Closed Bug 427382 (npturnmed) Opened 16 years ago Closed 13 years ago

Turner Media Plugin 1.0.0.9 [NPTURNMED.dll] trips Data Execution Prevention DEP and crashes

Categories

(External Software Affecting Firefox :: Other, defect)

Product:
External Software Affecting Firefox
Component:
Other
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: bstretch, Assigned: kev)

References

(
URL
)

Details

(Keywords: crash, qawanted, regression, Whiteboard: [sg:vector (turner media)])

Attachments

(3 files)

VS 2008 dump file, Minefield 2008042106 crashing as described
81.38 KB, application/octet-stream
Details
lm and selected !lmi
14.47 KB, text/plain
Details
"lm v" and "!analyze" for the attached dump
129.62 KB, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5

3.0b5 randomly trips Data Execution Prevention aka DEP under 64-bit Vista SP1.  Sometimes it happens when I open a new page, sometimes Firefox will have crashed while left idle overnight, etc.  I can't find the pattern but 3.0b4 and prior didn't do this. 

I haven't rebooted Windows in quite a while so I suppose there's a slight chance that's a factor, but I'm betting that there just aren't that many 64-bit Vista 3.0b5 users who leave 20-30 tabs open. 

Reproducible: Sometimes

Steps to Reproduce:
1.
2.
3.



64-bit Vista SP1
AMD Phenom 9500 CPU
4GB RAM
Getting similar behavior with FF3b5 and Vista SP1 32-bit (Intel C2D T7500, 2GB RAM).

It crashes with a DEP error several times a day, usually when a page is loading. I also have a lot of tabs open regularly, but regularly restart Windows and FF. 

This behavior was not present in FF3b4.
Keywords: crash, regression
I can confirm this with Windows Vista Home Premium (32-bit)/AMD Phenom Quadcore. No SP1 installed. The worst thing is that you cannot turn of Data Execution Protection for firefox.exe. When you try to do it it Windows tells "This progam must run with Data Execution Protection (DEP) enabled."

I am not sure whether I can get the stack trace, because the program is shutdown by Windows, not crashed by a segfault.





it should be possible.

use file>open executable
be sure to select debug child processes also
We've been building with -SAFESEH and -NXCOMPAT for a while, way before 3.0b5. Could be a bug that just happens to trip it.

I have a minidump (with heap) of this, saved via vs.net 2k8.  Email me if you want it.
either post it online or follow the windbg instructions, you can use windbg to open the dump.
Go to http://www.cnn.com/live/ and click on one of the videos. This trips DEP and closes Firefox every time for me on 32bit Vista.
follow the directions from comment 2. reopen once you get around to it.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INCOMPLETE
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008042106 Minefield/3.0pre

Crashing after trying to view video on cnn.com/live

Please reopen.
This is from that dump:

WARNING: Frame IP not in any known module. Following frames may be wrong.
0026f6c8 7671f8d2 0x2046538
0026f6f4 7671f794 user32!InternalCallWinProc+0x23
0026f76c 76720817 user32!UserCallWinProcCheckWow+0x14b
0026f7c8 76720a65 user32!DispatchClientMessage+0xda
0026f7f0 777099ce user32!__fnDWORD+0x24
0026f81c 767114c8 ntdll!KiUserCallbackDispatcher+0x2e
0026f820 6805c380 user32!NtUserDestroyWindow+0xc
0026f848 68449e5a xul!nsWindow::Destroy(void)+0xc4 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\windows\nswindow.cpp @ 1499]
0026f874 68628b29 xul!nsPluginInstanceOwner::Destroy(void)+0x236 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 3864]
0026f8a0 6863e1fc xul!DoStopPlugin(class nsPluginInstanceOwner * aInstanceOwner = 0x0cd8d880, int aDelayedStop = 0)+0x16d [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 1846]
0026f8d4 680b2368 xul!nsStopPluginRunnable::Run(void)+0x2a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\layout\generic\nsobjectframe.cpp @ 1882]
0026f8f8 680a175a xul!nsThread::ProcessNextEvent(int mayWait = <Memory access error>, int * result = <Memory access error>)+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0026f910 681f31f1 xul!nsBaseAppShell::Run(void)+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0026f91c 68161fbc xul!nsAppStartup::Run(void)+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0026f924 003130a8 xul!XRE_main(int argc = <Memory access error>, char ** argv = <Memory access error>, struct nsXREAppData * aAppData = <Memory access error>)+0xdaa [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]

I've got all the symbols loaded etc, so I can poke this further, but I don't know what I'm looking for.
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
It's pretty clear we're destroying a plugin. That makes plugin code immediately suspect. Paul, what plugins were running at the time of the DEP exception?
Component: General → Plug-ins
Product: Firefox → Core
QA Contact: general → plugins
Version: unspecified → Trunk
Attached file lm and selected !lmi 
Here's !lm from this dump, and !lmi on a few things that looked plugin-ish.
Doesn't tell us much. Paul, you could try disabling all your plugins from the add-ons manager and trying to reproduce. Then enable plugins on at a time until you find the one that triggers DEP.
my money's on "turner media plugin" NPTURNMED

paul: if you could try renaming that plugin to *.dul, and see if you still crash, that'd be great. our working assumption is that you'd need to visit a turner media property (cnn?)
This is probably not needed since ted already posted the required data, but anyway; here is "lm v" and "!analyze -v".
I did some testing around this (and can confirm the Crash btw):

The Plugin is called Turner Media Plugin 1.0.0.9
    File name: NPTURNMED.dll
    NPTURNMED

On Windows XP with DEP enabled + plugin you don't crash
On Vista 64bit + enabled DEP and Plugin the stream can not be loaded ?
On Vista 32bit + enabled DEP and Plugin you crash withing seconds on the Live Link (http://www.cnn.com/live/)

However http://edition.cnn.com/video/ does not crash the browser and you can watch videos, you crash here only if you click on the "Live Video" Link.

So i think its really the Turner Media Plugin. CCing Kev to this Bug.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Since this is a crash on a topsite (CNN.com), and this occurs on Vista which is a highly used OS, i would recommend we block this for the final release.   Kev, its your call.

I'll work on getting in touch with CNN and developers tomorrow. I'll put a note together for release-drivers by Monday with recommendations.
Assignee: nobody → kev
The compiler/linker flag that "caused" this problem is /NXCOMPAT, added in bug 368854. I believe that we would probably be better off to keep the security flag in place and break the CNN plugin than go back. Window?
Blocks: 368854
Summary: 3.0b5 randomly trips Data Execution Prevention DEP and crashes → Turner Media Plugin 1.0.0.9 [NPTURNMED.dll] trips Data Execution Prevention DEP and crashes
Tripping DEP is prima facie evidence of a potentially exploitable condition. We should blocklist this plugin if we have to, but not turn off DEP.

Has anyone gone back to 3.0b4 to see whether it continues not to crash? The perceived increase in DEP crashes between 3.0b4 and 3.0b5 might indicate we broke something in plugin code, or it might just be recent content changes that make the crashing conditions more likely.
How do you end up with that plugin? When I go to the live site all the videos seem to play in Flash.
I have only Flash and Firebug beta 1.1 installed. I guess it's Flash.
(In reply to comment #22)
> How do you end up with that plugin? When I go to the live site all the videos
> seem to play in Flash.
> 

Hi Dan, you need to click on the "Live Video" Link on http://edition.cnn.com/video/ 

Then you get (without the installed plugin) a Plugin Error. 

Note: You get this Plugin Error and the Install Link only when you have Firefox (like Beta 5, Trunk does not work) and when you Windows, since its a Installer Package.
Alias: npturnmed
(In reply to comment #21)
> Has anyone gone back to 3.0b4 to see whether it continues not to crash? The
> perceived increase in DEP crashes between 3.0b4 and 3.0b5 might indicate we
> broke something in plugin code, or it might just be recent content changes that
> make the crashing conditions more likely.
> 

Fwiw i also crashed when using the Plugin in Beta 4.
Blocks: 422558
Reaching out to Turner's development team.
I don't have the npturnmed.dll plugin at all.  I will note that cnet.com videos will often (consistently?) lock up and crash 3.0b4 on my 64-bit Vista AMD Phenom system but not trip DEP.  I went back to 3.0b4 due to the problems described in comment #0 above. 
This same behavior is happening for me in RC1.
This issue is profile specific.

I had ffrc1 crash on me multiple times no matter what I tried. I then created a clean profile and it worked. I was trying to edit a post in wordpress (2.5.0).

I could be flash interefering with something profile specific. I know wordpress uses flash to upload pics (which I was trying to do).
reporter: sorry, your bug got hijacked, life's a race (first person to provide detailed instructions to the worm gets the worm). follow the steps and collect the output that was collected to enable us to analyze this bug; once you've done that, file a new bug with what you've collected and then mention that bug number here.
I don't want the bug. You keep it :)

What does it means to have "a Firefox version for which symbols are availables from the Mozilla symbol server". How do I check? about:buildconfig?

All Windows Firefox nightlies/releases from almost the past year have symbols available on the symbol server.

varun: comment 31 was in reply to comment 28 by the reporter, not to you. the reporter can be seen at the top of any bug (and will typically get bugmail forever). the apology only applies to him.

Anyone else experiencing a DEP crash needs to check about:plugins. if they have turnmed, then this is the probably the right bug (especially if disabling the plugin makes the crash go away) and they get to wait for us to blacklist the plugin. if they don't have turnmed, then this isn't their bug and then need to follow the instructions described by comments in this bug.
;)
I uninstalled the Turner Media Plugin and the DEP crashes persist (now happening in RC2).
so file a new bug following the outlined steps ....
We should investigate using this API (Vista or later) to avoid bogus DEP crashes like these:
http://msdn.microsoft.com/en-us/library/bb736299(VS.85).aspx

Chrome does some legwork to use an undocumented API to enable DEP on XP as well:
http://src.chromium.org/viewvc/chrome/trunk/src/sandbox/src/dep.cc?view=markup
Is this still happening for people? Has a newer version of npturnmed.dll or a newer Firefox fixed it?
Keywords: testcase-wanted
Whiteboard: [sg:vector (turner media)]
Keywords: qawanted
(In reply to comment #40)
> Is this still happening for people? Has a newer version of npturnmed.dll or a
> newer Firefox fixed it?

ok will do some testing around this !

- Tomcat
I think CNN has stopped using the turner plugin, I just checked and I don't have it installed and CNN videos play just fine.  I'm using Win7 RC build 7100 and trunks, but doubt that makes any difference. 

I could boot into Vista and check if need be. 

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2a1pre) Gecko/20090702 Minefield/3.6a1pre Firefox/3.0.11 ID:20090702133434
Tomcat an I looked at the page for CNN live video. It appears that they are only using flash now. Unless there is another Turner property that is still using the Turner Media Plugin it would make sense to blocklist the plugin.
I've not had issues with CNN Live video for some time now. No Turner Media Plugin needed. 

As far as other Turner related sites requiring this plugin, I don't know. But I do get a request to add the "XMP" plugin when trying to play video at 2 other Turner-owned sites. Have no idea if this is the same plugin or not:

Click "videos" here at TBS (Turner Broadcast System): http://www.tbs.com/

Click "videos" here at TNT (Turner Network Television: http://www.tnt.tv/
Added a litmus testcase to test for turner plugin video tests.  https://litmus.mozilla.org/show_test.cgi?searchType=by_id&id=7863.  not necessarily related to the bug comments posted here.
Flags: in-litmus+
The sites in comment 45  are using a mix of the Turner Plugin and Flash Video. Seems that the majority is Turner Plugin based, right clicking on the video will show you the video type. Flash video brings up the normal flash menu where as the Turner video has no such menu.

On Vista x64 with the 1.0.0.10 version of the plugin from TBS I have had videos playing in the background for a hour or so without issue on Firefox 3.5.1.
Component: Plug-ins → Other
Product: Core → Plugins
QA Contact: plugins → other
Version: Trunk → 1.x
Closing this out as I don't believe it's relevant any more. CNN is using the Octoshape plugin for flash (a plugin for a plugin) now, and I believe the TMP is gone. Re-open if we need to, but I think this is done. http://www.octoshape.com/addin/about.php
Status: NEW → RESOLVED
Closed: 16 years ago13 years ago
Resolution: --- → FIXED
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 1.x → unspecified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: