Closed Bug 1182919 Opened 4 years ago Closed 4 years ago

crash in nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsBaseWidget::AddChild(nsIWidget*)

Categories

(Core :: Plug-ins, defect, critical)

Unspecified
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla42
Tracking Status
e10s ? ---
firefox40 --- unaffected
firefox41 + fixed
firefox42 + fixed
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected

People

(Reporter: ashughes, Assigned: jimm)

References

Details

(Keywords: crash, sec-critical, Whiteboard: [b2g-adv-main2.5-])

Crash Data

This bug was filed from the Socorro interface and is report bp-ef31a836-e574-4ece-8334-2a5932150712.
=============================================================
0 	libxul.so 	nsCOMPtr_base::assign_with_AddRef(nsISupports*) 	xpcom/glue/nsCOMPtr.h
1 	libxul.so 	nsBaseWidget::AddChild(nsIWidget*) 	widget/nsBaseWidget.cpp
2 	libxul.so 	mozilla::widget::PluginWidgetProxy::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsWidgetInitData*) 	widget/PluginWidgetProxy.cpp
3 	libxul.so 	mozilla::dom::TabChild::CreatePluginWidget(nsIWidget*, nsIWidget**) 	dom/ipc/TabChild.cpp
4 	libxul.so 	nsPluginInstanceOwner::CreateWidget() 	dom/plugins/base/nsPluginInstanceOwner.cpp
5 	libxul.so 	nsPluginHost::CreateWidget(nsPluginInstanceOwner*) 	dom/plugins/base/nsPluginHost.cpp
6 	libxul.so 	nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) 	dom/plugins/base/nsPluginHost.cpp
7 	libxul.so 	nsObjectLoadingContent::InstantiatePluginInstance(bool) 	dom/base/nsObjectLoadingContent.cpp
8 	libxul.so 	nsObjectLoadingContent::SyncStartPluginInstance() 	dom/base/nsObjectLoadingContent.cpp
9 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
10 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
11 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
12 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
13 	libxul.so 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp
14 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
15 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
16 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
17 	plugin-container 	content_process_main(int, char**) 	ipc/contentproc/plugin-container.cpp
Ø 18 	libc-2.19.so 	libc-2.19.so@0x21b44 	
19 	plugin-container 	_init 	
20 	plugin-container 	malloc_good_size 	memory/build/replace_malloc.c
21 	plugin-container 	__libc_csu_fini 	
22 	plugin-container 	malloc_good_size 	memory/build/replace_malloc.c
23 	plugin-container 	_start 	
=============================================================
More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsCOMPtr_base%3A%3Aassign_with_AddRef%28nsISupports*%29+|+nsBaseWidget%3A%3AAddChild%28nsIWidget*%29

Hit this crash today on Debian 8.1 64-bit with Firefox 42.0a1 20150712030212 with Flash 11.2.202.481. All I did was load engadget.com and the tab crashed while loading. Restoring the tab did not reproduce the crash.
Hit this again, this time on Dropbox.com when the sign-up dialog appeared:

0 	libxul.so 	nsCOMPtr_base::assign_with_AddRef(nsISupports*) 	xpcom/glue/nsCOMPtr.h
1 	libxul.so 	nsBaseWidget::AddChild(nsIWidget*) 	widget/nsBaseWidget.cpp
2 	libxul.so 	mozilla::widget::PluginWidgetProxy::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsWidgetInitData*) 	widget/PluginWidgetProxy.cpp
3 	libxul.so 	mozilla::dom::TabChild::CreatePluginWidget(nsIWidget*, nsIWidget**) 	dom/ipc/TabChild.cpp
4 	libxul.so 	nsPluginInstanceOwner::CreateWidget() 	dom/plugins/base/nsPluginInstanceOwner.cpp
5 	libxul.so 	nsPluginHost::CreateWidget(nsPluginInstanceOwner*) 	dom/plugins/base/nsPluginHost.cpp
6 	libxul.so 	nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) 	dom/plugins/base/nsPluginHost.cpp
7 	libxul.so 	nsObjectLoadingContent::InstantiatePluginInstance(bool) 	dom/base/nsObjectLoadingContent.cpp
8 	libxul.so 	nsObjectLoadingContent::SyncStartPluginInstance() 	dom/base/nsObjectLoadingContent.cpp
9 	libxul.so 	nsObjectLoadingContent::ScriptRequestPluginInstance(JSContext*, nsNPAPIPluginInstance**) 	dom/base/nsObjectLoadingContent.cpp
10 	libxul.so 	nsObjectLoadingContent::DoResolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>) 	dom/base/nsObjectLoadingContent.cpp
11 	libxul.so 	mozilla::dom::HTMLObjectElementBinding::_resolve 	obj-firefox/dom/bindings/HTMLObjectElementBinding.cpp
12 	libxul.so 	js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) 	js/src/vm/NativeObject-inl.h
13 	libxul.so 	js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::PropertyName*, JS::MutableHandle<JS::Value>) 	js/src/vm/NativeObject.h
14 	libxul.so 	js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
15 	libxul.so 	Interpret 	js/src/vm/Interpreter.cpp
16 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
17 	libxul.so 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
18 	libxul.so 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
19 	libxul.so 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
20 	libxul.so 	mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) 	obj-firefox/dom/bindings/EventListenerBinding.cpp
21 	libxul.so 	void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) 	obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h
22 	libxul.so 	mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) 	dom/events/EventListenerManager.cpp
23 	libxul.so 	mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) 	dom/events/EventListenerManager.cpp
24 	libxul.so 	mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) 	dom/events/EventListenerManager.h
25 	libxul.so 	mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) 	dom/events/EventDispatcher.cpp
26 	libxul.so 	nsDocumentViewer::LoadComplete(nsresult) 	layout/base/nsDocumentViewer.cpp
27 	libxul.so 	nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) 	docshell/base/nsDocShell.cpp
28 	libxul.so 	nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) 	docshell/base/nsDocShell.cpp
29 	libxul.so 	nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) 	uriloader/base/nsDocLoader.cpp
30 	libxul.so 	nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) 	uriloader/base/nsDocLoader.cpp
31 	libxul.so 	nsDocLoader::DocLoaderIsEmpty(bool) 	uriloader/base/nsDocLoader.cpp
32 	libxul.so 	nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) 	uriloader/base/nsDocLoader.cpp
33 	libxul.so 	nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) 	netwerk/base/nsLoadGroup.cpp
34 	libxul.so 	nsDocument::DoUnblockOnload() 	dom/base/nsDocument.cpp
35 	libxul.so 	nsUnblockOnloadEvent::Run() 	dom/base/nsDocument.cpp
36 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
37 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
38 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
39 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
40 	libxul.so 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp
41 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
42 	libxul.so 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
43 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
44 	plugin-container 	content_process_main(int, char**) 	ipc/contentproc/plugin-container.cpp
Ø 45 	libc-2.19.so 	libc-2.19.so@0x21b44 	
46 	plugin-container 	_init 	
47 	plugin-container 	malloc_good_size 	memory/build/replace_malloc.c
48 	plugin-container 	__libc_csu_fini 	
49 	plugin-container 	malloc_good_size 	memory/build/replace_malloc.c
50 	plugin-container 	_start
I think that this as well as some other similar signatures - see top of https://crash-analysis.mozilla.com/rkaiser/2015-07-12/2015-07-12.firefox.42.explosiveness.html - are all the same cause as bug 1182921.
I ran into this twice yesterday when I was streaming footy. Once the video started buffering, I would refresh the page and the tab would crash instantly once the video appeared, crashes:

- https://crash-stats.mozilla.com/report/index/f721c59e-b7ba-4e6d-ab74-6f1862150712
- https://crash-stats.mozilla.com/report/index/8df0840f-118b-4ee3-86ab-98e652150712

These STR are not really reproducible, but I was doing the following every time I got the crash:

- launched the stream from http://live.mlssoccer.com
- started watching the game and hit a "buffering" at times
- once I hit the buffering wall, I refreshed the tab and would get the crash
Marking s-s per IRC discussion and crash reports that show 0x5a crash pattern.
Group: core-security
Duplicate of this bug: 1182917
Duplicate of this bug: 1182921
[Tracking Requested - why for this release]:
Crash Signature: [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsBaseWidget::AddChild(nsIWidget*)] → [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsBaseWidget::AddChild(nsIWidget*)] [@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Blob*) | nsBaseWidget::RemoveChild(nsIWidget*)] [@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Blob*) | nsBaseWid…
Crash Signature: nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Element*) | nsBaseWidget::RemoveChild(nsIWidget*)] → nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Element*) | nsBaseWidget::RemoveChild(nsIWidget*)] [@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Registry*) | nsBaseWidget::AddChild(nsIWidget*)] [@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Registry…
This started on Nightly on 2015-07-11 and on Dev Edition on 2015-07-14, so it must be a patch that was merged to m-c probably on the 10th and uplifted to m-a on the 13th.
This is a huge crash spike on Nightly and a pretty large one starting on Dev Edition as well now.
It also looks like the signature is fluctuating for every build.
Crash Signature: [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | nsBaseWidget::AddChild(nsIWidget*)] [@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Blob*) | nsBaseWidget::RemoveChild(nsIWidget*)] [@ nsRefPtr<T>::assign_with_AddRef(mozilla::dom::Blob*) | nsBaseWid… → [@ nsCOMPtr_base::assign_with_AddRef | nsBaseWidget::AddChild] [@ nsCOMPtr_base::assign_with_AddRef | nsBaseWidget::RemoveChild] [@ nsRefPtr<T>::assign_with_AddRef | nsBaseWidget::AddChild] [@ nsRefPtr<T>::assign_with_AddRef | nsBaseWidget::RemoveChild…
This is e10s. jimm, one for you?
tracking-e10s: --- → ?
Flags: needinfo?(jmathies)
RyanVM mentioned on IRC that bug 1174461 would fit the time criteria.
Code changes look highly-relevant too.
Bug 1174461 has been backed out from both branches and nightlies are being respun.
Assignee: nobody → jmathies
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Yeah, I think I caused this with my changes in bug 1174461. I'm not sure if the caching caused it or the change to SetParent. I'll have to dig a bit. That patch is safe to back out; it was just an optimization.
Flags: needinfo?(jmathies)
Should/can we remove the security-group flag as the offender has been backed out on both channels and this never was in beta or release?
This was mentioned as a top crash for FF41.
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #15)
> Should/can we remove the security-group flag as the offender has been backed
> out on both channels and this never was in beta or release?

Let's wait a few days. It was on central for at least a few Nightlies.
I can unhide it on Monday.
Flags: needinfo?(continuation)
(In reply to Andrew McCreight [:mccr8] from comment #17)
> Let's wait a few days. It was on central for at least a few Nightlys.

OK, it's just that as long as it's hidden we have all our topcrash reports point to the signatures without pointing to a bug. But next week, the signature probably will be gone from stats anyhow. Still, will be good to have it unhidden for history.
Flags: needinfo?(continuation)
Group: core-security
Whiteboard: [b2g-adv-main2.5-]