Closed Bug 374475 Opened 19 years ago Closed 9 years ago

Flash Plugin crash when no flash plugin is installed.

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: gerald_leder, Unassigned)

Details

(Whiteboard: DUPEME)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2 Build Identifier: I run now https://bugzilla.mozilla.org/attachment.cgi?id=240026 (dbaron memory leak tool) and it crashes with the following crash dump. I'm using 1.8.1.2. I have to say that I use xulrunner via the swt embedding. When I deactivate the plugin support, no crashes occure. I replayed the memory leak tool several times and it always crashes. The problem is that I do not know on which pages its crashes. I run the test with in firefox 2.0.2 where a plugin exists and it never crashed. I dont know how to run firefox without plugin when flash is already installed. Personally I dont thing it has something todo with the javaxpcom bridge because otherwise its quite stable. >xul.dll!nsCOMPtr<nsIPluginInstance>::assign_with_AddRef(nsISupports * rawPtr=0xdddddddd) Line 1223 + 0x3 C++ xul.dll!nsCOMPtr<nsIPluginInstance>::operator=() Line 706 C++ xul.dll!nsPluginNativeWindow::GetPluginInstance(nsCOMPtr<nsIPluginInstance> & aPluginInstance={...}) Line 72 C++ xul.dll!PluginWndProc(HWND__ * hWnd=0x000213d0, unsigned int msg=128, unsigned int wParam=1, long lParam=0) Line 305 C++ user32.dll!77d18734() user32.dll!77d18816() user32.dll!77d1b4c0() user32.dll!77d1b50c() ntdll.dll!7c91eae3() user32.dll!77d194be() user32.dll!77d1d4e4() user32.dll!77d1b903() xul.dll!nsWindow::Destroy() Line 1888 + 0x19 C++ xul.dll!ViewWrapper::Release() Line 88 + 0x83 C++ xul.dll!nsView::~nsView() Line 284 C++ xul.dll!nsView::`scalar deleting destructor'() + 0xf C++ xul.dll!nsIView::Destroy() Line 321 + 0x1f C++ xul.dll!nsFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 661 C++ xul.dll!nsSplittableFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 72 C++ xul.dll!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 168 + 0xd C++ xul.dll!nsObjectFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 776 C++ xul.dll!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x2db74be0) Line 139 C++ xul.dll!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 164 C++ xul.dll!nsLineBox::DeleteLineList(nsPresContext * aPresContext=0x2db74be0, nsLineList & aLines={...}) Line 326 C++ xul.dll!nsBlockFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 303 + 0x10 C++ xul.dll!nsAreaFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 155 C++ xul.dll!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x2db74be0) Line 139 C++ xul.dll!nsAbsoluteContainingBlock::DestroyFrames(nsIFrame * aDelegatingFrame=0x2e2e73a4, nsPresContext * aPresContext=0x2db74be0) Line 435 C++ xul.dll!nsBlockFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 296 C++ xul.dll!nsAreaFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 155 C++ xul.dll!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x2db74be0) Line 139 C++ xul.dll!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 164 C++ xul.dll!CanvasFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 231 C++ xul.dll!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x2db74be0) Line 139 C++ xul.dll!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 164 C++ xul.dll!nsHTMLScrollFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 173 C++ xul.dll!nsFrameList::DestroyFrames(nsPresContext * aPresContext=0x2db74be0) Line 139 C++ xul.dll!nsContainerFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 164 C++ xul.dll!ViewportFrame::Destroy(nsPresContext * aPresContext=0x2db74be0) Line 68 C++ xul.dll!nsFrameManager::Destroy() Line 298 C++ xul.dll!PresShell::Destroy() Line 1994 C++ xul.dll!DocumentViewerImpl::Destroy() Line 1584 C++ xul.dll!nsDocShell::Destroy() Line 3529 C++ xul.dll!nsFrameLoader::Destroy() Line 251 C++ xul.dll!nsGenericHTMLFrameElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 3677 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 2036 C++ xul.dll!nsHTMLBodyElement::UnbindFromTree(int aDeep=1, int aNullParent=0) Line 428 C++ xul.dll!nsGenericElement::UnbindFromTree(int aDeep=1, int aNullParent=1) Line 2036 C++ xul.dll!nsDocument::Destroy() Line 4988 C++ xul.dll!DocumentViewerImpl::Destroy() Line 1545 C++ xul.dll!nsSHistory::EvictGlobalContentViewer() Line 927 C++ xul.dll!nsSHistory::EvictContentViewers(int aPreviousIndex=1, int aIndex=2) Line 656 C++ xul.dll!DocumentViewerImpl::Show() Line 1896 C++ xul.dll!nsPresContext::EnsureVisible(int aUnsuppressFocus=0) Line 1311 C++ xul.dll!PresShell::UnsuppressAndInvalidate() Line 5080 + 0xd C++ xul.dll!PresShell::ProcessReflowCommands(int aInterruptible=1) Line 6996 C++ xul.dll!ReflowEvent::HandleEvent() Line 6754 C++ xul.dll!HandlePLEvent(ReflowEvent * aEvent=0x2eae8fc0) Line 6771 C++ xul.dll!PL_HandleEvent(PLEvent * self=0x2eae8fc0) Line 688 + 0xa C xul.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x2a71eae0) Line 623 + 0x9 C xul.dll!_md_TimerProc(HWND__ * hwnd=0x00080d4e, unsigned int uMsg=275, unsigned int idEvent=0, unsigned long dwTime=97848015) Line 1013 + 0x9 C user32.dll!77d18734() user32.dll!77d19857() user32.dll!77d19791() user32.dll!77d18a10() swt-win32-3235.dll!27622233() Reproducible: Always Steps to Reproduce: 1. 2. 3.
I tried it now to change the lines and it still crashes with the same stacktrace. I run it twice and evertime it crashed. The problem is still that I dont know which page causes the crash. The last pages which are loaded are n: http://photobucket.com/ n-1: http://www.forbes.com/ n-2: http://www.chase.com/ n-3: http://www.netscape.com/ I tried to load this pages manually and nothing crashes. Seems to be another page(s). But i dont know in which popup these pages are loaded and which causes the problem . I have over 11 popups open and each of them has a sequence of at least 5 loaded pages. Any further idea. Because when I deactivte the plugins everything works fine for me.
Put a breakpoint in nsPluginNativeWindowWin::UndoSubclassAndAssociateWindow in a debubugger. Also put a breakpoint at line 560 in a debugger (so it stops just before executing "delete p"), what is the stack at that point? what is the value of 'p' and its member variables? Did you get a call to UndoSubclassAndAssociateWindow before that? Another thing to try: if you move the "SetPluginInstance(nsnull)" last in that method (to line 542 just before the return), does that help? Try setting the preference "browser.plugins.max_num_cached_plugins" to zero. Does that fix it? or make the crash happen earlier? or no difference? Does the crash happen on trunk? You didn't fill in the "Steps to Reproduce" so I don't know how to reproduce the crash. Please give detailed instructions on how to build and run the stuff you are using. Thanks.
(In reply to comment #3) > Put a breakpoint in nsPluginNativeWindowWin::UndoSubclassAndAssociateWindow ok, I will sent you the values later. I will do it with the SetPluginInstance change you wanted. In the output at least I saw these message, even I think it will not help you a lot. NPNULL: CPlugin::CPlugin() NPNULL: NPP_SetWindow, first time NPNULL: CPlugin::init() NPNULL: NPP_SetWindow, resizing NPNULL: CPlugin::resize() NPNULL: NPP_SetWindow, resizing NPNULL: CPlugin::resize() NPNULL: NPP_NewStream NPNULL: NPP_WriteReady NPNULL: NPP_DestroyStream NPNULL: CPlugin::CPlugin() NPNULL: NPP_SetWindow, first time NPNULL: CPlugin::init() NPNULL: NPP_SetWindow, resizing NPNULL: CPlugin::resize() NPNULL: NPP_SetWindow, resizing NPNULL: CPlugin::resize() NPNULL: NPP_NewStream NPNULL: NPP_WriteReady NPNULL: NPP_DestroyStream The thread 'Win32 Thread' (0x1610) has exited with code 0 (0x0). The thread 'Win32 Thread' (0x15a0) has exited with code 0 (0x0). The thread 'Win32 Thread' (0x13ec) has exited with code 0 (0x0). The thread 'Win32 Thread' (0x15b0) has exited with code 0 (0x0). The thread 'Win32 Thread' (0x12f0) has exited with code 0 (0x0). NPNULL: CPlugin::CPlugin() NPNULL: NPP_SetWindow, first time NPNULL: CPlugin::init() NPNULL: NPP_SetWindow, resizing NPNULL: CPlugin::resize() NPNULL: NPP_SetWindow, resizing NPNULL: CPlugin::resize() NPNULL: NPP_SetWindow, resizing NPNULL: CPlugin::resize() NPNULL: NPP_SetWindow, resizing NPNULL: CPlugin::resize() NPNULL: NPP_NewStream NPNULL: NPP_WriteReady NPNULL: NPP_DestroyStream NPNULL: NPP_Destroy NPNULL: CPlugin::shut() NPNULL: CPlugin::~CPlugin() NPNULL: NPP_Destroy NPNULL: CPlugin::shut() NPNULL: CPlugin::~CPlugin() The thread 'Win32 Thread' (0x14d4) has exited with code 0 (0x0). The thread 'Win32 Thread' (0x9bc) has exited with code 0 (0x0). The thread 'Win32 Thread' (0x1184) has exited with code 0 (0x0). The thread 'Win32 Thread' (0xbd8) has exited with code 0 (0x0). NPNULL: NPP_Destroy NPNULL: CPlugin::shut() NPNULL: CPlugin::~CPlugin() > Another thing to try: if you move the "SetPluginInstance(nsnull)" last > in that method (to line 542 just before the return), does that help? I tried it without "browser.plugins.max_num_cached_plugins" and it did not help :( > Try setting the preference "browser.plugins.max_num_cached_plugins" to zero. I added this setting now to the all.js and tried it now but it did not help. I tried it with and without the SetPluginInstance changes. > Does the crash happen on trunk? hm, this will take some time > > You didn't fill in the "Steps to Reproduce" so I don't know how to reproduce > the crash. Please give detailed instructions on how to build and run the > stuff you are using. Thanks. I'm using mozilla via the javaxpcom bridge meaning -) Eclipse 3.2.2 -) latest ATF snapshot for 1.8.1.2 -) Xulrunner 1.8.1.2 (Compilied on Centos 3.7) + Patch for 369410 + Typo fix for Patch 369410 (https://bugzilla.mozilla.org/attachment.cgi?id=255391) + change from comment #1 -) Windows XP (latest patch level from 2007-03-20) -) There are no plugins installed (e.g. no flash). I have deactivated java applets by default (because otherwise the whole system hangs under windows (you cannot run java inside of a java process)). I'm always using javiers lastest stuff because it hardly works without them for the ATF project. And Bug 369410 is not fully commited in the branch that why I need a separate patch for windows currently. This patch (attachment.cgi?id=255391) will be checked in for 1.8.1.4. But I dont think that this should cause this crash. It takes around 20-30 minutes till the crash happens when you run dbaron memory leak test.
(In reply to comment #4) > I'm using mozilla via the javaxpcom bridge meaning You have listed software I should have installed, fine, but how do I start the thing? (what do I need to type/click and where). Thanks.
(In reply to comment #5) > (In reply to comment #4) > You have listed software I should have installed, fine, but how do I start > the thing? (what do I need to type/click and where). Thanks. You need windows. After you have installed ATF(http://www.eclipse.org/atf/), 1. You start Eclipse 2. Open a browser window 3. Make sure that you have NO flash installed 4. Open https://bugzilla.mozilla.org/attachment.cgi?id=240026 5. Click "Start Browser Mem Buster Test" 6. Let it run for around 20-30min ->Then it should crash.
The key is that Destroy() is reentering the event loop. We have bugs on that already.
Whiteboard: DUPEME
None of those, actually... ;)
(In reply to Boris Zbarsky (:bz) from comment #11) > None of those, actually... ;) so not a dupe?
Oh, it's a dup; it's just that in the original "destroy" is not in the summary. And probably neither is "event loop". They're in comments, while the summary just says "crash" and _maybe_ if we're lucking mentions plug-ins or plugins...
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.