hang.
Assignee: hao.dong → honzab.moz
Attachment #384227 - Attachment is obsolete: true
Attachment #384487 - Flags: review?(jst)
Whiteboard: [needs owner] → [needs r=jst]
Attachment #384487 - Flags: review?(joshmoz)
Attachment #384487 - Attachment is obsolete: true
Attachment #384487 - Flags: review?(jst)
Attachment #384487 - Flags: review?(joshmoz)
Comment on attachment 384487 [details] [diff] [review]
v1

I'm fine with doing this to work around this problem, but I'd prefer to do this only for this particular plugin rather than doing this for all plugins and letting them start depending on this workaround.

Sun still needs to fix the bug in the plugin, to not ever return success here w/o properly initializing the out param etc, but I doubt that fix will be available before 3.0.12 goes out, so I think we should go ahead and work around this.

I'll attach a modified version of Honza's fix here.

        Attachment #384783 -
        Flags: superreview+

        Attachment #384783 -
        Flags: review?(joshmoz)

    
  

        Attachment #384783 -
        Flags: review?(joshmoz) → review+

    
    

    
  
Comment on attachment 384783 [details] [diff] [review]
Honza's fix, but isolated to this plugin only.

Maybe add parenthesis around the strcmp == 0 so precedence is more obvious.

    
    

    
  
Precedence of == against && is usually not misunderstood, but perhaps the issue here is that long string literal, pushing the == 0 way over? If so a single-use static const char kMagicMimeType[] = "..." constant might help.

/be

        Attachment #384783 -
        Flags: approval1.9.0.12+

    
    

    
  
Comment on attachment 384783 [details] [diff] [review]
Honza's fix, but isolated to this plugin only.

Approved for 1.9.0.12, a=dveditz

We definitely want this for the 1.9.0 branch. We probably want to land on the 1.9.1 branch too just in case the same broken plugin causes problems there, too. I'm assuming you don't want this on trunk, otherwise we could have gone with the simpler v1 patch and fixed any future broken plugins too.

    
    

    
  
(In reply to comment #76)
> Sun still needs to fix the bug in the plugin, to not ever return success here
> w/o properly initializing the out param etc, but I doubt that fix will be
> available before 3.0.12 goes out, so I think we should go ahead and work around
> this.

We should file a new bug to track the removal of this hack once Sun has fixed it in an upcoming version of Java.

    
    

    
  
Checking in modules/plugin/base/src/ns4xPlugin.cpp;
/cvsroot/mozilla/modules/plugin/base/src/ns4xPlugin.cpp,v  <--  ns4xPlugin.cpp
new revision: 1.167; previous revision: 1.166

Will leave bug open until we decide whether we do or don't want this on trunk/1.9.1
Keywords: fixed1.9.0.12

    
    

    
  
Verified for 1.9.0.12 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12pre) Gecko/2009070606 GranParadiso/3.0.12pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.12verified1.9.0.12

    
    

    
  
By the way, shouldn't this be "resolved" so I can mark it "verified" since it is a 1.9.0 only bug?
Flags: wanted1.9.1.x?
Flags: wanted1.9.1.x-
Flags: blocking1.9.1.1-

    
    

    
  
Resolving this as worksforme on trunk.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME

          status1.9.1:
          --- → unaffected
Flags: wanted1.9.1.x-

    
    

    
  
Maybe blocklist old Java versions since it's fixed in the latest?

    
  
Flags: blocking1.9.2?
Whiteboard: [needs r=jst]
Flags: in-testsuite?
Flags: in-litmus?
Flags: in-litmus-

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: