Closed Bug 192914 Opened 22 years ago Closed 22 years ago

M130B Trunk crash loading URL [@ pngu3266.dll | pngu3267.dll]

Categories

(Core Graveyard :: Plug-ins, defect, P1)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows XP
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla1.4alpha

People

(Reporter: stephen, Assigned: peterlubczynski-bugs)

References

(
URL
)

Details

(Keywords: crash, testcase, topcrash+, Whiteboard: [fixed1.3])

Crash Data

Attachments

(2 files)

patch v.1 (disables subclassing of Real)
1.44 KB, patch
Details | Diff | Splinter Review
patch v.2 (prevents recursive events for Real)
3.52 KB, patch
smontagu
: review+
peterlubczynski-bugs
: superreview+
asa
: approval1.3+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030210 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20030210 The URL in will cause all Mozilla windows will close. No talkback window appears afterward. I have reproduced problem in v1.2 and 1.3b1. Reproducible: Always Steps to Reproduce: 1.Put the URL in Mozilla and wait for the page to load 2.About halfway through, all Mozilla windows will close. No talkback window appears afterward. Actual Results: The same result as described in Details. Expected Results: Load the page. It works in Internet Explorer v6.0. Using the built in Modern theme.
Keywords: crash
Works for me, or at least it loaded right after I stopped blocking cookies (the site sent me to a "you need to allow cookie" page before). I'm using the released 1.3b on Win2000, with a bunch of add-ins (including the latest Multizilla beta) and the Pinball theme. Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b; MultiZilla v1.1.33 (b)) Gecko/20030210
I reproduced this bug using Mozilla 1.3b release on W2K. Talkback ID's: TB17133564Z and TB17133487K
Reproduced on Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030210 Talkback ID: TB17134002Z
I was able to load this site using 2003021108 under W2K with no errors.
WFM with build 2003021008 under Windows XP Home (SP1)
Keywords: stackwanted
Whiteboard: TB17133487K
I was able to access this page with 2003021008 in Windows 2000.
Confirming to new...I was able to reproduce this easily on my XP machine. Here is my incident: Incident ID 17273215 Stack Signature pngu3266.dll + 0x7985 (0x605f7985) a0ad8b03 Email Address jpatel@netscape.com Product ID MozillaTrunk Build ID 2003021408 Trigger Time 2003-02-17 15:05:19 Platform Win32 Operating System Windows NT 5.1 build 2600 Module pngu3266.dll URL visited http://www2.warehouse.com/product.asp?pf%5Fid=CPU1826&blind=no&cat=mac User Comments Trying to reproduce bug 192914. I just went to the url and waited for the page to load...it never finished. Most of the content loaded fine, but it looked like there was a broken image that didn't show before i saw the crash. Trigger Reason Stack overflow Source File Name Trigger Line No. Stack Trace pngu3266.dll + 0x7985 (0x605f7985) embd3260.dll + 0x1209 (0x06341209) pngu3266.dll + 0x78f4 (0x605f78f4) pngu3266.dll + 0x6237 (0x605f6237) USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp, line 211] USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) pngu3266.dll + 0x796e (0x605f796e) pngu3266.dll + 0x7908 (0x605f7908) pngu3266.dll + 0x6237 (0x605f6237) USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp, line 211] USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) pngu3266.dll + 0x796e (0x605f796e) pngu3266.dll + 0x7908 (0x605f7908) pngu3266.dll + 0x6237 (0x605f6237) USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp, line 211] USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) pngu3266.dll + 0x796e (0x605f796e) pngu3266.dll + 0x7908 (0x605f7908) pngu3266.dll + 0x6237 (0x605f6237) USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp, line 211] USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) pngu3266.dll + 0x796e (0x605f796e) pngu3266.dll + 0x7908 (0x605f7908) pngu3266.dll + 0x6237 (0x605f6237) USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp, line 211] USER32.dll + 0x27ad7 (0x77d67ad7) USER32.dll + 0x2ccd4 (0x77d6ccd4) USER32.dll + 0x5cd6 (0x77d45cd6) USER32.dll + 0x5cf5 (0x77d45cf5) pngu3266.dll + 0x796e (0x605f796e) pngu3266.dll + 0x7908 (0x605f7908) pngu3266.dll + 0x6237 (0x605f6237) This is also a topcrasher for Mozilla 1.3 Beta and is clearly happening on the latest MozillaTrunk builds as well. Here is the latest Talkback data: pngu3267.dll 19 BBID range: 17090045 - 17245990 Min/Max Seconds since last crash: 13 - 246494 Min/Max Runtime: 726 - 358175 Crash data range: 2003-02-11 to 2003-02-16 Build ID range: 2003021008 to 2003021308 Stack Trace: pngu3267.dll + 0x7d25 (0x60367d25) embd3260.dll + 0x11d9 (0x026811d9) pngu3267.dll + 0x7c94 (0x60367c94) pngu3267.dll + 0x645b (0x6036645b) USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp line 211] USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) pngu3267.dll + 0x7d0e (0x60367d0e) pngu3267.dll + 0x7ca8 (0x60367ca8) pngu3267.dll + 0x645b (0x6036645b) USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp line 211] USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) pngu3267.dll + 0x7d0e (0x60367d0e) pngu3267.dll + 0x7ca8 (0x60367ca8) pngu3267.dll + 0x645b (0x6036645b) USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp line 211] USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) pngu3267.dll + 0x7d0e (0x60367d0e) pngu3267.dll + 0x7ca8 (0x60367ca8) pngu3267.dll + 0x645b (0x6036645b) USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp line 211] USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) pngu3267.dll + 0x7d0e (0x60367d0e) pngu3267.dll + 0x7ca8 (0x60367ca8) pngu3267.dll + 0x645b (0x6036645b) USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) PluginWndProc [c:/builds/seamonkey/mozilla/modules/plugin/base/src/nsPluginNativeWindowWin.cpp line 211] USER32.dll + 0x27b17 (0x77d67b17) USER32.dll + 0x2cdce (0x77d6cdce) USER32.dll + 0x5cc9 (0x77d45cc9) USER32.dll + 0x5ce8 (0x77d45ce8) pngu3267.dll + 0x7d0e (0x60367d0e) pngu3267.dll + 0x7ca8 (0x60367ca8) pngu3267.dll + 0x645b (0x6036645b) (17245990) Comments: starting a realplayer movie embedded in browser (17243878) URL: www.islamicity.com (17236221) URL: www.denon.co.uk/ (17223260) Comments: Tried to re-size a window that was playing a movie trailer (with RealOne as a plugin). (17220288) URL: air1.com (17220288) Comments: The problem is with the realaudio plugin media player work fine. (17167656) URL: www.europa.eu-int - The page of Ebs (europa by satelitte) (17167656) Comments: I was seeing a live tv (by reaol one 2.0) and mozilla has quit. (17133564) URL: http://www2.warehouse.com/product.asp?pf%5Fid=CPU1826&blind=no&cat=mac (17133564) Comments: reproducing bug 192914 (17133487) URL: http://www2.warehouse.com/product.asp?pf%5Fid=CPU1826&blind=no&cat=mac (17133487) Comments: reproducing bug 192914 (17110294) URL: search engine google.com
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: stackwantedtestcase, topcrash+
I loaded up http://www2.warehouse.com/product.asp?pf%5Fid=CPU1826&blind=no&cat=mac on IE and it worked fine. Looking at the source...I'm guessing something bad might be happening around this JS code on the page: <br><div class='s8a'><!-- Begin - Vendaria integration code --> <table BORDER="0" CELLPADDING="0" CELLSPACING="0"><tr><td> <script language="JavaScript1.2">var strIdlet="oCnpgzKJLlKKllvmlluqgwIqKuvLIl";var strAdlet="macwarehouse_CPU1826";</script><script src="http://fp.vendaria.com/integration/custom/macwarehouse/vendariashutoff.js" language="JavaScript"></script><script language="JavaScript1.2">if((typeof vnd_blnEnabled=="undefined")&&(typeof blnVendariaEnabled=="boolean")){if(blnVendariaEnabled)document.write( "<scr" + "ipt src='http://fp.vendaria.com/integration/custom/macwarehouse/vendaria2.js' language='JavaScript1.2'></scr" + "ipt>" );}</script><script language="JavaScript1.2">if(typeof blnVendariaEnabled=="boolean"){if(blnVendariaEnabled)document.write( "<scr" + "ipt src='http://fp.vendaria.com/envision/vswitch/" + strIdlet + "$" + strAdlet + ".js3' language='JavaScript1.2' type='text/javascript'></scr" + "ipt>" ) ;}</script><script language="JavaScript1.2">if((typeof vnd_getSupported=="undefined")&&(typeof blnVendariaEnabled=="boolean")){if(blnVendariaEnabled)document.write( "<scr" + "ipt src='http://fp.vendaria.com/integration/custom/pub/vendaria2.js' language='JavaScript1.2'></scr" + "ipt>" );}</script><script language="JavaScript1.2">var vnd_blnSupported = false;if( typeof vnd_getSupported == "function" ){vnd_blnSupported = vnd_getSupported( strIdlet, strAdlet );}if( vnd_blnSupported ){vnd_createLink( strIdlet, strAdlet, "", "<img src=http://www.warehouse.com/mecaimages/www/menu/IPOD_ViewVideo.gif border=0>", "" );vnd_preCache( strIdlet, strAdlet );}else document.write( "<img src='http://ondemand.vendaria.com/integration/svlt/0.vnd?bz_state=visited&src=ns&purl=" + strAdlet + "&iid=" + strIdlet + "' border=0 height=0 width=0>");</script></td></tr></table><!-- End - Vendaria integration code --> I think that's the code for the "View Image" image/link that didn't render properly with Mozilla (but worked fine in IE). Setting the component to Plugins for now, please reset and reassign if necessary. Thanks.
Component: Browser-General → Plug-ins
reassigning to plugin component owners.
Assignee: asa → peterlubczynski
QA Contact: asa → shrir
Summary: This URL will cause Mozilla to crash and close immediately with no warning. → M130B Trunk crash loading URL [@ pngu3266.dll]
Adding pngu3267.dll to summary since similar crashes are being reported by that stack signature.
Summary: M130B Trunk crash loading URL [@ pngu3266.dll] → M130B Trunk crash loading URL [@ pngu3266.dll | pngu3267.dll]
*** Bug 195661 has been marked as a duplicate of this bug. ***
*** Bug 195713 has been marked as a duplicate of this bug. ***
my bug 195713 has a minimal testcase (if it's indeed a dupe of this bug)
Better testcase: http://www.die-maus.de/wirsinddiemaus/mauskarten/?lang=de This crash is caused because of stack overflow on dispatching a WM_WINDOWPOSCHANGING event. Disabling plugin subclassing seems to stop the crash. This could have something to do with bug 183955.
URL: http://www2.warehouse.com/product.asp...http://www.die-maus.de/wirsinddiemaus...
Priority: -- → P1
QA Contact: shrir → bmartin
Target Milestone: --- → mozilla1.3final
This patch disables subclassing of Real which appears to make the crash go away. The 'real' fix here is to make our subclassing and windows event dispatching code more robust but it's okay to disable it for Real as it's not really needed.
Attachment #116153 - Flags: superreview?(bzbarsky)
Attachment #116153 - Flags: review?(smontagu)
Comment on attachment 116153 [details] [diff] [review] patch v.1 (disables subclassing of Real) Why do you want to return NS_ERROR_FAILURE? (not that anybody is checking the return value, AFAICT)
I was under the impression that returning NS_ERROR_FAILURE from this function means we didn't subclass or associate. The same erorr code gets returned if we are windowless. In this case it doesn't matter because the caller, a few lines up, isn't checking return codes anyway. For a good simplified markup testcase see: http://bugzilla.mozilla.org/attachment.cgi?id=116084&action=view
Status: NEW → ASSIGNED
Comment on attachment 116153 [details] [diff] [review] patch v.1 (disables subclassing of Real) >+ // Real doesn't like to be subclassed. It may case events to get "cause". I'm ok with this landing on the branch, but I'm not sure this should go on trunk.... Making the event dispatch system more robust or simply moving things that can cause synchronous infinite recursiou out to happening off a PLEvent would be much more preferable, no?
Okay, this crash can also be prevented by catching the recursive case for Real and not dispatching the event. Real seem to go into this state when subclassed on just about any first Windows event. For example, just having this tag and resizing the window to clip Real puts us in this state: <embed src="http://does.not.matter.if.this.is.a.valid.mp3" type="audio/x-pn-realaudio-plugin">
Attachment #116338 - Flags: superreview?(bzbarsky)
Attachment #116338 - Flags: review?(smontagu)
Um... shouldn't we detect event recursion for _all_ plug-ins, not just Real? If not, why not? In other words, what functionality would this break if applied to all plug-ins and why is that not a concern for Real?
I think we should get this into 1.3 final. Setting blocking1.3+ flag.
Flags: blocking1.3+
If this is going to make 1.3 it will need some quick turnaround on reviews. Please set the "approval 1.3?" flag as soon as it has r= and sr=.
I've been looking at this closer in the debugger and talked with Kevin and we think it's safest to take patch v.2 for the branch and leave this open for a (possible) better solution for the trunk. It is possible and completely valid for a plugin to synchronously dispatch an event to itself such that it looks like its in recursion. By blocking all recursion on all plugins, it may accidentaly break other plugins. I've been testing Real and doesn't see any worse than this bug in using that approach. ...looking for reviews for patch v.2
Attachment #116153 - Flags: superreview?(bzbarsky)
Attachment #116153 - Flags: review?(smontagu)
Comment on attachment 116338 [details] [diff] [review] patch v.2 (prevents recursive events for Real) yeah, looks just fine for branch. Thanks, Peter!
Attachment #116338 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 116338 [details] [diff] [review] patch v.2 (prevents recursive events for Real) r=smontagu
Attachment #116338 - Flags: superreview?(bzbarsky)
Attachment #116338 - Flags: superreview+
Attachment #116338 - Flags: review?(smontagu)
Attachment #116338 - Flags: review+
Comment on attachment 116338 [details] [diff] [review] patch v.2 (prevents recursive events for Real) Requesting drivers approval to land this on the 1.3 branch: This fixes a regression that casues Real to crash which came from the subclassing code in bug 132759. (restoring sr+ lost in mid-air)
Attachment #116338 - Flags: superreview?(bzbarsky)
Attachment #116338 - Flags: superreview+
Attachment #116338 - Flags: approval1.3?
Comment on attachment 116338 [details] [diff] [review] patch v.2 (prevents recursive events for Real) a=asa (on behalf of drivers) for checkin to 1.3 branch. Time is short so if you can land this tonight that would be ideal. Thanks.
Attachment #116338 - Flags: approval1.3? → approval1.3+
*** Bug 188315 has been marked as a duplicate of this bug. ***
Whiteboard: TB17133487K → [fixed1.3]
Target Milestone: mozilla1.3final → mozilla1.4alpha
I'm unable to reproduce this bug on Mozilla 1.3b, MS Windows XP SP1.
Nevermind my last comment
*** Bug 196610 has been marked as a duplicate of this bug. ***
Is this fixed on trunk?
I've checked in patch v.2 into the trunk to make tonight's 1.4a deadline and opened bug 199215 to track a better solution for this problem. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Marking verified Fixed, tested against latest trunk
Status: RESOLVED → VERIFIED
This fix may have serious regressions over other plugins(i.e. Java plugin) on Windows. The event flow is interrupted because of this bug. Makers of real player should check their plugin for a better solution not Mozilla. Looks like a search for a better solution (bug 199215) is no longer. We are still trying to find out why the testcase presented in http://www.neurodna.com/mozilla works well on solaris but behaves miseriable on windows.
> This fix may have serious regressions over other plugins(i.e. Java plugin) on > Windows. Excuse me? Did you read the patch? The patch only changes behavior when the MIME type for the data involved is "audio/x-pn-realaudio-plugin". Which is never the case for the Java plugin.
I do not know the reasoning for your abrupt reply, but yes you are right it is checking the mimetype of real. It would be helpful if you may show some directions. If we compare mozilla solaris and windows using the testcase we get weird behaviour especially when the frame is scrolled. Applet flashes, sometimes disappears while scrolling. We do not have this problem on solaris. I thought, there would be some events being forgotten for evaluation. If you have access to a windows machine you will see what I am at. What does sInMessageDispatch do in here? thanks. + sInMessageDispatch = PR_TRUE; + NS_TRY_SAFE_CALL_RETURN(res, ::CallWindowProc((WNDPROC)win->GetWindowProc(), hWnd, msg, wParam, lParam), nsnull, inst); + + sInMessageDispatch = PR_FALSE;
(In reply to comment #37) > checking the mimetype of real. It would be helpful if you may show some > directions. If we compare mozilla solaris and windows using the testcase we get Pleaase, file a new bug on the problem instead of adding irrelevant comments here. Anyway, I can reproduce , on Windows, what you've been observing. On Linux, scrolling is a lot smoother than on Windows.
Jungshik, thanks for replying. I am sorry for my irrelevant comment because it was the only way of showing this problem to others. We have filed Bug 274600 concerning this, but it is called invalid by one person and got no other responses. We will reopen the bug. It concerns us that this bug splips through in each new version because our application depends on a stable java applet behaviour.
(In reply to comment #37) > I do not know the reasoning for your abrupt reply The reasoning was that you claimed this patch causes problems for the Java plugin, which is clearly not the case.. > What does sInMessageDispatch do in here? Absolutely nothing, for plugins that are not handling the Real MIME type. jshin is right -- if you're seeing a Java issue, please file a separate bug on it...
Crash Signature: [@ pngu3266.dll | pngu3267.dll]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: