Crash in [@ PLDHashTable::Iterator::Iterator | mozilla::plugins::PPluginModuleChild::ClearSubtree]
Categories
(Core Graveyard :: Plug-ins, defect, P2)
Tracking
| Tracking | Status |
|---|---|
| firefox-esr60 | unaffected |
| firefox-esr68 | unaffected |
| firefox-esr78 | wontfix |
| firefox68 | unaffected |
| firefox69 | wontfix |
| firefox70 | wontfix |
| firefox71 | wontfix |
| firefox72 | wontfix |
| firefox73 | wontfix |
| firefox74 | wontfix |
People
(Reporter: philipp, Assigned: handyman)
Attachments
(3 files)
This bug is for crash report bp-3ddae7bc-ed26-4c3d-8593-293c80190806.
Top 10 frames of crashing thread:
0 xul.dll PLDHashTable::Iterator::Iterator xpcom/ds/PLDHashTable.cpp:727
1 xul.dll void mozilla::plugins::PPluginModuleChild::ClearSubtree ipc/ipdl/PPluginModuleChild.cpp:1554
2 xul.dll mozilla::plugins::PPluginModuleChild::OnChannelClose ipc/ipdl/PPluginModuleChild.cpp:1526
3 xul.dll bool mozilla::plugins::PluginModuleParent::DoShutdown dom/plugins/ipc/PluginModuleParent.cpp:1928
4 xul.dll nsresult mozilla::plugins::PluginModuleParent::NP_Shutdown dom/plugins/ipc/PluginModuleParent.cpp:1906
5 xul.dll nsNPAPIPlugin::Shutdown dom/plugins/base/nsNPAPIPlugin.cpp:293
6 xul.dll nsPluginTag::TryUnloadPlugin dom/plugins/base/nsPluginTags.cpp:637
7 xul.dll nsresult nsPluginHost::UnloadPlugins dom/plugins/base/nsPluginHost.cpp:664
8 xul.dll nsresult nsPluginHost::Observe dom/plugins/base/nsPluginHost.cpp:3288
9 xul.dll nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:291
This crash signature is newly showing up in reports from Firefox 69 users.
Comment 1•6 years ago
Anything change in plugin code recently? These are clearly UAFs, but since they're all in shutdown we'll call it sec-moderate rather than sec-high.
Comment 2•6 years ago
So far, no plugin changes I'm seeing look to be relevant. I'm currently leaning in the direction of this being a more core issue.
- The first report for PluginModuleParent::ClearSubtree was on a 6/21 (alpha) build. It's the only one before they start appearing in beta on 7/1. At that point they are pretty rare but the frequency is on the order of "daily". So it's pretty safe to say it appeared in 69.0a1 but it could have been any time then.
- There seem to be two callstacks -- one for shutting down from a timeout handler and one for normal shutdown. I initially thought they weren't respecting one another but now I'm less sure (see below). Maybe this happens when both parts of the code try to Close() the PluginModuleParent. I don't see a reason why behavior would change now but it could be something random (e.g. Adobe changes that slow shutdown).
- If the crash is really plugin code related then the issue would likely be in dom/plugins from sometime in May. I see nothing relevant in hg log.
- Broadening the crash search gives me some reason to think the issue is related to something about IPC generically. Specifically, a 6 month search for ClearSubtree comes up with other actor crashes... but they start with PBackgroundIDBFactory on 5/29 [1]. That's still 69.0a1. There's also PNecko, PBackground and PContent. In many spots, the other crash stacks are garbage but look similar to the plugin ones [2] (e.g. a crash iterating over members as part of OnChannelError -- timeout?). This is a tenuous connection but it's the strongest lead I can see.
I don't have any great ideas from here. Maybe an IPC peer can confirm/reject my theory. If that isn't it, though, then it'll take some effort to figure this out.
--
[1] https://crash-stats.mozilla.org/search/?signature=~ClearSubtree&date=%3E%3D2019-02-13T15%3A31%3A00.000Z&date=%3C2019-08-13T15%3A31%3A00.000Z&_facets=signature&_sort=build_id&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=shutdown_progress#crash-reports
[2] https://crash-stats.mozilla.org/report/index/94d6f66a-a3c4-458d-a5ce-21cf10190603
Comment 3•6 years ago
The priority flag is not set for this bug.
:jimm, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 4•6 years ago
Too late for a fix in 70 but we could still take a patch for 71/72.
Comment 5•6 years ago
This signature went away for a while but is spiking up again in the last few days.
Comment 6•6 years ago
I wonder if the spike correlates to Adobe pushing out a newer Flash release? Timing seems pretty close. Not sure why we'd be less resilient to that than we used to be, though.
Comment 7•5 years ago
Seeing a new spike in the last couple days, which seems to correlate with a Flash update (https://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html says "last published April 14, 2020").
Comment 10•5 years ago
Comment 11•5 years ago
Depends on D108802
Comment 12•5 years ago
Badly designed actors delete themselves without using Send__delete__ or another valid IPDL shutdown scheme. This makes them robust to having their manager closed afterward.
Depends on D108803
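The fix description above names the defect class: an actor that deletes itself without `Send__delete__` (or another valid IPDL shutdown scheme) leaves its manager holding a dangling pointer, which the manager's `ClearSubtree` then touches when the channel closes. As an added illustration, not Mozilla's code and not the real IPDL classes, the toy C++ below models that shape: a manager whose `ClearSubtree` walks a table of managed actors, an actor that deletes itself without telling the manager, the correct `SendDelete` path, and a hardened actor that deregisters itself in its destructor so it survives having its manager closed afterward. All names (`Manager`, `Actor`, `RobustActor`, `SendDelete`, `ClearSubtree`, `LiveActors`) are assumptions made for this example; the liveness registry exists only so the example can report a stale entry instead of dereferencing freed memory.

```cpp
// Added illustration, not Mozilla code: a toy model of an IPDL-style manager whose
// ClearSubtree walks its table of managed actors when the channel closes.
#include <cstddef>
#include <cstdio>
#include <unordered_set>

struct Manager;

// Liveness registry, constructed for this example only: it lets the manager report a
// dangling table entry instead of dereferencing it (a real ClearSubtree has no such
// safety net; it simply touches the freed object). Pointer values are compared, never
// dereferenced, and the check is fooled if the freed address is reused in between.
static std::unordered_set<const void*>& LiveActors() {
  static std::unordered_set<const void*> live;
  return live;
}

struct Actor {
  Manager* mManager;
  bool mDestroyed = false;
  explicit Actor(Manager* mgr);
  virtual ~Actor();
  void ActorDestroy() { mDestroyed = true; }  // IPDL-style teardown hook
};

struct Manager {
  // Raw pointers, as in the generated protocol classes: the table does not own them.
  std::unordered_set<Actor*> mManagedActors;

  struct Result { std::size_t destroyed = 0; std::size_t stale = 0; };

  void Register(Actor* a) { mManagedActors.insert(a); }
  void Unregister(Actor* a) { mManagedActors.erase(a); }

  // Hypothetical analogue of Send__delete__: the manager is told before the object dies.
  void SendDelete(Actor* a) { Unregister(a); delete a; }

  // Hypothetical analogue of ClearSubtree / OnChannelClose: tear down every actor
  // still registered. A stale entry here is exactly where the real code would crash.
  Result ClearSubtree() {
    Result r;
    for (Actor* a : mManagedActors) {
      if (LiveActors().count(a) == 0) { ++r.stale; continue; }  // would be the UAF
      a->ActorDestroy();
      ++r.destroyed;
    }
    mManagedActors.clear();
    return r;
  }
};

Actor::Actor(Manager* mgr) : mManager(mgr) {
  LiveActors().insert(this);
  mManager->Register(this);
}
// The base actor does NOT tell its manager it is going away: this is the
// "badly designed actor" of the fix description.
Actor::~Actor() { LiveActors().erase(this); }

// The hardened actor deregisters itself on destruction, so it is safe to have its
// manager closed afterward even though it never went through SendDelete.
struct RobustActor : Actor {
  explicit RobustActor(Manager* mgr) : Actor(mgr) {}
  ~RobustActor() override { mManager->Unregister(this); }
};

// Bug: an actor deletes itself without SendDelete; the later channel close finds a
// dangling entry.
Manager::Result ScenarioSelfDeleteWithoutSendDelete() {
  Manager mgr;
  Actor* good = new Actor(&mgr);
  Actor* bad = new Actor(&mgr);
  delete bad;                              // no notification to the manager
  Manager::Result r = mgr.ClearSubtree();  // stale == 1, destroyed == 1
  delete good;
  return r;
}

// Correct IPDL-style shutdown: the actor goes away through SendDelete.
Manager::Result ScenarioSendDelete() {
  Manager mgr;
  Actor* good = new Actor(&mgr);
  Actor* done = new Actor(&mgr);
  mgr.SendDelete(done);
  Manager::Result r = mgr.ClearSubtree();  // stale == 0, destroyed == 1
  delete good;
  return r;
}

// The fix's approach: the self-deleting actor is made robust instead.
Manager::Result ScenarioRobustActor() {
  Manager mgr;
  Actor* good = new RobustActor(&mgr);
  Actor* bad = new RobustActor(&mgr);
  delete bad;                              // destructor deregisters it first
  Manager::Result r = mgr.ClearSubtree();  // stale == 0, destroyed == 1
  delete good;
  return r;
}

int main() {
  Manager::Result a = ScenarioSelfDeleteWithoutSendDelete();
  Manager::Result b = ScenarioSendDelete();
  Manager::Result c = ScenarioRobustActor();
  std::printf("self-delete: stale=%zu  SendDelete: stale=%zu  robust: stale=%zu\n",
              a.stale, b.stale, c.stale);
  return 0;
}
```

The two safe variants reflect the two remedies available in IPDL terms: route deletion through the manager (`SendDelete`, the `Send__delete__` analogue) or make the actor deregister itself regardless of how it is deleted, which is the direction the fix description takes for actors that cannot be redesigned.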
Comment 13•4 years ago