Regression - Crash [@ nsIFrame::GetView] when using Silverlight

RESOLVED FIXED

Status

()

Core
Plug-ins
--
critical
RESOLVED FIXED
9 years ago
6 years ago

People

(Reporter: Eduardo Leal-Tostado, Assigned: timeless)

Tracking

({crash, fixed1.8.1.21, regression})

1.8 Branch
x86
Windows Vista
crash, fixed1.8.1.21, regression
Points:
---
Bug Flags:
wanted1.9.0.x -
blocking1.8.1.next +
wanted1.8.1.x +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Build Identifier: Firefox 2.0.0.20

I cannot repro this issue using FF 2.0.0.17 but it repros in the latest version 2.0.0.20


1)Install Silverlight (http://www.microsoft.com/silverlight) Runtime
2) Navigate to www.microsoft.com/technet
3) Select any video from '"How Do I?" Videos' section to play
3) After video plays about 10 seconds, click the 'X' to close i

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Actual Results:  
After doing the steps above, I got a crash. I attached a debugger and load the symbols from http://symbols.mozilla.org/firefox


firefox.exe!nsIFrame::GetView()  Line 2327	C++
firefox.exe!nsPluginInstanceOwner::InvalidateRect(nsPluginRect * invalidRect=0x0018fb38)  Line 2608 + 0xb bytes	C++
firefox.exe!nsPluginInstancePeerImpl::InvalidateRect(nsPluginRect * invalidRect=0x0018fb38)  Line 880	C++
 	firefox.exe!_invalidaterect(_NPP * npp=0x05c8de44, _NPRect * invalidRect=0x05c8de40)  Line 1445	C++


Expected Results:  
No Crash.  Works fine in FF 3.0.5 and FF 2.0.0.17
(Assignee)

Comment 1

9 years ago
2390 NS_IMETHODIMP nsPluginInstanceOwner::InvalidateRect(nsPluginRect *invalidRect)
2391 {
2392   nsresult rv = NS_ERROR_FAILURE;
2393 
2394   if (mOwner && invalidRect && mWidgetVisible) {
2395     //no reference count on view
2396     nsIView* view = mOwner->GetView();

so mOwner shouldn't be null...

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsFrame.cpp&rev=3.574.2.17&mark=2327#2321

we're either crashing because this is null, or this is garbage.

could you provide locals for the top two frames? :)

(i don't really want to install silverlight)
Severity: normal → critical
Component: General → Plug-ins
Keywords: crash, regression
Product: Firefox → Core
QA Contact: general → plugins
Summary: Regression - Crash firefox.exe!nsIFrame::GetView() when using Silverlight → Regression - Crash [@ nsIFrame::GetView] when using Silverlight
Version: unspecified → 1.8 Branch
(Assignee)

Comment 2

9 years ago
doh. this was fixed by bz in rev 1.522

(the sources i quoted at the beginning of comment 1 are from where it's fixed).

note that 2.0.0.20 is officially one rev past end of life. we don't intend to release any updated versions.
Assignee: nobody → beltzner
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Updated

9 years ago
r+sr=me to add the null-check so that tbird/seamonkey/etc won't have this problem.

I'm not sure why you assigned this to beltzner, though.
That late-2005 fix never landed on 1.8 so that doesn't explain the regression between 2.0.0.17 and 2.0.0.19 (-.20 was a respin).

Would be nice to narrow down the regression-range, first to whether it broke in 2.0.0.18 or 2.0.0.19, and then a binary-search through nightlies from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/ (builds with a -mozilla1.8 suffix).

If I had to guess the only relevant-looking plugin-related fix was for bug 433610 landed 2008-09-22. If so that means it broke in 2.0.0.18 released mid-November

The fix timeless refers to is bug 312055, and the trunk patch for bug 433610 may have passed testing without realizing it was relying on such an old patch.
Flags: wanted1.9.0.x?
(Reporter)

Comment 5

9 years ago
I did the search, and I got the build that initially repro this issue.  Also the 9/23 had another issue that prevented the plugin to show until you press the stop loading button but once that you pass that, you get the crash.

No Repro
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/09/2008-09-21-04-mozilla1.8/

Repros
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/09/2008-09-23-12-mozilla1.8/

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/10/2008-10-29-18-firefox2.0.0.18/
Yeah, that's when the fix for bug 433610 landed.
(Assignee)

Comment 7

9 years ago
Created attachment 355678 [details] [diff] [review]
patch
Attachment #355678 - Flags: superreview+
Attachment #355678 - Flags: review+
Attachment #355678 - Flags: approval1.8.1.next?
Attachment #355678 - Flags: approval1.8.0.next?
Assignee: beltzner → timeless
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next+
Comment on attachment 355678 [details] [diff] [review]
patch

Approved for 1.8.1.21, a=dveditz for release-drivers
Attachment #355678 - Flags: approval1.8.1.next? → approval1.8.1.next+
This is 1.8-only so there's no need for it to be wanted on 1.9.0. Please re-nominate if that's incorrect.
Flags: wanted1.9.0.x? → wanted1.9.0.x-
Fix checked into the 1.8 branch
Blocks: 433610
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Keywords: fixed1.8.1.21
Resolution: --- → FIXED
Crash Signature: [@ nsIFrame::GetView]
You need to log in before you can comment on or make changes to this bug.