Closed Bug 511671 Opened 16 years ago Closed 16 years ago

QuakeLive plugin crashes browser when opening a game window [@ nsPurpleBuffer::Put]

Categories

(Core :: Widget: Cocoa, defect)

Product:
Core
Component:
Widget: Cocoa
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: ttimo, Unassigned)

References

(
URL
)

Details

(Keywords: crash)

Crash Data

Attachments

(2 files, 1 obsolete file)

window init code sample
497 bytes, text/plain
Details
gdb stack
11.87 KB, text/plain
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.13) Gecko/2009082005 Iceweasel/3.0.12 (Debian-3.0.12-1) Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 The QuakeLive plugin opens a render window when a player wants to connect to a server. This is done from a thread that is specific to the plugin, but runs in the same process as the browser overall. While this works fine on Safari we are seeing this crash on FireFox. We think this is because FireFox tries to do things with that Window when it really shouldn't, as that Window really is unrelated to the browser. We have created a specific account that can be used to logon to the site and bypass the user agent check, as we currently refuse FF 3.5.x on Mac since we know it will be crashing. We can provide that account information outside of the ticket tracking. Reproducible: Always Steps to Reproduce: 1. Logon to http://www.quakelive.com/ with FireFox 3.5.x on a Mac (Intel OSX 10.5 used here), using the moztest account 2. Install plugin if needed / wait through the content download until you can get to the server list. 3. Connect to an online server, or start a practice game. Actual Results: Crash. I've seen it not crash sometimes, in which case you can just exit out of the game and try again, then it will crash. Not 100% but very, very close. Expected Results: Game window opens, plugin connects to the game successfully. Going to upload backtrace, and code sample of the window creation.
Depends on: 500538
Attached file backtrace (obsolete) —
This code runs in the plugin's thread, in the browser process. We use the same basic architecture on all operating systems, OSX FireFox is the only one on which we have the crash.
Attachment #395604 - Attachment mime type: application/octet-stream → text/plain
I suspect most of the symbols in this stack trace are spurious. To get a good stack trace (that's not a Breakpad stack trace), you need to generate it using a copy of FF that you've built yourself -- either a debug build (which is easiest) or an optimized build with debug symbols.
Component: General → Plug-ins
Product: Firefox → Core
QA Contact: general → plugins
Steven, I will take care of it and check it in the next hours. I will report back.
Severity: normal → critical
Keywords: crash
Version: unspecified → Trunk
No longer depends on: 500538
Thanks, Henrik!
Confirmed for now with a debug build. Because we are accessing an invalid address lets close this bug. Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x414b07f3 0x1cc74703 in ?? () I'll attach a complete gdb stack in a moment.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
This bug is closed for the public so I will put the login credentials in so devs will have a chance to get it in their debugger and to fix this crash: email = moztest@quakelive.com password = m0zt3st
Summary: QuakeLive plugin crashes browser in JS_BeginRequest when opening game window → QuakeLive plugin crashes browser when opening a game window [@ nsPurpleBuffer::Put]
Attached file gdb stack
Just a note beside. I was not able to crash Firefox 3.5.2 on OS X 10.5.8 but my Shiretoko debug build crashed.
Attachment #395603 - Attachment is obsolete: true
I missed the first lines in the stack. Given by the output below the crashing thread is not the main thread? Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x12e2f318 [Switching to process 90019 thread 0xa22b] 0x00592ee6 in nsPurpleBuffer::Put (this=0x100e660, p=0x1cc2b918) at /data/build/shiretoko/xpcom/base/nsCycleCollector.cpp:767 767 e->mObject = p;
Component: Plug-ins → XPCOM
QA Contact: plugins → xpcom
Correct, the plugin starts it's own thread and creates a render window out of that thread (comment #2). Notifications for Windows that don't actually belong to the browser should be ignored?
Creating a toplevel window from a plugin is already dangerous enough... doing it from another thread is thoroughly unsupported.
Component: XPCOM → Widget: Cocoa
QA Contact: xpcom → cocoa
I was also going to complain about calling Cocoa display methods on a secondary thread ... but you guys beat me to it. Timothee, it's now clear that the QuakeLive plugin is at fault here. It shouldn't call Cocoa display methods on anything but the main thread, or cause them to be called on anything but the main thread.
We can try creating the Window from the main thread and passing it over to the plugin thread. FWIW this current approach of creating the window in a seperate thread works fine on Windows (FF and IE), Linux (FF) and Mac (Safari). It seems to me the browser catching that Window through a Cocoa notification mechanism and not realizing it should ignore it is a bit of the issue there.
So the "window init sample code" runs on a secondary thread (one created by the plugin)? I don't know how you're able to get away with this in Safari. But I do know (from personal experience) that Safari does a lot of things on secondary threads (like loading Java applets) that other browsers do on the main thread. And Safari developers (of course) know a lot more about undocumented OS X internals than outsiders do.
(In reply to comment #13) > FWIW this current approach of creating the window in a seperate thread works > fine on Windows (FF and IE), Linux (FF) and Mac (Safari). It seems to me the For me the final game window doesn't open in it's own window on Windows. I believe the same applies to Linux (where I haven't tested it)?
Yes, we have seamless window mode integration working on Windows and Linux, but not on Mac. At this point on Mac we are not able to reliably open a render Window embedded in the browser (including following the browser when it's moving, supporting resizing and having a correct drawing order). We also need full keyboard and mouse grab since we're heavily interactive. We have some pieces of the embedding working, but not reliably enough to enable it in a public release. We have started discussions with Apple on this, and we'd be happy to investigate this with you as well. We know Java applets are getting the embedding and interaction right so there should be a way to get this working for us as well.
fwiw, this plugin doesn't play too well with Safari either. Process: Safari [6424] Path: /Applications/Safari.app/Contents/MacOS/Safari Identifier: com.apple.Safari Version: 4.0.2 (5530.19) Build Info: WebBrowser-55301900~2 Code Type: X86 (Native) Parent Process: launchd [161] Interval Since Last Report: 631966 sec Crashes Since Last Report: 1 Per-App Interval Since Last Report: 850 sec Per-App Crashes Since Last Report: 1 Date/Time: 2009-08-21 15:44:48.274 -0300 OS Version: Mac OS X 10.5.7 (9J61) Report Version: 6 Anonymous UUID: ABB9D74F-36BE-4AC8-ADA3-13E6BACBDF0F Exception Type: EXC_BREAKPOINT (SIGTRAP) Exception Codes: 0x0000000000000002, 0x0000000000000000 Crashed Thread: 18 Application Specific Information: *** Terminating app due to uncaught exception 'WebKitThreadingException', reason: 'DOMNode* kit(WebCore::Node*) was called from a secondary thread'
Definitely a plugin programming error, INVALID.
Group: core-security
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Crash Signature: [@ nsPurpleBuffer::Put]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: