Closed
Bug 1182919
Opened 9 years ago
Closed 9 years ago
crash in nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsBaseWidget::AddChild(nsIWidget*)
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(e10s?, firefox40 unaffected, firefox41+ fixed, firefox42+ fixed, firefox-esr31 unaffected, firefox-esr38 unaffected)
RESOLVED
FIXED
mozilla42
Release | Tracking | Status |
---|---|---|
e10s | ? | --- |
firefox40 | --- | unaffected |
firefox41 | + | fixed |
firefox42 | + | fixed |
firefox-esr31 | --- | unaffected |
firefox-esr38 | --- | unaffected |
People
(Reporter: u279076, Assigned: jimm)
References
Details
(Keywords: crash, sec-critical, Whiteboard: [b2g-adv-main2.5-])
Crash Data
This bug was filed from the Socorro interface and is report bp-ef31a836-e574-4ece-8334-2a5932150712.
=============================================================
0 libxul.so nsCOMPtr_base::assign_with_AddRef(nsISupports*) xpcom/glue/nsCOMPtr.h
1 libxul.so nsBaseWidget::AddChild(nsIWidget*) widget/nsBaseWidget.cpp
2 libxul.so mozilla::widget::PluginWidgetProxy::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsWidgetInitData*) widget/PluginWidgetProxy.cpp
3 libxul.so mozilla::dom::TabChild::CreatePluginWidget(nsIWidget*, nsIWidget**) dom/ipc/TabChild.cpp
4 libxul.so nsPluginInstanceOwner::CreateWidget() dom/plugins/base/nsPluginInstanceOwner.cpp
5 libxul.so nsPluginHost::CreateWidget(nsPluginInstanceOwner*) dom/plugins/base/nsPluginHost.cpp
6 libxul.so nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) dom/plugins/base/nsPluginHost.cpp
7 libxul.so nsObjectLoadingContent::InstantiatePluginInstance(bool) dom/base/nsObjectLoadingContent.cpp
8 libxul.so nsObjectLoadingContent::SyncStartPluginInstance() dom/base/nsObjectLoadingContent.cpp
9 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
10 libxul.so NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
11 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
12 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
13 libxul.so nsBaseAppShell::Run() widget/nsBaseAppShell.cpp
14 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp
15 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
16 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp
17 plugin-container content_process_main(int, char**) ipc/contentproc/plugin-container.cpp
Ø 18 libc-2.19.so libc-2.19.so@0x21b44
19 plugin-container _init
20 plugin-container malloc_good_size memory/build/replace_malloc.c
21 plugin-container __libc_csu_fini
22 plugin-container malloc_good_size memory/build/replace_malloc.c
23 plugin-container _start
=============================================================
More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsCOMPtr_base%3A%3Aassign_with_AddRef%28nsISupports*%29+|+nsBaseWidget%3A%3AAddChild%28nsIWidget*%29

Hit this crash today on Debian 8.1 64-bit with Firefox 42.0a1 20150712030212 with Flash 11.2.202.481. All I did was load engadget.com and the tab crashed while loading. Restoring the tab did not reproduce the crash.
Hit this again, this time on Dropbox.com when the sign-up dialog appeared:
0 libxul.so nsCOMPtr_base::assign_with_AddRef(nsISupports*) xpcom/glue/nsCOMPtr.h
1 libxul.so nsBaseWidget::AddChild(nsIWidget*) widget/nsBaseWidget.cpp
2 libxul.so mozilla::widget::PluginWidgetProxy::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsWidgetInitData*) widget/PluginWidgetProxy.cpp
3 libxul.so mozilla::dom::TabChild::CreatePluginWidget(nsIWidget*, nsIWidget**) dom/ipc/TabChild.cpp
4 libxul.so nsPluginInstanceOwner::CreateWidget() dom/plugins/base/nsPluginInstanceOwner.cpp
5 libxul.so nsPluginHost::CreateWidget(nsPluginInstanceOwner*) dom/plugins/base/nsPluginHost.cpp
6 libxul.so nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) dom/plugins/base/nsPluginHost.cpp
7 libxul.so nsObjectLoadingContent::InstantiatePluginInstance(bool) dom/base/nsObjectLoadingContent.cpp
8 libxul.so nsObjectLoadingContent::SyncStartPluginInstance() dom/base/nsObjectLoadingContent.cpp
9 libxul.so nsObjectLoadingContent::ScriptRequestPluginInstance(JSContext*, nsNPAPIPluginInstance**) dom/base/nsObjectLoadingContent.cpp
10 libxul.so nsObjectLoadingContent::DoResolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>) dom/base/nsObjectLoadingContent.cpp
11 libxul.so mozilla::dom::HTMLObjectElementBinding::_resolve obj-firefox/dom/bindings/HTMLObjectElementBinding.cpp
12 libxul.so js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) js/src/vm/NativeObject-inl.h
13 libxul.so js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::PropertyName*, JS::MutableHandle<JS::Value>) js/src/vm/NativeObject.h
14 libxul.so js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
15 libxul.so Interpret js/src/vm/Interpreter.cpp
16 libxul.so js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp
17 libxul.so js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp
18 libxul.so js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp
19 libxul.so JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp
20 libxul.so mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) obj-firefox/dom/bindings/EventListenerBinding.cpp
21 libxul.so void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h
22 libxul.so mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp
23 libxul.so mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp
24 libxul.so mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventListenerManager.h
25 libxul.so mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) dom/events/EventDispatcher.cpp
26 libxul.so nsDocumentViewer::LoadComplete(nsresult) layout/base/nsDocumentViewer.cpp
27 libxul.so nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) docshell/base/nsDocShell.cpp
28 libxul.so nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) docshell/base/nsDocShell.cpp
29 libxul.so nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) uriloader/base/nsDocLoader.cpp
30 libxul.so nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp
31 libxul.so nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp
32 libxul.so nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) uriloader/base/nsDocLoader.cpp
33 libxul.so nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) netwerk/base/nsLoadGroup.cpp
34 libxul.so nsDocument::DoUnblockOnload() dom/base/nsDocument.cpp
35 libxul.so nsUnblockOnloadEvent::Run() dom/base/nsDocument.cpp
36 libxul.so nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
37 libxul.so NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp
38 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
39 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
40 libxul.so nsBaseAppShell::Run() widget/nsBaseAppShell.cpp
41 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp
42 libxul.so MessageLoop::Run() ipc/chromium/src/base/message_loop.cc
43 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp
44 plugin-container content_process_main(int, char**) ipc/contentproc/plugin-container.cpp
Ø 45 libc-2.19.so libc-2.19.so@0x21b44
46 plugin-container _init
47 plugin-container malloc_good_size memory/build/replace_malloc.c
48 plugin-container __libc_csu_fini
49 plugin-container malloc_good_size memory/build/replace_malloc.c
50 plugin-container _start
Comment 2•9 years ago
I think that this as well as some other similar signatures - see top of https://crash-analysis.mozilla.com/rkaiser/2015-07-12/2015-07-12.firefox.42.explosiveness.html - are all the same cause as bug 1182921.
Comment 3•9 years ago
I ran into this twice yesterday when I was streaming footy. Once the video started buffering, I would refresh the page and the tab would crash instantly once the video appeared, crashes:
- https://crash-stats.mozilla.com/report/index/f721c59e-b7ba-4e6d-ab74-6f1862150712
- https://crash-stats.mozilla.com/report/index/8df0840f-118b-4ee3-86ab-98e652150712

These STR are not really reproducible, but I was doing the following every time I got the crash:
- launched the stream from http://live.mlssoccer.com
- started watching the game and hit a "buffering" at times
- once I hit the buffering wall, I refreshed the tab and would get the crash
Comment 4•9 years ago
Marking s-s per IRC discussion and crash reports that show 0x5a crash pattern.
Group: core-security
Updated•9 years ago
Keywords: sec-critical
Comment 7•9 years ago
[Tracking Requested - why for this release]:
Crash Signature: [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsBaseWidget::AddChild(nsIWidget*)] → [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsBaseWidget::AddChild(nsIWidget*)]
[@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Blob*) | nsBaseWidget::RemoveChild(nsIWidget*)]
[@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Blob*) | nsBaseWid…
status-firefox41:
--- → affected
status-firefox42:
--- → affected
tracking-firefox41:
--- → ?
tracking-firefox42:
--- → ?
Updated•9 years ago
Crash Signature: nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Element*) | nsBaseWidget::RemoveChild(nsIWidget*)] → nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Element*) | nsBaseWidget::RemoveChild(nsIWidget*)]
[@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Registry*) | nsBaseWidget::AddChild(nsIWidget*)]
[@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Registry…
Comment 8•9 years ago
This started on Nightly on 2015-07-11 and on Dev Edition on 2015-07-14 so must be a patch that was merged to m-c probably on the 10th and uplifted to m-a on the 13th. This is a huge crash spike on Nightly and a pretty large one starting on Dev Edition as well now.
Comment 9•9 years ago
It also looks like the signature is fluctuating for every build.
Crash Signature: [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsBaseWidget::AddChild(nsIWidget*)]
[@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Blob*) | nsBaseWidget::RemoveChild(nsIWidget*)]
[@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Blob*) | nsBaseWid… → [@ nsCOMPtr_base::assign_with_AddRef | nsBaseWidget::AddChild]
[@ nsCOMPtr_base::assign_with_AddRef | nsBaseWidget::RemoveChild]
[@ nsRefPtr<T>::assign_with_AddRef | nsBaseWidget::AddChild]
[@ nsRefPtr<T>::assign_with_AddRef | nsBaseWidget::RemoveChild…
Comment 10•9 years ago
This is e10s. jimm, one for you?
tracking-e10s:
--- → ?
Flags: needinfo?(jmathies)
Comment 11•9 years ago
RyanVM mentioned on IRC that bug 1174461 would fit the time criteria.
Comment 12•9 years ago
Code changes look highly-relevant too.
Comment 13•9 years ago
Bug 1174461 has been backed out from both branches and nightlies are being respun.
Assignee: nobody → jmathies
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox40:
--- → unaffected
status-firefox-esr31:
--- → unaffected
status-firefox-esr38:
--- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Assignee
Comment 14•9 years ago
yeah I think I caused this with my changes in bug 1174461. I'm not sure if the caching caused it or the change to SetParent. I'll have to dig a bit. That patch is safe to backout, it was just an optimization.
Flags: needinfo?(jmathies)
Comment 15•9 years ago
Should/can we remove the security-group flag as the offender has been backed out on both channels and this never was in beta or release?
This was mentioned as a top crash for FF41.
Comment 17•9 years ago
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #15)
> Should/can we remove the security-group flag as the offender has been backed
> out on both channels and this never was in beta or release?

Let's wait a few days. It was on central for at least a few Nightlys.
Comment 19•9 years ago
(In reply to Andrew McCreight [:mccr8] from comment #17)
> Let's wait a few days. It was on central for at least a few Nightlys.

OK, it's just that as long as it's hidden we have all our topcrash reports point to the signatures without pointing to a bug. But next week, the signature probably will be gone from stats anyhow. Still, will be good to have it unhidden for history.
Updated•9 years ago
Flags: needinfo?(continuation)
Updated•9 years ago
Group: core-security
Updated•9 years ago
Whiteboard: [b2g-adv-main2.5-]
Updated•2 years ago
Product: Core → Core Graveyard