Asynchronous Plugin Init crashes due to invalid NPStreams

RESOLVED FIXED in Firefox 39

Status

()

Core
Plug-ins
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: Guilherme Lima, Assigned: aklotz)

Tracking

({crash})

39 Branch
mozilla40
crash
Points:
---

Firefox Tracking Flags

(firefox38 disabled, firefox39+ fixed, firefox40 fixed)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
This bug was filed from the Socorro interface and is 
report bp-7dfd0e4b-6116-4cd9-96d1-70ca92150330.
=============================================================

I don't have STR, unfortunately.

Another crash report is https://crash-stats.mozilla.com/report/index/aefc121d-d46e-455d-8c60-4f5cc2150328

Both happened after I turned dom.ipc.plugins.asyncInit to true - I'm on Nightly but have e10s off.
I'm going to move this to be a catch-all bug for a bunch of crash signatures that I'm seeing. They all point to the same thing: The PluginAsyncSurrogate is referencing NPStreams that are not longer valid.
Assignee: nobody → aklotz
Blocks: 1116806
Status: NEW → ASSIGNED
Crash Signature: [@ mozilla::plugins::BrowserStreamParent::BrowserStreamParent(mozilla::plugins::PluginInstanceParent*, _NPStream*)] → [@ mozilla::plugins::BrowserStreamParent::BrowserStreamParent(mozilla::plugins::PluginInstanceParent*, _NPStream*)] [@ mozilla::plugins::PluginAsyncSurrogate::NotifyAsyncInitFailed()] [@ mozilla::plugins::PluginAsyncSurrogate::DestroyAsyncStream(…
status-firefox38: --- → disabled
status-firefox39: --- → affected
status-firefox40: --- → affected
OS: Windows 7 → All
Hardware: x86 → All
Version: Trunk → 39 Branch
Created attachment 8587050 [details] [diff] [review]
Don't manipulate plugin streams when destruction is imminent

From all of those crash signatures, I am seeing either:
1) NPP_Destroy is pending, so it doesn't make sense to send deferred NPP_NewStreams or to call back into the browser to destroy them; or
2) The plugin instance owner is gone, so NPP_Destroy hasn't been called yet but it is pending. Again, we should not try anything since the streams are being destroyed by the browser anyway.
Attachment #8587050 - Flags: review?(jmathies)

Updated

2 years ago
Attachment #8587050 - Flags: review?(jmathies) → review+
Summary: crash in mozilla::plugins::BrowserStreamParent::BrowserStreamParent(mozilla::plugins::PluginInstanceParent*, _NPStream*) → Asynchronous Plugin Init crashes due to invalid NPStreams
https://hg.mozilla.org/integration/mozilla-inbound/rev/62bb8ecd5237
Comment on attachment 8587050 [details] [diff] [review]
Don't manipulate plugin streams when destruction is imminent

Approval Request Comment
[Feature/regressing bug #]: async plugin init
[User impact if declined]: crashes when plugin teardown overlaps with async init
[Describe test coverage new/current, TreeHerder]: Locally
[Risks and why]: Low, trivial fixes for a well understood problem
[String/UUID change made/needed]: None
Attachment #8587050 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/62bb8ecd5237
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox40: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla40

Comment 6

2 years ago
[Tracking Requested - why for this release]:
Crashes with the signatures on this bug are killing us on 39 Dev Edition right now (and plugin crashes and hangs have been rising a lot as well since 39 was shipped to that channel). Can this patch please be uplifted? Or is there something else we need there?
tracking-firefox39: --- → ?

Comment 7

2 years ago
"are killing us right now" means that 60% of all 39 Dev Edition crashes are in those signatures at this time.
Comment on attachment 8587050 [details] [diff] [review]
Don't manipulate plugin streams when destruction is imminent

Approving for 39 since this has been stable on m-c for days and is a high impact crash.
Attachment #8587050 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
tracking-firefox39: ? → +
https://hg.mozilla.org/releases/mozilla-aurora/rev/e8ed559c3ebe
status-firefox39: affected → fixed

Comment 10

2 years ago
Is the fix effective in 39 because the crash rate doesn't seem to go down in aurora.

Comment 11

2 years ago
There's still crashes with this signature in the builds after this landed, including the builds from yesterday and today.

Comment 12

2 years ago
Aaron, should we get a new bug on file for what still exists with this signature or should we reopen this one?
Flags: needinfo?(aklotz)
There are other bugs being worked on for asynchronous initialization of plugin streams. Bug 1152890 only landed in Aurora yesterday so its effects are not being observed yet on crashstats. There is also bug 1151804 which is currently under review.

Both of those patches will indirectly affect those signatures, so I'd like to hold off on doing anything until bug 1151804 is uplifted.
Flags: needinfo?(aklotz)

Comment 14

2 years ago
[Tracking Requested - why for this release]:Nope problem is on FF latest 38beta. Crash was on site http://www.mmoga.com/advanced_search.php?keywords=diablo&x=0&y=0&currency=EUR This site use Adobe Flash.

Crash report: https://crash-stats.mozilla.com/report/index/32d6ac8d-5f32-4cbf-93f7-d53bf2150417

My settings:
accessibility.typeaheadfind.flashBar	0
browser.cache.disk_cache_ssl	false
browser.cache.disk.capacity	358400
browser.cache.disk.filesystem_reported	1
browser.cache.disk.parent_directory	F:\.Mozilla FF Cache BK-201
browser.cache.disk.smart_size.first_run	false
browser.cache.disk.smart_size.use_old_max	false
browser.cache.frecency_experiment	1
browser.cache.memory.capacity	-1
browser.cache.use_new_backend	1
browser.download.importedFromSqlite	true
browser.download.useDownloadDir	false
browser.places.smartBookmarksVersion	7
browser.search.useDBForOrder	true
browser.sessionstore.upgradeBackup.latestBuildID	20150416143048
browser.startup.homepage	https://www.google.pl/
browser.startup.homepage_override.buildID	20150416143048
browser.startup.homepage_override.mstone	38.0
browser.tabs.animate	false
browser.tabs.closeWindowWithLastTab	false
browser.urlbar.delay	70
browser.urlbar.trimURLs	false
dom.disable_open_during_load	false
dom.ipc.plugins.asyncInit	true
dom.ipc.plugins.flash.disable-protected-mode	true
dom.ipc.plugins.hangUIMinDisplaySecs	15
dom.ipc.plugins.hangUITimeoutSecs	16
dom.ipc.plugins.sandbox-level.flash	1
dom.ipc.plugins.sandbox-level.java	1
dom.ipc.plugins.sandbox-level.npdeployjava	1
dom.ipc.plugins.sandbox-level.nppl	1
dom.ipc.plugins.sandbox-level.nprndlhtml5videoshim	1
dom.ipc.plugins.sandbox-level.nprpplugin	1
dom.ipc.plugins.sandbox-level.npvlc	1
dom.max_chrome_script_run_time	60
dom.max_script_run_time	30
dom.mozApps.used	true
dom.mozBrowserFramesEnabled	true
dom.mozTCPSocket.enabled	true
dom.secureelement.enabled	true
dom.serviceWorkers.enabled	true
dom.w3c_pointer_events.enabled	true
extensions.lastAppVersion	38.0
font.language.group	x-unicode
gfx.direct2d.disabled	true
gfx.direct3d.last_used_feature_level_idx	0
gfx.font_rendering.cleartype_params.rendering_mode	3
gfx.font_rendering.directwrite.enabled	true
layers.d3d11.disable-warp	true
media.fragmented-mp4.gonk.enabled	true
media.gmp-eme-adobe.autoupdate	true
media.gmp-eme-adobe.hidden	false
media.gmp-eme-adobe.lastUpdate	1429117872
media.gmp-eme-adobe.version	8
media.gmp-gmpopenh264.autoupdate	false
media.gmp-gmpopenh264.enabled	true
media.gmp-gmpopenh264.lastUpdate	1429257802
media.gmp-gmpopenh264.provider.enabled	true
media.gmp-gmpopenh264.version	1.4
media.gmp-manager.buildID	20150416143048
media.gmp-manager.lastCheck	1429271410
media.gmp.insecure.allow	true
media.hardware-video-decoding.enabled	true
media.mediasource.eviction_threshold	78643200
media.mediasource.webm.enabled	true
media.mediasource.whitelist	false
media.peerconnection.identity.enabled	true
media.peerconnection.video.h264_enabled	true
media.track.enabled	true
media.webspeech.recognition.enable	true
media.webspeech.synth.enabled	true
media.windows-media-foundation.play-stand-alone	false
media.windows-media-foundation.use-dxva	false
network.cookie.prefsMigrated	true
network.predictor.cleaned-up	true
places.database.lastMaintenance	1429258144
places.history.expiration.transient_current_max_pages	104858
plugin.allow.asyncdrawing	true
plugin.disable_full_page_plugin_for_types	application/pdf
plugin.importedState	true
plugin.state.java	2
plugin.state.np-mswmp	1
plugin.state.np32dsw	1
plugin.state.npadobeaamdetect	0
plugin.state.npadobeexmandetectx	0
plugin.state.nparcpluginff	1
plugin.state.npbattlelog	1
plugin.state.npbrowserplugin	0
plugin.state.npctrl	2
plugin.state.npdeployjava	1
plugin.state.npdivx	1
plugin.state.npgeplugin	1
plugin.state.npgoogletalk	2
plugin.state.npgoogleupdate	2
plugin.state.npmigfpi	0
plugin.state.npo1d	2
plugin.state.npovshelper	1
plugin.state.nppdf	0
plugin.state.nppl	0
plugin.state.npqtplugin	1
plugin.state.nprndlhtml5videoshim	0
plugin.state.nprpplugin	0
plugin.state.npvlc	2
plugin.state.npwachk	0
plugin.state.npwatweb	1
plugin.state.npwlpg	1
plugins.load_appdir_plugins	true
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_bgcolor	false
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_bgimages	false
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_colorspace	
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_command	
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_downloadfonts	false
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_duplex	1515870810
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_edge_bottom	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_edge_left	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_edge_right	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_edge_top	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_evenpages	true
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_footercenter	
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_footerleft	&PT
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_footerright	&D
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_headercenter	
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_headerleft	&T
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_headerright	&U
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_in_color	true
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_margin_bottom	0.5
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_margin_left	0.5
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_margin_right	0.5
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_margin_top	0.5
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_oddpages	true
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_orientation	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_page_delay	50
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_paper_data	9
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_paper_height	11,00
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_paper_name	
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_paper_size_type	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_paper_size_unit	1
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_paper_width	8,50
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_plex_name	
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_resolution	1515870810
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_resolution_name	
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_reversed	false
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_scaling	1,00
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_shrink_to_fit	true
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_to_file	false
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_unwriteable_margin_bottom	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_unwriteable_margin_left	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_unwriteable_margin_right	0
print.printer_\\MARIANW7-PC\Canon_Inkjet_MP540_series.print_unwriteable_margin_top	0
privacy.cpd.extensions-dta	true
privacy.cpd.offlineApps	true
privacy.cpd.siteSettings	true
privacy.donottrackheader.enabled	true
privacy.sanitize.migrateFx3Prefs	true
privacy.sanitize.timeSpan	0
privacy.trackingprotection.enabled	true
storage.vacuum.last.index	1
storage.vacuum.last.places.sqlite	1428622611
status-firefox38: disabled → ---
tracking-firefox38: --- → ?

Comment 15

2 years ago
Really? I just checked in crash stats and the crash seems to have fallen off radar in 39 and neither i see it in 38.
(In reply to mkdante381 from comment #14)
> [Tracking Requested - why for this release]:Nope problem is on FF latest
> 38beta. Crash was on site
> http://www.mmoga.com/advanced_search.
> php?keywords=diablo&x=0&y=0&currency=EUR This site use Adobe Flash.
> 
> Crash report:
> https://crash-stats.mozilla.com/report/index/32d6ac8d-5f32-4cbf-93f7-
> d53bf2150417
> 
> My settings:
snip
> dom.ipc.plugins.asyncInit	true

Async plugin init is disabled by default on Beta 38 and is not a supported configuration at this time. The fixes being made to this bug and others are not being uplifted to Beta.
tracking-firefox38: ? → ---
status-firefox38: --- → disabled
You need to log in before you can comment on or make changes to this bug.