Bug 500777 - Crash in [@ nsMimeTypeArray::GetMimeTypes() ] while logging into QMO
Status: RESOLVED FIXED
Whiteboard: [sg:dos]
Keywords: crash, fixed1.9.0.18
Product: Core
Classification: Components
Component: DOM
Version: 1.9.1 Branch
Platform: All All
Importance: -- critical
Target Milestone: mozilla1.9.2a1
Assigned To: Nochum Sossonko [:Natch]
Reported: 2009-06-26 13:05 PDT by Marcia Knous [:marcia - use ni]
Modified: 2015-10-16 11:49 PDT
CC List: 11 users
samuel.sidler+old: wanted1.9.0.x+
.8-fixed


Attachments
null check [branch patch] (906 bytes, patch)
2009-07-06 12:44 PDT, Nochum Sossonko [:Natch]
no flags

null check [trunk patch] (906 bytes, patch)
2009-07-06 12:53 PDT, Nochum Sossonko [:Natch]
no flags

null check [trunk patch] (1.10 KB, patch)
2009-07-06 12:54 PDT, Nochum Sossonko [:Natch]
bugs: review+
bugs: superreview+

191 patch (1.12 KB, patch)
2009-11-17 09:28 PST, Nochum Sossonko [:Natch]
dveditz: approval1.9.1.8+

1.9.0 patch (1.30 KB, patch)
2009-11-18 07:33 PST, Nochum Sossonko [:Natch]
dveditz: approval1.9.0.18+

Description Marcia Knous [:marcia - use ni] 2009-06-26 13:05:34 PDT
Seen while running Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

STR:
1. I had several tabs open, went back to QMO to login. As soon as I tried to type in the login field the browser crashed.

This is a fairly clean profile with no extensions. Breakpad: http://crash-stats.mozilla.com/report/index/426e0e7c-3f2e-4f56-9750-585842090626
Comment 1 Marcia Knous [:marcia - use ni] 2009-06-26 13:06:26 PDT
Have not yet been able to reproduce but working on it.
Comment 2 Henrik Skupin (:whimboo) 2009-06-26 16:08:06 PDT
Marcia, I wonder if it is somehow related to the word/excel problem you reported lately against the application helper dialog.
Comment 3 Marcia Knous [:marcia - use ni] 2009-06-26 16:12:42 PDT
The Win 7 machine in the lab does not have any of the MS products installed. The word/excel issue I reported was on a Mac machine. Also, in this instance there was no file handler being called; I was simply typing something in a login field.

(In reply to comment #2)
> Marcia, I wonder if it is somehow related to the word/excel problem you
> reported lately against the application helper dialog.
Comment 4 Henrik Skupin (:whimboo) 2009-06-26 16:26:05 PDT
That's right, thanks for the clarification. So let's hope you will find it again.

Given the crash report we crash while accessing plugin->GetLength().

256         nsIDOMPlugin* plugin = nsnull;
257         if (pluginArray->Item(k, &plugin) == NS_OK) {
258           PRUint32 mimeTypeCount = 0;
259           if (plugin->GetLength(&mimeTypeCount) == NS_OK) {
260             nsCOMPtr<nsIDOMMimeType> item;

Can pluginArray->Item return a non-modified parameter so we are accessing a null pointer?

http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/base/nsPluginArray.cpp#108

Marcia, was it the front page on QMO or another sub page? Can you remember?
Comment 5 Marcia Knous [:marcia - use ni] 2009-06-26 16:33:52 PDT
Yes I was on the front page of QMO logging in at the top of the page.
Comment 6 timeless 2009-06-28 01:29:52 PDT
marcia: can you paste about:plugins here?
Comment 7 Marcia Knous [:marcia - use ni] 2009-06-29 12:52:25 PDT
Installed plugins
Find more information about browser plugins at mozilla.org.
Help for installing plugins is available from plugindoc.mozdev.org.

Java Deployment Toolkit 6.0.140.8

    File name: npdeploytk.dll
    NPRuntime Script Plug-in Library for Java(TM) Deploy

MIME Type 	Description 	Suffixes 	Enabled
application/npruntime-scriptable-plugin;DeploymentToolkit 			Yes

Mozilla Default Plug-in

    File name: npnul32.dll
    Default Plug-in

MIME Type 	Description 	Suffixes 	Enabled
* 	Mozilla Default Plug-in 	* 	No

Google Update

    File name: npGoogleOneClick8.dll
    Google Update

MIME Type 	Description 	Suffixes 	Enabled
application/x-vnd.google.oneclickctrl.8 			Yes

Shockwave Flash

    File name: NPSWF32.dll
    Shockwave Flash 10.0 r22

MIME Type 	Description 	Suffixes 	Enabled
application/x-shockwave-flash 	Adobe Flash movie 	swf 	Yes
application/futuresplash 	FutureSplash movie 	spl 	Yes

Windows Presentation Foundation

    File name: NPWPF.dll
    Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

MIME Type 	Description 	Suffixes 	Enabled
application/x-ms-xbap 	XAML Browser Application 	xbap 	Yes
application/xaml+xml 	XAML Document 	xaml 	Yes

Java(TM) Platform SE 6 U14

    File name: npjp2.dll
    Next Generation Java Plug-in 1.6.0_14 for Mozilla browsers

MIME Type 	Description 	Suffixes 	Enabled
application/x-java-applet 	Java Applet 		Yes
application/x-java-bean 	JavaBeans 		Yes
application/x-java-vm 			Yes
application/x-java-applet;version=1.1.1 			Yes
application/x-java-bean;version=1.1.1 			Yes
application/x-java-applet;version=1.1 			Yes
application/x-java-bean;version=1.1 			Yes
application/x-java-applet;version=1.2 			Yes
application/x-java-bean;version=1.2 			Yes
application/x-java-applet;version=1.1.3 			Yes
application/x-java-bean;version=1.1.3 			Yes
application/x-java-applet;version=1.1.2 			Yes
application/x-java-bean;version=1.1.2 			Yes
application/x-java-applet;version=1.3 			Yes
application/x-java-bean;version=1.3 			Yes
application/x-java-applet;version=1.2.2 			Yes
application/x-java-bean;version=1.2.2 			Yes
application/x-java-applet;version=1.2.1 			Yes
application/x-java-bean;version=1.2.1 			Yes
application/x-java-applet;version=1.3.1 			Yes
application/x-java-bean;version=1.3.1 			Yes
application/x-java-applet;version=1.4 			Yes
application/x-java-bean;version=1.4 			Yes
application/x-java-applet;version=1.4.1 			Yes
application/x-java-bean;version=1.4.1 			Yes
application/x-java-applet;version=1.4.2 			Yes
application/x-java-bean;version=1.4.2 			Yes
application/x-java-applet;version=1.5 			Yes
application/x-java-bean;version=1.5 			Yes
application/x-java-applet;version=1.6 			Yes
application/x-java-bean;version=1.6 			Yes
application/x-java-applet;jpi-version=1.6.0_14 			Yes
application/x-java-bean;jpi-version=1.6.0_14 			Yes
Comment 8 Marcia Knous [:marcia - use ni] 2009-07-02 14:55:11 PDT
After reviewing the crash data and seeing that "Cooliris" was mentioned twice in the user comments, I went back in and installed it and crashed in this stack. Breakpad is here:
http://crash-stats.mozilla.com/report/index/2fde3c68-528e-4bbe-9a5a-9d2ad2090702

Here is my config on this machine - I have several other addons as well:

User Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build ID: 20090624012136

Enabled Extensions: [11]
- Adblock Plus 1.0.2: http://adblockplus.org/
- Cooliris 1.11: http://www.cooliris.com/
- Crash Me Now! Advanced 0.2: http://ted.mielczarek.org/code/mozilla/
- Custom Buttons² 3.0.1: http://custombuttons2.com/
- Firebug 1.4.0b3: http://www.google.com/search?q=Firefox%20Firebug
- Firecookie 0.8: http://www.janodvarko.cz/firecookie
- FireFTP 1.0.5: http://fireftp.mozdev.org
- FirePHP 0.3.1: http://www.firephp.org/
- FlashGot 1.1.9.6: http://flashgot.net
- MR Tech Toolkit 6.0.3.4: http://www.mrtech.com/extensions/
- Status-bar Scientific Calculator 4.5: http://www.cse.iitb.ac.in/~sunnygoyal/statusscicalc.html

Disabled Extensions: [1]
- Google Desktop Search 1.1: http://desktop.google.com/

Total Extensions: 12

Installed Themes: [2]
- Chromifox Basic 1.1: http://42st.org/falconer/chromifox/
- Default: http://www.mozilla.org/

Installed Plugins: (12)
- Cooliris embbedded in a tab
- Coupons Inc. Plugin
- Default Plugin
- Flip4Mac Windows Media Plugin 2.2.1
- Java Embedding Plugin 0.9.7.1
- MoveNetworks Quantum Media Player
- QuickTime Plug-in 7.6.2
- Shockwave Flash
- Shockwave for Director
- Silverlight Plug-In
- Viewpoint Media Player (WPN)
- WARP Video Player
Comment 9 Henrik Skupin (:whimboo) 2009-07-02 16:44:06 PDT
Marcia, does it also crash with all the other add-ons disabled? Can you reproduce it with a new profile? WFM here with latest CoolIris add-on installed.
Comment 10 Marcia Knous [:marcia - use ni] 2009-07-06 09:54:43 PDT
Have not yet been able to reproduce the crash, but it was interesting that it crashed once I installed Cooliris. Perhaps an interaction between Cooliris and one of the other extensions? Need to review the crash data once again and look for some clues in the comments.
Comment 11 Marcia Knous [:marcia - use ni] 2009-07-06 10:02:25 PDT
Two of the latest comments in the crash status reference picasa, one mentions picasa download.
Comment 12 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2009-07-06 12:06:22 PDT
(In reply to comment #4)
> That's right, thanks for the clarification. So let's hope you will find it again.
> 
> Given the crash report we crash while accessing plugin->GetLength().
> 
> 256         nsIDOMPlugin* plugin = nsnull;
> 257         if (pluginArray->Item(k, &plugin) == NS_OK) {
> 258           PRUint32 mimeTypeCount = 0;
> 259           if (plugin->GetLength(&mimeTypeCount) == NS_OK) {
> 260             nsCOMPtr<nsIDOMMimeType> item;
> 
> Can pluginArray->Item return a non-modified parameter so we are accessing a
> null pointer?
There seem to be many cases when Item() returns NS_OK but a null plugin.
Whimboo, want to provide a patch for the null check? I could review.
Note, the code does a null check in the previous loop just a few lines above.
Comment 13 Henrik Skupin (:whimboo) 2009-07-06 12:26:45 PDT
Olli, I would leave it up to the devs. I can investigate some issues but supplying a real fix isn't easy all the time. Especially in areas you don't have any knowledge.
Comment 14 Nochum Sossonko [:Natch] 2009-07-06 12:44:19 PDT
Created attachment 387028
null check [branch patch]
Comment 15 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2009-07-06 12:46:27 PDT
Comment on attachment 387028
null check [branch patch]

While you're here, could you make plugin be an nsCOMPtr and change the == NS_OK check to NS_SUCCEEDED?
Comment 16 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2009-07-06 12:47:15 PDT
Something very similar was done for the loop above
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/dom/src/base&command=DIFF_FRAMESET&file=nsMimeTypeArray.cpp&rev2=1.26&rev1=1.25
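
Added example (not part of the bug thread or the attached patches): a self-contained C++ model of the failure discussed in comments 4, 12 and 15, where Item() reports success but leaves the out-pointer null, with the loop guarded by both NS_SUCCEEDED and a null check. The types, the stand-in NS_* definitions and kAltSuccess are assumptions that mimic XPCOM conventions; they are not Gecko headers.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>
// Stand-ins for the XPCOM names in the thread (assumptions, not Gecko headers).
typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_FAILURE = 0x80004005u;
static const nsresult kAltSuccess = 0x00460001u;  // constructed non-NS_OK success code
#define NS_SUCCEEDED(rv) (((rv) & 0x80000000u) == 0)

struct Plugin {  // models nsIDOMPlugin
  uint32_t mimeTypes;
  nsresult rv;   // what GetLength() reports
  nsresult GetLength(uint32_t* aLen) { *aLen = mimeTypes; return rv; }
};

struct PluginArray {  // models the plugin array
  std::vector<Plugin*> slots;  // a slot may be empty (null)
  // Mirrors the behaviour described in comment 12: success with a null result.
  nsresult Item(uint32_t i, Plugin** aOut) {
    if (i >= slots.size()) return NS_ERROR_FAILURE;
    *aOut = slots[i];
    return NS_OK;
  }
};

// Guarded loop: require a success code and a non-null out-pointer.
uint32_t CountMimeTypes(PluginArray& arr, uint32_t* skipped) {
  uint32_t total = 0;
  *skipped = 0;
  for (uint32_t k = 0; k < arr.slots.size(); ++k) {
    Plugin* plugin = nullptr;
    if (NS_SUCCEEDED(arr.Item(k, &plugin)) && plugin) {
      uint32_t n = 0;
      // "== NS_OK" here would silently drop plugins that return kAltSuccess.
      if (NS_SUCCEEDED(plugin->GetLength(&n))) total += n;
    } else {
      ++*skipped;  // the unguarded loop dereferences null at this point
    }
  }
  return total;
}
int main() {
  Plugin flash{2, NS_OK}, java{33, kAltSuccess};  // constructed sample data
  PluginArray arr{{&flash, nullptr, &java}};
  uint32_t skipped = 0;
  uint32_t total = CountMimeTypes(arr, &skipped);
  std::printf("mime types=%u skipped=%u\n", total, skipped);
}
```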
Comment 17 Nochum Sossonko [:Natch] 2009-07-06 12:53:19 PDT
Created attachment 387030
null check [trunk patch]

Sure. I guess I'll upload a branch patch again if this is ever wanted there.
Comment 18 Nochum Sossonko [:Natch] 2009-07-06 12:54:26 PDT
Created attachment 387032
null check [trunk patch]

Sorry, uploaded the same thing :(

Here's the real one.
Comment 19 Nochum Sossonko [:Natch] 2009-07-06 12:58:54 PDT
If there's any way to create a crash-test for this, lemme know. I can't reproduce the crash (I don't login to QMO), so if there's some sort of testcase I'll happily include it in the patch.
Comment 20 Marcia Knous [:marcia - use ni] 2009-07-06 13:27:55 PDT
Unfortunately I have only crashed twice and have not been able to reproduce the crash, but will let you know if I am able to.

(In reply to comment #19)
> If there's any way to create a crash-test for this, lemme know. I can't
> reproduce the crash (I don't login to QMO), so if there's some sort of testcase
> I'll happily include it in the patch.
Comment 21 Dão Gottwald [:dao] 2009-07-07 05:18:59 PDT
http://hg.mozilla.org/mozilla-central/rev/248555b52b97
Comment 22 Samuel Sidler (old account; do not CC) 2009-11-14 23:07:53 PST
Hm. I just crashed with a very similar stack on 1.9.0.

  bp-8fdf5a12-aa4e-44dd-b8cd-6ba752091114

I guess we didn't fix it there, did we? Oh well...
Comment 23 Smokey Ardisson (offline for a while; not following bugs - do not email) 2009-11-15 13:22:53 PST
(In reply to comment #22)
> I guess we didn't fix it there, did we? Oh well...

Or 1.9.1, where the crash was actually seen in the wild originally.
Comment 24 Nochum Sossonko [:Natch] 2009-11-15 17:46:18 PST
I don't mind taking this to 1.9.1/1.9.0 if it's wanted...
Comment 25 Samuel Sidler (old account; do not CC) 2009-11-16 08:42:51 PST
If it's just a null check, I'd say yes, but let me check with Dan first.
Comment 26 Samuel Sidler (old account; do not CC) 2009-11-16 15:50:31 PST
Wanted! Let's get this fixed.

Note that there have been 767 crashes in the last week with this signature in Firefox 3.5.5.
Comment 27 Nochum Sossonko [:Natch] 2009-11-17 09:28:56 PST
Created attachment 412875
191 patch

Patch for 1.9.1. 1.9.0 coming up if this doesn't apply (I don't have a local tree to check on).
Comment 28 Nochum Sossonko [:Natch] 2009-11-17 10:45:20 PST
This is already fixed on 1.9.0! Not sure who re-regressed it, but see: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla%2Fdom%2Fsrc%2Fbase%2FnsMimeTypeArray.cpp&rev=&cvsroot=%2Fcvsroot

It was fixed originally by bug 308778. Are there any crash stacks on 1.9.0 with this?
Comment 29 Samuel Sidler (old account; do not CC) 2009-11-17 21:15:49 PST
See comment 22.
Comment 30 Nochum Sossonko [:Natch] 2009-11-17 22:28:37 PST
I must be crazy, it obviously does exist, the loop right above it was fixed, not the one below...

Patch for 1.9.0 in the morning hopefully. I guess wanted-1.9.0.x+ again...
Comment 31 Nochum Sossonko [:Natch] 2009-11-18 07:33:17 PST
Created attachment 413072
1.9.0 patch

Patch for cvs 1.9.0 branch.
Comment 32 Samuel Sidler (old account; do not CC) 2009-11-19 15:41:38 PST
Comment on attachment 413072
1.9.0 patch

Pushing these noms out.
Comment 33 Henrik Skupin (:whimboo) 2009-11-20 03:41:09 PST
CC'ing Aakash and Carsten, who could eventually have an idea for a testcase.
Comment 34 Daniel Veditz [:dveditz] 2009-12-02 15:35:03 PST
Comment on attachment 412875
191 patch

Approved for 1.9.1.7 and 1.9.0.17, a=dveditz for release-drivers
Comment 35 Nochum Sossonko [:Natch] 2009-12-09 12:56:02 PST
Pushed to 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ca9293559ec2

Still need someone to push to 1.9.0...
Comment 36 Henrik Skupin (:whimboo) 2010-01-28 06:09:11 PST
(In reply to comment #35)
> Pushed to 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ca9293559ec2
> 
> Still need someone to push to 1.9.0...

Dan, this still needs to get pushed to 1.9.0...
Comment 37 Daniel Veditz [:dveditz] 2010-02-02 01:34:34 PST
Checking in nsMimeTypeArray.cpp;
/cvsroot/mozilla/dom/src/base/nsMimeTypeArray.cpp,v  <--  nsMimeTypeArray.cpp
new revision: 1.29; previous revision: 1.28
