Closed Bug 472344 Opened 17 years ago Closed 16 years ago

Regression - Crash [@ nsIFrame::GetView] when using Silverlight

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Version:
1.8 Branch
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: eduardot, Assigned: timeless)

References

(
URL
)

Details

(Keywords: crash, fixed1.8.1.21, regression)

Crash Data

Attachments

(1 file)

patch
708 bytes, patch
timeless
: review+
timeless
: superreview+
dveditz
: approval1.8.1.next+
timeless
: approval1.8.0.next?
Details | Diff | Splinter Review
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2) Build Identifier: Firefox 2.0.0.20 I cannot repro this issue using FF 2.0.0.17 but it repros in the latest version 2.0.0.20 1)Install Silverlight (http://www.microsoft.com/silverlight) Runtime 2) Navigate to www.microsoft.com/technet 3) Select any video from '"How Do I?" Videos' section to play 3) After video plays about 10 seconds, click the 'X' to close i Reproducible: Always Steps to Reproduce: 1. 2. 3. Actual Results: After doing the steps above, I got a crash. I attached a debugger and load the symbols from http://symbols.mozilla.org/firefox firefox.exe!nsIFrame::GetView() Line 2327 C++ firefox.exe!nsPluginInstanceOwner::InvalidateRect(nsPluginRect * invalidRect=0x0018fb38) Line 2608 + 0xb bytes C++ firefox.exe!nsPluginInstancePeerImpl::InvalidateRect(nsPluginRect * invalidRect=0x0018fb38) Line 880 C++ firefox.exe!_invalidaterect(_NPP * npp=0x05c8de44, _NPRect * invalidRect=0x05c8de40) Line 1445 C++ Expected Results: No Crash. Works fine in FF 3.0.5 and FF 2.0.0.17
2390 NS_IMETHODIMP nsPluginInstanceOwner::InvalidateRect(nsPluginRect *invalidRect) 2391 { 2392 nsresult rv = NS_ERROR_FAILURE; 2393 2394 if (mOwner && invalidRect && mWidgetVisible) { 2395 //no reference count on view 2396 nsIView* view = mOwner->GetView(); so mOwner shouldn't be null... http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsFrame.cpp&rev=3.574.2.17&mark=2327#2321 we're either crashing because this is null, or this is garbage. could you provide locals for the top two frames? :) (i don't really want to install silverlight)
Severity: normal → critical
Component: General → Plug-ins
Keywords: crash, regression
Product: Firefox → Core
QA Contact: general → plugins
Summary: Regression - Crash firefox.exe!nsIFrame::GetView() when using Silverlight → Regression - Crash [@ nsIFrame::GetView] when using Silverlight
Version: unspecified → 1.8 Branch
doh. this was fixed by bz in rev 1.522 (the sources i quoted at the beginning of comment 1 are from where it's fixed). note that 2.0.0.20 is officially one rev past end of life. we don't intend to release any updated versions.
Assignee: nobody → beltzner
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
r+sr=me to add the null-check so that tbird/seamonkey/etc won't have this problem. I'm not sure why you assigned this to beltzner, though.
That late-2005 fix never landed on 1.8 so that doesn't explain the regression between 2.0.0.17 and 2.0.0.19 (-.20 was a respin). Would be nice to narrow down the regression-range, first to whether it broke in 2.0.0.18 or 2.0.0.19, and then a binary-search through nightlies from http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/ (builds with a -mozilla1.8 suffix). If I had to guess the only relevant-looking plugin-related fix was for bug 433610 landed 2008-09-22. If so that means it broke in 2.0.0.18 released mid-November The fix timeless refers to is bug 312055, and the trunk patch for bug 433610 may have passed testing without realizing it was relying on such an old patch.
Flags: wanted1.9.0.x?
I did the search, and I got the build that initially repro this issue. Also the 9/23 had another issue that prevented the plugin to show until you press the stop loading button but once that you pass that, you get the crash. No Repro http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/09/2008-09-21-04-mozilla1.8/ Repros http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/09/2008-09-23-12-mozilla1.8/ http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008/10/2008-10-29-18-firefox2.0.0.18/
Yeah, that's when the fix for bug 433610 landed.
Attached patch patchSplinter Review
Attachment #355678 - Flags: superreview+
Attachment #355678 - Flags: review+
Attachment #355678 - Flags: approval1.8.1.next?
Attachment #355678 - Flags: approval1.8.0.next?
Assignee: beltzner → timeless
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.next+
Comment on attachment 355678 [details] [diff] [review] patch Approved for 1.8.1.21, a=dveditz for release-drivers
Attachment #355678 - Flags: approval1.8.1.next? → approval1.8.1.next+
This is 1.8-only so there's no need for it to be wanted on 1.9.0. Please re-nominate if that's incorrect.
Flags: wanted1.9.0.x? → wanted1.9.0.x-
Fix checked into the 1.8 branch
Blocks: CVE-2008-5013
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Keywords: fixed1.8.1.21
Resolution: --- → FIXED
Crash Signature: [@ nsIFrame::GetView]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: