Closed Bug 500777 Opened 14 years ago Closed 14 years ago

Crash in [@ nsMimeTypeArray::GetMimeTypes() ] while logging into QMO

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
1.9.1 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.2a1
Tracking Flags:
Tracking Status
status1.9.1 --- .8-fixed

People

(Reporter: marcia, Assigned: Natch)

Details

(Keywords: crash, fixed1.9.0.18, Whiteboard: [sg:dos])

Crash Data

Attachments

(3 files, 2 obsolete files)

null check [trunk patch]
1.10 KB, patch
smaug
: review+
smaug
: superreview+
Details | Diff | Splinter Review
191 patch
1.12 KB, patch
dveditz
: approval1.9.1.8+
Details | Diff | Splinter Review
1.9.0 patch
1.30 KB, patch
dveditz
: approval1.9.0.18+
Details | Diff | Splinter Review 
Seen while running  Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

STR:
1. I had several tabs open, went back to QMO to login. As soon as I tried to type in the login field the browser crashed.

This is a fairly clean profile with no extensions. Breakpad:http://crash-stats.mozilla.com/report/index/426e0e7c-3f2e-4f56-9750-585842090626
Have not yet been able to reproduce but working on it.
Severity: normal → major
Keywords: crash
OS: Windows NT → Windows 7
Marcia, I wonder if it is somehow related to the word/excel problem you reported lately against the application helper dialog.
Severity: major → critical
The Win 7 machine in the lab does not have any of the MS products installed.  The word/excel issue I reported was on a Mac machine. Also in this instance there was no file handler being called I was simply typing something in a login field.

(In reply to comment #2)
> Marcia, I wonder if it is somehow related to the word/excel problem you
> reported lately against the application helper dialog.
That's right, thanks for clarification. So lets hope you will find it again.

Given the crash report we crash while accessing plugin->GetLength().

256         nsIDOMPlugin* plugin = nsnull;
257         if (pluginArray->Item(k, &plugin) == NS_OK) {
258           PRUint32 mimeTypeCount = 0;
259           if (plugin->GetLength(&mimeTypeCount) == NS_OK) {
260             nsCOMPtr<nsIDOMMimeType> item;

Can pluginArray->Item return a non-modified parameter so we are accessing a null pointer?

http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/base/nsPluginArray.cpp#108

Marcia, was it the front page on QMO or another sub page? Can you remember?
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Version: 3.5 Branch → Trunk
Yes I was on the front page of QMO logging in at the top of the page.
marcia: can you paste about:plugins here?
Installed plugins
Find more information about browser plugins at mozilla.org.
Help for installing plugins is available from plugindoc.mozdev.org.

Java Deployment Toolkit 6.0.140.8

    File name: npdeploytk.dll
    NPRuntime Script Plug-in Library for Java(TM) Deploy

MIME Type 	Description 	Suffixes 	Enabled
application/npruntime-scriptable-plugin;DeploymentToolkit 			Yes

Mozilla Default Plug-in

    File name: npnul32.dll
    Default Plug-in

MIME Type 	Description 	Suffixes 	Enabled
* 	Mozilla Default Plug-in 	* 	No

Google Update

    File name: npGoogleOneClick8.dll
    Google Update

MIME Type 	Description 	Suffixes 	Enabled
application/x-vnd.google.oneclickctrl.8 			Yes

Shockwave Flash

    File name: NPSWF32.dll
    Shockwave Flash 10.0 r22

MIME Type 	Description 	Suffixes 	Enabled
application/x-shockwave-flash 	Adobe Flash movie 	swf 	Yes
application/futuresplash 	FutureSplash movie 	spl 	Yes

Windows Presentation Foundation

    File name: NPWPF.dll
    Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

MIME Type 	Description 	Suffixes 	Enabled
application/x-ms-xbap 	XAML Browser Application 	xbap 	Yes
application/xaml+xml 	XAML Document 	xaml 	Yes
Java(TM) Platform SE 6 U14

    File name: npjp2.dll
    Next Generation Java Plug-in 1.6.0_14 for Mozilla browsers

MIME Type 	Description 	Suffixes 	Enabled
application/x-java-applet 	Java Applet 		Yes
application/x-java-bean 	JavaBeans 		Yes
application/x-java-vm 			Yes
application/x-java-applet;version=1.1.1 			Yes
application/x-java-bean;version=1.1.1 			Yes
application/x-java-applet;version=1.1 			Yes
application/x-java-bean;version=1.1 			Yes
application/x-java-applet;version=1.2 			Yes
application/x-java-bean;version=1.2 			Yes
application/x-java-applet;version=1.1.3 			Yes
application/x-java-bean;version=1.1.3 			Yes
application/x-java-applet;version=1.1.2 			Yes
application/x-java-bean;version=1.1.2 			Yes
application/x-java-applet;version=1.3 			Yes
application/x-java-bean;version=1.3 			Yes
application/x-java-applet;version=1.2.2 			Yes
application/x-java-bean;version=1.2.2 			Yes
application/x-java-applet;version=1.2.1 			Yes
application/x-java-bean;version=1.2.1 			Yes
application/x-java-applet;version=1.3.1 			Yes
application/x-java-bean;version=1.3.1 			Yes
application/x-java-applet;version=1.4 			Yes
application/x-java-bean;version=1.4 			Yes
application/x-java-applet;version=1.4.1 			Yes
application/x-java-bean;version=1.4.1 			Yes
application/x-java-applet;version=1.4.2 			Yes
application/x-java-bean;version=1.4.2 			Yes
application/x-java-applet;version=1.5 			Yes
application/x-java-bean;version=1.5 			Yes
application/x-java-applet;version=1.6 			Yes
application/x-java-bean;version=1.6 			Yes
application/x-java-applet;jpi-version=1.6.0_14 			Yes
application/x-java-bean;jpi-version=1.6.0_14 			Yes
After reviewing the crash data and seeing that "Cooliris" was mentioned twice in the user comments, I went back in and installed it and crashed in this stack. Breakpad is here:
http://crash-stats.mozilla.com/report/index/2fde3c68-528e-4bbe-9a5a-9d2ad2090702

Here is my config on this machine - I have several other addons as well:

User Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build ID: 20090624012136

Enabled Extensions: [11]
- Adblock Plus 1.0.2: http://adblockplus.org/
- Cooliris 1.11: http://www.cooliris.com/
- Crash Me Now! Advanced 0.2: http://ted.mielczarek.org/code/mozilla/
- Custom Buttons² 3.0.1: http://custombuttons2.com/
- Firebug 1.4.0b3: http://www.google.com/search?q=Firefox%20Firebug
- Firecookie 0.8: http://www.janodvarko.cz/firecookie
- FireFTP 1.0.5: http://fireftp.mozdev.org
- FirePHP 0.3.1: http://www.firephp.org/
- FlashGot 1.1.9.6: http://flashgot.net
- MR Tech Toolkit 6.0.3.4: http://www.mrtech.com/extensions/
- Status-bar Scientific Calculator 4.5: http://www.cse.iitb.ac.in/~sunnygoyal/statusscicalc.html

Disabled Extensions: [1]
- Google Desktop Search 1.1: http://desktop.google.com/

Total Extensions: 12

Installed Themes: [2]
- Chromifox Basic 1.1: http://42st.org/falconer/chromifox/
- Default: http://www.mozilla.org/

Installed Plugins: (12)
- Cooliris embbedded in a tab
- Coupons Inc. Plugin
- Default Plugin
- Flip4Mac Windows Media Plugin 2.2.1
- Java Embedding Plugin 0.9.7.1
- MoveNetworks Quantum Media Player
- QuickTime Plug-in 7.6.2
- Shockwave Flash
- Shockwave for Director
- Silverlight Plug-In
- Viewpoint Media Player (WPN)
- WARP Video Player
OS: Windows 7 → All
Hardware: x86 → All
Marcia, does it also crash with all the other add-ons disabled? Can you reproduce it with a new profile? WFM here with latest CoolIris add-on installed.
Have not yet been able to reproduce the crash, but it was interesting that it crashed once I installed Cooliris. Perhaps an interaction between Cooliris and one of the other extensions? Need to review the crash data once again and look for some clues in the comments.
Two of the latest comments in the crash status reference picasa, one mentions picasa download.
(In reply to comment #4)
> That's right, thanks for clarification. So lets hope you will find it again.
> 
> Given the crash report we crash while accessing plugin->GetLength().
> 
> 256         nsIDOMPlugin* plugin = nsnull;
> 257         if (pluginArray->Item(k, &plugin) == NS_OK) {
> 258           PRUint32 mimeTypeCount = 0;
> 259           if (plugin->GetLength(&mimeTypeCount) == NS_OK) {
> 260             nsCOMPtr<nsIDOMMimeType> item;
> 
> Can pluginArray->Item return a non-modified parameter so we are accessing a
> null pointer?
There seems to be many cases when Item() returns NS_OK but a null plugin.
Whimboo, want to provide a patch for the null check? I could review.
Note, the code does null check in the previous loop just few lines above.
Olli, I would leave it up to the devs. I can investigate some issues but supplying a real fix isn't easy all the time. Especially in areas you don't have any knowledge.
Attached patch null check [branch patch] (obsolete) — Splinter Review 

        Attachment #387028 -
        Flags: review?(Olli.Pettay)

    
  

        Attachment #387028 -
        Attachment description: null check → null check [branch patch]

    
    

    
  
Comment on attachment 387028 [details] [diff] [review]
null check [branch patch]

While you're here, could you make plugin to be nsCOMPtr and change == NS_OK check to be NS_SUCCEEDED

    
    

    
  

      
      
      
      

        Attached patch
          
          
        null check [trunk patch] (obsolete)
        — Splinter Review
      

    


  
Sure. I guess I'll upload a branch patch again if this is ever wanted there.

        Attachment #387028 -
        Attachment is obsolete: true

        Attachment #387030 -
        Flags: review?(Olli.Pettay)

        Attachment #387028 -
        Flags: review?(Olli.Pettay)

    
    

    
  


  
Sorry, uploaded the same thing :(

Here's the real one.

        Attachment #387030 -
        Attachment is obsolete: true

        Attachment #387032 -
        Flags: review?(Olli.Pettay)

        Attachment #387030 -
        Flags: review?(Olli.Pettay)

        Attachment #387032 -
        Flags: superreview+

        Attachment #387032 -
        Flags: review?(Olli.Pettay)

        Attachment #387032 -
        Flags: review+

    
    

    
  
If there's anyway to create a crash-test for this, lemme know. I can't reproduce the crash (I don't login to QMO), so if there's some sort of testcase I'll happily include it in the patch.
Keywords: checkin-needed

    
  
Assignee: nobody → highmind63
Status: NEW → ASSIGNED

    
    

    
  
Unfortunately I have only crashed twice and have not been able to reproduce the crash, but will let you know if I am able to.

(In reply to comment #19)
> If there's anyway to create a crash-test for this, lemme know. I can't
> reproduce the crash (I don't login to QMO), so if there's some sort of testcase
> I'll happily include it in the patch.

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/248555b52b97
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Version: Trunk → 1.9.1 Branch

    
    

    
  
Hm. I just crashed with a very similar stack on 1.9.0.

  bp-8fdf5a12-aa4e-44dd-b8cd-6ba752091114

I guess we didn't fix it there, did we? Oh well...
Whiteboard: [sg:dos]

    
    

    
  
(In reply to comment #22)
> I guess we didn't fix it there, did we? Oh well...

Or 1.9.1, where the crash was actually seen in the wild originally.

    
    

    
  
I don't mind taking this to 1.9.1/1.9.0 if it's wanted...

          status1.9.1:
          --- → ?
Flags: wanted1.9.0.x?

    
    

    
  
If it's just a null check, I'd say yes, but let me check with Dan first.

          status1.9.1:
          ?wanted
Flags: wanted1.9.0.x? → wanted1.9.0.x+

    
    

    
  
Wanted! Let's get this fixed.

Note that there have been 767 crashes in the last week with this signature in Firefox 3.5.5.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        191 patchSplinter Review
      

    


  
Patch for 1.9.1. 1.9.0 coming up if this doesn't apply (I don't have a local tree to check on).

        Attachment #412875 -
        Flags: approval1.9.1.6?

    
    

    
  
This is already fixed on 1.9.0! Not sure who re-regressed it, but see: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla%2Fdom%2Fsrc%2Fbase%2FnsMimeTypeArray.cpp&rev=&cvsroot=%2Fcvsroot

It was fixed originally by bug 308778. Are there any crash stacks on 1.9.0 with this?
Flags: wanted1.9.0.x+ → wanted1.9.0.x?

    
    

    
  
I must be crazy, it obviously does exist, the loop right above it was fixed, not the one below...

Patch for 1.9.0 in the morning hopefully. I guess wanted-1.9.0.x+ again...
Flags: wanted1.9.0.x? → wanted1.9.0.x+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        1.9.0 patchSplinter Review
      

    


  
Patch for cvs 1.9.0 branch.

        Attachment #413072 -
        Flags: approval1.9.0.16?

        Attachment #412875 -
        Flags: approval1.9.1.6? → approval1.9.1.7?

    
    

    
  
Comment on attachment 413072 [details] [diff] [review]
1.9.0 patch

Pushing these noms out.

        Attachment #413072 -
        Flags: approval1.9.0.16? → approval1.9.0.17?

    
    

    
  
CC'ing Aakash and Carsten, who could eventually have an idea for a testcase.

    
    

    
  
Comment on attachment 412875 [details] [diff] [review]
191 patch

Approved for 1.9.1.7 and 1.9.0.17, a=dveditz for release-drivers

        Attachment #412875 -
        Flags: approval1.9.1.7? → approval1.9.1.7+

        Attachment #413072 -
        Flags: approval1.9.0.17? → approval1.9.0.17+

    
  
Keywords: checkin-needed
Whiteboard: [sg:dos] → [sg:dos] [c-n: 1.9.0 and 1.9.1]

    
    

    
  
Pushed to 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ca9293559ec2

Still need someone to push to 1.9.0...

          status1.9.1:
          wanted.7-fixed
Whiteboard: [sg:dos] [c-n: 1.9.0 and 1.9.1] → [sg:dos] [c-n: 1.9.0]

    
    

    
  
(In reply to comment #35)
> Pushed to 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ca9293559ec2
> 
> Still need someone to push to 1.9.0...

Dan, this still needs to get pushed to 1.9.0...

    
    

    
  
Checking in nsMimeTypeArray.cpp;
/cvsroot/mozilla/dom/src/base/nsMimeTypeArray.cpp,v  <--  nsMimeTypeArray.cpp
new revision: 1.29; previous revision: 1.28
Keywords: fixed1.9.0.18
Whiteboard: [sg:dos] [c-n: 1.9.0] → [sg:dos]

    
  
Keywords: checkin-needed
Crash Signature: [@ nsMimeTypeArray::GetMimeTypes() ]
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.