Closed Bug 543917 Opened 14 years ago Closed 14 years ago

[OOPP] Segfault with totem plugin and .mov streams

Categories: Core Graveyard :: Plug-ins, defect
Platform: x86, Linux
Type: defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED DUPLICATE of bug 532208
People: Reporter: cjones, Unassigned
Whiteboard: [OOPPTestday]
Attachments: 1 file

Attached file valgrind log
While looking into bug 543802, I installed the VLC plugin, but apparently my existing install of the totem plugin "won" for playing .mov files.  However, totem still crashed in an interesting way.

See the STR in bug 543802.

 Parent
-------------------------------------------------------------------------------
Program /home/cjones/mozilla/ff-dbg/dist/bin/mozilla-runtime (pid = 10237) received signal 11.
(gdb) bt
#0  0x00007fbe263a5f51 in nanosleep () from /lib/libc.so.6
#1  0x00007fbe263a5da0 in __sleep (seconds=<value optimized out>) at ../sysdeps/unix/sysv/linux/sleep.c:138
#2  0x00007fbe2aa7078f in ah_crap_handler (signum=11) at /home/cjones/mozilla/mozilla-central/toolkit/xre/nsSigHandlers.cpp:164
#3  0x00007fbe2aa74e5d in nsProfileLock::FatalSignalHandler (signo=11, info=0x7fff0afcfef0, context=0x7fff0afcfdc0) at nsProfileLock.cpp:221
#4  <signal handler called>
#5  0x00007fbe2666cf08 in main_arena () from /lib/libc.so.6
#6  0x00007fbe2bde2988 in mozilla::plugins::PBrowserStreamParent::OnCallReceived (this=0xef3f20, msg=..., reply=@0x7fff0afd03f0) at PBrowserStreamParent.cpp:298
#7  0x00007fbe2bdc63a1 in mozilla::plugins::PPluginModuleParent::OnCallReceived (this=0x2026cd0, msg=..., reply=@0x7fff0afd03f0) at PPluginModuleParent.cpp:424
#8  0x00007fbe2bdbfb58 in mozilla::ipc::RPCChannel::DispatchIncall (this=0x2026ce0, call=...) at /home/cjones/mozilla/mozilla-central/ipc/glue/RPCChannel.cpp:373
#9  0x00007fbe2bdbfa71 in mozilla::ipc::RPCChannel::Incall (this=0x2026ce0, call=..., stackDepth=1) at /home/cjones/mozilla/mozilla-central/ipc/glue/RPCChannel.cpp:358
#10 0x00007fbe2bdbf19b in mozilla::ipc::RPCChannel::Call (this=0x2026ce0, msg=0x21ee430, reply=0x7fff0afd05a0) at /home/cjones/mozilla/mozilla-central/ipc/glue/RPCChannel.cpp:206
#11 0x00007fbe2bde203f in mozilla::plugins::PBrowserStreamParent::CallNPP_Write (this=0xef3f20, offset=@0x7fff0afd0654, data=..., consumed=0x7fff0afd067c) at PBrowserStreamParent.cpp:106
#12 0x00007fbe2bdb7513 in mozilla::plugins::BrowserStreamParent::Write (this=0xef3f20, offset=42646, len=8192, buffer=0x21cb500) at /home/cjones/mozilla/mozilla-central/dom/plugins/BrowserStreamParent.cpp:74
#13 0x00007fbe2bda8a5e in mozilla::plugins::PluginModuleParent::NPP_Write (instance=0x1f322a0, stream=0x222e5f8, offset=42646, len=8192, buffer=0x21cb500) at /home/cjones/mozilla/mozilla-central/dom/plugins/PluginModuleParent.cpp:333
#14 0x00007fbe2ba9d028 in nsNPAPIPluginStreamListener::OnDataAvailable (this=0x222e5b0, pluginInfo=0xedffa0, input=0x1fd9c50, length=5336) at /home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsNPAPIPluginInstance.cpp:657
#15 0x00007fbe2baa628c in nsPluginStreamListenerPeer::OnDataAvailable (this=0x1949ca0, request=0x2179f10, aContext=0x0, aIStream=0x1fd9c50, sourceOffset=34454, aLength=21720) at /home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsPluginHost.cpp:1371
#16 0x00007fbe2abd75d8 in nsStreamListenerTee::OnDataAvailable (this=0x1fd9c10, request=0x2179f10, context=0x0, input=0x20a5778, offset=34454, count=21720) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsStreamListenerTee.cpp:107
#17 0x00007fbe2ac96f91 in nsHttpChannel::OnDataAvailable (this=0x2179ec0, request=0x20a58c0, ctxt=0x0, input=0x20a5778, offset=34454, count=21720) at /home/cjones/mozilla/mozilla-central/netwerk/protocol/http/src/nsHttpChannel.cpp:5363
#18 0x00007fbe2ab9f5d1 in nsInputStreamPump::OnStateTransfer (this=0x20a58c0) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:508
#19 0x00007fbe2ab9f125 in nsInputStreamPump::OnInputStreamReady (this=0x20a58c0, stream=0x20a5778) at /home/cjones/mozilla/mozilla-central/netwerk/base/src/nsInputStreamPump.cpp:398
#20 0x00007fbe2bf3a34f in nsInputStreamReadyEvent::Run (this=0x21e88f0) at /home/cjones/mozilla/mozilla-central/xpcom/io/nsStreamUtils.cpp:112
#21 0x00007fbe2bf6795d in nsThread::ProcessNextEvent (this=0x769d00, mayWait=0, result=0x7fff0afd0b7c) at /home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:527
#22 0x00007fbe2bef8030 in NS_ProcessNextEvent_P (thread=0x769d00, mayWait=0) at nsThreadUtils.cpp:250
#23 0x00007fbe2bdbda60 in mozilla::ipc::MessagePump::Run (this=0x75fb70, aDelegate=0x75fdc0) at /home/cjones/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:118
#24 0x00007fbe2be6a065 in MessageLoop::RunInternal (this=0x75fdc0) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:211
#25 0x00007fbe2be69fea in MessageLoop::RunHandler (this=0x75fdc0) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:194
#26 0x00007fbe2be69f7b in MessageLoop::Run (this=0x75fdc0) at /home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:168
#27 0x00007fbe2bc68ff5 in nsBaseAppShell::Run (this=0xf390b0) at /home/cjones/mozilla/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:174
#28 0x00007fbe2b9c756d in nsAppStartup::Run (this=0xfbb5a0) at /home/cjones/mozilla/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:183
#29 0x00007fbe2aa6261a in XRE_main (argc=3, argv=0x7fff0afd1518, aAppData=0x6a51a0) at /home/cjones/mozilla/mozilla-central/toolkit/xre/nsAppRunner.cpp:3476
#30 0x0000000000401302 in main (argc=4, argv=0x7fff0afd1518) at /home/cjones/mozilla/mozilla-central/browser/app/nsBrowserApp.cpp:158
(gdb) f 11
#11 0x00007fbe2bde203f in mozilla::plugins::PBrowserStreamParent::CallNPP_Write (this=0xef3f20, offset=@0x7fff0afd0654, data=..., consumed=0x7fff0afd067c) at PBrowserStreamParent.cpp:106
Current language:  auto
The current source language is "auto; currently c++".
(gdb) p this
$1 = (class mozilla::plugins::PBrowserStreamParent * const) 0xef3f20
(gdb) f 6
#6  0x00007fbe2bde2988 in mozilla::plugins::PBrowserStreamParent::OnCallReceived (this=0xef3f20, msg=..., reply=@0x7fff0afd03f0) at PBrowserStreamParent.cpp:298
(gdb) p actor
$2 = (class mozilla::plugins::PBrowserStreamParent *) 0xef3f20
(gdb) f 6
#6  0x00007fbe2bde2988 in mozilla::plugins::PBrowserStreamParent::OnCallReceived (this=0xef3f20, msg=..., reply=@0x7fff0afd03f0) at PBrowserStreamParent.cpp:298
(gdb) p *actor
$3 = {
  <mozilla::ipc::RPCChannel::RPCListener> = {
    <mozilla::ipc::SyncChannel::SyncListener> = {
      <mozilla::ipc::AsyncChannel::AsyncListener> = {
        <mozilla::ipc::HasResultCodes> = {<No data fields>}, 
        members of mozilla::ipc::AsyncChannel::AsyncListener: 
        _vptr.AsyncListener = 0x2183c00
      }, <No data fields>}, <No data fields>}, 
  <mozilla::ipc::IProtocolManager<mozilla::ipc::RPCChannel::RPCListener>> = {
    _vptr.IProtocolManager = 0x7fbe2ce16e38
  }, 
  members of mozilla::plugins::PBrowserStreamParent: 
  mChannel = 0x2026ce0, 
  mId = 1, 
  mManager = 0xef1fd0
}
(gdb) p actor->mId
$4 = 1


 Child
-------------------------------------------------------------------------------
Thread 5 (Thread 0x7f65caf33910 (LWP 10238)):
#0  pthread_cond_wait@@GLIBC_2.3.2 ()
    at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:261
#1  0x00007f65d3bd2fa8 in PR_WaitCondVar (cvar=0x1f3de50, timeout=4294967295)
    at /home/cjones/mozilla/mozilla-central/nsprpub/pr/src/pthreads/ptsynch.c:417
#2  0x00007f65d5c6d316 in mozilla::CondVar::Wait (this=0x1f45d00, 
    interval=4294967295) at BlockingResourceBase.cpp:373
#3  0x00007f65d5b37471 in mozilla::ipc::SyncChannel::WaitForNotify (
    this=0x1f45cc8)
    at /home/cjones/mozilla/mozilla-central/ipc/glue/SyncChannel.cpp:218
#4  0x00007f65d5b31bab in mozilla::ipc::RPCChannel::Call (this=0x1f45cc8, 
    msg=0x2617aa0, reply=0x7f65caf321e0)
    at /home/cjones/mozilla/mozilla-central/ipc/glue/RPCChannel.cpp:119
#5  0x00007f65d5b9504b in mozilla::plugins::PBrowserStreamChild::Call__delete__
    (actor=0x1fecc00, reason=@0x7f65caf3228c, artificial=@0x7f65caf322cf)
    at PBrowserStreamChild.cpp:125
#6  0x00007f65d5b17d0a in _destroystream (aNPP=0x20e7570, aStream=0x1fecc38, 
    aReason=0)
    at /home/cjones/mozilla/mozilla-central/dom/plugins/PluginModuleChild.cpp:797
#7  0x00007f65c3b92e67 in totemPlugin::UnsetStream (this=0x20e7830)
    at totemPlugin.cpp:1089
#8  0x00007f65d0f2dd2f in ?? () from /usr/lib/libdbus-glib-1.so.2
#9  0x00007f65d0aa35ae in IA__g_closure_invoke (closure=0x1fee500, 
    return_value=0x0, n_param_values=3, param_values=0x20e7d90, 
    invocation_hint=0x7f65caf324a0)
    at /build/buildd/glib2.0-2.22.3/gobject/gclosure.c:767
#10 0x00007f65d0ab8983 in signal_emit_unlocked_R (node=0x1f6e3f0, 
    detail=<value optimized out>, instance=<value optimized out>, 
    emission_return=<value optimized out>, 
    instance_and_params=<value optimized out>)
    at /build/buildd/glib2.0-2.22.3/gobject/gsignal.c:3247
#11 0x00007f65d0ab9d39 in IA__g_signal_emit_valist (instance=0x26f0d20, 
    signal_id=<value optimized out>, detail=678, var_args=0x7f65caf32690)
    at /build/buildd/glib2.0-2.22.3/gobject/gsignal.c:2980
#12 0x00007f65d0aba283 in IA__g_signal_emit (instance=0x1f3de5c, 
    signal_id=128, detail=29)
    at /build/buildd/glib2.0-2.22.3/gobject/gsignal.c:3037
#13 0x00007f65d0f2ed7c in ?? () from /usr/lib/libdbus-glib-1.so.2
#14 0x00007f65d0ced396 in dbus_connection_dispatch () from /lib/libdbus-1.so.3
#15 0x00007f65d0f25bd5 in ?? () from /usr/lib/libdbus-glib-1.so.2
#16 0x00007f65d080abce in g_main_dispatch (context=0x26cea90)
    at /build/buildd/glib2.0-2.22.3/glib/gmain.c:1960
#17 IA__g_main_context_dispatch (context=0x26cea90)
    at /build/buildd/glib2.0-2.22.3/glib/gmain.c:2513
#18 0x00007f65d080e598 in g_main_context_iterate (context=0x26cea90, 
    block=<value optimized out>, dispatch=<value optimized out>, 
    self=<value optimized out>)
    at /build/buildd/glib2.0-2.22.3/glib/gmain.c:2591
#19 0x00007f65d080e6c0 in IA__g_main_context_iteration (context=0x26cea90, 
    may_block=1) at /build/buildd/glib2.0-2.22.3/glib/gmain.c:2654
#20 0x00007f65d59b78be in nsAppShell::ProcessNextNativeEvent (this=0x2708c00, 
    mayWait=1)

The valgrind log has numerous use-after-free errors, but the relevant part is


==10558==  Address 0x1bb54cd8 is 24 bytes inside a block of size 64 free'd
==10558==    at 0x4C24A7A: operator delete(void*) (vg_replace_malloc.c:346)
==10558==    by 0x6971214: mozilla::plugins::BrowserStreamParent::~BrowserStreamParent() (BrowserStreamParent.cpp:19)
==10558==    by 0x695B4F1: mozilla::plugins::PluginInstanceParent::DeallocPBrowserStream(mozilla::plugins::PBrowserStreamParent*) (PluginInstanceParent.cpp:153)
==10558==    by 0x699C57A: mozilla::plugins::PBrowserStreamParent::Call__delete__(mozilla::plugins::PBrowserStreamParent*, short const&, bool const&) (PBrowserStreamParent.cpp:204)
==10558==    by 0x695C458: mozilla::plugins::PluginInstanceParent::NPP_DestroyStream(_NPStream*, short) (PluginInstanceParent.cpp:635)
==10558==    by 0x69629BE: mozilla::plugins::PluginModuleParent::NPP_DestroyStream(_NPP*, _NPStream*, short) (PluginModuleParent.cpp:308)
==10558==    by 0x6655FFD: nsNPAPIPluginStreamListener::CleanUpStream(short) (nsNPAPIPluginInstance.cpp:278)
==10558==    by 0x66575DC: nsNPAPIPluginStreamListener::OnStopBinding(nsIPluginStreamInfo*, unsigned int) (nsNPAPIPluginInstance.cpp:803)
==10558==    by 0x664F304: mozilla::plugins::parent::_destroystream(_NPP*, _NPStream*, short) (nsNPAPIPlugin.cpp:1222)
==10558==    by 0x6971613: mozilla::plugins::BrowserStreamParent::NPN_DestroyStream(short) (BrowserStreamParent.cpp:95)
==10558==    by 0x697142F: mozilla::plugins::BrowserStreamParent::Answer__delete__(short const&, bool const&) (BrowserStreamParent.cpp:50)
==10558==    by 0x699C949: mozilla::plugins::PBrowserStreamParent::OnCallReceived(IPC::Message const&, IPC::Message*&) (PBrowserStreamParent.cpp:293)


Totem calls __delete__ on the stream, which ends up in _destroystream() in the browser.  But *that* decides to *also* call NPP_DestroyStream(), and we get the first use-after-free when the in-call pops off the stack.

There's also an RPC race reported: it appears to be a race between _destroystream() and NPP_Write().  That would explain the other use-after-free errors.  The crash is probably just random memory corruption from all the PBrowserStream shenanigans.

Protecting against dtor re-entry from nsNPAPI* is pretty easy.  The "real bug" here is covered by bug 532208.  I'll give a little thought as to whether it's worth hacking in a quick fix.

(In reply to comment #1)
> I'll give a little thought as to whether it's
> worth hacking in a quick fix.

I tentatively lean towards "no", unless we start seeing this pattern in topcrashes.  The "hack" would involve refcounting BrowserStreams and doing some rather gross re-entry checks.  I prefer to fix this at the IPDL/protocol level.
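An added example, not code from this bug or from Mozilla: a small C++ model of the re-entrant destroy described in comment #1 and of the "refcounting BrowserStreams" guard that comment #2 mentions. Every class and function name here is a hypothetical stand-in for PBrowserStreamParent, _destroystream() and NPP_DestroyStream(); the model tracks liveness by an integer id and only flags the would-be use-after-free rather than touching freed memory.

```cpp
// Added example (not Mozilla code). Models: plugin __delete__ in-call ->
// browser _destroystream() -> NPP_DestroyStream() -> dealloc, while the
// in-call is still on the stack. All names are hypothetical stand-ins.
#include <cstdio>
#include <initializer_list>
#include <set>
#include <string>
#include <vector>

static std::set<int> g_liveStreams;        // ids of stream actors not yet freed
static std::vector<std::string> g_trace;   // what happened, in order
static int g_nextId = 1;

struct StreamActor;

// Browser-side glue: the page's _destroystream(), which "also" calls NPP_DestroyStream().
struct BrowserGlue {
    void DestroyStream(StreamActor* s);
};

struct StreamActor {
    BrowserGlue* browser;
    int id;
    int refCount = 1;            // the owner's (manager's) reference only

    explicit StreamActor(BrowserGlue* b) : browser(b), id(g_nextId++) {
        g_liveStreams.insert(id);
    }
    ~StreamActor() { g_liveStreams.erase(id); g_trace.push_back("dealloc"); }

    void AddRef() { ++refCount; }
    void Release() { if (--refCount == 0) delete this; }

    // Models Answer__delete__: the plugin's __delete__ in-call arrives, the
    // actor asks the browser to destroy the stream, then keeps running.
    // With holdRef, the in-call pins the object for its own duration.
    int AnswerDelete(bool holdRef) {
        const int myId = id;                 // copy out before anything can free us
        if (holdRef) AddRef();
        browser->DestroyStream(this);        // may re-enter NPP_DestroyStream below
        if (g_liveStreams.count(myId) == 0) {
            // Freed underneath the running in-call: the use-after-free valgrind
            // reports. Flagged here instead of dereferenced.
            g_trace.push_back("use-after-free");
            return -1;
        }
        g_trace.push_back("in-call finished");
        if (holdRef) Release();              // last use of this; may dealloc now
        return 0;
    }

    // Models NPP_DestroyStream -> Call__delete__ -> DeallocPBrowserStream:
    // the owner drops its reference.
    void NPP_DestroyStream() {
        g_trace.push_back("NPP_DestroyStream");
        Release();
    }
};

void BrowserGlue::DestroyStream(StreamActor* s) {
    g_trace.push_back("_destroystream");
    s->NPP_DestroyStream();
}

// Runs one scenario from a fresh trace; returns AnswerDelete's result.
int runScenario(bool holdRef) {
    g_trace.clear();
    BrowserGlue browser;
    StreamActor* stream = new StreamActor(&browser);
    return stream->AnswerDelete(holdRef);
}

const std::vector<std::string>& trace() { return g_trace; }

// Number of "dealloc" entries in the last trace (exactly one in both scenarios).
int deallocCount() {
    int n = 0;
    for (const std::string& e : g_trace) if (e == "dealloc") ++n;
    return n;
}

int main() {
    for (bool holdRef : {false, true}) {
        int rc = runScenario(holdRef);
        std::printf("holdRef=%d rc=%d trace:", holdRef ? 1 : 0, rc);
        for (const std::string& e : g_trace) std::printf(" %s", e.c_str());
        std::printf("\n");
    }
    return 0;
}
```

Without the held reference the nested NPP_DestroyStream path frees the actor while the __delete__ in-call is still on the stack, which is the first use-after-free in the valgrind log above; holding a reference for the duration of the in-call defers the single deallocation until the in-call has returned. This is the cheap guard comment #2 declines in favour of a fix at the IPDL/protocol level, and it does nothing about the _destroystream()/NPP_Write() race that explains the remaining valgrind errors.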

I agree, the cost of the hack would be high, and fixing this for real using IPDL discard is probably going to be less work overall.

The workaround for bug 532208 fixes this segfault.

Want SUBSUMED
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
No longer blocks: 544058
No longer blocks: 545186
Product: Core → Core Graveyard