Closed Bug 545186 Opened 15 years ago Closed 12 years ago

[OOPP] Crash with Moonlight 2.0 [@ @0x0 | mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const&, IPC::Message*&) ]

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(status1.9.2 unaffected)

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
status1.9.2 --- unaffected

People

(Reporter: underpass_bugzilla, Assigned: cjones)

References

Details

(Whiteboard: [OOPPTestday])

Attachments

(1 file)

valgrind use-after-free errors in PluginScriptableObjectChild
22.45 KB, text/plain
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; it; rv:1.9.2) Gecko/20100115 Firefox/3.6 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a2pre) Gecko/20100209 Minefield/3.7a2pre Debian GNU/Linux, testing branch, 2.6.32.6 kernel Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a2pre) Gecko/20100209 Minefield/3.7a2pre Installed plugins: gecko-mediaplayer 0.98 Shockwave Flash 10.1 (beta) Java 1.6.0_16 Adobe Reader 9.3 Reproducible: Always Steps to Reproduce: 1. Install and enable Moonlight 2.0 from http://www.go-mono.com/moonlight/ (raising compatibility to 3.7 to install the xpi) 2. Visit http://tv.repubblica.it/copertina/ciancimino-attacco-a-forza-italia/42318?video 3. You get a crash (the plugin component still runs in background)
Blocks: OOPP
Whiteboard: [OOPPTestday]
Confirmed plugin crash with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.3a2pre) Gecko/20100209 Minefield/3.7a2pre on aforementioned URL. Plugins: Moonlight 2.0: libmoonloaderxpi.so 3.0.40818.0 Crash @ libgdk-x11-2.0.so.0.1800.3 report: http://crash-stats.mozilla.com/report/index/0f24bcdf-e3ee-40b0-a68e-2ced92100209
Status: UNCONFIRMED → NEW
Ever confirmed: true
The crash I get is with Flash..
With OOPP disabled (dom.ipc.plugins.enabled;false): Firefox does not crash (but gecko-mediaplayer seems to start instead of Moonlight) Crash Signature: @0x0 | mozilla::plugins::PPluginModuleParent::OnCallReceived(IPC::Message const&, IPC::Message*&) This bug may be related to Bug 544058 but that one involves another plugin (mplayer-plugin, that the author does not mantain anymore).
Version: unspecified → Trunk
Assignee: nobody → jones.chris.g
There are two problems exposed by this site. I can reliably crash on http://tv.repubblica.it/copertina/ciancimino-attacco-a-forza-italia/42318?video, but it's the same flash crash with/without Moonlight. The error is the same as in bug 540114. With Moonlight and no flash, I can repro. STR 0. Uninstall or disable flash 1. Install and enable Moonlight 2.0 from http://www.go-mono.com/moonlight/ (raising compatibility to 3.7 to install the xpi) 2. Visit http://tv.repubblica.it/copertina/ciancimino-attacco-a-forza-italia/42318?video 3. Click "Allow popups" 4. Firefox crashes when the popup loads The crash looks to have the same underlying cause as bug 543917, will check.
Didn't repro the browser crash first time around, but caught some npruntime errors. Moonlight itself has a *ton* of valgrind errors in the log (excised from the attached), so it's possible that this is actually a bug in its npapi wrapper code.
Hmm, meant to CC bent, must have missed.
Sorry, forgot to post the backtrace that leads me to believe this is bug 543917 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff6ba24eb in mozilla::plugins::PBrowserStreamParent::OnCallReceived (this=0x7fffd774eac0, msg=..., reply=@0x7fffffffd5c0) at PBrowserStreamParent.cpp:297 #0 0x00007ffff6ba24eb in mozilla::plugins::PBrowserStreamParent::OnCallReceived (this=0x7fffd774eac0, msg=..., reply=@0x7fffffffd5c0) at PBrowserStreamParent.cpp:297 #1 0x00007ffff6b85219 in mozilla::plugins::PPluginModuleParent::OnCallReceived (this=0x7fffd7b2ac00, msg=..., reply=@0x7fffffffd5c0) at PPluginModuleParent.cpp:434 #2 0x00007ffff6b7ceb0 in mozilla::ipc::RPCChannel::DispatchIncall (this=0x7fffd7b2ac10, call=...) at /home/cjones/mozilla/electrolysis/ipc/glue/RPCChannel.cpp:429 #3 0x00007ffff6b7cdc8 in mozilla::ipc::RPCChannel::Incall (this=0x7fffd7b2ac10, call=..., stackDepth=1) at /home/cjones/mozilla/electrolysis/ipc/glue/RPCChannel.cpp:414 #4 0x00007ffff6b7c515 in mozilla::ipc::RPCChannel::Call (this=0x7fffd7b2ac10, msg=0x7fffd65dfc40, reply=0x7fffffffd790) at /home/cjones/mozilla/electrolysis/ipc/glue/RPCChannel.cpp:259 #5 0x00007ffff6ba1bdb in mozilla::plugins::PBrowserStreamParent::CallNPP_Write (this=0x7fffd774eac0, offset=@0x7fffffffd844, data=..., consumed=0x7fffffffd86c) at PBrowserStreamParent.cpp:106 #6 0x00007ffff6b74bd3 in mozilla::plugins::BrowserStreamParent::Write (this=0x7fffd774eac0, offset=0, len=12222, buffer=0x7fffd64a9000) at /home/cjones/mozilla/electrolysis/dom/plugins/BrowserStreamParent.cpp:74 #7 0x00007ffff6b66594 in mozilla::plugins::PluginModuleParent::NPP_Write (instance=0x7fffd89c3e20, stream=0x7fffd77fe308, offset=0, len=12222, buffer=0x7fffd64a9000) at /home/cjones/mozilla/electrolysis/dom/plugins/PluginModuleParent.cpp:357 #8 0x00007ffff69041a0 in nsNPAPIPluginStreamListener::OnDataAvailable (this=0x7fffd77fe2c0, pluginInfo=0x7fffd89eeca0, input=0x7fffd87c6280, length=0) at /home/cjones/mozilla/electrolysis/modules/plugin/base/src/nsNPAPIPluginInstance.cpp:657 #9 0x00007ffff690d404 in nsPluginStreamListenerPeer::OnDataAvailable (this=0x7fffd630e190, request=0x7fffd77f0450, aContext=0x0, aIStream=0x7fffd87c61c0, sourceOffset=0, aLength=12222) at /home/cjones/mozilla/electrolysis/modules/plugin/base/src/nsPluginHost.cpp:1372 #10 0x00007ffff5a5e8c8 in nsHTTPCompressConv::do_OnDataAvailable (this=0x7fffd8824100, request=0x7fffd77f0450, context=0x0, offset=0, buffer=0x7fffd62d7000 " \t\n\n\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\n\t<head>\n\t\t\n<title>Ciancimino"..., count=12222) at /home/cjones/mozilla/electrolysis/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:375 #11 0x00007ffff5a5e6a1 in nsHTTPCompressConv::OnDataAvailable (this=0x7fffd8824100, request=0x7fffd77f0450, aContext=0x0, iStr=0x7fffd87c6180, aSourceOffset=0, aCount=4084) at /home/cjones/mozilla/electrolysis/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:319 #12 0x00007ffff5a38ee8 in nsStreamListenerTee::OnDataAvailable (this=0x7fffd8795fc0, request=0x7fffd77f0450, context=0x0, input=0x7fffd5289698, offset=0, count=4084) at /home/cjones/mozilla/electrolysis/netwerk/base/src/nsStreamListenerTee.cpp:107 #13 0x00007ffff5af8e0d in nsHttpChannel::OnDataAvailable (this=0x7fffd77f0400, request=0x7fffd6475900, ctxt=0x0, input=0x7fffd5289698, offset=0, count=4084) at /home/cjones/mozilla/electrolysis/netwerk/protocol/http/src/nsHttpChannel.cpp:5369 #14 0x00007ffff5a00ee1 in nsInputStreamPump::OnStateTransfer (this=0x7fffd6475900) at /home/cjones/mozilla/electrolysis/netwerk/base/src/nsInputStreamPump.cpp:508 #15 0x00007ffff5a00a35 in nsInputStreamPump::OnInputStreamReady (this=0x7fffd6475900, stream=0x7fffd5289698) at /home/cjones/mozilla/electrolysis/netwerk/base/src/nsInputStreamPump.cpp:398 #16 0x00007ffff6d282c3 in nsInputStreamReadyEvent::Run (this=0x7fffd89bffc0) at /home/cjones/mozilla/electrolysis/xpcom/io/nsStreamUtils.cpp:112 #17 0x00007ffff6d558dd in nsThread::ProcessNextEvent (this=0x7fffebd30280, mayWait=0, result=0x7fffffffde5c) at /home/cjones/mozilla/electrolysis/xpcom/threads/nsThread.cpp:527 #18 0x00007ffff6ce61e4 in NS_ProcessNextEvent_P (thread=0x7fffebd30280, mayWait=0) at nsThreadUtils.cpp:250 This isn't 100% reproducible; needs constant refreshing. Still haven't caught it under valgrind.
Still no dice in valgrind on the browser crash. Although, bent, I do catch the PluginScriptableObjectChild use-after-free errors every time. Let me know if I can help debug.
Depends on: 543917
Depends on: 532208
No longer depends on: 543917
status1.9.2: --- → unaffected
My firefox 3.6.12 crashes repeatedly with moonlight 2.0 installed. Browser will open to homepage and to other pages but will usually crash within a short time - seconds. Clicking on Tools>Add-ons will crash firefox immediately every time. Only way to keep firefox open is to remove moonlight. Apologies if this is not the appropriate place to report this bug.
Either not reproducing anymore or not a priority.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: