Bug 329205 - 64-bit Firefox 1.5 crashes when it fails to load libjavaplugin_oji.so plugin
Status: RESOLVED FIXED
Keywords: crash, fixed1.8.0.4, fixed1.8.1
Product: Core
Classification: Components
Component: Plug-ins
Version: Trunk
Platform/OS: Other AIX
Priority/Severity: -- normal
Assigned To: Nobody; OK to take it and work on it
:
: Benjamin Smedberg [:bsmedberg]
Reported: 2006-03-02 22:55 PST by Ganesh
Modified: 2006-05-26 12:01 PDT


Attachments
- Patch (1.12 KB, patch), 2006-03-03 01:48 PST, Ganesh
  timeless: review-
- New patch with timeless comment (1.09 KB, patch), 2006-03-12 21:30 PST, Ganesh
  timeless: review+
  roc: superreview+
  jst: approval-branch-1.8.1+
  dveditz: approval1.8.0.4+

Description Ganesh 2006-03-02 22:55:20 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: 

I have been hitting the same problem when I try to load my Java plugins in my Firefox 1.5 64-bit browser. I am using J2RE 1.4.2.

I have a debug build of my Firefox 1.5 64-bit and I created a link in "plugins" directory from /usr/java14_64/jre/bin/libjava/libjavaplugin_oji.so.

The problem is that when I try to execute "about:plugins" in the address bar, the browser crashes. The browser is trying to load libjavaplugin_oji.so but somehow it is not able to load it successfully.


Reproducible: Always

Steps to Reproduce:
Comment 1 Ganesh 2006-03-02 22:59:32 PST
Attaching the full stack trace information:
===========================================

(dbx) t
pthread_kill(??, ??) at 0x90000000040b214
_p_raise(??) at 0x90000000040ac68
unnamed block in FatalSignalHandler(int)(0xb0000000b), line 206 in "nsProfileLock.cpp"
FatalSignalHandler(int)(0xb0000000b), line 206 in "nsProfileLock.cpp"
unnamed block in LoadExtraSharedLibs()(), line 235 in "nsPluginsDirUnix.cpp"
unnamed block in LoadExtraSharedLibs()(), line 235 in "nsPluginsDirUnix.cpp"
LoadExtraSharedLibs()(), line 235 in "nsPluginsDirUnix.cpp"
LoadPlugin(PRLibrary*&)(0xfffffffffff9bf0, 0xfffffffffff9cb8), line 405 in "nsPluginsDirUnix.cpp"
unnamed block in ScanPluginsDirectory(nsIFile*,nsIComponentManager*,int,int*,int)(0x11138bfb0, 0x111397490, 0x1106814f0, 0x100000001, 0xfffffffffff9dfc, 0x0), line 4941 in "nsPluginHostImpl.cpp"
unnamed block in ScanPluginsDirectory(nsIFile*,nsIComponentManager*,int,int*,int)(0x11138bfb0, 0x111397490, 0x1106814f0, 0x100000001, 0xfffffffffff9dfc, 0x0), line 4941 in "nsPluginHostImpl.cpp"
unnamed block in ScanPluginsDirectory(nsIFile*,nsIComponentManager*,int,int*,int)(0x11138bfb0, 0x111397490, 0x1106814f0, 0x100000001, 0xfffffffffff9dfc, 0x0), line 4941 in "nsPluginHostImpl.cpp"
ScanPluginsDirectory(nsIFile*,nsIComponentManager*,int,int*,int)(0x11138bfb0, 0x111397490, 0x1106814f0, 0x100000001, 0xfffffffffff9dfc, 0x0), line 4941 in "nsPluginHostImpl.cpp"
unnamed block in ScanPluginsDirectoryList(nsISimpleEnumerator*,nsIComponentManager*,int,int*,int)(0x11138bfb0, 0x111391b90, 0x1106814f0, 0x100000001, 0xfffffffffff9ec0, 0x0), line 5039 in "nsPluginHostImpl.cpp"
ScanPluginsDirectoryList(nsISimpleEnumerator*,nsIComponentManager*,int,int*,int)(0x11138bfb0, 0x111391b90, 0x1106814f0, 0x100000001, 0xfffffffffff9ec0, 0x0), line 5039 in "nsPluginHostImpl.cpp"
FindPlugins(int,int*)(0x11138bfb0, 0x100000001, 0xfffffffffff9ff0), line 5122 in "nsPluginHostImpl.cpp"
LoadPlugins()(0x11138bfb0), line 5059 in "nsPluginHostImpl.cpp"
ReloadPlugins(int)(0x11138bfb0, 0x0), line 2680 in "nsPluginHostImpl.cpp"
unnamed block in nsPluginArray.Refresh(int)(0x11138b9d0, 0x0), line 200 in "nsPluginArray.cpp"
nsPluginArray.Refresh(int)(0x11138b9d0, 0x0), line 200 in "nsPluginArray.cpp"
nsPluginArray.Refresh()(0x11138b9d0), line 259 in "nsPluginArray.cpp"
XPTC_InvokeByIndex() at 0x9000000006fa964
unnamed block in CallMethod(XPCCallContext&,XPCWrappedNative::CallMode)(0xfffffffffffaa38, 0x0), line 2138 in "xpcwrappednative.cpp"
CallMethod(XPCCallContext&,XPCWrappedNative::CallMode)(0xfffffffffffaa38, 0x0), line 2138 in "xpcwrappednative.cpp"
XPC_WN_CallMethod(JSContext*,JSObject*,unsigned int,long*,long*)(0x111188350, 0x110cd7ef0, 0x100000001, 0x1113beea8, 0xfffffffffffac40), line 1444 in "xpcwrappednativejsops.cpp"
js_Invoke(0x111188350, 0x100000001, 0x0), line 1177 in "jsinterp.c"
js_Interpret(0x111188350, 0x1113f266b, 0xfffffffffffc0f0), line 3522 in "jsinterp.c"
js_Execute(0x111188350, 0x110cb4380, 0x1113f25f0, 0x0, 0x0, 0xfffffffffffc2f8), line 1423 in "jsinterp.c"
JS_EvaluateUCScriptForPrincipals(0x111188350, 0x110cb4380, 0x11081f978, 0x1113bd238, 0xd0700000d07, 0xfffffffffffc4b8, 0x3a0000003a, 0xfffffffffffc2f8), line 4103 in "jsapi.c"
unnamed block in EvaluateString(const nsAString_internal&,void*,nsIPrincipal*,const char*,unsigned int,const char*,nsAString_internal*,int*)(0x111186370, 0xfffffffffffc668, 0x110cb4380, 0x11081f970, 0xfffffffffffc4b8, 0x3a0000003a, 0x900000000537d28, 0x0), line 1054 in "nsJSEnvironment.cpp"
unnamed block in EvaluateString(const nsAString_internal&,void*,nsIPrincipal*,const char*,unsigned int,const char*,nsAString_internal*,int*)(0x111186370, 0xfffffffffffc668, 0x110cb4380, 0x11081f970, 0xfffffffffffc4b8, 0x3a0000003a, 0x900000000537d28, 0x0), line 1054 in "nsJSEnvironment.cpp"
EvaluateString(const nsAString_internal&,void*,nsIPrincipal*,const char*,unsigned int,const char*,nsAString_internal*,int*)(0x111186370, 0xfffffffffffc668, 0x110cb4380, 0x11081f970, 0xfffffffffffc4b8, 0x3a0000003a, 0x900000000537d28, 0x0), line 1054 in "nsJSEnvironment.cpp"
EvaluateScript(nsScriptLoadRequest*,const nsString&)(0x110e6bab0, 0x11135d570, 0xfffffffffffc668), line 756 in "nsScriptLoader.cpp"
ProcessRequest(nsScriptLoadRequest*)(0x110e6bab0, 0x11135d570), line 659 in "nsScriptLoader.cpp"
ProcessScriptElement(nsIScriptElement*,nsIScriptLoaderObserver*)(0x110e6bab0, 0x11135d318, 0x11135d310), line 594 in "nsScriptLoader.cpp"
unnamed block in MaybeProcessScript()(0x11135d2d0), line 659 in "nsHTMLScriptElement.cpp"
MaybeProcessScript()(0x11135d2d0), line 659 in "nsHTMLScriptElement.cpp"
BindToTree(nsIDocument*,nsIContent*,nsIContent*,int)(0x11135d2d0, 0x110e69b50, 0x11135ce10, 0x0, 0x100000001), line 453 in "nsHTMLScriptElement.cpp"
AppendChildTo(nsIContent*,int)(0x11135ce10, 0x11135d2d0, 0x0), line 2802 in "nsGenericElement.cpp"
ProcessSCRIPTTag(const nsIParserNode&)(0x110eb6cb0, 0x111311140), line 4160 in "nsHTMLContentSink.cpp"
AddLeaf(const nsIParserNode&)(0x110eb6cb0, 0x111311140), line 3030 in "nsHTMLContentSink.cpp"
unnamed block in AddLeaf(const nsIParserNode*)(0x111155310, 0x111311140), line 3572 in "CNavDTD.cpp"
AddLeaf(const nsIParserNode*)(0x111155310, 0x111311140), line 3572 in "CNavDTD.cpp"
HandleScriptToken(const nsIParserNode*)(0x111155310, 0x111311140), line 2173 in "CNavDTD.cpp"
OpenContainer(const nsCParserNode*,nsHTMLTag,int,nsEntryStack*)(0x111155310, 0x111311140, 0x5200000052, 0x100000001, 0x0), line 3225 in "CNavDTD.cpp"
HandleDefaultStartToken(CToken*,nsHTMLTag,nsCParserNode*)(0x111155310, 0x111326758, 0x5200000052, 0x111311140), line 1281 in "CNavDTD.cpp"
unnamed block in HandleStartToken(CToken*)(0x111155310, 0x111326758), line 1668 in "CNavDTD.cpp"
unnamed block in HandleStartToken(CToken*)(0x111155310, 0x111326758), line 1668 in "CNavDTD.cpp"
HandleStartToken(CToken*)(0x111155310, 0x111326758), line 1668 in "CNavDTD.cpp"
unnamed block in HandleToken(CToken*,nsIParser*)(0x111155310, 0x0, 0x110e6b210), line 955 in "CNavDTD.cpp"
unnamed block in HandleToken(CToken*,nsIParser*)(0x111155310, 0x0, 0x110e6b210), line 955 in "CNavDTD.cpp"
HandleToken(CToken*,nsIParser*)(0x111155310, 0x0, 0x110e6b210), line 955 in "CNavDTD.cpp"
unnamed block in BuildModel(nsIParser*,nsITokenizer*,nsITokenObserver*,nsIContentSink*)(0x111155310, 0x110e6b210, 0x11113b290, 0x0, 0x110eb6d48), line 458 in "CNavDTD.cpp"
unnamed block in BuildModel(nsIParser*,nsITokenizer*,nsITokenObserver*,nsIContentSink*)(0x111155310, 0x110e6b210, 0x11113b290, 0x0, 0x110eb6d48), line 458 in "CNavDTD.cpp"
BuildModel(nsIParser*,nsITokenizer*,nsITokenObserver*,nsIContentSink*)(0x111155310, 0x110e6b210, 0x11113b290, 0x0, 0x110eb6d48), line 458 in "CNavDTD.cpp"
unnamed block in BuildModel()(0x110e6b210), line 2127 in "nsParser.cpp"
BuildModel()(0x110e6b210), line 2127 in "nsParser.cpp"
unnamed block in ResumeParse(int,int,int)(0x110e6b210, 0x100000001, 0x100000001, 0x100000001), line 1994 in "nsParser.cpp"
unnamed block in ResumeParse(int,int,int)(0x110e6b210, 0x100000001, 0x100000001, 0x100000001), line 1994 in "nsParser.cpp"
ResumeParse(int,int,int)(0x110e6b210, 0x100000001, 0x100000001, 0x100000001), line 1994 in "nsParser.cpp"
ContinueInterruptedParsing()(0x110e6b210), line 1472 in "nsParser.cpp"
ContinueParsing()(0x110e6b210), line 1450 in "nsParser.cpp"
unnamed block in SheetComplete(SheetLoadData*,int)(0x110e6af30, 0x111292030, 0x100000001), line 1452 in "nsCSSLoader.cpp"
unnamed block in SheetComplete(SheetLoadData*,int)(0x110e6af30, 0x111292030, 0x100000001), line 1452 in "nsCSSLoader.cpp"
SheetComplete(SheetLoadData*,int)(0x110e6af30, 0x111292030, 0x100000001), line 1452 in "nsCSSLoader.cpp"
ParseSheet(nsIUnicharInputStream*,SheetLoadData*,int&)(0x110e6af30, 0x111123650, 0x111292030, 0xfffffffffffe410), line 1384 in "nsCSSLoader.cpp"
OnStreamComplete(nsIUnicharStreamLoader*,nsISupports*,unsigned int,nsIUnicharInputStream*)(0x111292030, 0x111288a10, 0x0, 0x0, 0x111123650), line 806 in "nsCSSLoader.cpp"
unnamed block in OnStopRequest(nsIRequest*,nsISupports*,unsigned int)(0x111288a10, 0x1112bd750, 0x0, 0x0), line 194 in "nsUnicharStreamLoader.cpp"
OnStopRequest(nsIRequest*,nsISupports*,unsigned int)(0x111288a10, 0x1112bd750, 0x0, 0x0), line 194 in "nsUnicharStreamLoader.cpp"
unnamed block in OnStopRequest(nsIRequest*,nsISupports*,unsigned int)(0x1112bd750, 0x1112b8e90, 0x0, 0x0), line 711 in "nsJARChannel.cpp"
OnStopRequest(nsIRequest*,nsISupports*,unsigned int)(0x1112bd750, 0x1112b8e90, 0x0, 0x0), line 711 in "nsJARChannel.cpp"
OnStateStop()(0x1112b8e90), line 506 in "nsInputStreamPump.cpp"
unnamed block in OnInputStreamReady(nsIAsyncInputStream*)(0x1112b8e90, 0x111316bc8), line 343 in "nsInputStreamPump.cpp"
OnInputStreamReady(nsIAsyncInputStream*)(0x1112b8e90, 0x111316bc8), line 343 in "nsInputStreamPump.cpp"
unnamed block in EventHandler(PLEvent*)(0x111310338), line 119 in "nsStreamUtils.cpp"
EventHandler(PLEvent*)(0x111310338), line 119 in "nsStreamUtils.cpp"
PL_HandleEvent(0x111310338), line 688 in "plevent.c"
unnamed block in PL_ProcessPendingEvents(0x1106b1c30), line 623 in "plevent.c"
PL_ProcessPendingEvents(0x1106b1c30), line 623 in "plevent.c"
ProcessPendingEvents()(0x1106b1770), line 417 in "nsEventQueue.cpp"
event_processor_callback(_GIOChannel*,GIOCondition,void*)(0x110dcb450, 0x100000001, 0x1106b1770), line 67 in "nsAppShell.cpp"
g_io_unix_dispatch(0x110dcb4f0, 0x110581200, 0x1106b1770) at 0x9000000010b2524
g_main_dispatch(0x11067e330) at 0x900000001066f54
g_main_context_dispatch(0x11067e330) at 0x90000000106c03c
g_main_context_iterate(0x11067e330, 0x100000001, 0x100000001, 0x1108d8090) at 0x900000001066b68
g_main_loop_run(0x110bf22b0) at 0x90000000106b5a4
gtk_main(), line 976 in "gtkmain.c"
Run()(0x1107f2870), line 139 in "nsAppShell.cpp"
unnamed block in Run()(0x1107f27d0), line 150 in "nsAppStartup.cpp"
Run()(0x1107f27d0), line 150 in "nsAppStartup.cpp"
unnamed block in XRE_main(0x100000001, 0xffffffffffff9a0, 0x1104992c0), line 2313 in "nsAppRunner.cpp"
unnamed block in XRE_main(0x100000001, 0xffffffffffff9a0, 0x1104992c0), line 2313 in "nsAppRunner.cpp"
unnamed block in XRE_main(0x100000001, 0xffffffffffff9a0, 0x1104992c0), line 2313 in "nsAppRunner.cpp"
unnamed block in XRE_main(0x100000001, 0xffffffffffff9a0, 0x1104992c0), line 2313 in "nsAppRunner.cpp"
XRE_main(0x100000001, 0xffffffffffff9a0, 0x1104992c0), line 2313 in "nsAppRunner.cpp"
main(argc = 1, argv = 0x0ffffffffffff9a0), line 61 in "nsBrowserApp.cpp"
Comment 2 Ganesh 2006-03-03 01:38:21 PST
When the browser fails to load the plugin at
http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginsDirUnix.cpp#219

then the value of 'sonameListToSave' will be NULL. So accessing the value of sonameListToSave at http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginsDirUnix.cpp#235

causes the browser to crash. So we need to check the value of "sonameListToSave" against NULL before accessing its content.

Thanks,
Ganesh.

Comment 3 Ganesh 2006-03-03 01:48:03 PST
Created attachment 213878 [details] [diff] [review]
Patch
Comment 4 Philip K. Warren 2006-03-03 07:33:46 PST
Comment on attachment 213878 [details] [diff] [review]
Patch

Ganesh -

This patch should be reviewed by one of the peer reviewers first. Also, for branch approval you need to ask for it, and one of the Mozilla.org drivers will decide whether the patch should be taken for the branch or not.
Comment 5 timeless 2006-03-03 08:08:45 PST
Comment on attachment 213878 [details] [diff] [review]
Patch

Is the problem that sonameListToSave[0] = 0? if so, a check of that would be much better than an extra call to PL_strlen.
Comment 6 Ganesh 2006-03-06 22:27:02 PST
Yes, the problem is with char sonameListToSave[PLUGIN_MAX_LEN_OF_TMP_ARR] = "";. Since the call to the "LoadExtraSharedLib" function at ln:219 fails, the value of "sonameListToSave" won't be set to anything.

http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginsDirUnix.cpp#219

So accessing its value (NULL) at ln:235 causes the browser to crash.

http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginsDirUnix.cpp#235

In the previously posted patch, I ensured that the length of "sonameListToSave" is greater than zero before accessing its value. Alternatively, we can do a string compare against "" (empty string) using strcmp or PL_strcmp.

Let me know your comment on the same.

Thanks,
Ganesh.
Comment 7 timeless 2006-03-07 09:12:33 PST
just use if (sonameListToSave[0]) or if (!sonameListToSave[0]) unless the file's style happens to like explicit compares of char against '\0' or 0 or nsnull (it has no business comparing char against nsnull, but...).
Comment 8 Ganesh 2006-03-12 21:30:22 PST
Created attachment 214873 [details] [diff] [review]
New patch with timeless comment
Comment 9 timeless 2006-03-13 08:52:35 PST
Comment on attachment 214873 [details] [diff] [review]
New patch with timeless comment

>Index: nsPluginsDirUnix.cpp
>===================================================================
>RCS file: /cvsroot/mozilla/modules/plugin/base/src/nsPluginsDirUnix.cpp,v
>retrieving revision 1.38
>diff -u -3 -p -r1.38 nsPluginsDirUnix.cpp
>--- nsPluginsDirUnix.cpp	21 Sep 2005 19:14:30 -0000	1.38
>+++ nsPluginsDirUnix.cpp	13 Mar 2006 05:23:54 -0000
>@@ -232,8 +232,11 @@ static void LoadExtraSharedLibs()
>                         arrayOfLibs[i][PL_strlen(arrayOfLibs[i])] = ':'; //restore ":" in sonameList
>                 }
>             }
>-            for (p = &sonameListToSave[PL_strlen(sonameListToSave) - 1]; *p == ':'; p--)
>-                *p = 0; //delete tail ":" delimiters
>+
>+            // Check whether sonameListToSave is a empty String, Bug: 329205
>+            if (sonameListToSave[0]) 
>+                for (p = &sonameListToSave[PL_strlen(sonameListToSave) - 1]; *p == ':'; p--)
>+                    *p = 0; //delete tail ":" delimiters
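Review bot: the new sonameListToSave[0] check stops the loop from starting at &sonameListToSave[PL_strlen(sonameListToSave) - 1] when the length is 0, but the loop condition still has no lower bound, so a list consisting only of ':' characters (each iteration clears one and steps back) walks p before the start of the array and reads and writes whatever sits there. Keep the empty check and also bound the walk: `for (p = &sonameListToSave[PL_strlen(sonameListToSave) - 1]; p >= sonameListToSave && *p == ':'; p--)`. Two smaller points in the same hunk: the added comment should read "an empty string" rather than "a empty String", and the nested `for` under an unbraced `if` would be clearer with braces.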

ok, i'm finally starting to read this code, and i'm getting really scared. (i'm very sorry i didn't read it earlier, the last time i tried to read the code i got distracted by mismatched allocators.)

if the loop was:
for (p = &sonameListToSave[PL_strlen(sonameListToSave) - 1]; p >= sonameListToSave && *p == ':'; p--)
    *p = 0; //delete tail ":" delimiters

would the crash have happened?

what happens if my sonameListToSave is ":::::::::::::" and the character before the address referenced by sonameListToSave is also ':'? isn't this code just randomly reading and corrupting memory if it decides that it likes it?
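An added example, not code from this bug or from Mozilla's tree: it models the trailing-':' trimming loop that comment 2 and comment 9 discuss using plain C strings (strlen in place of PL_strlen) and puts a bounded version beside it. The function names, LIST_CAPACITY (the page names PLUGIN_MAX_LEN_OF_TMP_ARR but not its value) and the library name libexample.so are assumptions. The underrun check reproduces the pointer walk as index arithmetic, so it reports where the original and patched loops would step before the buffer without actually touching that memory.

```c
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed-size list. The page names the constant
 * PLUGIN_MAX_LEN_OF_TMP_ARR (comment 6) but not its value; 1024 is an
 * assumption for this example. */
#define LIST_CAPACITY 1024

/* Models the loop from attachment 214873, without touching memory:
 *   if (list[0])
 *       for (p = &list[strlen(list) - 1]; *p == ':'; p--) *p = 0;
 * Returns 1 if p would move before list[0].
 * guard == 0 models the unpatched loop (comment 2): strlen("") - 1 puts p
 * outside the buffer before the first read.
 * guard == 1 models the patched loop, which still has no lower bound, so a
 * list made only of ':' walks p off the front (comment 9). */
static int unbounded_loop_underruns(const char *list, int guard)
{
    long i;
    if (guard && list[0] == '\0')
        return 0;                      /* patched code skips the loop */
    i = (long)strlen(list) - 1;        /* -1 for an empty list */
    if (i < 0)
        return 1;                      /* original crash: p = &list[-1] */
    while (i >= 0 && list[i] == ':')
        i--;                           /* each ':' is cleared, p steps back */
    return i < 0;                      /* all ':' -> next read is list[-1] */
}

/* Hardened trim: same effect as the page's loop, but the length is checked
 * before every step, so neither an empty list nor an all-':' list reads or
 * writes before the buffer. Returns the trimmed length. */
static size_t trim_trailing_colons(char *list)
{
    size_t len = strlen(list);
    while (len > 0 && list[len - 1] == ':')
        list[--len] = '\0';
    return len;
}

/* Appends "<soname>:" the way the page's PL_strcat pair (lines 225-226) does,
 * but refuses instead of overflowing the fixed buffer. Returns 1 on success. */
static int append_soname(char *list, size_t cap, const char *soname)
{
    size_t len = strlen(list), add = strlen(soname);
    if (len + add + 2 > cap)           /* room for ':' and the terminating NUL */
        return 0;
    memcpy(list + len, soname, add);
    list[len + add] = ':';
    list[len + add + 1] = '\0';
    return 1;
}

/* Builds "<a>:<b>:" in a fresh buffer, trims it, and returns 1 only if the
 * result is exactly "<a>:<b>". */
static int round_trip_ok(const char *a, const char *b)
{
    char buf[LIST_CAPACITY] = "", want[LIST_CAPACITY];
    if (!append_soname(buf, sizeof buf, a) || !append_soname(buf, sizeof buf, b))
        return 0;
    snprintf(want, sizeof want, "%s:%s", a, b);
    return trim_trailing_colons(buf) == strlen(want) && strcmp(buf, want) == 0;
}

/* Trims a copy of `list` and returns its new length. */
static size_t trimmed_len(const char *list)
{
    char buf[LIST_CAPACITY];
    snprintf(buf, sizeof buf, "%s", list);
    return trim_trailing_colons(buf);
}

/* Returns 1 if "<soname>:" fits into an empty buffer of `cap` bytes. */
static int append_fits(const char *soname, size_t cap)
{
    char buf[LIST_CAPACITY] = "";
    return cap <= sizeof buf && append_soname(buf, cap, soname);
}

int main(void)
{
    /* Constructed inputs; only libjavaplugin_oji.so is a name from the bug. */
    printf("unpatched, empty list: underrun=%d\n", unbounded_loop_underruns("", 0));
    printf("patched, empty list:   underrun=%d\n", unbounded_loop_underruns("", 1));
    printf("patched, all colons:   underrun=%d\n", unbounded_loop_underruns(":::::", 1));
    printf("hardened round trip:   ok=%d\n", round_trip_ok("libjavaplugin_oji.so", "libexample.so"));
    printf("hardened, all colons:  len=%zu\n", trimmed_len(":::"));
    return 0;
}
```

The bounded trim keeps a count rather than a pointer, which is the shape timeless's suggested `p >= sonameListToSave` condition gives once written without pointer arithmetic; the capacity-checked append is the other half of the same buffer, since PL_strcat into a fixed array has no check of its own.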
Comment 10 Ganesh 2006-03-13 22:01:38 PST
(In reply to comment #9)
=========================

I feel the value of sonameListToSave will never be set as ":::::::::::::". The
value of sonameListToSave
will be set only in line no: 225 and line no:226.
http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginsDirUnix.cpp#225
225                         PL_strcat(sonameListToSave, p);
226                         PL_strcat(sonameListToSave,":");

This value will be set only when the function LoadExtraSharedLib() loads the .so
file successfully. So either the value of arrayOfLibs[i] or soname is not a NULL
value. If both are NULL, the LoadExtraSharedLib() function will fail to load.
http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginsDirUnix.cpp#219

So when LoadExtraSharedLib() function loads the .so file successfully, the value
of soname or arrayOfLibs[i] will be copied to p, which will then strcat to 
sonameListToSave along with the delimiter ":"
http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginsDirUnix.cpp#221
221                     p = soname ? soname : arrayOfLibs[i];

So the value of sonameListToSave will never be set as ":::::::::::::" and it can
be either NULL or like "<libname1.so>:<libname2.so>:" format and we are deleting
this tail ":" delimiter in line no:236
http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginsDirUnix.cpp#235

Comment 11 timeless 2006-03-30 22:49:51 PST
Comment on attachment 214873 [details] [diff] [review]
New patch with timeless comment

grumble, i know i've written a number of other comments for this bug. i must keep failing to commit them.

i really would like to see some portion of this code replaced w/ mozilla's string classes.

but this will do for now.
Comment 12 Mike Kaply [:mkaply] 2006-04-07 08:45:47 PDT
Fixed on trunk.
Comment 13 Daniel Veditz [:dveditz] 2006-04-12 11:53:40 PDT
Comment on attachment 214873 [details] [diff] [review]
New patch with timeless comment

Please get approval and land on the 1.8 branch before we evaluate for the 1.8.0 branch. Then we like to see some testing time before we approve things.
Comment 14 Daniel Veditz [:dveditz] 2006-04-21 14:04:19 PDT
Comment on attachment 214873 [details] [diff] [review]
New patch with timeless comment

approved for 1.8.0 branch, a=dveditz for drivers
Comment 15 Wolfgang Rosenauer [:wolfiR] 2006-04-23 22:09:48 PDT
checked into both branches
