Closed Bug 542700 Opened 14 years ago Closed 14 years ago

[OOPP] Plugin process crash during mochitest-3/5 [@nsDefaultComparator] or [@ nsTArray_base::Length()]

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(status1.9.2 .4-fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a4
Tracking Flags:
Tracking Status
status1.9.2 --- .4-fixed

People

(Reporter: cjones, Assigned: benjamin)

References

Details

(Keywords: intermittent-failure, Whiteboard: [qa-noaction-192])

Attachments

(2 files)

Prevent |ChildAsyncCallback|s from touching freed |PluginInstanceChild|s if NPP_Destroy() re-enters or races with the callback [Checkin: Comment 3]
498 bytes, patch
benjamin
: review+
Details | Diff | Splinter Review
Actually add stuff to mPendingAsyncCalls, rev. 1 [Checkin: Comment 40]
5.68 KB, patch
cjones
: review+
christian
: approval1.9.2.4+
Details | Diff | Splinter Review 
Thread 2 (crashed)
 0  xul.dll!nsDefaultComparator<mozilla::plugins::ChildAsyncCall *,mozilla::plugins::ChildAsyncCall *>::Equals(mozilla::plugins::ChildAsyncCall * const &,mozilla::plugins::ChildAsyncCall * const &) [nsTArray.h:035ca5e3ea54 : 223 + 0x6]
    eip = 0x61a2c55d   esp = 0x0121dce4   ebp = 0x0121dce8   ebx = 0x00000001
    esi = 0x003301c8   edi = 0x00000000   eax = 0x00341000   ecx = 0x0121dd48
    edx = 0x00341000   efl = 0x00010293
    Found by: given as instruction pointer in context
 1  xul.dll!nsTArray<mozilla::plugins::ChildAsyncCall *>::IndexOf<mozilla::plugins::ChildAsyncCall *,nsDefaultComparator<mozilla::plugins::ChildAsyncCall *,mozilla::plugins::ChildAsyncCall *> >(mozilla::plugins::ChildAsyncCall * const &,unsigned int,nsDefaultComparator<mozilla::plugins::ChildAsyncCall *,mozilla::plugins::ChildAsyncCall *> const &) [nsTArray.h:035ca5e3ea54 : 393 + 0xf]
    eip = 0x61a2c506   esp = 0x0121dcf0   ebp = 0x0121dd08
    Found by: call frame info
 2  xul.dll!nsTArray<mozilla::plugins::ChildAsyncCall *>::RemoveElement<mozilla::plugins::ChildAsyncCall *,nsDefaultComparator<mozilla::plugins::ChildAsyncCall *,mozilla::plugins::ChildAsyncCall *> >(mozilla::plugins::ChildAsyncCall * const &,nsDefaultComparator<mozilla::plugins::ChildAsyncCall *,mozilla::plugins::ChildAsyncCall *> const &) [nsTArray.h:035ca5e3ea54 : 700 + 0x11]
    eip = 0x61a2c46b   esp = 0x0121dd10   ebp = 0x0121dd24
    Found by: call frame info
 3  xul.dll!nsTArray<mozilla::plugins::ChildAsyncCall *>::RemoveElement<mozilla::plugins::ChildAsyncCall *>(mozilla::plugins::ChildAsyncCall * const &) [nsTArray.h:035ca5e3ea54 : 712 + 0x14]
    eip = 0x61a2c43e   esp = 0x0121dd2c   ebp = 0x0121dd3c
    Found by: call frame info
 4  xul.dll!mozilla::plugins::ChildAsyncCall::Run() [ChildAsyncCall.cpp:035ca5e3ea54 : 68 + 0x17]
    eip = 0x61a2c417   esp = 0x0121dd44   ebp = 0x0121dd4c
    Found by: call frame info
 5  xul.dll!nsThread::ProcessNextEvent(int,int *) [nsThread.cpp:035ca5e3ea54 : 527 + 0x18]
    eip = 0x61b4e2fa   esp = 0x0121dd54   ebp = 0x0121dd88
    Found by: call frame info

Looks like a use-after-free of PluginInstanceChild, probably caused by NPP_Destroy() re-entering the callback.
Probable fix.

I can't figure out a (reliable) way to make NPP_Destroy() re-enter or race with an async callback in a mochitest, so guess we'll need to fly by the seat of our pants for the time being.
Attachment #423932 - Flags: review?(benjamin)
Attachment #423932 - Flags: review?(benjamin) → review+
we'll call it fixed and reopen if necessary, please update https://wiki.mozilla.org/Plugins/OOPP_Branch_Tracking
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Looks like it reoccurred after the fix

http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1264800596.1264801559.10812.gz#err0
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Time for one of you guys to get down with record-and-replay! It's fun! Builds character!
Summary: [OOPP] Plugin process crash during mochitest-3/5 [@nsDefaultComparator] → [OOPP] Plugin process crash during mochitest-3/5 [@nsDefaultComparator] or [@ nsTArray_base::Length()]
Version: unspecified → Trunk
Blocks: 438871
Whiteboard: [orange]
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1267725817.1267729445.3014.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/04 10:03:37
s: win32-slave06
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1268975329.1268978193.7280.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/18 22:08:49
s: win32-slave09
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1268978253.1268981707.16107.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/18 22:57:33
s: win32-slave20
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1268980626.1268983394.20474.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/18 23:37:06
s: win32-slave22
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269099691.1269101482.25805.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/20 08:41:31  
s: win32-slave39
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269132534.1269134293.31443.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/20 17:48:54
s: win32-slave39
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269138418.1269140965.12604.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/20 19:26:58
s: win32-slave20
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269145206.1269147581.24821.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/20 21:20:06
s: win32-slave09
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269172654.1269175160.28030.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/21 04:57:34
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269217055.1269218783.8148.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/21 17:17:35
s: win32-slave39
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269251710.1269253717.15869.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/22 02:55:10  
s: win32-slave39
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269300561.1269303086.7190.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/22 16:29:21
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269311218.1269313778.3850.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/22 19:26:58
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269315423.1269317964.13488.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/22 20:37:03
s: win32-slave20
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269322675.1269325306.30071.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/22 22:37:55
s: win32-slave20
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269351918.1269354528.27541.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/23 06:45:18
s: win32-slave20
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269348755.1269351566.19135.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/23 05:52:35
s: win32-slave20
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269407911.1269410580.22197.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/23 22:18:31
s: win32-slave20
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269446174.1269449124.13756.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/24 08:56:14
s: win32-slave01
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269527014.1269529547.12182.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/25 07:23:34
s: win32-slave43
Boy, I feel dumb. I couldn't reproduce this in recording, but it turns out that we just never added the ChildAsyncCall to the mPendingAsyncCalls list.
Assignee: nobody → benjamin
Status: REOPENED → ASSIGNED
Attachment #434894 - Flags: review?(jones.chris.g)
Attachment #434894 - Flags: review?(jones.chris.g) → review+
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269563434.1269565850.22484.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/25 17:30:34
s: win32-slave23
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269636826.1269639303.11504.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/26 13:53:46
s: win32-slave23
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269643325.1269644983.26525.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/26 15:42:05
s: win32-slave16
http://tinderbox.mozilla.org/showlog.cgi?log=Firefox/1269818957.1269820558.9674.gz
WINNT 5.2 mozilla-central debug test mochitests-3/5 on 2010/03/28 16:29:17
s: win32-slave16
http://hg.mozilla.org/mozilla-central/rev/ca3038f38f65
Status: ASSIGNED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Attachment #423932 - Attachment description: Prevent |ChildAsyncCallback|s from touching freed |PluginInstanceChild|s if NPP_Destroy() re-enters or races with the callback → Prevent |ChildAsyncCallback|s from touching freed |PluginInstanceChild|s if NPP_Destroy() re-enters or races with the callback [Checkin: Comment 3]
Attachment #434894 - Attachment description: Actually add stuff to mPendingAsyncCalls, rev. 1 → Actually add stuff to mPendingAsyncCalls, rev. 1 [Checkin: Comment 40]
Target Milestone: --- → mozilla1.9.3a4
Comment on attachment 434894 [details] [diff] [review]
Actually add stuff to mPendingAsyncCalls, rev. 1
[Checkin: Comment 40]

I need this on 1.9.2 because bug 558629 depends on it.
Attachment #434894 - Flags: approval1.9.2.4?
Comment on attachment 434894 [details] [diff] [review]
Actually add stuff to mPendingAsyncCalls, rev. 1
[Checkin: Comment 40]

a=LegNeato for 1.9.2.4
Attachment #434894 - Flags: approval1.9.2.4? → approval1.9.2.4+
Whiteboard: [orange] → [orange] [qa-noaction-192]
Whiteboard: [orange] [qa-noaction-192] → [qa-noaction-192]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: