Closed Bug 333504 Opened 19 years ago Closed 9 years ago

firefox and thunderbird crashes with shdocvw.dll on the stack [@ 0x00000000]

Categories

(Core :: General, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED INVALID

People

(Reporter: chofmann, Unassigned)

Details

(Keywords: crash)

Crash Data

this query shows about 3000 crashes with shdocvw.dll on the stack...
http://talkback-reports.mozilla.org/search/private.jsp?search=1&searchby=stack&match=contains&searchfor=SHDOCVW.DLL&vendor=MozillaOrg&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=stack

this .dll is part of IE
http://msdn.microsoft.com/workshop/browser/overview/Overview.asp

what makes me nervous is this .dll has been the target of virus attacks.
http://antivirus.about.com/od/virusdescriptions/a/bofra.htm

Might be worth some more investigation to figure out why these reports are showing up in both Firefox and Thunderbird. With Firefox there is some speculation that the .dll is loaded by some of the IE extensions or plugins that might also load part of IE, but with Thunderbird it's not understood how this .dll could get on the stack...

Firefox stacks look like

0x00000000
destroyTimerEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 468]
shdocvw.dll + 0x150c24 (0x778b0c24)
nsHTMLFormElement::GetPositionInGroup [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 1548]
0x20982ddc
-- Used IE View extension to open a page in IE. That was probably the problem.

0x00000000
destroyTimerEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 468]
shdocvw.dll + 0x150c24 (0x778b0c24)
nsHTMLFormElement::GetAcceptCharset [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 531]
0xc9330000

0x00000000
destroyTimerEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 468]
shdocvw.dll + 0xc0c24 (0x778b0c24)
nsSubDocumentFrame::QueryInterface [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 198]
0x9e890000

0x00000000
destroyTimerEvent [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 468]
shdocvw.dll + 0xc0c24 (0x778b0c24)
nsSubDocumentFrame::QueryInterface [c:/builds/tinderbox/Fx-Mozilla1.8.0/WINNT_5.2_Depend/mozilla/layout/generic/nsFrameFrame.cpp, line 198]
0x9e890000

Thunderbird crashes look mostly like

0x00000000
destroyTimerEvent [e:/builds/tinderbox/Tb-Mozilla1.8/WINNT_5.0_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp, line 468]
shdocvw.dll + 0x150c24 (0x778b0c24)
nsWebBrowserPersist::OnProgress [e:/builds/tinderbox/Tb-Mozilla1.8/WINNT_5.0_Depend/mozilla/embedding/components/webbrowserpersist/src/nsWebBrowserPersist.cpp, line 940]
0x1974c085

---- security-private until we have a better handle on what is going on...
Group: security
most of the comments for thunderbird reports have something to do with labeling messages...
Making security sensitive since that seems to be what chofmann intended, but does it need to be if all this is public on talkback? shdocvw.dll is a normal part of Windows; we load shell32.dll for a couple functions, and shell32.dll will load shdocvw.dll. Not sure when what we ask for would be delegated since the imported shdocvw.dll functions are by ordinal rather than symbolic names. Someone who's got the debugging windows kernel installed could figure it out.
I don't know if this is related, but labeling messages has always caused crashes for some users. I've always suspected it had something to do with having a context menu up whose action changes something under the context menu, while it's still up. On the trunk today, labeling messages generates the following assert/warning:

NS_NOTREACHED("frame was not removed from primary frame map before destruction or was readded to map after being removed");

NTDLL.DLL!7c901230()
[Frames below may be incorrect and/or missing, no symbols loaded for NTDLL.DLL]
> xpcom_core.dll!Break(const char * aMsg=0x0012deac) Line 471 C++
xpcom_core.dll!NS_DebugBreak_P(unsigned int aSeverity=0x00000001, const char * aStr=0x02f21858, const char * aExpr=0x02f2184c, const char * aFile=0x02f21818, int aLine=0x000002bd) Line 354 + 0xc bytes C++
gklayout.dll!nsFrameManager::NotifyDestroyingFrame(nsIFrame * aFrame=0x04bd8bc8) Line 701 + 0x1c bytes C++
gklayout.dll!PresShell::NotifyDestroyingFrame(nsIFrame * aFrame=0x04bd8bc8) Line 3074 C++
gklayout.dll!nsFrame::Destroy(nsPresContext * aPresContext=0x034dcb18) Line 644 C++
gklayout.dll!nsSplittableFrame::Destroy(nsPresContext * aPresContext=0x034dcb18) Line 74 C++
gklayout.dll!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x034dcb18) Line 165 + 0xd bytes C++
gklayout.dll!nsBoxFrame::Destroy(nsPresContext * aPresContext=0x034dcb18) Line 1086 C++
gklayout.dll!nsMenuPopupFrame::Destroy(nsPresContext * aPresContext=0x034dcb18) Line 2001 C++
gklayout.dll!nsPopupSetFrame::RemovePopupFrame(nsIFrame * aPopup=0x04bd8bc8) Line 717 C++
gklayout.dll!nsCSSFrameConstructor::ContentRemoved(nsIContent * aContainer=0x034df220, nsIContent * aChild=0x035e5b10, int aIndexInContainer=0x00000017, int aInReinsertContent=0x00000000) Line 10084 C++
gklayout.dll!nsCSSFrameConstructor::RecreateFramesForContent(nsIContent * aContent=0x035e5b10) Line 11703 + 0x1b bytes C++
gklayout.dll!nsCSSFrameConstructor::RestyleElement(nsIContent * aContent=0x035e5b10, nsIFrame * aPrimaryFrame=0x04bd8bc8, nsChangeHint aMinHint=0x00000000) Line 10600 C++
gklayout.dll!nsCSSFrameConstructor::ProcessOneRestyle(nsIContent * aContent=0x035e5b10, nsReStyleHint aRestyleHint=eReStyle_Self, nsChangeHint aChangeHint=0x00000000) Line 13422 C++
gklayout.dll!nsCSSFrameConstructor::AttributeChanged(nsIContent * aContent=0x035e5b10, int aNameSpaceID=0x00000000, nsIAtom * aAttribute=0x020b7d80, int aModType=0x00000003) Line 10801 C++
gklayout.dll!PresShell::AttributeChanged(nsIDocument * aDocument=0x032c92d0, nsIContent * aContent=0x035e5b10, int aNameSpaceID=0x00000000, nsIAtom * aAttribute=0x020b7d80, int aModType=0x00000003) Line 5171 C++
gklayout.dll!nsXULDocument::AttributeChanged(nsIContent * aElement=0x035e5b10, int aNameSpaceID=0x00000000, nsIAtom * aAttribute=0x020b7d80, int aModType=0x00000003) Line 1025 C++
gklayout.dll!nsXULElement::UnsetAttr(int aNameSpaceID=0x00000000, nsIAtom * aName=0x020b7d80, int aNotify=0x00000001) Line 1453 C++
gklayout.dll!nsPopupSetFrame::DestroyPopup(nsIFrame * aPopup=0x04bd8bc8, int aDestroyEntireChain=0x00000001) Line 449 C++
gklayout.dll!nsMenuPopupFrame::DismissChain() Line 1846 C++
gklayout.dll!nsMenuPopupFrame::DismissChain() Line 1857 C++
gklayout.dll!nsMenuFrame::Execute(nsGUIEvent * aEvent=0x0012f60c) Line 1673 C++
Should bug 220959, "crash [@ nsTimerImpl::Fire / destroyTimerEvent] if I assign a label to a thread", depend on this bug?
Severity: normal → critical
Keywords: crash
Whiteboard: [sg:investigate]
Product: Firefox → Core
QA Contact: general → general
Group: core-security
Whiteboard: [sg:investigate]
(In reply to comment #4)
> Should bug 220959, "crash [@ nsTimerImpl::Fire / destroyTimerEvent] if I assign
> a label to a thread", depend on this bug?

that bug is now WFM. And there are no destroyTimerEvent crashes in thunderbird.

There is however a small number of crashes with shdocvw.dll on the stack
http://crash-stats.mozilla.com/query/query?product=Thunderbird&version=ALL%3AALL&range_value=2&range_unit=weeks&date=07%2F24%2F2010+16%3A19%3A48&query_search=signature&query_type=contains&query=wininet.dll&build_id=&process_type=any&hang_type=any&do_query=1

one example from the list above is bp-15c983ad-075a-4471-a320-cc6dd2100714 v.3.1

0 wininet.dll wininet.dll@0x3670
1 wininet.dll wininet.dll@0x36b7
2 wininet.dll wininet.dll@0x63fd
3 wininet.dll wininet.dll@0x63b2
4 wininet.dll wininet.dll@0x72b0
5 shdocvw.dll shdocvw.dll@0x278f3
6 shdocvw.dll shdocvw.dll@0x953e2
7 shdocvw.dll shdocvw.dll@0x958a0
8 shdocvw.dll shdocvw.dll@0x15677
9 ole32.dll [thunk]:`vcall'{36,{flat}}' }'
10 ole32.dll ActivationPropertiesIn::DelegateCreateInstance
11 ole32.dll CApartmentActivator::CreateInstance
12 ole32.dll CProcessActivator::CCICallback
13 ole32.dll CProcessActivator::AttemptActivation
14 ole32.dll CProcessActivator::ActivateByContext
15 ole32.dll CProcessActivator::CreateInstance
16 ole32.dll ActivationPropertiesIn::DelegateCreateInstance
17 ole32.dll CClientContextActivator::CreateInstance
18 ole32.dll ActivationPropertiesIn::DelegateCreateInstance
19 ole32.dll ActivationPropertiesOut::Initialize
20 ole32.dll CComActivator::DoCreateInstance

also bp-b58bb9b5-5f51-49f8-9c2b-e88262100724

0 webcheck.dll LoadSubscription
1 shdocvw.dll shdocvw.dll@0x87354
2 shdocvw.dll shdocvw.dll@0x87f96
3 shell32.dll _InvokeInProcExec
4 shell32.dll CShellExecute::_ShellExecPidl
5 shell32.dll CShellExecute::_DoExecPidl
6 shell32.dll _aullrem
7 shell32.dll CShellExecute::ExecuteNormal
8 shell32.dll ShellExecuteNormal
9 shell32.dll ShellExecuteExW
10 thunderbird.exe nsMIMEInfoWin::LoadUriInternal uriloader/exthandler/win/nsMIMEInfoWin.cpp:328
11 thunderbird.exe nsMIMEInfoBase::LaunchWithURI uriloader/exthandler/nsMIMEInfoImpl.cpp:355
12 thunderbird.exe nsExternalHelperAppService::LoadURI uriloader/exthandler/nsExternalHelperAppService.cpp:908
13 thunderbird.exe nsExternalHelperAppService::LoadUrl uriloader/exthandler/nsExternalHelperAppService.cpp:846
14 xpcom_core.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
15 thunderbird.exe XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2722

bp-913d85e1-559d-45fa-ad49-c91e12100721 npCoralIETab.dll@0x33b20 is one example from the list of Firefox crashes
http://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&range_value=1&range_unit=days&date=07%2F24%2F2010+16%3A09%3A12&query_search=stack&query_type=contains&query=shdocvw.dll&build_id=&process_type=any&hang_type=any&do_query=1
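
An added example (not part of the bug's comments or of Mozilla's crash tooling): it parses the first twelve frames of report bp-b58bb9b5-5f51-49f8-9c2b-e88262100724 quoted above and walks down from the crash site to the first application frame, listing the system modules crossed on the way. The `APP_MODULES` set and the function names are assumptions made for this illustration.

```python
import re

# Frames copied from report bp-b58bb9b5-5f51-49f8-9c2b-e88262100724 quoted above.
REPORT = """\
0 webcheck.dll LoadSubscription
1 shdocvw.dll shdocvw.dll@0x87354
2 shdocvw.dll shdocvw.dll@0x87f96
3 shell32.dll _InvokeInProcExec
4 shell32.dll CShellExecute::_ShellExecPidl
5 shell32.dll CShellExecute::_DoExecPidl
6 shell32.dll _aullrem
7 shell32.dll CShellExecute::ExecuteNormal
8 shell32.dll ShellExecuteNormal
9 shell32.dll ShellExecuteExW
10 thunderbird.exe nsMIMEInfoWin::LoadUriInternal uriloader/exthandler/win/nsMIMEInfoWin.cpp:328
11 thunderbird.exe nsMIMEInfoBase::LaunchWithURI uriloader/exthandler/nsMIMEInfoImpl.cpp:355
"""

# Assumption: modules counted as the application's own code.
APP_MODULES = {"thunderbird.exe", "firefox.exe", "xpcom_core.dll", "gklayout.dll"}

# "<index> <module> <symbol> [<source file>:<line>]"
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(.+?)(?:\s+(\S+:\d+))?$")

def parse_frames(text):
    """Parse crash-stats style frame lines into dicts; unparseable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            idx, module, symbol, source = m.groups()
            frames.append({"index": int(idx), "module": module.lower(),
                           "symbol": symbol, "source": source})
    return frames

def attribute_crash(frames, app_modules=APP_MODULES):
    """Walk down from frame 0 (the crash site) to the first application frame.

    Returns (crashing module, foreign modules crossed in order, app frame or None).
    """
    foreign = []
    for frame in frames:
        if frame["module"] in app_modules:
            return frames[0]["module"], foreign, frame
        if frame["module"] not in foreign:
            foreign.append(frame["module"])
    return (frames[0]["module"] if frames else None), foreign, None

if __name__ == "__main__":
    crashed_in, crossed, entry = attribute_crash(parse_frames(REPORT))
    print("crash in:", crashed_in)
    print("foreign modules on the stack:", " <- ".join(crossed))
    print("entered from:", entry["symbol"], entry["source"])
```

For this report the walk ends at `nsMIMEInfoWin::LoadUriInternal`, whose call to `ShellExecuteExW` is what puts shell32.dll, then shdocvw.dll and webcheck.dll, above Thunderbird's own frames.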
Crash Signature: [@ 0x00000000]
rare but still occurs. examples from version 7 bp-6d1574a8-b94d-4aa8-b299-ed2d82111019 bp-d874f499-6f81-4daa-8eb2-a54c32111027 though most wininet.dll crashes don't have shdocvw.dll
Crash Signature: [@ 0x00000000] → [@ 0x00000000] [@ wininet.dll@0x3670 ]