Closed Bug 303811 Opened 19 years ago Closed 19 years ago

[@ 0x735c5357] crash in _releaseobject and other functions in ns4xPlugin.cpp

Product/Component: Core :: DOM: Core & HTML
Type: defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: timeless
Assignee: Unassigned
Keywords: crash

see also bug 302638, bug 293902, bug 302355

     Count   Offset    Real Signature
[ 14   0x735c5357 b47e70b0 - _releaseobject ]
 
     Crash date range: 01-AUG-05 to 06-AUG-05
     Min/Max Seconds since last crash: 76 - 80397
     Min/Max Runtime: 950 - 108194
 
     Count   Platform List 
     14   Windows XP [Windows NT 5.1 build 2600] 
 
     Count   Build Id List 
     6   2005080306
     5   2005080206
     3   2005080106
 
     No of Unique Users        4
 
 Stack trace(Frame)

	 0x735c5357
	 _releaseobject  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/modules/plugin/base/src/ns4xPlugin.cpp, line 1522]
	 js_GC  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1839]
	 js_ForceGC  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1510]
	 nsAppStartup::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 146]
	 main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
	 kernel32.dll + 0x16d4f (0x7c816d4f)

     (7996538)	URL: http://winsysinfo.sourceforge.net
     (7996538)	Comments: I had 2 tabs open  one for google search  one viewing the project info on winsysinfo on sourceforge.
*** Bug 304366 has been marked as a duplicate of this bug. ***
Nominating for blocking-1.8b4:
* 0x735c5357 is the #8 topcrash for Firefox on the Gecko 1.8 branch.
* Crashing with a bogus instruction pointer scares me -- it could be a security
hole if an attacker can put instructions there, or change the address to where
the attacker put instructions.

Btw, not all of the crashes at 0x735c5357 have _releaseobject as the next item
on the stack, but they all have some function in ns4xPlugin.cpp as the next item.
Flags: blocking1.8b4?
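
A triage check for the bogus instruction pointers raised in the nomination above, as an added example that is not part of the original bug thread: it flags top-frame addresses that fall outside every known module and whose bytes are all printable ASCII, a common sign that string data ended up being used as a code pointer. The function names and the kernel32.dll size are assumptions made for illustration.

```python
import struct

# Top-frame addresses quoted in this bug's Talkback reports.
CRASH_ADDRESSES = [0x735C5357, 0x6C707538, 0x4449502F]

# Module map as (base, size, name). The kernel32.dll base follows from the
# page's frame "kernel32.dll + 0x16d4f (0x7c816d4f)"; the size is an assumed
# value. Real triage would load the full module list from the crash report.
MODULES = [(0x7C800000, 0x000F6000, "kernel32.dll")]


def module_for(addr, modules=MODULES):
    """Return the name of the module containing addr, or None."""
    for base, size, name in modules:
        if base <= addr < base + size:
            return name
    return None


def as_ascii(addr):
    """Return the in-memory (little-endian) bytes of a 32-bit address as text
    if all four are printable ASCII, else None."""
    raw = struct.pack("<I", addr)
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def triage(addr, modules=MODULES):
    """Classify a faulting instruction pointer for crash triage."""
    mod = module_for(addr, modules)
    if mod is not None:
        return ("in-module", mod)
    text = as_ascii(addr)
    if text is not None:
        # Looks like string data was used as a code pointer: escalate for
        # memory-safety review (stale or overwritten object suspected).
        return ("wild-ip-ascii", text)
    return ("wild-ip", None)


if __name__ == "__main__":
    for a in CRASH_ADDRESSES + [0x7C816D4F]:
        print(hex(a), *triage(a))
```

All three top-frame addresses from the reports on this page classify as `wild-ip-ascii`, while the kernel32.dll frame resolves to its module; the heuristic prioritises a crash for memory-safety review and does not by itself establish a root cause.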
Might be a dup of bug 300756, based on stacks in that bug.  Let's see if these
crashes go away in Talkback data over the next few days.
branch drivers waiting to see if this resolves itself before approving
nomination for 1.8b4

Summary: [@ 0x735c5357 - _releaseobject] → [@ 0x735c5357] crash in _releaseobject and other functions in ns4xPlugin.cpp
not on talkback after checkin of 300756, duping.

*** This bug has been marked as a duplicate of 300756 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Flags: blocking1.8b4?
Resolution: --- → DUPLICATE
Had this again in a trunk build. 

Incident ID: 14061024

Stack Signature	 0x6c707538 c964efb0
Product ID	FirefoxTrunk
Build ID	2006011606
Trigger Time	2006-01-17 02:55:50.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	
URL visited	
User Comments	
Since Last Crash	8531 sec
Total Uptime	30925 sec
Trigger Reason	Access violation
Source File, Line No.	N/A

Stack Trace 	
0x6c707538
_releaseobject  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/modules/plugin/base/src/ns4xPlugin.cpp, line 1526]
js_GC  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1845]
js_ForceGC  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1508]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
See also many TB's on similar crash at bug 323234.
Having this again at http://forum.teamxbox.com/forumdisplay.php?f=128

Incident ID: TB14235374
Stack Signature	0x4449502f 7b524ae5
Product ID	FirefoxTrunk
Build ID	2006011905
Trigger Time	2006-01-21 07:07:52.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	
URL visited	
User Comments	
Since Last Crash	54957 sec
Total Uptime	67288 sec
Trigger Reason	Access violation
Source File, Line No.	N/A

Stack Trace 	

0x4449502f
_releaseobject  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/modules/plugin/base/src/ns4xPlugin.cpp, line 1527]
js_GC  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1901]
js_ForceGC  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1560]
nsAppStartup::QueryInterface  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 126]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 324917 has been marked as a duplicate of this bug. ***
About half of the top crashers have stacks involving js_GC. Is it possible that it's related somehow, or just coincidence?
_releaseobject means an object is dying. For objects that are held by JS, that can only happen under js_gc. If js_gc releases the last JS reference and there are still C++ references, then the last release would come under some other stack, but in general it's clearly the case that usually the last reference is from JS.
Still seen on the trunk?  I can't reproduce on the branch.
Looking for any instances of "releaseobject" and "nsappstartup::queryinterface" in the top five frames of the stack, I don't see anything related to the crashes reported here.  Also looked for matches to URL "forum.teamxbox.com" and only found two crashes, both of which were not related to the stacks in this bug.

I'm guessing this is fixed now... marking WFM.  Reopen if anyone discovers new evidence.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ 0x735c5357]
Component: DOM → DOM: Core & HTML