Closed Bug 535280 Opened 15 years ago Closed 15 years ago

[OOPP] Videos on youporn.com crash browser after the videos end (NSFW Links) [@ Abort ]

Categories

(Core Graveyard :: Plug-ins, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: u88484, Unassigned)

Details

(Keywords: crash, crashreportid, regression)

At least a few of the videos on youporn.com crash the browser right after the video ends.  The link is NSFW so turn off the sound if you need to reproduce there.  Also, you can just skip to a few seconds before the end to reproduce without watching the video.

Version: 10.0.32.18
Shockwave Flash 10.0 r32

Using the 1216 trunk nightly
Summary: [OOPP]: Videos on youporn.com crash browser after the videos end (NSFW Links) → [OOPP] Videos on youporn.com crash browser after the videos end (NSFW Links)
Component: IPC → Plug-ins
QA Contact: ipc → plugins
Do you have crash report IDs, by any chance?
Nope, crash reporter does not launch.
Using today's second nightly, Firefox still crashes but the crash reporter did catch it.

http://crash-stats.mozilla.com/report/index/bp-74bdda94-a49a-47f1-bec8-07bfe2091216

I restored the same tab, Firefox hung after the page loaded, I killed the mozilla-runtime.exe process and got this crash:

http://crash-stats.mozilla.com/report/index/c4aeefbc-26d2-4131-8b77-548b32091216

OT: Weird, because I thought Flash 10.1 (I updated to that after filing this bug) prohibited the crash reporter from launching.
Keywords: crashreportid
Summary: [OOPP] Videos on youporn.com crash browser after the videos end (NSFW Links) → [OOPP] Videos on youporn.com crash browser after the videos end (NSFW Links) [@ Abort ]
Signature	Abort
UUID	74bdda94-a49a-47f1-bec8-07bfe2091216
Time 	2009-12-16 22:21:42.77942
Uptime	81
Last Crash	44692 seconds before submission
Product	Firefox
Version	3.7a1pre
Build ID	20091216100208
Branch	1.9.3
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	AuthenticAMD family 15 model 104 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x0
User Comments	
Processor Notes 	
Related Bugs

Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	Abort 	xpcom/base/nsDebugImpl.cpp:376
1 	NPSWF32.dll 	NPSWF32.dll@0x156561 	
2 	xul.dll 	mozilla::plugins::PStreamNotifyParent::Call__delete__ 	obj-firefox/ipc/ipdl/PStreamNotifyParent.cpp:64
3 	xul.dll 	mozilla::plugins::PluginInstanceParent::AnswerPStreamNotifyConstructor 	dom/plugins/PluginInstanceParent.cpp:289
4 	xul.dll 	mozilla::plugins::PPluginInstanceParent::OnCallReceived 	obj-firefox/ipc/ipdl/PPluginInstanceParent.cpp:893
5 	xul.dll 	mozilla::plugins::PPluginModuleParent::OnCallReceived 	obj-firefox/ipc/ipdl/PPluginModuleParent.cpp:415
6 	xul.dll 	mozilla::ipc::RPCChannel::DispatchIncall 	ipc/glue/RPCChannel.cpp:347
Signature	mozilla::plugins::PStreamNotifyChild::Register(mozilla::ipc::RPCChannel::RPCListener*)
UUID	c4aeefbc-26d2-4131-8b77-548b32091216
Time 	2009-12-16 22:22:25.566427
Uptime	40
Last Crash	46 seconds before submission
Product	Firefox
Version	3.7a1pre
Build ID	20091216100208
Branch	1.9.3
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	AuthenticAMD family 15 model 104 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x44
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::plugins::PStreamNotifyChild::Register 	obj-firefox/ipc/ipdl/PBrowserStreamParent.cpp:333
1 	xul.dll 	mozilla::plugins::PPluginInstanceParent::DestroySubtree 	obj-firefox/ipc/ipdl/PPluginInstanceParent.cpp:1115
2 	xul.dll 	mozilla::plugins::PPluginModuleParent::DestroySubtree 	obj-firefox/ipc/ipdl/PPluginModuleParent.cpp:549
3 	xul.dll 	mozilla::plugins::PPluginModuleParent::OnChannelError 	obj-firefox/ipc/ipdl/PPluginModuleParent.cpp:489
4 	xul.dll 	mozilla::ipc::AsyncChannel::NotifyMaybeChannelError 	ipc/glue/AsyncChannel.cpp:279
5 	xul.dll 	MessageLoop::RunTask 	ipc/chromium/src/base/message_loop.cc:326
Comment #5 and Comment #6 are completely different bugs... let's make this one about comment #5, because there are other bugs about corrupted DestroySubtree stuff already.

The relevant code that's aborting in PStreamNotifyParent::Call__delete__ is

if ((1) == ((actor)->mId)) {
  NS_RUNTIMEABORT("actor has been delete'd");
}

Ignoring the apostrophe, this either means:
1. that deleting an actor from within its constructor doesn't work
2. that the plugin host is calling NPP_URLNotify from within this stack frame (which destroys the actor), but then returns an error code which tries to destroy the actor again.

I'm going to try and figure out which it is next. cjones, do you know if #1 should work?
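A simplified model of the guard quoted in comment 7 and of its second hypothesis, added here as an illustration and not taken from Mozilla's generated IPDL code. `Manager`, `Actor`, `AnswerConstructor` and `DeleteResult` are hypothetical names, and the model returns an error where the real check aborts:

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <vector>

// Simplified model for illustration; not Mozilla's generated IPDL code.
constexpr int32_t kFreedId = 1;  // sentinel the quoted check compares mId against
enum class DeleteResult { Ok, AlreadyDeleted };
struct Actor { int32_t mId; };

class Manager {
  std::map<int32_t, std::unique_ptr<Actor>> mLive;
  // Deleted actors are parked here so the model never reads freed memory.
  std::vector<std::unique_ptr<Actor>> mGraveyard;
  int32_t mNextId = 2;
 public:
  Actor* Construct() {
    Actor* a = new Actor{mNextId++};
    mLive[a->mId].reset(a);
    return a;
  }
  // Same guard as the quoted snippet, returning an error instead of aborting.
  DeleteResult Delete(Actor* actor) {
    auto it = mLive.find(actor->mId);
    if (actor->mId == kFreedId || it == mLive.end()) return DeleteResult::AlreadyDeleted;
    mGraveyard.push_back(std::move(it->second));
    mLive.erase(it);
    actor->mId = kFreedId;  // mark the actor so a later delete is detected
    return DeleteResult::Ok;
  }
};

// Constructor-answer path: run the host callback, delete the actor on failure.
DeleteResult AnswerConstructor(Manager& m, Actor* a,
                               const std::function<bool(Actor*)>& hostCallback) {
  return hostCallback(a) ? DeleteResult::Ok : m.Delete(a);
}
// Hypothesis 2: the callback deletes the actor, then reports failure.
DeleteResult ReentrantDeleteThenError() {
  Manager m;
  return AnswerConstructor(m, m.Construct(), [&m](Actor* a) { m.Delete(a); return false; });
}
// Control: failure without a reentrant delete tears the actor down once.
DeleteResult ErrorOnly() {
  Manager m;
  return AnswerConstructor(m, m.Construct(), [](Actor*) { return false; });
}
int main() {
  return ReentrantDeleteThenError() == DeleteResult::AlreadyDeleted ? 0 : 1;
}
```

The graveyard exists only so the model stays well-defined; a check that reads the ID out of an object that has really been freed depends on that memory still holding the sentinel.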
(In reply to comment #7)
> 1. that deleting an actor from within its constructor doesn't work

From within its C++ ctor or AnswerCtor()?  The former won't and shouldn't work, the latter should, testshell does that.
Can't repro on linux, although there's another fun bug where the (windowless) plugin starts to only draw when the browser is *invisible*.  Luckily I can repro with another page ;).
I'm pretty sure the bug of comment 5 is bug 536437, being caught by IPDL use-after-free checking instead of segfaulting because of jemalloc DEBUG freed-memory clobbering.
Hmm, this now WFM.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
You too Ben?  I was looking for confirmation that this also works for others.  I'm assuming bug 536437 somehow fixed this.
I didn't test youporn, no, but I'll take your word for it and we can reopen later if necessary.
Crash Signature: [@ Abort ]
Product: Core → Core Graveyard