Closed
Bug 330100
Opened 19 years ago
Closed 16 years ago
Modifying the innerHTML of the body by a JavaScript function invoked by Flash crashes Firefox [@ NPSWF32.dll + 0xdaa8][@ Flash_EnforceLocalSecurity + 375376]
Categories
(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)
External Software Affecting Firefox Graveyard
Flash (Adobe)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: bugs+mozilla, Assigned: msintov)
References
()
Details
(Keywords: crash, helpwanted)
Crash Data
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060214 Camino/1.0
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060310 Firefox/1.6a1
A JavaScript function is invoked through
Flash' fscommand() method. This function appends an empty string to the
innerHTML of the body element, which contains a Flash movie in an embed tag.
Upon doing this, Firefox crashes.
See
<http://tests.novemberborn.net/browsers/safari/fscommand-redraw/crash.html>.
This bug was observed with Flash 8.0.22. The same problem occurs in Safari, see <http://bugzilla.opendarwin.org/show_bug.cgi?id=7707> for the bug report.
Reproducible: Always
Steps to Reproduce:
1. Load <http://tests.novemberborn.net/browsers/safari/fscommand-redraw/crash.html>
2. Confirm the JavaScript popup
Actual Results:
Firefox crashes.
Expected Results:
The document shouldn't have been changed, and Firefox shouldn't have crashed.
Reporter | ||
Comment 1•19 years ago
|
||
Reporter | ||
Comment 2•19 years ago
|
||
Comment 3•19 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060309 Firefox/1.6a1
It crashes also in Windows
TB16225408E TB16225394H
OS: MacOS X → All
Hardware: Macintosh → All
Comment 4•19 years ago
|
||
Looks like a flash problem?
Incident ID: 16225408
Stack Signature NPSWF32.dll + 0xdaa8 (0x3000daa8) 65f3a7ce
Product ID FirefoxTrunk
Build ID 2006030908
Trigger Time 2006-03-11 05:36:37.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module NPSWF32.dll + (0000daa8)
URL visited
User Comments
Since Last Crash 10 sec
Total Uptime 68499 sec
Trigger Reason Access violation
Source File, Line No. N/A
Stack Trace
NPSWF32.dll + 0xdaa8 (0x3000daa8)
NPSWF32.dll + 0x81469 (0x30081469)
NPSWF32.dll + 0x824b9 (0x300824b9)
NPSWF32.dll + 0x82932 (0x30082932)
Severity: normal → critical
Keywords: crash
Component: General → Plug-ins
Product: Firefox → Core
QA Contact: general → plugins
Summary: [CRASH] Modifying the innerHTML of the body by a JavaScript function invoked by Flash crashes Firefox → [CRASH] Modifying the innerHTML of the body by a JavaScript function invoked by Flash crashes Firefox [@ NPSWF32.dll + 0xdaa8][@ Flash_EnforceLocalSecurity + 375376]
Version: unspecified → Trunk
Updated•19 years ago
|
Summary: [CRASH] Modifying the innerHTML of the body by a JavaScript function invoked by Flash crashes Firefox [@ NPSWF32.dll + 0xdaa8][@ Flash_EnforceLocalSecurity + 375376] → Modifying the innerHTML of the body by a JavaScript function invoked by Flash crashes Firefox [@ NPSWF32.dll + 0xdaa8][@ Flash_EnforceLocalSecurity + 375376]
Assignee | ||
Comment 5•19 years ago
|
||
Yes, indeed this looks like a Flash Player crash. We will investigate a fix. Thanks so much for the report.
Updated•19 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 6•19 years ago
|
||
This should be fixed in the latest Flash Player 9 beta release (9r2), found here: http://labs.adobe.com/technologies/flashplayer9/
Assignee: nobody → msintov
Reporter | ||
Comment 7•19 years ago
|
||
Confirmed to be fixed with Flash 9 and Safari 419.3.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 8•19 years ago
|
||
Apologies, I'm suffering from jet lag and confused the Mozilla bugzilla with the Webkit bugzilla.
I could not verify this in Firefox 1.5.0.4 with Flash 9.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 9•19 years ago
|
||
Mark: to confirm, you still see a crash on Mac PPC?
Reporter | ||
Comment 10•19 years ago
|
||
Michelle, I'm afraid that's still the case. On the upside, the bug no longer occurs in Safari, see https://bugzilla.opendarwin.org/show_bug.cgi?id=7707
Assignee | ||
Comment 11•19 years ago
|
||
Doh, thanks Mark, I do see the crash. We will re-investigate.
Comment 12•18 years ago
|
||
I'm pretty sure the issue is now in Firefox. We call NPN_Invoke, which triggers the JavaScript function in the page, which replaces the innerhtml with " ". That causes the browser to unload the player and call NPP_Destroy. Here's where things get interesting. In Safari execution then returns to the player where we called out to NPN_Invoke as the stack unwinds. We've put code in the player to detect the case where we've been blown away during that call and shut down gracefully. But in Firefox the stack never unwinds - we call out to NPN_Invoke, Firefox calls NPP_Destroy, then Firefox crashes somewhere without returning from NPN_Invoke. Can someone debug this on the Firefox side to see what's going on?
Comment 13•18 years ago
|
||
you can have symbols for our builds, we don't really have symbols for yours, which makes life slightly harder.
Comment 14•18 years ago
|
||
Are people seeing the crash on trunk too? Or just on the 1.8 branches?
Comment 15•18 years ago
|
||
I'm not set up to build Firefox - hoping that someone who is can throw some light on this much more quickly than I'm able to, given that the crash is now in FireFox code.
Comment 16•18 years ago
|
||
(In reply to comment #14)
> Are people seeing the crash on trunk too? Or just on the 1.8 branches?
Yes, I'm seeing this with current trunk builds, too, talkback ID: TB21844976X
Comment 17•18 years ago
|
||
That crash is in the plugin. That doesn't match comment 12 (unless there are more bugs here in the plugin itself?).
Comment 18•18 years ago
|
||
In flash player 8 there was a crash in the player. We fixed that in player 9, where we now see a crash in Firefox as described in post 12.
Comment 19•18 years ago
|
||
Here's the last callstack with the Flash Player involved:
> NPSWF32.dll!PlatformPlayerProc(HWND__ * hWnd=0x002b09da, unsigned int message=1025, unsigned int uParam=1, long lParam=0) Line 113 C++
user32.dll!77d48734()
user32.dll!77d48816()
kernel32.dll!7c80cb22()
user32.dll!77d4c63f()
user32.dll!77d4e905()
firefox.exe!0050883a()
xpcom_core.dll!6037e24b()
xpcom_core.dll!6037e1c7()
xpcom_core.dll!6037e68f()
user32.dll!77d48734()
user32.dll!77d48816()
user32.dll!77d489cd()
user32.dll!77d49402()
user32.dll!77d48a10()
firefox.exe!00519492()
firefox.exe!00800d45()
firefox.exe!004020f8()
ntdll.dll!7c915b4f()
firefox.exe!00450048()
msvcrt.dll!77c3412a()
ntdll.dll!7c95db5c()
ntdll.dll!7c96cd11()
ntdll.dll!7c96e707()
ntdll.dll!7c94976b()
firefox.exe!009082d6()
msvcrt.dll!77c2c024()
firefox.exe!00401012()
firefox.exe!0040102e()
firefox.exe!00907f16()
ntdll.dll!7c915b4f()
kernel32.dll!7c816d4f()
ntdll.dll!7c915b4f()
kernel32.dll!7c8399f3()
After that we step through assembly for a while, unwinding the stack, and then crash with this stack:
> ntdll.dll!7c901010()
nspr4.dll!60194857()
xpcom_core.dll!6037e25d()
xpcom_core.dll!6037e1c7()
xpcom_core.dll!6037e68f()
user32.dll!77d48734()
user32.dll!77d48816()
user32.dll!77d489cd()
user32.dll!77d49402()
user32.dll!77d48a10()
firefox.exe!00519492()
firefox.exe!00800d45()
firefox.exe!004020f8()
ntdll.dll!7c915b4f()
firefox.exe!00450048()
msvcrt.dll!77c3412a()
ntdll.dll!7c95db5c()
ntdll.dll!7c96cd11()
ntdll.dll!7c96e707()
ntdll.dll!7c94976b()
firefox.exe!009082d6()
msvcrt.dll!77c2c024()
firefox.exe!00401012()
firefox.exe!0040102e()
firefox.exe!00907f16()
ntdll.dll!7c915b4f()
kernel32.dll!7c816d4f()
ntdll.dll!7c915b4f()
kernel32.dll!7c8399f3()
I'd like to update comment 12 a bit based on this debugging run. We called out to NPN_Invoke, during the invoke Firefox called back into us with NPP_Destroy. NPN_Invoke did return afterwards to player code, we detected that NPP_Destroy had been called, popped back up to the top of the stack and returned back to Firefox, which then crashed as shown above.
Comment 20•18 years ago
|
||
jmott: you know that you can get symbols for the microsoft frames. assuming this is actually crashing in older firefoxes, then you can use http://developer.mozilla.org/en/docs/How_to_get_a_stacktrace_with_WinDbg to get a firefox for which youo can have symbol information too (it explains how to setup symbols from microsoft too, so even if you choose not to use that build, at least you can have symbols for the win32 frames).
Comment 21•18 years ago
|
||
I attempted to install Flash 9 on a Win2k system to debug this, and it completely failed -- Firefox is not seeing the plugin. This is for both the Firefox plugin wizard and the download off the macromedia website.... :(
Gavin, can you reproduce this?
Keywords: helpwanted
Comment 22•18 years ago
|
||
(In reply to comment #21)
> Gavin, can you reproduce this?
I can, in an opt build, but getting useful information out of my debug build has proven difficult (trying it with a debugger attached results in an infinite loop of alerts and no crash). Without the debugger attached, the "plugin performed an illegal operation" dialog, and then above that I get the "if you do this you'll crash" dialog multiple times, seemingly in an infinite loop. I hit multiple assertions as I accept/cancel the prompts:
http://lxr.mozilla.org/seamonkey/source/modules/plugin/base/src/nsPluginHostImpl.cpp#6235
then:
http://lxr.mozilla.org/seamonkey/source/content/xul/document/src/nsXULPrototypeDocument.cpp#846
then:
http://lxr.mozilla.org/seamonkey/source/xpcom/glue/nsISupportsImpl.h#726
http://lxr.mozilla.org/seamonkey/source/xpcom/glue/nsISupportsImpl.h#146
(from http://lxr.mozilla.org/seamonkey/source/xpcom/glue/nsThreadUtils.cpp#51).
so it seems like there's a threading issue of some sort.
I guess I could try with a build from before Darin's threadmanager landing.
I also hit http://lxr.mozilla.org/seamonkey/source/xpfe/appshell/src/nsXULWindow.cpp#407 after hitting "OK" on the "Illegal Operation" dialog, but I don't think that's relevant to this bug.
Comment 23•18 years ago
|
||
Once you get assertion alerts up, we can reenter the event loop, and all sorts of weird stuff can happen....
If you can reproduce with an opt build (and a flash 9), do you get talkback? If so, what's the incident id?
Comment 24•18 years ago
|
||
TB22401312Y, which looks like a crash in the plugin. With a debug build and XPCOM_DEBUG_BREAK=warn, I crash at http://pastebin.mozilla.org/134 - not really useful. That crash occurs after repeatedly clicking "OK" to the seemingly never ending prompts, so it's probably unrelated.
Comment 25•17 years ago
|
||
WFM Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12 Shockwave Flash 9.0 r115
tested URL, clicking multiple times, reloading and shift-reloading.
http://tests.novemberborn.net/browsers/safari/fscommand-redraw/crash.html
Comment 26•16 years ago
|
||
Works fine for me too with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090616 Firefox/3.5 ID:20090616212246
Due to there was no more report I believe we can close this bug as WFM. If anyone is able to reproduce the crash with the latest Shiretoko/Minefield build and Flash 10.0.22.87 installed feel free to reopen. Thanks.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 16 years ago
Resolution: --- → WORKSFORME
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Version: Trunk → unspecified
Updated•14 years ago
|
Crash Signature: [@ NPSWF32.dll + 0xdaa8]
[@ Flash_EnforceLocalSecurity + 375376]
Updated•2 years ago
|
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•