Bug 472344 - Regression - Crash [@ nsIFrame::GetView] when using Silverlight
Status: RESOLVED FIXED
Keywords: crash, fixed1.8.1.21, regression
Product: Core
Classification: Components
Component: Plug-ins
Version: 1.8 Branch
Hardware: x86 Windows Vista
Importance: -- critical
Assigned To: timeless
URL: http://www.microsoft.com/technet
Blocks: CVE-2008-5013

Reported: 2009-01-06 10:54 PST by Eduardo Leal-Tostado
Modified: 2011-06-09 14:58 PDT (History)
samuel.sidler+old: wanted1.9.0.x-
samuel.sidler+old: blocking1.8.1.next+
samuel.sidler+old: wanted1.8.1.x+


Attachments
patch (708 bytes, patch)
2009-01-06 16:29 PST, timeless
timeless: review+
timeless: superreview+
dveditz: approval1.8.1.next+
timeless: approval1.8.0.next?

Description Eduardo Leal-Tostado 2009-01-06 10:54:06 PST
User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Build Identifier: Firefox 2.0.0.20

I cannot repro this issue using FF 2.0.0.17 but it repros in the latest version 2.0.0.20


1) Install Silverlight (http://www.microsoft.com/silverlight) Runtime
2) Navigate to www.microsoft.com/technet
3) Select any video from '"How Do I?" Videos' section to play
4) After video plays about 10 seconds, click the 'X' to close i

Reproducible: Always

Actual Results:
After doing the steps above, I got a crash. I attached a debugger and loaded the symbols from http://symbols.mozilla.org/firefox


firefox.exe!nsIFrame::GetView()  Line 2327	C++
firefox.exe!nsPluginInstanceOwner::InvalidateRect(nsPluginRect * invalidRect=0x0018fb38)  Line 2608 + 0xb bytes	C++
firefox.exe!nsPluginInstancePeerImpl::InvalidateRect(nsPluginRect * invalidRect=0x0018fb38)  Line 880	C++
firefox.exe!_invalidaterect(_NPP * npp=0x05c8de44, _NPRect * invalidRect=0x05c8de40)  Line 1445	C++


Expected Results:
No Crash. Works fine in FF 3.0.5 and FF 2.0.0.17
Comment 1 timeless 2009-01-06 12:16:45 PST
NS_IMETHODIMP nsPluginInstanceOwner::InvalidateRect(nsPluginRect *invalidRect)
{
  nsresult rv = NS_ERROR_FAILURE;

  if (mOwner && invalidRect && mWidgetVisible) {
    //no reference count on view
    nsIView* view = mOwner->GetView();

so mOwner shouldn't be null...

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsFrame.cpp&rev=3.574.2.17&mark=2327#2321

we're either crashing because this is null, or this is garbage.

could you provide locals for the top two frames? :)

(i don't really want to install silverlight)
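The guarded InvalidateRect that comment 1 quotes, replayed as an added example (not Mozilla's code): Rect, View, Frame, FrameDestroyed and RunScenario are hypothetical stand-ins for the real nsIFrame/nsIView machinery, and the back-pointer clearing in Frame's destructor is an assumption about how the frame hands off to its owner.

```cpp
// Added example, not Mozilla code: a cut-down model of the page's nsPluginInstanceOwner /
// nsIFrame pairing. Rect, View, Frame, FrameDestroyed and RunScenario are hypothetical names.
struct Rect { int x, y, width, height; };
struct View { int invalidations = 0; void InvalidateRect(const Rect&) { ++invalidations; } };
class PluginInstanceOwner;
class Frame {
public:
    explicit Frame(View* view) : mView(view) {}
    ~Frame();                                   // tells the owner it is gone
    View* GetView() const { return mView; }
    void SetOwner(PluginInstanceOwner* owner) { mOwnerBack = owner; }
private:
    View* mView;
    PluginInstanceOwner* mOwnerBack = nullptr;  // non-owning
};

class PluginInstanceOwner {
public:
    bool mWidgetVisible = true;
    void SetFrame(Frame* frame) { mOwner = frame; if (frame) frame->SetOwner(this); }
    void FrameDestroyed() { mOwner = nullptr; } // keeps mOwner from dangling
    // The guarded form quoted in comment 1: 'mOwner &&' is the null-check the 1.8-branch
    // patch adds; without it, invalidating after the frame is torn down calls GetView on null.
    bool InvalidateRect(const Rect* invalidRect) {
        if (mOwner && invalidRect && mWidgetVisible) {
            View* view = mOwner->GetView();     // no reference count on view
            if (view) { view->InvalidateRect(*invalidRect); return true; }
        }
        return false;                           // NS_ERROR_FAILURE in the real code
    }
private:
    Frame* mOwner = nullptr;                    // non-owning back-pointer to the frame
};
Frame::~Frame() { if (mOwnerBack) mOwnerBack->FrameDestroyed(); }

// Replays the report: invalidate while the frame is alive, then again after the frame is
// destroyed (closing the video). True = one real invalidation, then a safe failure, no crash.
bool RunScenario() {
    View view;
    PluginInstanceOwner owner;
    Rect rect{0, 0, 320, 240};
    {
        Frame frame(&view);
        owner.SetFrame(&frame);
        if (!owner.InvalidateRect(&rect) || view.invalidations != 1) return false;
        if (owner.InvalidateRect(nullptr)) return false;   // null rect rejected
    }                                                      // frame destroyed here
    if (owner.InvalidateRect(&rect)) return false;         // fails safely
    return view.invalidations == 1;
}
```

The null-check only helps because the frame clears mOwner on teardown; a stale but non-null pointer (the "garbage" case comment 1 raises) passes the check, so the teardown path matters as much as the test itself.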
Comment 2 timeless 2009-01-06 12:25:23 PST
doh. this was fixed by bz in rev 1.522

(the sources i quoted at the beginning of comment 1 are from where it's fixed).

note that 2.0.0.20 is officially one rev past end of life. we don't intend to release any updated versions.
Comment 3 Boris Zbarsky [:bz] (still a bit busy) 2009-01-06 13:05:42 PST
r+sr=me to add the null-check so that tbird/seamonkey/etc won't have this problem.

I'm not sure why you assigned this to beltzner, though.
Comment 4 Daniel Veditz [:dveditz] 2009-01-06 13:39:32 PST
That late-2005 fix never landed on 1.8 so that doesn't explain the regression between 2.0.0.17 and 2.0.0.19 (-.20 was a respin).

Would be nice to narrow down the regression-range, first to whether it broke in 2.0.0.18 or 2.0.0.19, and then a binary-search through nightlies from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/ (builds with a -mozilla1.8 suffix).

If I had to guess the only relevant-looking plugin-related fix was for bug 433610 landed 2008-09-22. If so that means it broke in 2.0.0.18 released mid-November.

The fix timeless refers to is bug 312055, and the trunk patch for bug 433610 may have passed testing without realizing it was relying on such an old patch.
Comment 5 Eduardo Leal-Tostado 2009-01-06 14:25:36 PST
I did the search, and I got the build that initially repros this issue. Also the 9/23 build had another issue that prevented the plugin from showing until you press the stop loading button, but once you pass that, you get the crash.

No Repro
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/09/2008-09-21-04-mozilla1.8/

Repros
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/09/2008-09-23-12-mozilla1.8/

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/10/2008-10-29-18-firefox2.0.0.18/
Comment 6 Boris Zbarsky [:bz] (still a bit busy) 2009-01-06 14:42:21 PST
Yeah, that's when the fix for bug 433610 landed.
Comment 7 timeless 2009-01-06 16:29:18 PST
Created attachment 355678 [details] [diff] [review]
patch
Comment 8 Daniel Veditz [:dveditz] 2009-01-16 11:25:04 PST
Comment on attachment 355678 [details] [diff] [review]
patch

Approved for 1.8.1.21, a=dveditz for release-drivers
Comment 9 Samuel Sidler (old account; do not CC) 2009-01-16 11:58:50 PST
This is 1.8-only so there's no need for it to be wanted on 1.9.0. Please re-nominate if that's incorrect.
Comment 10 Daniel Veditz [:dveditz] 2009-02-28 23:02:48 PST
Fix checked into the 1.8 branch
