Closed Bug 303811 Opened 19 years ago Closed 19 years ago

[@ 0x735c5357] crash in _releaseobject and other functions in ns4xPlugin.cpp

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect
Not set
critical

Tracking

RESOLVED WORKSFORME

People

(Reporter: timeless, Unassigned)

Details

(Keywords: crash)

Crash Data

see also bug 302638, bug 293902, bug 302355

Count Offset Real Signature
[ 14 0x735c5357 b47e70b0 - _releaseobject ]

Crash date range: 01-AUG-05 to 06-AUG-05
Min/Max Seconds since last crash: 76 - 80397
Min/Max Runtime: 950 - 108194

Count Platform List
14 Windows XP [Windows NT 5.1 build 2600]

Count Build Id List
6 2005080306
5 2005080206
3 2005080106

No of Unique Users 4

Stack trace(Frame)
0x735c5357
_releaseobject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/modules/plugin/base/src/ns4xPlugin.cpp line 1522]
js_GC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c line 1839]
js_ForceGC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c line 1510]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp line 146]
main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

(7996538) URL: http://winsysinfo.sourceforge.net
(7996538) Comments: I had 2 tabs open one for google search one viewing the project info on winsysinfo on sourceforge.
*** Bug 304366 has been marked as a duplicate of this bug. ***
Nominating for blocking-1.8b4:

* 0x735c5357 is the #8 topcrash for Firefox on the Gecko 1.8 branch.
* Crashing with a bogus instruction pointer scares me -- it could be a security hole if an attacker can put instructions there, or change the address to where the attacker put instructions.

Btw, not all of the crashes at 0x735c5357 have _releaseobject as the next item on the stack, but they all have some function in ns4xPlugin.cpp as the next item.
Flags: blocking1.8b4?
Might be a dup of bug 300756, based on stacks in that bug. Let's see if these crashes go away in Talkback data over the next few days.
branch drivers waiting to see if this resolves itself before approving nomination for 1.8b4
Summary: [@ 0x735c5357 - _releaseobject] → [@ 0x735c5357] crash in _releaseobject and other functions in ns4xPlugin.cpp
not on talkback after checkin of 300756, duping.

*** This bug has been marked as a duplicate of 300756 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Flags: blocking1.8b4?
Resolution: --- → DUPLICATE
Had this again in a trunk build.

Incident ID: 14061024
Stack Signature 0x6c707538 c964efb0
Product ID FirefoxTrunk
Build ID 2006011606
Trigger Time 2006-01-17 02:55:50.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module
URL visited
User Comments
Since Last Crash 8531 sec
Total Uptime 30925 sec
Trigger Reason Access violation
Source File, Line No. N/A

Stack Trace
0x6c707538
_releaseobject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/modules/plugin/base/src/ns4xPlugin.cpp, line 1526]
js_GC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1845]
js_ForceGC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1508]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
See also many TB's on similar crash at bug 323234.
Having this again at http://forum.teamxbox.com/forumdisplay.php?f=128

Incident ID: TB14235374
Stack Signature 0x4449502f 7b524ae5
Product ID FirefoxTrunk
Build ID 2006011905
Trigger Time 2006-01-21 07:07:52.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module
URL visited
User Comments
Since Last Crash 54957 sec
Total Uptime 67288 sec
Trigger Reason Access violation
Source File, Line No. N/A

Stack Trace
0x4449502f
_releaseobject [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/modules/plugin/base/src/ns4xPlugin.cpp, line 1527]
js_GC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1901]
js_ForceGC [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/js/src/jsgc.c, line 1560]
nsAppStartup::QueryInterface [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 126]
main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 324917 has been marked as a duplicate of this bug. ***
About half of the top crashers have stacks involving js_GC. Is it possible that it's related somehow, or just coincidence?
_releaseobject means an object is dying, for objects that are held by js, that can only happen under js_gc. if js_gc releases the last js reference and there are still c++ references, then the last release would come under some other stack, but in general it's clearly the case that usually the last reference is from js.
still seen on the trunk? I can't reproduce on the branch
looking for any instances of "releaseobject" and "nsappstartup::queryinterface" in the top five frames of the stack I don't see anything related to the crashes reported here. Also looked for matches to url "forum.teamxbox.com" and only found two crashes, both of which were not related to the stacks in this bug. I'm guessing this is fixed now... marking WFM. reopen if anyone discovers new evidence.
Status: NEW → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ 0x735c5357]
Component: DOM → DOM: Core & HTML
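
Added triage example (not part of the original bug or of Mozilla's tooling): the thread worries about crashes at a "bogus instruction pointer", and one quick check a crash triager can run is whether the crashing address is really four bytes of text. The heuristic that an all-printable-ASCII address suggests the pointer was read from memory holding string data is this example's assumption, not a conclusion stated in the bug; the input lines are copied from the Talkback reports above.

```python
import re
import struct

# Lines copied from the Talkback reports in this bug: the three top-frame
# crash addresses, plus the kernel32.dll return address for contrast.
REPORT_LINES = [
    "[ 14 0x735c5357 b47e70b0 - _releaseobject ]",
    "Stack Signature 0x6c707538 c964efb0",
    "Stack Signature 0x4449502f 7b524ae5",
    "kernel32.dll + 0x16d4f (0x7c816d4f)",
]

# Only full 32-bit addresses written with a 0x prefix and 8 hex digits.
ADDR_RE = re.compile(r"\b0x([0-9a-fA-F]{8})\b")


def as_text(addr):
    """Return the 4 bytes of a 32-bit value, in x86 little-endian memory
    order, as a string if every byte is printable ASCII; otherwise None."""
    raw = struct.pack("<I", addr)
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def triage(lines):
    """Map each address found in the report lines to its ASCII reading,
    or to None when the bytes are not all printable."""
    results = {}
    for line in lines:
        for match in ADDR_RE.finditer(line):
            addr = int(match.group(1), 16)
            results["0x%08x" % addr] = as_text(addr)
    return results


if __name__ == "__main__":
    for addr, text in triage(REPORT_LINES).items():
        verdict = "printable ASCII %r" % text if text else "not ASCII"
        print("%s: %s" % (addr, verdict))
```

All three crash addresses reported in this bug decode to printable text, while the kernel32.dll return address does not.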