Closed Bug 1093330 Opened 5 years ago Closed 2 years ago

Delayed plugin input events sometimes crash when handled

Categories

(Core :: Plug-ins, defect, critical)

All
macOS
defect
Not set
critical

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: smichaud, Unassigned, Mentored)

Details

(Whiteboard: [lang=objc])

Crash Data

The NPCocoaEvent structure contains a number of fields for input events that (under the hood) are reference counted native objects:

NPNSString *NPCocoaEvent.data.key.characters
NPNSString *NPCocoaEvent.data.key.charactersIgnoringModifiers
NPNSString *NPCocoaEvent.data.text.text

(An NSNSString* is basically an NSString* or a CFStringRef.)

The processing of any input event (including plugin events) can be delayed, in either of these two locations:

https://hg.mozilla.org/mozilla-central/annotate/a458860efad7/layout/base/nsPresShell.cpp#l7340
https://hg.mozilla.org/mozilla-central/annotate/a458860efad7/layout/base/nsPresShell.cpp#l7606

No provision is made for incrementing or decrementing the reference counts of these native objects when the handling of an input event is delayed.  As a result we sometimes crash.

Here are a few examples:

https://crash-stats.mozilla.com/report/list?signature=objc_msgSend+%7C+IPC%3A%3AParamTraits%3C_NPNSString%2A%3E%3A%3AWrite%28IPC%3A%3AMessage%2A%2C+_NPNSString%2A+const%26%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2014-11-03+22%3A00%3A00&range_value=4#reports

https://crash-stats.mozilla.com/report/list?signature=libobjc.A.dylib%400x10dd&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&platform=mac&version=Firefox%3A34.0b5&hang_type=any&date=2014-11-03+22%3A00%3A00&range_value=1#reports

Due to longstanding bugs and design flaws in Socorro, it's exceedingly difficult to tell how many of these crashes we have, or when they started.

The bug itself (actually a design flaw) is old -- it goes back to our first implementation of delayed input events.  But I don't think we've seen many crashes.  At least they haven't come to my attention before.

They have now, though.  And there's some evidence they have increased recently.
Crash Signature: [@ objc_msgSend | IPC::ParamTraits<_NPNSString*>::Write(IPC::Message*, _NPNSString* const&) ] [@ libobjc.A.dylib@0x10dd ]
I'll get to this eventually.  But I won't cry if someone else takes it away from me.
Assignee: nobody → smichaud
I just ran into this crash while uploading a file to Jenkins: https://crash-stats.mozilla.com/report/index/2cc51b83-16fb-4caa-8872-8bc4b2141201
Assignee: smichaud → nobody
Mentor: smichaud
Whiteboard: [lang=objc]
Crash Signature: [@ objc_msgSend | IPC::ParamTraits<_NPNSString*>::Write(IPC::Message*, _NPNSString* const&) ] [@ libobjc.A.dylib@0x10dd ] → [@ objc_msgSend | IPC::ParamTraits<_NPNSString*>::Write(IPC::Message*, _NPNSString* const&) ] [@ libobjc.A.dylib@0x10dd ] [@ objc_msgSend | IPC::ParamTraits<T>::Write ]
Resolving old bugs which are likely not relevant any more, since NPAPI plugins are deprecated.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.