Closed
Bug 427382
(npturnmed)
Opened 16 years ago
Closed 13 years ago
Turner Media Plugin 1.0.0.9 [NPTURNMED.dll] trips Data Execution Prevention DEP and crashes
Categories
(External Software Affecting Firefox :: Other, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bstretch, Assigned: kev)
References
()
Details
(Keywords: crash, qawanted, regression, Whiteboard: [sg:vector (turner media)])
Attachments
(3 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5 3.0b5 randomly trips Data Execution Prevention aka DEP under 64-bit Vista SP1. Sometimes it happens when I open a new page, sometimes Firefox will have crashed while left idle overnight, etc. I can't find the pattern but 3.0b4 and prior didn't do this. I haven't rebooted Windows in quite a while so I suppose there's a slight chance that's a factor, but I'm betting that there just aren't that many 64-bit Vista 3.0b5 users who leave 20-30 tabs open. Reproducible: Sometimes Steps to Reproduce: 1. 2. 3. 64-bit Vista SP1 AMD Phenom 9500 CPU 4GB RAM
Getting similar behavior with FF3b5 and Vista SP1 32-bit (Intel C2D T7500, 2GB RAM). It crashes with a DEP error several times a day, usually when a page is loading. I also have a lot of tabs open regularly, but regularly restart Windows and FF. This behavior was not present in FF3b4.
Updated•16 years ago
|
Keywords: crash,
regression
Comment 3•16 years ago
|
||
I can confirm this with Windows Vista Home Premium (32-bit)/AMD Phenom Quadcore. No SP1 installed. The worst thing is that you cannot turn of Data Execution Protection for firefox.exe. When you try to do it it Windows tells "This progam must run with Data Execution Protection (DEP) enabled." I am not sure whether I can get the stack trace, because the program is shutdown by Windows, not crashed by a segfault.
it should be possible. use file>open executable be sure to select debug child processes also
Comment 5•16 years ago
|
||
We've been building with -SAFESEH and -NXCOMPAT for a while, way before 3.0b5. Could be a bug that just happens to trip it.
I have a minidump (with heap) of this, saved via vs.net 2k8. Email me if you want it.
either post it online or follow the windbg instructions, you can use windbg to open the dump.
Go to http://www.cnn.com/live/ and click on one of the videos. This trips DEP and closes Firefox every time for me on 32bit Vista.
follow the directions from comment 2. reopen once you get around to it.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INCOMPLETE
Comment 10•16 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008042106 Minefield/3.0pre Crashing after trying to view video on cnn.com/live Please reopen.
Comment 11•16 years ago
|
||
This is from that dump: WARNING: Frame IP not in any known module. Following frames may be wrong. 0026f6c8 7671f8d2 0x2046538 0026f6f4 7671f794 user32!InternalCallWinProc+0x23 0026f76c 76720817 user32!UserCallWinProcCheckWow+0x14b 0026f7c8 76720a65 user32!DispatchClientMessage+0xda 0026f7f0 777099ce user32!__fnDWORD+0x24 0026f81c 767114c8 ntdll!KiUserCallbackDispatcher+0x2e 0026f820 6805c380 user32!NtUserDestroyWindow+0xc 0026f848 68449e5a xul!nsWindow::Destroy(void)+0xc4 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 1499] 0026f874 68628b29 xul!nsPluginInstanceOwner::Destroy(void)+0x236 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 3864] 0026f8a0 6863e1fc xul!DoStopPlugin(class nsPluginInstanceOwner * aInstanceOwner = 0x0cd8d880, int aDelayedStop = 0)+0x16d [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 1846] 0026f8d4 680b2368 xul!nsStopPluginRunnable::Run(void)+0x2a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 1882] 0026f8f8 680a175a xul!nsThread::ProcessNextEvent(int mayWait = <Memory access error>, int * result = <Memory access error>)+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511] 0026f910 681f31f1 xul!nsBaseAppShell::Run(void)+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169] 0026f91c 68161fbc xul!nsAppStartup::Run(void)+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182] 0026f924 003130a8 xul!XRE_main(int argc = <Memory access error>, char ** argv = <Memory access error>, struct nsXREAppData * aAppData = <Memory access error>)+0xdaa [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174] I've got all the symbols loaded etc, so I can poke this further, but I don't know what I'm looking for.
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
Comment 12•16 years ago
|
||
It's pretty clear we're destroying a plugin. That makes plugin code immediately suspect. Paul, what plugins were running at the time of the DEP exception?
Component: General → Plug-ins
Product: Firefox → Core
QA Contact: general → plugins
Version: unspecified → Trunk
Comment 13•16 years ago
|
||
Here's !lm from this dump, and !lmi on a few things that looked plugin-ish.
Comment 14•16 years ago
|
||
Doesn't tell us much. Paul, you could try disabling all your plugins from the add-ons manager and trying to reproduce. Then enable plugins on at a time until you find the one that triggers DEP.
Comment 15•16 years ago
|
||
my money's on "turner media plugin" NPTURNMED paul: if you could try renaming that plugin to *.dul, and see if you still crash, that'd be great. our working assumption is that you'd need to visit a turner media property (cnn?)
Comment 16•16 years ago
|
||
This is probably not needed since ted already posted the required data, but anyway; here is "lm v" and "!analyze -v".
Comment 17•16 years ago
|
||
I did some testing around this (and can confirm the Crash btw): The Plugin is called Turner Media Plugin 1.0.0.9 File name: NPTURNMED.dll NPTURNMED On Windows XP with DEP enabled + plugin you don't crash On Vista 64bit + enabled DEP and Plugin the stream can not be loaded ? On Vista 32bit + enabled DEP and Plugin you crash withing seconds on the Live Link (http://www.cnn.com/live/) However http://edition.cnn.com/video/ does not crash the browser and you can watch videos, you crash here only if you click on the "Live Video" Link. So i think its really the Turner Media Plugin. CCing Kev to this Bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 18•16 years ago
|
||
Since this is a crash on a topsite (CNN.com), and this occurs on Vista which is a highly used OS, i would recommend we block this for the final release. Kev, its your call.
Assignee | ||
Comment 19•16 years ago
|
||
I'll work on getting in touch with CNN and developers tomorrow. I'll put a note together for release-drivers by Monday with recommendations.
Assignee | ||
Updated•16 years ago
|
Assignee: nobody → kev
Comment 20•16 years ago
|
||
The compiler/linker flag that "caused" this problem is /NXCOMPAT, added in bug 368854. I believe that we would probably be better off to keep the security flag in place and break the CNN plugin than go back. Window?
Blocks: 368854
Summary: 3.0b5 randomly trips Data Execution Prevention DEP and crashes → Turner Media Plugin 1.0.0.9 [NPTURNMED.dll] trips Data Execution Prevention DEP and crashes
Comment 21•16 years ago
|
||
Tripping DEP is prima facie evidence of a potentially exploitable condition. We should blocklist this plugin if we have to, but not turn off DEP. Has anyone gone back to 3.0b4 to see whether it continues not to crash? The perceived increase in DEP crashes between 3.0b4 and 3.0b5 might indicate we broke something in plugin code, or it might just be recent content changes that make the crashing conditions more likely.
Comment 22•16 years ago
|
||
How do you end up with that plugin? When I go to the live site all the videos seem to play in Flash.
Comment 23•16 years ago
|
||
I have only Flash and Firebug beta 1.1 installed. I guess it's Flash.
Comment 24•16 years ago
|
||
(In reply to comment #22) > How do you end up with that plugin? When I go to the live site all the videos > seem to play in Flash. > Hi Dan, you need to click on the "Live Video" Link on http://edition.cnn.com/video/ Then you get (without the installed plugin) a Plugin Error. Note: You get this Plugin Error and the Install Link only when you have Firefox (like Beta 5, Trunk does not work) and when you Windows, since its a Installer Package.
Comment 25•16 years ago
|
||
(In reply to comment #21) > Has anyone gone back to 3.0b4 to see whether it continues not to crash? The > perceived increase in DEP crashes between 3.0b4 and 3.0b5 might indicate we > broke something in plugin code, or it might just be recent content changes that > make the crashing conditions more likely. > Fwiw i also crashed when using the Plugin in Beta 4.
Assignee | ||
Comment 27•16 years ago
|
||
Reaching out to Turner's development team.
Reporter | ||
Comment 28•16 years ago
|
||
I don't have the npturnmed.dll plugin at all. I will note that cnet.com videos will often (consistently?) lock up and crash 3.0b4 on my 64-bit Vista AMD Phenom system but not trip DEP. I went back to 3.0b4 due to the problems described in comment #0 above.
Comment 29•16 years ago
|
||
This same behavior is happening for me in RC1.
Comment 30•16 years ago
|
||
This issue is profile specific. I had ffrc1 crash on me multiple times no matter what I tried. I then created a clean profile and it worked. I was trying to edit a post in wordpress (2.5.0). I could be flash interefering with something profile specific. I know wordpress uses flash to upload pics (which I was trying to do).
Comment 31•16 years ago
|
||
reporter: sorry, your bug got hijacked, life's a race (first person to provide detailed instructions to the worm gets the worm). follow the steps and collect the output that was collected to enable us to analyze this bug; once you've done that, file a new bug with what you've collected and then mention that bug number here.
Comment 32•16 years ago
|
||
I don't want the bug. You keep it :) What does it means to have "a Firefox version for which symbols are availables from the Mozilla symbol server". How do I check? about:buildconfig?
Comment 33•16 years ago
|
||
All Windows Firefox nightlies/releases from almost the past year have symbols available on the symbol server.
Comment 34•16 years ago
|
||
varun: comment 31 was in reply to comment 28 by the reporter, not to you. the reporter can be seen at the top of any bug (and will typically get bugmail forever). the apology only applies to him. Anyone else experiencing a DEP crash needs to check about:plugins. if they have turnmed, then this is the probably the right bug (especially if disabling the plugin makes the crash go away) and they get to wait for us to blacklist the plugin. if they don't have turnmed, then this isn't their bug and then need to follow the instructions described by comments in this bug.
Comment 35•16 years ago
|
||
;)
Comment 36•16 years ago
|
||
I uninstalled the Turner Media Plugin and the DEP crashes persist (now happening in RC2).
Comment 37•16 years ago
|
||
so file a new bug following the outlined steps ....
Comment 39•16 years ago
|
||
We should investigate using this API (Vista or later) to avoid bogus DEP crashes like these: http://msdn.microsoft.com/en-us/library/bb736299(VS.85).aspx Chrome does some legwork to use an undocumented API to enable DEP on XP as well: http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/dep.cc?view=markup
Comment 40•15 years ago
|
||
Is this still happening for people? Has a newer version of npturnmed.dll or a newer Firefox fixed it?
Keywords: testcase-wanted
Whiteboard: [sg:vector (turner media)]
Comment 42•15 years ago
|
||
(In reply to comment #40) > Is this still happening for people? Has a newer version of npturnmed.dll or a > newer Firefox fixed it? ok will do some testing around this ! - Tomcat
Comment 43•15 years ago
|
||
I think CNN has stopped using the turner plugin, I just checked and I don't have it installed and CNN videos play just fine. I'm using Win7 RC build 7100 and trunks, but doubt that makes any difference. I could boot into Vista and check if need be. Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090702 Minefield/3.6a1pre Firefox/3.0.11 ID:20090702133434
Comment 44•15 years ago
|
||
Tomcat an I looked at the page for CNN live video. It appears that they are only using flash now. Unless there is another Turner property that is still using the Turner Media Plugin it would make sense to blocklist the plugin.
Comment 45•15 years ago
|
||
I've not had issues with CNN Live video for some time now. No Turner Media Plugin needed. As far as other Turner related sites requiring this plugin, I don't know. But I do get a request to add the "XMP" plugin when trying to play video at 2 other Turner-owned sites. Have no idea if this is the same plugin or not: Click "videos" here at TBS (Turner Broadcast System): http://www.tbs.com/ Click "videos" here at TNT (Turner Network Television: http://www.tnt.tv/
Comment 46•15 years ago
|
||
Added a litmus testcase to test for turner plugin video tests. https://litmus.mozilla.org/show_test.cgi?searchType=by_id&id=7863. not necessarily related to the bug comments posted here.
Flags: in-litmus+
Comment 47•15 years ago
|
||
The sites in comment 45 are using a mix of the Turner Plugin and Flash Video. Seems that the majority is Turner Plugin based, right clicking on the video will show you the video type. Flash video brings up the normal flash menu where as the Turner video has no such menu. On Vista x64 with the 1.0.0.10 version of the plugin from TBS I have had videos playing in the background for a hour or so without issue on Firefox 3.5.1.
Component: Plug-ins → Other
Product: Core → Plugins
QA Contact: plugins → other
Version: Trunk → 1.x
Assignee | ||
Comment 48•13 years ago
|
||
Closing this out as I don't believe it's relevant any more. CNN is using the Octoshape plugin for flash (a plugin for a plugin) now, and I believe the TMP is gone. Re-open if we need to, but I think this is done. http://www.octoshape.com/addin/about.php
Assignee | ||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago → 13 years ago
Resolution: --- → FIXED
Updated•9 years ago
|
Keywords: testcase-wanted
Comment 49•8 years ago
|
||
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 1.x → unspecified
You need to log in
before you can comment on or make changes to this bug.
Description
•