532565 - Crash in [@ QuakeLivePlugin@0x5acc ] when exiting Quake Live game

Status: RESOLVED INCOMPLETE

(Plugins Graveyard :: Quake Live, defect)

Description

[Marcia Knous [:marcia]]

Seen while running Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2b4) Gecko/20091124 Firefox/3.6b4. Not able to reproduce using Win 7 or Win XP.

STR:
1. Visit http://www.quakelive.com/
2. Install the plugin
3. Register an account and start the game. Exit the game.
4. Crash

Both of these stacks show up in the Beta 4 results with the same description of closing the Quake Live game. It seems that the game might not be compatible with 3.6 but I did not get an unsupported browser message.

I also tested this in Namoroka and I crashed with this report - http://crash-stats.mozilla.com/report/index/bp-e33ef54f-1599-4ee6-99b7-3ac692091202 - which just shows a slightly different stack than when I crashed a second time - this time in Yield Request - http://crash-stats.mozilla.com/report/index/bp-69b6905a-dcb7-4905-9be2-715a42091202.

Signature	JS_YieldRequest
UUID	69b6905a-dcb7-4905-9be2-715a42091202
Time 	2009-12-02 16:25:08.936378
Uptime	966
Last Crash	3035 seconds before submission
Product	Firefox
Version	3.6b4
Build ID	20091124201530
Branch	1.9.2
OS	Mac OS X
OS Version	10.6.2 10C540
CPU	x86
CPU Info	GenuineIntel family 6 model 7 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash Address	0x1a4
User Comments	Quake Live
Processor Notes 	
Crashing Thread

Frame 	Module 	Signature [Expand] 	Source
libmozjs.dylib 	JS_YieldRequest 	js/src/jsapi.cpp:929
1 	XUL 	XPCJSContextStack::Pop 	js/src/xpconnect/src/xpcthreadcontext.cpp:112
2 	XUL 	nsCxPusher::Pop 	content/base/src/nsContentUtils.cpp:2878
3 	XUL 	nsContentUtils::CopyNewlineNormalizedUnicodeTo 	content/base/src/nsContentUtils.cpp:2705
4 	XUL 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1166
5 	XUL 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventDispatcher.cpp:246
6 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:310
7 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:573
8 	XUL 	nsEventDispatcher::DispatchDOMEvent 	content/events/src/nsEventDispatcher.cpp:636
9 	XUL 	nsGlobalWindow::DispatchEvent 	dom/base/nsGlobalWindow.cpp:6504
10 	XUL 	nsGlobalWindow::DispatchEvent 	dom/base/nsGlobalWindow.cpp:6487
11 	XUL 	nsContentUtils::DispatchTrustedEvent 	content/base/src/nsContentUtils.cpp:3226
12 	XUL 	nsFocusManager::WindowRaised 	dom/base/nsFocusManager.cpp:663
13 	XUL 	nsWebShellWindow::HandleEvent 	xpfe/appshell/src/nsWebShellWindow.cpp:416
14 	XUL 	nsCocoaWindow::DispatchEvent 	widget/src/cocoa/nsCocoaWindow.mm:1259
15 	XUL 	-[WindowDelegate sendFocusEvent:] 	widget/src/cocoa/nsCocoaWindow.mm:1733
16 	XUL 	-[WindowDelegate sendToplevelActivateEvents] 	widget/src/cocoa/nsCocoaWindow.mm:1768
17 	XUL 	+[TopLevelWindowData activateInWindow:] 	widget/src/cocoa/nsWindowMap.mm:221
18 	Foundation 	_nsnote_callback 	
19 	CoreFoundation 	__CFXNotificationPost 	
20 	CoreFoundation 	_CFXNotificationPostNotification 	
21 	Foundation 	-[NSNotificationCenter postNotificationName:object:userInfo:] 	
22 	Foundation 	-[NSNotificationCenter postNotificationName:object:] 	
23 	AppKit 	-[NSWindow becomeMainWindow] 	
24 	AppKit 	-[NSWindow _changeKeyAndMainLimitedOK:] 	
25 	AppKit 	-[NSWindow _orderOutAndCalcKeyWithCounter:stillVisible:docWindow:] 	
26 	AppKit 	-[NSWindow _reallyDoOrderWindow:relativeTo:findKey:forCounter:force:isModal:] 	
27 	AppKit 	-[NSWindow orderWindow:relativeTo:] 	
28 	AppKit 	-[NSWindow orderOut:] 	
29 	quakelive 	quakelive@0xdc3d6 	
30 	quakelive 	quakelive@0xdc4ef 	
31 	quakelive 	quakelive@0x140a2 	
32 	quakelive 	quakelive@0x5ea56 	
33 	quakelive 	quakelive@0x60b52 	
34 	quakelive 	quakelive@0x76bb9 	
35 	quakelive 	quakelive@0x74fd0 	
36 	quakelive 	quakelive@0x7a7fd 	
37 	quakelive 	quakelive@0xe1502 	
38 	quakelive 	quakelive@0xe39b0 	
39 	libSystem.B.dylib 	_pthread_start 	
40 	libSystem.B.dylib 	thread_start

Comment 1

[chris hofmann]

maybe we should turn this into a tracking bug for crashes on the quake site.  There are 3 different signatures reported, but there might be 1-3 or even more problems across those signatures.

There is a low volume JS_YieldRequest crash on 3.6beta (mac only so far)

There is a low volume QuakeLivePlugin crash on 3.5.x and 3.6beta (mac only)

and

There is a high volume  JS_RestoreFrameChain on 3.0,3.5,3.6 beta crash that is cross platform and also might be multiple crash problems, part of which can be seen on the quake site.




1-7  crashes per day for JS_YieldRequest on  200911 * -crashdata

    Correlation to releases
    checking --- 20091126-crashdata.csv JS_YieldRequest
        release total-crashes
              JS_YieldRequest crashes
                         pct.
    all     211758  7       3.30566e-05
    3.0.15  45831           0
    3.5.5   110383          0
    3.6b4   3254    1       0.000307314
    3.6b3   12942   6       0.000463607
    3.6b2   1318            0
    3.6b1   2801            0

    os breakdown
    4       0.571429        Mac OS X10.5.8 9L30
    2       0.285714        Mac OS X10.6.2 10C540
    1       0.142857        Mac OS X10.5.8 9L31a

    4 JS_YieldRequest Mac OS X 10.5.8 9L30
    2 JS_YieldRequest Mac OS X 10.6.2 10C540
    1 JS_YieldRequest Mac OS X 10.5.8 9L31a


1-10  crashes per day for QuakeLivePlugin on 200911 * -crashdata 

    all releases
       3 3.5.2
       7 3.5.5

    os breakdown
    5       0.5     Mac OS X10.6.2 10C540
    5       0.5     Mac OS X10.5.8 9L31a


109 - 191  crashes for JS_RestoreFrameChain on  200911 * -crashdata  with increase at the end of the month

 Correlation to releases

checking --- 20091130-crashdata.csv JS_RestoreFrameChain
release total-crashes
              JS_RestoreFrameChain crashes
                         pct.
all     233706  191     0.000817266
3.0.15  50334   37      0.00073509
3.5.5   122547  104     0.000848654
3.6b4   16576   18      0.00108591
3.6b3   2703    3       0.00110988
3.6b2   1193            0
3.6b1   2776    3       0.00108069

os breakdown
77      0.403141        Windows NT5.1.2600 Service Pack 3
41      0.21466 Windows NT5.1.2600 Service Pack 2
23      0.120419        Windows NT6.0.6002 Service Pack 2
13      0.0680628       Windows NT6.0.6001 Service Pack 1
13      0.0680628       Windows NT6.0.6000
4       0.0209424       Windows NT6.1.7600
4       0.0209424       Mac OS X10.5.8 9L30
3       0.0157068       Mac OS X10.5.8 9L31a
2       0.0104712       Windows NT5.1.2600 Service Pack 1
2       0.0104712       Windows NT5.1.2600 Dodatek Service Pack 3
2       0.0104712       Windows NT5.1.2600 Dodatek Service Pack 2
2       0.0104712       Mac OS X10.6.2 10C540
2       0.0104712       Mac OS X10.4.11 8S2167
1       0.0052356       Windows NT6.1.7100
1       0.0052356       Windows NT5.1.2600

Comment 2

[Marcia Knous [:marcia]]

Bug 532777 is now on file for the [ @ JS_RestoreFrameChain ] crashes. I will create a separate bug for Yield Request and then leave this as the QuakeLive Plugin crash.

Comment 3

[Marcia Knous [:marcia]]

Bug 532780 is on file for  [ @ JS_YieldRequest ]. Updating bug summary to reflect that fact.

Comment 4

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

bug 520639 seems to have fixed a bunch of crashes related to unloading of plugins.  Might it have fixed these too?

Comment 5

[Marcia Knous [:marcia]]

I still use crash using the latest 1.9.2 nightly - see https://bugzilla.mozilla.org/show_bug.cgi?id=532780#c1. Even though the stack is slightly different it is the same set of STR which results in a crash.

Comment 6

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Do the same steps cause a crash on 3.5 (and 3.0)?

Comment 7

[Marcia Knous [:marcia]]

Just tried using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 and I crash following the same steps.

The Quakelive Plugin Version # is 0.1.0.277.

(In reply to comment #6)
> Do the same steps cause a crash on 3.5 (and 3.0)?

Comment 8

[Marcia Knous [:marcia]]

Using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.0.15) Gecko/2009101600 Firefox/3.0.15, the plugin does not seem to be recognized so I cannot actually enter the game since the setup never finishes.

Comment 9

[Marcia Knous [:marcia]]

Using the latest trunk build, Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a2pre) Gecko/20100211 Minefield/3.7a2pre I get a crash in  [@ JS_DeleteProperty ] when performing the same STR on Mac. http://crash-stats.mozilla.com/report/index/63629de4-0782-4415-a850-87cc62100211 is my report.

Comment 10

[Blake Kaplan (:mrbkap) (inactive)]

Josh, Neil: These crashes seem to indicate that we're receiving an OSX focus event on a thread that is not the main thread, which ends up calling into main-thread-only code on the wrong thread. Could this be our fault for not proxying OSX focus things to the main thread (or otherwise censoring these events when they're off the main thread)? Or is this QuakeLive calling an illegal function off the main thread?

Comment 11

[Marcia Knous [:marcia]]

Note this happens on Windows as well. I see it while testing  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100413 Firefox/3.6.4 (.NET CLR 3.5.30729). In this instance I did not get a crash report.

Comment 12

[Marcia Knous [:marcia]]

I get a similar crash while running 4.0 Beta 1. Here are the steps for this reproducible crash:

1. Open the game and click on the "Skills test" link
2. The browser opens full screen
3. Click the link which says "Play in Browser"

I crash right after Step 4 consistently.

http://crash-stats.mozilla.com/report/index/598c9b49-c7dc-4b61-a8e0-36f292100629

Comment 13

[Johnny Stenback (:jst)]

Looking at Marcia's crash linked to in the previous comment shows that we get into our event dispatching code on a thread other than the main thread. By that time we've already lost.

Josh, this is either a bug in the quake plugin, or we need to protect against activateInWindow (or something around that code in the stack in comment 0) from ever calling into our code if it's ever called off the main thread.

Comment 14

[Josh Aas]

Quake Live should not be calling things like "-[NSWindow orderOut:]" on any thread other than the main thread. We should contact them about it.

Comment 15

[Josh Aas]

Email sent to Quake Live developers.

Comment 16

[David Koenig (id Software)]

Thanks for the report.  We'll be taking a look as soon as possible.

Comment 18

[timeless]

Attachment: patch from my tree

josh: i've had this patch in my tree for ages. (Well, since Jul 7 at least)

Comment 19

[Josh Aas]

Comment on attachment 466491 [details] [diff] [review]
patch from my tree

I don't want to get into doing main thread checks all over the place in our widget code. Let's just let id software take care of this. It is easy enough to tell what is going wrong when this happens.

Comment 20

[Marcia Knous [:marcia]]

Today while running the nightly I tested this again to see if we still crash. Since the plugin runs only in 32 bit mode, I restated and I still crash on Mac, but the stack is a bit different: [@ XPCJSContextStack::Push ], 

https://crash-stats.mozilla.com/report/index/bp-43ab18d2-bbc3-463e-824d-cdeb32110217 is that report.

Comment 21

[Benjamin Smedberg]

Closing old bugs in the Plugins component. We aren't going to track issues in 3rd-party plugins in the Mozilla bug tracker. In addition, support for NPAPI plugins will be removed at the end of this year; for more details see the post at https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/

If there is a serious bug in Firefox, it needs to be filed in the "Core" product, "Plug-Ins" component.