Closed Bug 531290 Opened 15 years ago Closed 15 years ago

Firefox 3.6b4 [@ PL_strlen | nsNPAPIPluginInstance::Initialize(nsIPluginInstanceOwner*, char const*) ] during npietab.dll initialization [@nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) | xul.dll@0x9cc3c3 ]

Categories

(Core Graveyard :: Plug-ins, defect, P2)

x86
Windows XP
defect

Tracking

(status1.9.2 beta5-fixed)

RESOLVED FIXED
mozilla1.9.2
Tracking Status
status1.9.2 --- beta5-fixed

People

(Reporter: chofmann, Assigned: jst)

References

Details

(Keywords: crash, regression, topcrash, Whiteboard: [crashkill][#2 Firefox 3.6b4 topcrash])

Crash Data

Attachments

(1 file)

Very early 3.6b4 crash data shows this as the top crash. I don't see any reports of this in beta3 or before in a quick scan. Possibly a few testers that have spotted a new or existing compat problem with IE Tab. Only comment so far is "Usage test of the IE Tab module"

Stack looks like http://crash-stats.mozilla.com/report/index/c07d22ba-b8a2-4050-8807-05b892091126

Frame Module Signature Source
0 plc4.dll PL_strlen nsprpub/lib/libc/src/strlen.c:50
1 xul.dll nsNPAPIPluginInstance::Initialize modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1091
2 npietab.dll npietab.dll@0x3789
3 npietab.dll npietab.dll@0x3470
4 xul.dll nsPluginNativeWindow::CallSetWindow obj-firefox/dist/include/nsPluginNativeWindow.h:101
5 xul.dll nsPluginNativeWindowWin::CallSetWindow modules/plugin/base/src/nsPluginNativeWindowWin.cpp:510
6 xul.dll nsPluginHost::InstantiateEmbeddedPlugin modules/plugin/base/src/nsPluginHost.cpp:3267
7 xul.dll nsObjectFrame::InstantiatePlugin layout/generic/nsObjectFrame.cpp:1021
8 xul.dll nsObjectFrame::Instantiate layout/generic/nsObjectFrame.cpp:2088
9 xul.dll nsObjectLoadingContent::Instantiate content/base/src/nsObjectLoadingContent.cpp:1763
10 xul.dll nsObjectLoadingContent::EnsureInstantiation content/base/src/nsObjectLoadingContent.cpp:787
11 xul.dll nsHTMLPluginObjElementSH::GetPluginInstanceIfSafe dom/base/nsDOMClassInfo.cpp:9415
12 xul.dll nsHTMLPluginObjElementSH::SetupProtoChain dom/base/nsDOMClassInfo.cpp:9495
13 xul.dll nsHTMLPluginObjElementSH::PostCreate dom/base/nsDOMClassInfo.cpp:9608
14 xul.dll FinishCreate js/src/xpconnect/src/xpcwrappednative.cpp:660
15 xul.dll XPCWrappedNative::GetNewOrUsed js/src/xpconnect/src/xpcwrappednative.cpp:590
16 xul.dll XPCConvert::NativeInterface2JSObject js/src/xpconnect/src/xpcconvert.cpp:1199
17 xul.dll XPCConvert::NativeData2JS js/src/xpconnect/src/xpcconvert.cpp:471
18 xul.dll XPCConvert::NativeData2JS js/src/xpconnect/src/xpcprivate.h:2974
19 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2809
20 xul.dll XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1740
21 js3250.dll js_Invoke js/src/jsinterp.cpp:1360
22 js3250.dll js_InternalInvoke js/src/jsinterp.cpp:1423
23 js3250.dll JS_CallFunctionValue js/src/jsapi.cpp:5098
24 xul.dll XPC_NW_FunctionWrapper js/src/xpconnect/src/XPCNativeWrapper.cpp:531
25 js3250.dll js_Invoke js/src/jsinterp.cpp:1360
26 js3250.dll js_Interpret js/src/jsops.cpp:2240
27 js3250.dll js_Invoke js/src/jsinterp.cpp:1368
28 js3250.dll js_InternalInvoke js/src/jsinterp.cpp:1423
29 js3250.dll js_GetPropertyHelper js/src/jsobj.cpp:4271
30 js3250.dll js_Interpret js/src/jsops.cpp:1520
31 js3250.dll js_Invoke js/src/jsinterp.cpp:1368
32 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1696
33 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:570
34 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
35 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
36 xul.dll nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1041

more reports at http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=PL_strlen%20|%20nsNPAPIPluginInstance%3A%3AInitialize%28nsIPluginInstanceOwner*%2C%20char%20const*%29&date=&range_value=1&range_unit=weeks&do_query=1&signature=PL_strlen%20|%20nsNPAPIPluginInstance%3A%3AInitialize%28nsIPluginInstanceOwner*%2C%20char%20const*%29
Summary: Firefox 3.6b4 [@ PL_strlen | nsNPAPIPluginInstance::Initialize(nsIPluginInstanceOwner*, char const*) ] → Firefox 3.6b4 [@ PL_strlen | nsNPAPIPluginInstance::Initialize(nsIPluginInstanceOwner*, char const*) ] during npietab.dll initialization
there are a few instances of this showing up in builds from a few days ago

3.6b2pre 2009 11 08 053558 http://crash-stats.mozilla.com/report/index/a967984c-35c0-4a41-ba71-9400e2091121
3.6b3pre 2009 11 09 051912 http://crash-stats.mozilla.com/report/index/9757e9a9-223c-4c80-8405-9127d2091113
3.6b3pre 2009 11 13 051922 http://crash-stats.mozilla.com/report/index/036b1578-b275-4435-94e5-8acbb2091115

then the larger ramp up in reports begins on

3.6b4pre 2009 11 19 052617 http://crash-stats.mozilla.com/report/index/b4f77c3e-a94a-46a2-8345-1ea212091120

And the volume on this signature seems to be ramping quickly: 51 reports on this signature in 3.6b4 and 3.5b5pre build in the last day.
Keywords: crash, regression
Whiteboard: [crashkill]
IE Tab is only shown compatible with 3.6a1 https://addons.mozilla.org/en-US/firefox/addon/1419
Based on the early data, this is continuing to look like the #1 topcrash in Firefox 3.6b4.
Flags: blocking1.9.2?
Keywords: topcrash
Whiteboard: [crashkill] → [crashkill][#1 Firefox 3.6b4 topcrash]
Are there any recent changes to IE Tab that might have caused this to start happening?
the amo page says: Updated June 2, 2009
Are we sure that this is IE Tab? If so, then the question is: why are we seeing more of this now, and that could be answered by the fact that LifeHacker posted a "how to get your add-ons to work in Firefox 3.6 beta" article recently. If not, then we should figure out what else could be causing it; the b3/b4 divide makes me suspicious.
(In reply to comment #6)
> Are we sure that this is IE Tab?
>

no, but it's a bystander near the top of the stack.

> If so, then the question is: why are we seeing more of this now, and that could
> be answered by the fact that LifeHacker posted a "how to get your add-ons to
> work in Firefox 3.6 beta" article recently.
>
> If not, then we should figure out what else could be causing it; the b3/b4
> divide makes me suspicious.

plugin code surrounds the ie tab code on the stack. plugin changes might be responsible, or plugin changes might have tickled an old bug in ie tab. josh, any thoughts on recent plugin initialization changes that might have tickled bugs here?
many more comments from users in the last day. most believe the problem is with IEtab. others indicate a problem in trying to login to hotmail/banking sites

> Hi, the crash occurs when I try to log to my hotmail account, even typing the URL directly in the address field (so no link with MSN).

maybe those are pre-configed to use ietab?

There is one other interesting comment about another addon that might also have problems

> Likely to be the extension "decreased productivity". Activating the "hide images" button in this extension, caused Firefox to crash

or, is "decreased productivity" just a nick name for ietab ;-) I guess not, dp -> https://addons.mozilla.org/en-US/firefox/addon/6682
It's interesting that all the reported urls for this signature look something like this... [path on hard drive to user profile]jumbuldy-gook-path-hiding.default/extensions/%7B77b819fa-95ad-4f2c-ac7c-486b356188a9%7D/chrome/content/reloaded.html?url=http://www.cnn.com/ --- or some other site...
That's the UUID of IETab, yup. I don't think this blocks, but we should reach out to the author of the add-on and figure out if we changed something between b3 and b4 that would cause this amount of crashy-crash. The list I have of changes in Core::Plug-ins is: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20status1.9.2:beta4-fixed%20component:Plug-ins
Flags: blocking1.9.2? → blocking1.9.2-
(cc'd the author of IE Tab to this bug - PCMan, could you please read through the previous comments and help us understand what might be causing this crash?)
Summary: Firefox 3.6b4 [@ PL_strlen | nsNPAPIPluginInstance::Initialize(nsIPluginInstanceOwner*, char const*) ] during npietab.dll initialization → Firefox 3.6b4 [@ PL_strlen | nsNPAPIPluginInstance::Initialize(nsIPluginInstanceOwner*, char const*) ] during npietab.dll initialization [@nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) | xul.dll@0x9cc3c3 ]
Whiteboard: [crashkill][#1 Firefox 3.6b4 topcrash] → [crashkill][#2 Firefox 3.6b4 topcrash]
This bug is caused by IE Tab using the invalid domWindow from NPN_GetValue(). Since fx3.6b4, it seems the plug-in will no longer use NPN_GetValue() to get the NPNVDOMWindow object. Thus, NPN_GetValue() always returns NPERR_GENERIC_ERROR in this case.

Refer to the source code: http://www.mozdev.org/source/browse/ietab/src/plug-in/plugin.cpp?rev=1.13;ln=1

See function nsPluginInstance::init(), near line 139:

139: NPN_GetValue( this->getInstance(), NPNVDOMWindow,
140:               NS_STATIC_CAST(nsIDOMWindow **, &domWindow));

You can see IE Tab didn't check the success of NPN_GetValue(), it only checks that domWindow is not NULL, then immediately uses domWindow to call GetDocument().

141: if (domWindow) {
142:     nsIDOMDocument* doc;
143:     if( NS_SUCCEEDED( domWindow->GetDocument( &doc ) ) )

Actually, at line 139, NPN_GetValue() returns NPERR_GENERIC_ERROR, so the domWindow is invalid. Then, at line 143, the call domWindow->GetDocument() causes EXCEPTION_ACCESS_VIOLATION and crashes Firefox.
Getting XPCOM objects through NPN_GetValue() was removed by bug 500513.
Blocks: 500513
nick/fligtar, sounds like we need a scan of all addon source for uses of NPN_GetValue() and (another?) alert to addon developers about this change. considering the pretty high use of IE tab seems like this should block on getting a fixed version of IE tab in place.
Flags: blocking1.9.2- → blocking1.9.2?
as mentioned in comment 8 "decreased productivity" https://addons.mozilla.org/en-US/firefox/addon/6682 should also get checked for use of NPN_GetValue() dbaron's addon correlation analysis might also be helpful here to broadcast to and check the widest network of addons that might have this problem. Here is the list of addons that were around when we hit this crash on 11/27. There will likely be some false positives in the list, but its a good place to start investigations and outreach.
latest list like for comment 17 can be found in http://people.mozilla.com/crash_analysis/20091129/ or daily directories and you can even get specific versions that might have the problem. check the 20091129_Firefox_3.6b4-interesting-addons-with-versions.txt.gz or similar files. just search down in the file for "nsNPAPIPluginInstance::Initialize" We might also see the list grow as more people check out 3.6 betas with a wider variety of addons.
we could also approach this on the module side. here are the .dll's that are around when we hit this crash on 11/27. where there is overlap between a .dll that is a binary component of an addon from the list above we might have a good candidate in need of a fix. do we keep a list of addons with binary components some where?
We should at the very least restore the code that handles NPNVDOMWindow (and friends) and make the code return null instead of leaving the out param uninitialized, which would in at least some cases make this crash go away, and in some others turn it into an unexploitable crash. Josh, can you make up a patch that does that? I think we need to block on doing at least that.
Assignee: nobody → joshmoz
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Target Milestone: --- → mozilla1.9.2
I have a patch, taking bug.
Assignee: joshmoz → jst
This should avoid *this* crash, but with some plugins it could just change this from an uninitialized pointer access crash to a null pointer dereference crash. Still worth taking IMO.
Attachment #415011 - Flags: review?(joshmoz)
Attachment #415011 - Flags: review?(joshmoz) → review+
Google code search is quite good at finding (open source) consumers, for example NPN_GetValue of NPNVWindowNPObject: http://www.google.com/codesearch?q=NPN_GetValue+NPNVWindowNPObject+-webcore+-mozilla.org&hl=en&btnG=Search+Code I found many that do not check the return value, and some even use a non-initialized stack variable, e.g. Gnash and a couple of plugins by Google.
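The failure mode discussed in this thread (the error return from NPN_GetValue() ignored, then an out pointer the host never wrote being used) and the two mitigations (the host nulls the out param; the caller checks the return value), as a sketch added here and not code from IE Tab or Mozilla. All types and function names are stand-ins constructed for the example, and a poison constant models the uninitialized pointer so the program reports the bad dereference instead of performing it.

```cpp
#include <cstdint>

// Stand-ins for the NPAPI pieces named in the bug; constructed for this sketch.
enum Err { kNoError = 0, kGenericError = 1 };  // model NPERR_NO_ERROR / NPERR_GENERIC_ERROR
struct DomWindow { bool has_document; };        // models nsIDOMWindow

// How the host answers a request for the DOM window.
enum HostMode {
    kHostSupported,      // before the removal: fills the out param, returns success
    kHostLeavesGarbage,  // after the removal: returns an error, out param untouched
    kHostNullsOutParam   // fix proposed in the thread: error, out param set to null
};

static DomWindow g_window = { true };

// Hypothetical host-side getter modelled on NPN_GetValue(instance, NPNVDOMWindow, &out).
Err host_get_dom_window(HostMode mode, DomWindow** out) {
    switch (mode) {
        case kHostSupported:     *out = &g_window; return kNoError;
        case kHostNullsOutParam: *out = nullptr;   return kGenericError;
        case kHostLeavesGarbage:
        default:                 return kGenericError;  // *out is never written
    }
}

enum Outcome { kUsedDocument, kSkipped, kInvalidDeref };

// Poison value standing in for whatever an uninitialized stack slot happens to hold.
static DomWindow* const kStackGarbage =
    reinterpret_cast<DomWindow*>(static_cast<std::uintptr_t>(0xDEADBEEF));

// Models domWindow->GetDocument(). Reports instead of dereferencing a pointer
// that is not the real window, so the sketch itself never crashes.
static Outcome use_window(DomWindow* w) {
    if (w != &g_window) return kInvalidDeref;
    return w->has_document ? kUsedDocument : kSkipped;
}

// Pattern described for the plug-in: return value ignored, only a null test.
Outcome init_unchecked(HostMode mode) {
    DomWindow* w = kStackGarbage;            // "uninitialized" local
    (void)host_get_dom_window(mode, &w);     // error code dropped
    if (w) return use_window(w);
    return kSkipped;
}

// Hardened caller: initialize the out param, require success AND non-null.
Outcome init_checked(HostMode mode) {
    DomWindow* w = nullptr;
    Err rv = host_get_dom_window(mode, &w);
    if (rv != kNoError || w == nullptr) return kSkipped;
    return use_window(w);
}

int main() {
    // Exit 0 only if the hardened caller is safe under every host behaviour.
    const HostMode modes[] = { kHostSupported, kHostLeavesGarbage, kHostNullsOutParam };
    for (int i = 0; i < 3; ++i)
        if (init_checked(modes[i]) == kInvalidDeref) return 1;
    return 0;
}
```

The host-side fix alone protects only callers that at least test for null; callers that check the return value are safe under all three host behaviours.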
(In reply to comment #18)
> We might also see the list grow as more people check out 3.6 betas with a wider
> variety of addons.

Given that the list shows 100% vs. 7% for IETab, and we know from the stack that IETab is directly related (causative), that leaves only 7% of the list left to be accounted for; the bulk of the list is extensions whose use is correlated with use of IETab. (This is not surprising; many users have no or very few extensions, and many have large numbers.) Correlation does not imply causation. IETab is causative (though not necessarily at fault); most of the rest of the list is just noise.
(In reply to comment #24)
> Given that the list shows 100% vs. 7% for IETab, and we know from the stack
> that IETab is directly related (causative), that leaves only 7% of the list
> left to be accounted for; the bulk of the list is extensions whose use is

er, sorry, it leaves *none* of the list left to be accounted for. It would be 7% if it were 93% vs. 0%.
Keywords: checkin-needed
this would be good to get out in a beta soon so we could get at the list of the other addons that might be affected and make some estimates about how widely they might be in use by non-beta testers.
Crash Signature: [@ PL_strlen | nsNPAPIPluginInstance::Initialize(nsIPluginInstanceOwner*, char const*) ] [@nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) | xul.dll@0x9cc3c3 ]
Blocks: 1092381
No longer blocks: 1092381
Product: Core → Core Graveyard