Bug 472344 - Regression - Crash [@ nsIFrame::GetView] when using Silverlight
Keywords: crash, fixed1.8.1.21, regression
Product: Core
Classification: Components
Component: Plug-ins
Version: 1.8 Branch
Platform: x86 Windows Vista
Severity: critical
Target Milestone: ---
Assigned To: timeless
QA Contact: Benjamin Smedberg [:bsmedberg]
Blocks: CVE-2008-5013
Reported: 2009-01-06 10:54 PST by Eduardo Leal-Tostado
Modified: 2011-06-09 14:58 PDT
Flags:
samuel.sidler+old: wanted1.9.0.x-
samuel.sidler+old: wanted1.8.1.x+

Attachment: patch (708 bytes, patch)
2009-01-06 16:29 PST, timeless
timeless: review+
timeless: superreview+

Description  Eduardo Leal-Tostado 2009-01-06 10:54:06 PST
User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2)
Build Identifier: Firefox

I cannot repro this issue using FF but it repros in the latest version

1) Install Silverlight ( Runtime
2) Navigate to
3) Select any video from '"How Do I?" Videos' section to play
4) After video plays about 10 seconds, click the 'X' to close i

Reproducible: Always

Steps to Reproduce:
Actual Results:  
After doing the steps above, I got a crash. I attached a debugger and loaded the symbols from

firefox.exe!nsIFrame::GetView()  Line 2327	C++
firefox.exe!nsPluginInstanceOwner::InvalidateRect(nsPluginRect * invalidRect=0x0018fb38)  Line 2608 + 0xb bytes	C++
firefox.exe!nsPluginInstancePeerImpl::InvalidateRect(nsPluginRect * invalidRect=0x0018fb38)  Line 880	C++
firefox.exe!_invalidaterect(_NPP * npp=0x05c8de44, _NPRect * invalidRect=0x05c8de40)  Line 1445	C++

Expected Results:  
No Crash.  Works fine in FF 3.0.5 and FF
Comment 1  timeless 2009-01-06 12:16:45 PST
NS_IMETHODIMP nsPluginInstanceOwner::InvalidateRect(nsPluginRect *invalidRect)
{
  nsresult rv = NS_ERROR_FAILURE;

  if (mOwner && invalidRect && mWidgetVisible) {
    //no reference count on view
    nsIView* view = mOwner->GetView();

so mOwner shouldn't be null...

we're either crashing because this is null, or this is garbage.

could you provide locals for the top two frames? :)

(i don't really want to install silverlight)
Comment 2  timeless 2009-01-06 12:25:23 PST
doh. this was fixed by bz in rev 1.522

(the sources i quoted at the beginning of comment 1 are from where it's fixed).

note that is officially one rev past end of life. we don't intend to release any updated versions.
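The lifecycle hazard behind comments 1 and 2, as a constructed C++ model added here (not Gecko source, and not the attached patch): the plugin owner holds an unrefcounted back-pointer to its frame, the frame goes away when the video is closed, and the plugin still calls back into InvalidateRect. The names mOwner, mWidgetVisible, GetView and NS_ERROR_FAILURE mirror the quoted code; Frame, View, InstanceOwner and the scenario function are stand-ins invented for the model.

```cpp
// Constructed model of the plugin invalidation path discussed above, not
// Gecko source. Names mirror the quoted frame: mOwner, mWidgetVisible,
// GetView(), InvalidateRect(), NS_ERROR_FAILURE.
typedef unsigned int nsresult;
const nsresult NS_OK = 0x00000000;
const nsresult NS_ERROR_FAILURE = 0x80004005;
struct Rect { int left, top, right, bottom; };
struct View { int invalidations = 0; };
struct Frame {                        // the layout frame owning the view
    View view;
    View* GetView() { return &view; }
};

// Stands in for nsPluginInstanceOwner, the object the plugin calls back
// into. mOwner is an unrefcounted back-pointer, so it is cleared when the
// frame is destroyed while the plugin instance may still be running.
class InstanceOwner {
public:
    Frame* mOwner = nullptr;
    bool mWidgetVisible = true;
    // 1.8-branch shape: dereferences mOwner unconditionally. Once the frame
    // is gone this is the nsIFrame::GetView crash in the reported stack.
    nsresult InvalidateRectUnchecked(const Rect* r) {
        if (!r || !mWidgetVisible) return NS_ERROR_FAILURE;
        mOwner->GetView()->invalidations++;
        return NS_OK;
    }
    // Shape with the null-check (trunk rev 1.522, the 1.8 patch): a plugin
    // invalidating after teardown gets an error instead of a crash.
    nsresult InvalidateRectChecked(const Rect* r) {
        if (mOwner && r && mWidgetVisible) {
            mOwner->GetView()->invalidations++;
            return NS_OK;
        }
        return NS_ERROR_FAILURE;
    }
};

// Closing the video destroys the frame, which detaches from the owner; the
// plugin then issues one more NPN_InvalidateRect-style callback.
nsresult PluginInvalidatesAfterClose() {
    Frame frame;
    InstanceOwner owner;
    owner.mOwner = &frame;
    Rect dirty = {0, 0, 640, 480};
    owner.InvalidateRectChecked(&dirty);         // while playing: NS_OK
    owner.mOwner = nullptr;                      // user clicks the X
    return owner.InvalidateRectChecked(&dirty);  // survives: NS_ERROR_FAILURE
}
```

Calling InvalidateRectUnchecked at the same point would dereference the null mOwner, which is the failure the 1.8 branch showed and the null-check removes.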
Comment 3  Boris Zbarsky [:bz] (still a bit busy) 2009-01-06 13:05:42 PST
r+sr=me to add the null-check so that tbird/seamonkey/etc won't have this problem.

I'm not sure why you assigned this to beltzner, though.
Comment 4  Daniel Veditz [:dveditz] 2009-01-06 13:39:32 PST
That late-2005 fix never landed on 1.8, so that doesn't explain the regression between and (-.20 was a respin).

Would be nice to narrow down the regression range, first to whether it broke in or, and then a binary search through nightlies from (builds with a -mozilla1.8 suffix).

If I had to guess, the only relevant-looking plugin-related fix was for bug 433610, landed 2008-09-22. If so, that means it broke in released mid-November.

The fix timeless refers to is bug 312055, and the trunk patch for bug 433610 may have passed testing without realizing it was relying on such an old patch.
Comment 5  Eduardo Leal-Tostado 2009-01-06 14:25:36 PST
I did the search, and I got the build that initially repros this issue. Also, the 9/23 build had another issue that prevented the plugin from showing until you pressed the stop-loading button, but once you got past that, you got the crash.

No Repro

Comment 6  Boris Zbarsky [:bz] (still a bit busy) 2009-01-06 14:42:21 PST
Yeah, that's when the fix for bug 433610 landed.
Comment 7  timeless 2009-01-06 16:29:18 PST
Created attachment 355678
Comment 8  Daniel Veditz [:dveditz] 2009-01-16 11:25:04 PST
Comment on attachment 355678

Approved for, a=dveditz for release-drivers
Comment 9  Samuel Sidler (old account; do not CC) 2009-01-16 11:58:50 PST
This is 1.8-only so there's no need for it to be wanted on 1.9.0. Please re-nominate if that's incorrect.
Comment 10  Daniel Veditz [:dveditz] 2009-02-28 23:02:48 PST
Fix checked into the 1.8 branch.
