Closed Bug 328675 Opened 18 years ago Closed 16 years ago

Clicking Play on Realplayer plugin silently crashes browser [@ pngu3267.dll + 0x7d7d (0x158e7d7d) bfe3872e]

Categories

(Core Graveyard :: Plug-ins, defect, P4)

x86
Windows XP
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mmortal03, Assigned: jst)

Details

(Keywords: crash, regression)

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060224 Firefox/1.6a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060224 Firefox/1.6a1

Warning, it will close your browser. Go to this guy's myspace, scroll down to the realplayer plugin showing up a little down the page on the left. Click on the play button. The browser silently crashes. Here is the link: http://www.myspace.com/jsmitty2005

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060224 Firefox/1.6a1

Also,
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060225 Firefox/1.6a1

Talkback ID: TB15641144Z

Reproducible: Always

Steps to Reproduce:
Bug 192914 might be relevant.
Keywords: crash
Summary: Clicking Play on Realplayer plugin silently crashes browser → Clicking Play on Realplayer plugin silently crashes browser [@ pngu3267.dll + 0x7d7d (0x158e7d7d) bfe3872e]
Component: General → Plug-ins
Product: Firefox → Core
QA Contact: general → plugins
Version: unspecified → Trunk
Incident ID: 15641144
Stack Signature	pngu3267.dll + 0x7d7d (0x158e7d7d) bfe3872e
Product ID	FirefoxTrunk
Build ID	2006022504
Trigger Time	2006-02-26 03:49:16.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	pngu3267.dll + (00007d7d)
URL visited	
User Comments	
Since Last Crash	50307 sec
Total Uptime	52165 sec
Trigger Reason	Stack overflow
Source File, Line No.	N/A
Stack Trace 	
pngu3267.dll + 0x7d7d (0x158e7d7d)
embd3260.dll + 0x11dc (0x626311dc)
pngu3267.dll + 0x7cec (0x158e7cec)
pngu3267.dll + 0x63f3 (0x158e63f3)
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
PluginWndProc
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
pngu3267.dll + 0x7d66 (0x158e7d66)
pngu3267.dll + 0x7d00 (0x158e7d00)
pngu3267.dll + 0x63f3 (0x158e63f3)
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
PluginWndProc
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
pngu3267.dll + 0x7d66 (0x158e7d66)
pngu3267.dll + 0x7d00 (0x158e7d00)
pngu3267.dll + 0x63f3 (0x158e63f3)
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
PluginWndProc
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
pngu3267.dll + 0x7d66 (0x158e7d66)
pngu3267.dll + 0x7d00 (0x158e7d00)
pngu3267.dll + 0x63f3 (0x158e63f3)
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
PluginWndProc
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
pngu3267.dll + 0x7d66 (0x158e7d66)
pngu3267.dll + 0x7d00 (0x158e7d00)
pngu3267.dll + 0x63f3 (0x158e63f3)
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
PluginWndProc
USER32.dll + 0x8734 (0x77d48734)
USER32.dll + 0x8816 (0x77d48816)
USER32.dll + 0xc63f (0x77d4c63f)
USER32.dll + 0xe905 (0x77d4e905)
pngu3267.dll + 0x7d66 (0x158e7d66)
pngu3267.dll + 0x7d00 (0x158e7d00)
pngu3267.dll + 0x63f3 (0x158e63f3)
I can reproduce this bug on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060625 Minefield/3.0a1 ID:2006062504 [cairo]
Status: UNCONFIRMED → NEW
Ever confirmed: true
This bug is still alive and well in Seamonkey with the Realplayer Plugin on Windows XP:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a5pre) Gecko/20070512 SeaMonkey/1.5a

I've stopped using RealPlayer on Linux, probably because of it.
Another page that triggers this is: http://www.inf.fu-berlin.de/inst/zdm/livecasting/demo_test/real-emb-playstop.html (just keep trying; you'll eventually hit it).

Indeed, this still *does* happen, as I've demonstrated with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b1) Gecko/2007110703 Firefox/3.0b1
Flags: blocking1.9?
+'ing this but setting priority to P3.  
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Attached file testcase
I think this is the same crash as mentioned in the bug. I didn't minimize this from one of the mentioned sites, though.
Assignee: nobody → jst
Priority: P3 → P4
Given the age of this bug, lack of dups, and lack of motion moving off blocking list
Flags: blocking1.9+ → blocking1.9-
The original test case doesn't crash for me anymore; however, the example case in comment #7 still does.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2008012204 Firefox/3.0a6pre
This regressed between 2005-12-04 and 2005-12-05:
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2005-12-04+04&maxdate=2005-12-05+06&cvsroot=%2Fcvsroot
It seems to have somehow been regressed from bug 317486.
Backing out the relevant parts of that patch seems to make the crash go away.
Blocks: 317486
Attached patch patch?
Is this an acceptable workaround for the crash?
Btw, this seems perhaps related to bug 192914 to me.
Re-nominating since this is a regression on the 1.9 branch with a regression range, regardless of how old it is.
Flags: blocking1.9- → blocking1.9?
Keywords: regression
Attachment #301478 - Flags: superreview?(jst)
Attachment #301478 - Flags: review?(emaijala)
Would be great to have this fixed. Let's try to get this patch reviewed at least.
Flags: blocking1.9? → blocking1.9+
(In reply to comment #11)
> Is this an acceptable workaround for the crash?

Martijn, I think this is the correct approach here, yes. Do you know whether we're recursing to death on a WM_SETFOCUS or WM_KILLFOCUS? It might make sense to have this protection for only the one Real is having problems with, just in case it depends on this in some other oddball cases.
Apparently, the recursing to death happens on WM_SETFOCUS and WM_KILLFOCUS. Just doing it for one of the events doesn't fix the crash, it seems.
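The kind of re-entrancy protection discussed in the two comments above, as an added example: this is not the patch attached to this bug, whose contents are not shown on this page. It is a portable simulation without windows.h; `host_wndproc`, `plugin_wndproc`, `deliver`, the guard flags and `DEPTH_CAP` are hypothetical names, and the plugin bouncing each focus message straight back is an assumption made to reproduce the repeating frames in the stack trace.

```c
#include <stdio.h>

/* Real Win32 message IDs; everything else is a constructed stand-in. */
#define WM_SETFOCUS     0x0007
#define WM_KILLFOCUS    0x0008
#define GUARD_SETFOCUS  1
#define GUARD_KILLFOCUS 2
#define DEPTH_CAP       1000  /* ends the unguarded run before the real stack does */

static int depth, max_depth, capped, guard_mask;
static long host_wndproc(unsigned msg);

/* Assumed plugin behaviour: a focus message is sent back to the same
 * window, which re-enters the host procedure with the same message. */
static long plugin_wndproc(unsigned msg)
{
    if (msg == WM_SETFOCUS || msg == WM_KILLFOCUS)
        return host_wndproc(msg);
    return 0;
}

/* Stand-in for the browser-side procedure that forwards to the plugin. */
static long host_wndproc(unsigned msg)
{
    static int in_setfocus, in_killfocus;   /* one re-entrancy flag per message */
    int *busy = NULL;
    long rv;

    if (msg == WM_SETFOCUS && (guard_mask & GUARD_SETFOCUS)) busy = &in_setfocus;
    if (msg == WM_KILLFOCUS && (guard_mask & GUARD_KILLFOCUS)) busy = &in_killfocus;

    if (busy && *busy) return 0;            /* already inside this message: drop it */
    if (depth >= DEPTH_CAP) { capped = 1; return 0; }

    if (busy) *busy = 1;
    if (++depth > max_depth) max_depth = depth;
    rv = plugin_wndproc(msg);
    --depth;
    if (busy) *busy = 0;                    /* clear on the way out */
    return rv;
}

/* Deliver one message with the given guards; return the deepest nesting seen. */
int deliver(unsigned msg, int guards)
{
    depth = max_depth = capped = 0;
    guard_mask = guards;
    host_wndproc(msg);
    return max_depth;
}

int hit_cap(void) { return capped; }

int main(void)
{
    printf("unguarded: %d\n", deliver(WM_KILLFOCUS, 0));
    printf("both guarded: %d\n", deliver(WM_KILLFOCUS, GUARD_SETFOCUS | GUARD_KILLFOCUS));
    return 0;
}
```

Under the stated assumption, guarding only one of the two messages leaves the other free to recurse, which is consistent with the observation above that protecting a single event does not stop the crash.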
Comment on attachment 301478
patch?

Fair enough. sr=jst
Attachment #301478 - Flags: superreview?(jst) → superreview+
Whiteboard: [HAVE FIX]
Attachment #301478 - Flags: review?(emaijala) → review+
Fix checked in. Thank you Martijn for the fix! Oh, and I just noticed that Ere reviewed this, I said in the checkin comment that this was r+sr=jst :( Sorry about that...
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [HAVE FIX]
Sorry, I missed Ere reviewing this.
I guess I need to readjust my bugmail settings.

Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008022704 Minefield/3.0b4pre
Status: RESOLVED → VERIFIED
Crash Signature: [@ pngu3267.dll + 0x7d7d (0x158e7d7d) bfe3872e]
Product: Core → Core Graveyard