Crash in [@ nsMimeTypeArray::GetMimeTypes() ] while logging into QMO

RESOLVED FIXED in mozilla1.9.2a1

Status

Product: Core
Component: DOM
Priority: --
Severity: critical
Status: RESOLVED FIXED
Opened 8 years ago, modified 2 years ago

People

Reporter: marcia
Assignee: Natch

Tracking

Keywords: crash, fixed1.9.0.18
Version: 1.9.1 Branch
Target Milestone: mozilla1.9.2a1
Bug Flags: wanted1.9.0.x+

Firefox Tracking Flags

status1.9.1: .8-fixed

Details

Whiteboard: [sg:dos]

Attachments

3 attachments, 2 obsolete attachments

(Reporter)

Description

8 years ago
Seen while running Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

STR:
1. I had several tabs open, went back to QMO to login. As soon as I tried to type in the login field the browser crashed.

This is a fairly clean profile with no extensions. Breakpad: http://crash-stats.mozilla.com/report/index/426e0e7c-3f2e-4f56-9750-585842090626
(Reporter)

Comment 1

8 years ago
Have not yet been able to reproduce but working on it.
Severity: normal → major
Keywords: crash
(Reporter)

Updated

8 years ago
OS: Windows NT → Windows 7
Marcia, I wonder if it is somehow related to the word/excel problem you reported lately against the application helper dialog.
Severity: major → critical
(Reporter)

Comment 3

8 years ago
The Win 7 machine in the lab does not have any of the MS products installed. The word/excel issue I reported was on a Mac machine. Also, in this instance there was no file handler being called; I was simply typing something in a login field.

(In reply to comment #2)
> Marcia, I wonder if it is somehow related to the word/excel problem you
> reported lately against the application helper dialog.
That's right, thanks for clarification. So let's hope you will find it again.

Given the crash report we crash while accessing plugin->GetLength().

        nsIDOMPlugin* plugin = nsnull;
        if (pluginArray->Item(k, &plugin) == NS_OK) {
          PRUint32 mimeTypeCount = 0;
          if (plugin->GetLength(&mimeTypeCount) == NS_OK) {
            nsCOMPtr<nsIDOMMimeType> item;

Can pluginArray->Item return a non-modified parameter so we are accessing a null pointer?

http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/base/nsPluginArray.cpp#108

Marcia, was it the front page on QMO or another sub page? Can you remember?
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Version: 3.5 Branch → Trunk
(Reporter)

Comment 5

8 years ago
Yes I was on the front page of QMO logging in at the top of the page.

Comment 6

8 years ago
marcia: can you paste about:plugins here?
(Reporter)

Comment 7

8 years ago
Installed plugins
Find more information about browser plugins at mozilla.org.
Help for installing plugins is available from plugindoc.mozdev.org.

Java Deployment Toolkit 6.0.140.8

    File name: npdeploytk.dll
    NPRuntime Script Plug-in Library for Java(TM) Deploy

MIME Type 	Description 	Suffixes 	Enabled
application/npruntime-scriptable-plugin;DeploymentToolkit 			Yes

Mozilla Default Plug-in

    File name: npnul32.dll
    Default Plug-in

MIME Type 	Description 	Suffixes 	Enabled
* 	Mozilla Default Plug-in 	* 	No

Google Update

    File name: npGoogleOneClick8.dll
    Google Update

MIME Type 	Description 	Suffixes 	Enabled
application/x-vnd.google.oneclickctrl.8 			Yes

Shockwave Flash

    File name: NPSWF32.dll
    Shockwave Flash 10.0 r22

MIME Type 	Description 	Suffixes 	Enabled
application/x-shockwave-flash 	Adobe Flash movie 	swf 	Yes
application/futuresplash 	FutureSplash movie 	spl 	Yes

Windows Presentation Foundation

    File name: NPWPF.dll
    Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

MIME Type 	Description 	Suffixes 	Enabled
application/x-ms-xbap 	XAML Browser Application 	xbap 	Yes
application/xaml+xml 	XAML Document 	xaml 	Yes

Java(TM) Platform SE 6 U14

    File name: npjp2.dll
    Next Generation Java Plug-in 1.6.0_14 for Mozilla browsers

MIME Type 	Description 	Suffixes 	Enabled
application/x-java-applet 	Java Applet 		Yes
application/x-java-bean 	JavaBeans 		Yes
application/x-java-vm 			Yes
application/x-java-applet;version=1.1.1 			Yes
application/x-java-bean;version=1.1.1 			Yes
application/x-java-applet;version=1.1 			Yes
application/x-java-bean;version=1.1 			Yes
application/x-java-applet;version=1.2 			Yes
application/x-java-bean;version=1.2 			Yes
application/x-java-applet;version=1.1.3 			Yes
application/x-java-bean;version=1.1.3 			Yes
application/x-java-applet;version=1.1.2 			Yes
application/x-java-bean;version=1.1.2 			Yes
application/x-java-applet;version=1.3 			Yes
application/x-java-bean;version=1.3 			Yes
application/x-java-applet;version=1.2.2 			Yes
application/x-java-bean;version=1.2.2 			Yes
application/x-java-applet;version=1.2.1 			Yes
application/x-java-bean;version=1.2.1 			Yes
application/x-java-applet;version=1.3.1 			Yes
application/x-java-bean;version=1.3.1 			Yes
application/x-java-applet;version=1.4 			Yes
application/x-java-bean;version=1.4 			Yes
application/x-java-applet;version=1.4.1 			Yes
application/x-java-bean;version=1.4.1 			Yes
application/x-java-applet;version=1.4.2 			Yes
application/x-java-bean;version=1.4.2 			Yes
application/x-java-applet;version=1.5 			Yes
application/x-java-bean;version=1.5 			Yes
application/x-java-applet;version=1.6 			Yes
application/x-java-bean;version=1.6 			Yes
application/x-java-applet;jpi-version=1.6.0_14 			Yes
application/x-java-bean;jpi-version=1.6.0_14 			Yes
(Reporter)

Comment 8

8 years ago
After reviewing the crash data and seeing that "Cooliris" was mentioned twice in the user comments, I went back in and installed it and crashed in this stack. Breakpad is here:
http://crash-stats.mozilla.com/report/index/2fde3c68-528e-4bbe-9a5a-9d2ad2090702

Here is my config on this machine - I have several other addons as well:

User Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Build ID: 20090624012136

Enabled Extensions: [11]
- Adblock Plus 1.0.2: http://adblockplus.org/
- Cooliris 1.11: http://www.cooliris.com/
- Crash Me Now! Advanced 0.2: http://ted.mielczarek.org/code/mozilla/
- Custom Buttons² 3.0.1: http://custombuttons2.com/
- Firebug 1.4.0b3: http://www.google.com/search?q=Firefox%20Firebug
- Firecookie 0.8: http://www.janodvarko.cz/firecookie
- FireFTP 1.0.5: http://fireftp.mozdev.org
- FirePHP 0.3.1: http://www.firephp.org/
- FlashGot 1.1.9.6: http://flashgot.net
- MR Tech Toolkit 6.0.3.4: http://www.mrtech.com/extensions/
- Status-bar Scientific Calculator 4.5: http://www.cse.iitb.ac.in/~sunnygoyal/statusscicalc.html

Disabled Extensions: [1]
- Google Desktop Search 1.1: http://desktop.google.com/

Total Extensions: 12

Installed Themes: [2]
- Chromifox Basic 1.1: http://42st.org/falconer/chromifox/
- Default: http://www.mozilla.org/

Installed Plugins: (12)
- Cooliris embbedded in a tab
- Coupons Inc. Plugin
- Default Plugin
- Flip4Mac Windows Media Plugin 2.2.1
- Java Embedding Plugin 0.9.7.1
- MoveNetworks Quantum Media Player
- QuickTime Plug-in 7.6.2
- Shockwave Flash
- Shockwave for Director
- Silverlight Plug-In
- Viewpoint Media Player (WPN)
- WARP Video Player
OS: Windows 7 → All
Hardware: x86 → All
Marcia, does it also crash with all the other add-ons disabled? Can you reproduce it with a new profile? WFM here with latest CoolIris add-on installed.
(Reporter)

Comment 10

8 years ago
Have not yet been able to reproduce the crash, but it was interesting that it crashed once I installed Cooliris. Perhaps an interaction between Cooliris and one of the other extensions? Need to review the crash data once again and look for some clues in the comments.
(Reporter)

Comment 11

8 years ago
Two of the latest comments in the crash status reference picasa, one mentions picasa download.
(In reply to comment #4)
> That's right, thanks for clarification. So let's hope you will find it again.
> 
> Given the crash report we crash while accessing plugin->GetLength().
> 
>         nsIDOMPlugin* plugin = nsnull;
>         if (pluginArray->Item(k, &plugin) == NS_OK) {
>           PRUint32 mimeTypeCount = 0;
>           if (plugin->GetLength(&mimeTypeCount) == NS_OK) {
>             nsCOMPtr<nsIDOMMimeType> item;
> 
> Can pluginArray->Item return a non-modified parameter so we are accessing a
> null pointer?
There seem to be many cases when Item() returns NS_OK but a null plugin.
Whimboo, want to provide a patch for the null check? I could review.
Note, the code does null check in the previous loop just a few lines above.
Olli, I would leave it up to the devs. I can investigate some issues but supplying a real fix isn't easy all the time. Especially in areas you don't have any knowledge.
(Assignee)

Comment 14

8 years ago
Created attachment 387028 [details] [diff] [review]
null check [branch patch]
Attachment #387028 - Flags: review?(Olli.Pettay)
(Assignee)

Updated

8 years ago
Attachment #387028 - Attachment description: null check → null check [branch patch]
Comment on attachment 387028 [details] [diff] [review]
null check [branch patch]

While you're here, could you make plugin an nsCOMPtr and change the == NS_OK check to NS_SUCCEEDED?
Something very similar was done for the loop above:
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/dom/src/base&command=DIFF_FRAMESET&file=nsMimeTypeArray.cpp&rev2=1.26&rev1=1.25
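
The failure mode discussed above (Item() reporting success while leaving the out-parameter null) and the requested shape of the fix (owning pointer, NS_SUCCEEDED-style test, null check), as an added example that is not part of the bug thread or of Mozilla's code. `Status`, `Plugin`, `PluginArray`, `CountUnchecked`, `CountChecked` and `SampleArray` are hypothetical stand-ins, and `std::shared_ptr` is used in place of `nsCOMPtr`.

```cpp
// Added illustration with stand-in types; not Mozilla's XPCOM interfaces.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

using Status = uint32_t;  // stand-in for nsresult: high bit set means failure
constexpr Status kOk = 0, kErrFailure = 0x80004005u;
inline bool Succeeded(Status s) { return (s & 0x80000000u) == 0; }
struct Plugin {  // stand-in for nsIDOMPlugin
  uint32_t mimeTypes;
  Status GetLength(uint32_t* out) const { *out = mimeTypes; return kOk; }
};
using PluginRef = std::shared_ptr<Plugin>;  // owning pointer in place of nsCOMPtr
struct PluginArray {  // stand-in for the DOM plugin array
  std::vector<PluginRef> slots;  // a slot may be empty
  // Succeeds for every in-range index, so *out can be null on success.
  Status Item(std::size_t i, PluginRef* out) const {
    if (i >= slots.size()) return kErrFailure;
    *out = slots[i];
    return kOk;
  }
};

// Crashing pattern, for contrast only (never called): trusts the status alone.
uint32_t CountUnchecked(const PluginArray& a) {
  uint32_t total = 0, n = 0;
  for (std::size_t k = 0; k < a.slots.size(); ++k) {
    PluginRef plugin;
    if (a.Item(k, &plugin) == kOk && plugin->GetLength(&n) == kOk) total += n;
  }
  return total;
}

// Hardened loop: success-range test plus an explicit null check.
uint32_t CountChecked(const PluginArray& a) {
  uint32_t total = 0, n = 0;
  for (std::size_t k = 0; k < a.slots.size(); ++k) {
    PluginRef plugin;
    if (!Succeeded(a.Item(k, &plugin)) || !plugin) continue;  // skip empty slot
    if (Succeeded(plugin->GetLength(&n))) total += n;
  }
  return total;
}

// Constructed sample: three slots, the middle one empty.
PluginArray SampleArray() {
  return {{std::make_shared<Plugin>(Plugin{2}), nullptr, std::make_shared<Plugin>(Plugin{33})}};
}
int main() { std::printf("mime types: %u\n", CountChecked(SampleArray())); }
```
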
(Assignee)

Comment 17

8 years ago
Created attachment 387030 [details] [diff] [review]
null check [trunk patch]

Sure. I guess I'll upload a branch patch again if this is ever wanted there.
Attachment #387028 - Attachment is obsolete: true
Attachment #387030 - Flags: review?(Olli.Pettay)
Attachment #387028 - Flags: review?(Olli.Pettay)
(Assignee)

Comment 18

8 years ago
Created attachment 387032 [details] [diff] [review]
null check [trunk patch]

Sorry, uploaded the same thing :(

Here's the real one.
Attachment #387030 - Attachment is obsolete: true
Attachment #387032 - Flags: review?(Olli.Pettay)
Attachment #387030 - Flags: review?(Olli.Pettay)

Updated

8 years ago
Attachment #387032 - Flags: superreview+
Attachment #387032 - Flags: review?(Olli.Pettay)
Attachment #387032 - Flags: review+
(Assignee)

Comment 19

8 years ago
If there's any way to create a crash-test for this, lemme know. I can't reproduce the crash (I don't login to QMO), so if there's some sort of testcase I'll happily include it in the patch.
Keywords: checkin-needed
(Assignee)

Updated

8 years ago
Assignee: nobody → highmind63
Status: NEW → ASSIGNED
(Reporter)

Comment 20

8 years ago
Unfortunately I have only crashed twice and have not been able to reproduce the crash, but will let you know if I am able to.

(In reply to comment #19)
> If there's any way to create a crash-test for this, lemme know. I can't
> reproduce the crash (I don't login to QMO), so if there's some sort of testcase
> I'll happily include it in the patch.
http://hg.mozilla.org/mozilla-central/rev/248555b52b97
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Version: Trunk → 1.9.1 Branch
Hm. I just crashed with a very similar stack on 1.9.0.

  bp-8fdf5a12-aa4e-44dd-b8cd-6ba752091114

I guess we didn't fix it there, did we? Oh well...
Whiteboard: [sg:dos]
(In reply to comment #22)
> I guess we didn't fix it there, did we? Oh well...

Or 1.9.1, where the crash was actually seen in the wild originally.
(Assignee)

Comment 24

8 years ago
I don't mind taking this to 1.9.1/1.9.0 if it's wanted...
status1.9.1: --- → ?
Flags: wanted1.9.0.x?
If it's just a null check, I'd say yes, but let me check with Dan first.
status1.9.1: ? → wanted
Flags: wanted1.9.0.x? → wanted1.9.0.x+
Wanted! Let's get this fixed.

Note that there have been 767 crashes in the last week with this signature in Firefox 3.5.5.
(Assignee)

Comment 27

8 years ago
Created attachment 412875 [details] [diff] [review]
191 patch

Patch for 1.9.1. 1.9.0 coming up if this doesn't apply (I don't have a local tree to check on).
Attachment #412875 - Flags: approval1.9.1.6?
(Assignee)

Comment 28

8 years ago
This is already fixed on 1.9.0! Not sure who re-regressed it, but see: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla%2Fdom%2Fsrc%2Fbase%2FnsMimeTypeArray.cpp&rev=&cvsroot=%2Fcvsroot

It was fixed originally by bug 308778. Are there any crash stacks on 1.9.0 with this?
Flags: wanted1.9.0.x+ → wanted1.9.0.x?
See comment 22.
(Assignee)

Comment 30

8 years ago
I must be crazy, it obviously does exist, the loop right above it was fixed, not the one below...

Patch for 1.9.0 in the morning hopefully. I guess wanted-1.9.0.x+ again...
Flags: wanted1.9.0.x? → wanted1.9.0.x+
(Assignee)

Comment 31

8 years ago
Created attachment 413072 [details] [diff] [review]
1.9.0 patch

Patch for cvs 1.9.0 branch.
Attachment #413072 - Flags: approval1.9.0.16?
Keywords: testcase-wanted
Attachment #412875 - Flags: approval1.9.1.6? → approval1.9.1.7?
Comment on attachment 413072 [details] [diff] [review]
1.9.0 patch

Pushing these noms out.
Attachment #413072 - Flags: approval1.9.0.16? → approval1.9.0.17?
CC'ing Aakash and Carsten, who could eventually have an idea for a testcase.
Comment on attachment 412875 [details] [diff] [review]
191 patch

Approved for 1.9.1.7 and 1.9.0.17, a=dveditz for release-drivers
Attachment #412875 - Flags: approval1.9.1.7? → approval1.9.1.7+
Attachment #413072 - Flags: approval1.9.0.17? → approval1.9.0.17+
(Assignee)

Updated

8 years ago
Keywords: checkin-needed
Whiteboard: [sg:dos] → [sg:dos] [c-n: 1.9.0 and 1.9.1]
(Assignee)

Comment 35

8 years ago
Pushed to 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ca9293559ec2

Still need someone to push to 1.9.0...
status1.9.1: wanted → .7-fixed
Whiteboard: [sg:dos] [c-n: 1.9.0 and 1.9.1] → [sg:dos] [c-n: 1.9.0]
(In reply to comment #35)
> Pushed to 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ca9293559ec2
> 
> Still need someone to push to 1.9.0...

Dan, this still needs to get pushed to 1.9.0...
Checking in nsMimeTypeArray.cpp;
/cvsroot/mozilla/dom/src/base/nsMimeTypeArray.cpp,v  <--  nsMimeTypeArray.cpp
new revision: 1.29; previous revision: 1.28
Keywords: fixed1.9.0.18
Whiteboard: [sg:dos] [c-n: 1.9.0] → [sg:dos]

Updated

7 years ago
Keywords: checkin-needed
Crash Signature: [@ nsMimeTypeArray::GetMimeTypes() ]
Keywords: testcase-wanted