If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Blip.tv video player crashes [@libpango] [@_releaseobject] [@NPObjWrapper_NewResolve]

RESOLVED WORKSFORME

Status

()

Core
Plug-ins
--
critical
RESOLVED WORKSFORME
8 years ago
6 years ago

People

(Reporter: Matthew Cline, Assigned: jst)

Tracking

({crash, reproducible})

Trunk
x86
Linux
crash, reproducible
Points:
---

Firefox Tracking Flags

(blocking2.0 -)

Details

(crash signature, URL)

(Reporter)

Description

8 years ago
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a1pre) Gecko/20100131 Minefield/3.7a1pre ID:20100131030748

Flash Player 10.1 beta 2 (10.1.51.66)

Whatever movie player is being used at the "Yu-Gi-Oh: The Abridged Series" site is causing Firefox to crash repeatedly, in a different place each time, none of them directly inside of libflashplayer.so:

bp-bccf4de5-f845-481c-ae22-0d44a2100131: libpango-1.0.so.0.2600.1@0x11791

bp-d3a7c734-4f40-4245-b23f-59e402100131: mozilla::plugins::parent::_releaseobject(NPObject*)

bp-8316e7e6-4e53-4841-bd10-602aa2100131:  	_ZL23NPObjWrapper_NewResolveP9JSContextP8JSObjectijPS2_ [NPObjWrapper_NewResolve]

Sometimes it takes watching several episodes for it to show up, sometimes less than a minute.
(Reporter)

Comment 1

8 years ago
Looks like it's the blip.tv video player:

<embed src="http://blip.tv/play/hO0TApywLQ%2Em4v" type="application/x-shockwave-flash" width="750" height="400" allowscriptaccess="always" allowfullscreen="true"></embed>
Summary: YGO:TAS movie player crashes [@libpango] [@_releaseobject] [@NPObjWrapper_NewResolve] → Blip.tv video player crashes [@libpango] [@_releaseobject] [@NPObjWrapper_NewResolve]
(Reporter)

Comment 2

8 years ago
Another instance of it crashing in NPObjWrapper_NewResolve: bp-4020c4ec-40ae-4d9f-9f17-3f73f2100131

And some more info: right before the crash, the output to stdout/stderr was like this:

  (child won, so we're not deferring)
  (child won, so we're deferring)
  (processing deferred in-call)
  ###!!! [Child][RPCChannel] Error: Channel Error: cannot send/recv (seven times in a row)
(Reporter)

Comment 3

8 years ago
More info since I managed to reproduce the NPObjWrapper_NewResolve() crash using a debug build:

1) The "[Child][RPCChannel] Error" actually comes after the segmentation fault is received (in my previous comment I was looking in my log file after the crash had finished).

2) The crash happens at "!npobj->_class->hasProperty":

(gdb) p npobj->_class
$1 = (NPClass *) 0x8
(gdb) p npobj
$2 = (NPObject *) 0xa89ccd0
(gdb) p *npobj
$3 = {_class = 0x8, referenceCount = 2832693892}

3) objp points to NULL:

(gdb) p *objp
$6 = (JSObject *) 0x0

4) Calling DumpJSStack() leads to a crash in the exact same place.  However, looking at the mData member of the aScript parameter to nsJSContext::EvaluateStringWithValue(), the line currently being executed was:

try { __flash__toXML(ScanScout.AdUtils.isFullScreenCapable()) ; } catch(e) {
"<undefined/>"; }

Updated

8 years ago
Assignee: nobody → jst

Comment 4

7 years ago
I just crashed trying to update Silverlight via Mozilla's plugincheck page with the latest Minefield nightly on Mac OS X 10.6.5. I clicked on the update button for Silverlight and crashed on the following Silverlight page:

http://www.microsoft.com/silverlight/get-started/install/default.aspx

My crash report is here:

http://crash-stats.mozilla.com/report/index/bp-c471f3a3-03df-4c14-b5c7-a76fd2101202

Comment 5

7 years ago
Pretty easy to repro by reloading the microsoft.com URL I posted in comment 4. I only have to reload the page a couple of times to get it to happen.

Comment 6

7 years ago
The nsJSContext::EvaluateStringWithValue() crasher indicates the Flash plug-in looking to eval() some JavaScript at the time of the crash. Please advise if this is a plugin refcounting issue and not unique to Flash. I'm not clear on how the Silverlight issue is relevant in this case, except seeing that plugin also requesting JS access at crash time.
Nominating based on reproducibility, popularity of Silverlight, and likely scenario users might find themselves in (upgrading the plugin), even though the original description doesn't mention that plugin.
blocking2.0: --- → ?
Keywords: reproducible
Can someone help answer Jethro's question in Comment 6? Doesn't look to be high volume on the trunk, but shows up in crash stats for 3.6.12 in low volume.

Comment 9

7 years ago
With low crash ranking I don't think this needs to block. Is this mac-only? The bug seems to have morphed several times, and it's probably not a good idea to combine the Flash and Silverlight bugs here, even if they have the same signature.
blocking2.0: ? → -
Crash Signature: [@libpango] [@_releaseobject] [@NPObjWrapper_NewResolve]

Comment 10

6 years ago
This seems mostly confined to 3.6. I see a handful in 7.0.1 but only 5 in the last week.
Crash Signature: [@libpango] [@_releaseobject] [@NPObjWrapper_NewResolve] → [@libpango] [@_releaseobject] [@NPObjWrapper_NewResolve]

Comment 11

6 years ago
We are going to resolve this since all bug a handful of the crashes are in 3.0, 3.5 and 3.6.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.