Closed
Bug 552002
Opened 15 years ago
Closed 13 years ago
Crash in [@ nsDOMEvent::QueryInterface(nsID const&, void**) ]
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(firefox5- wontfix, firefox6- wontfix, firefox7+ fixed, firefox8+ fixed, blocking2.0 -, status2.0 wontfix, status1.9.2 wontfix, status1.9.1 wontfix)
People
(Reporter: marcia, Unassigned)
References
()
Details
(Keywords: crash, Whiteboard: [sg:critical?][to be fixed by asynchronous plugin painting][qa?])
Crash Data
Attachments
(1 file)
27.29 KB,
text/plain
|
Details |
Seen while reviewing crash data and 100% reproducible on the site in the URL using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a3pre) Gecko/20100312 Minefield/3.7a3pre
STR:
1. Load site in URL
2. Perform and right click event and then scroll. Crash.
https://crash-stats.mozilla.com/report/index/36fa4e87-e61f-42cc-abce-b6cc92100312
https://crash-stats.mozilla.com/report/index/762c0b32-8f02-4c28-9f83-ac3852100312
https://crash-stats.mozilla.com/report/index/bp-85a1d79c-5fb1-4364-9e00-b14092100312
are my three crash reports and my flash version is below.
File: Flash Player.plugin
Version: 10.1.51.95
Shockwave Flash 10.1 d51
Reporter | ||
Comment 1•15 years ago
|
||
I am able to reproduce the crash on Windows using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a3pre) but I do get a completely different stack than Mac: http://crash-stats.mozilla.com/report/index/32439b8a-6242-44dc-922d-4291c2100312 where I crash in [@ _filbuf ].
Version: 10.0.45.2
Shockwave Flash 10.0 r45
OS: Mac OS X → All
Hardware: x86 → All
Comment 2•15 years ago
|
||
Smells like memory corruption of some sort... :(
Whiteboard: [sg:investigate]
Comment 3•15 years ago
|
||
We're not using [sg:investigate] any more. Please use [sg:critical] or [sg:critical?] for scary crashes with testcases, like this one.
(There's no special marking for "this crash would be scary if it had a testcase". We want those bugs to be public to give them a shot at being fixed, but we don't want to draw too much evil attention to them.)
Comment 4•15 years ago
|
||
I'm having trouble reproducing on Mac OS X 10.5. Which is sad, because it's a platform where Valgrind works, and Valgrind is good at tracking down the source of memory corruption.
Am I supposed to right-click on the Flash? And then scroll with the mouse wheel / trackpad? While the context menu is still up?
Comment 5•15 years ago
|
||
Is this a trunk only problem?
Comment 6•15 years ago
|
||
I can reproduce this, I haven't been able to reproduce this in a 2010-03-11 build. There I get flash context menus that get 'stuck' and a Minefield that is basically unusable.
In a debug build, I see this in a debug build before the crash
###!!! ASSERTION: Adding a script runner when that is prevented!: 'Error', file
c:/mozilla-build/src/content/base/src/nsContentUtils.cpp, line 4599
Comment 7•15 years ago
|
||
Comment 8•15 years ago
|
||
I forgot, I had to disable html5 rendering, because it interfered with the page, somehow, causing a blank page.
Comment 9•15 years ago
|
||
I'm seeing these crashes too on http://www.vanderaa.net/afterlife-video-trailer
When right-clicking on one of the "audio excerpts" flash things (they are also flashing in a weird way, I suspect that is a direct2d bug of some sort).
I also managed once to crash with a different stack on that site:
http://crash-stats.mozilla.com/report/index/bp-19419c7f-f8ea-42d8-a7ac-b653a2100314
I think (tentative) steps to reproduce: right-click on the main video, then minimize window, then close tab or something.
Comment 10•15 years ago
|
||
Over to bent who will have a look at this...
Assignee: nobody → bent.mozilla
Comment 11•15 years ago
|
||
This looks like a bug in plugin code, not in DOM events.
But feel free to change back the component and assign this bug to me if
the bug is somewhere in events code.
Component: DOM: Events → Plug-ins
QA Contact: events → plugins
I think this is going to end up a dup of bug 535651 or bug 449129. In this case I think we're running NPRuntime stuff inside a paint.
Reporter | ||
Comment 13•15 years ago
|
||
I cannot reproduce this using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3, but it easily reproduced on the trunk nightly.
(In reply to comment #5)
> Is this a trunk only problem?
Reporter | ||
Comment 14•15 years ago
|
||
Martijn: Are you still able to crash on the sites you mention in Comment 9?
Comment 15•15 years ago
|
||
No, I can't reproduce those anymore with the latest trunk build.
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
Reporter | ||
Comment 16•15 years ago
|
||
marcia will try to reproduce using the branch build tomorrow.
Comment 17•15 years ago
|
||
(In reply to comment #6)
> In a debug build, I see this in a debug build before the crash
> ###!!! ASSERTION: Adding a script runner when that is prevented!: 'Error', file
> c:/mozilla-build/src/content/base/src/nsContentUtils.cpp, line 4599
Jonas, Roc, I never really understood why nsContentUtils::AddScriptBlockerAndPreventAddingRunners()
is ok.
The assertion was added in http://hg.mozilla.org/mozilla-central/rev/9584d6bce9c1
IIRC the idea was that it marks a section where we really should never be adding any script runners. I.e. a section where script blockers technically shouldn't even be needed.
However if we get something wrong and do accidentally attempt to add a scriptrunner, then we'll simply not run the runner. In an attempt to avoid exploitable crashes. I.e. we're attempting to turn an exploitable crash into a mere broken functionality.
That's part of the truth.
See
http://mxr.mozilla.org/mozilla-central/source/layout/generic/nsGfxScrollFrame.cpp#1740
The main reason is that blocking script execution suppresses flushing in nsPresShell, so we want to be able to add a script blocker to do that, but we want to be able to remove that blocker at a time when it is actually not safe to run scripts.
Roc, if the main purpose is to suppress flushing, not suppress scripts, then would it make sense to instead add a flag to nsPresShell which disabled flushing and temporarily set that?
We actually need to do both. I don't really know what crazy stuff Windows might do here.
Reporter | ||
Comment 22•15 years ago
|
||
I cannot reproduce this issue using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.4) Gecko/20100413 Firefox/3.6.4 or the equivalent Windows 3.6.4 version.
(In reply to comment #16)
> marcia will try to reproduce using the branch build tomorrow.
Updated•15 years ago
|
Depends on: 449129
Whiteboard: [sg:critical?][critsmash:investigating] → [sg:critical?][critsmash:depends on 449129]
Updated•15 years ago
|
Whiteboard: [sg:critical?][critsmash:depends on 449129] → [sg:critical?][critsmash:investigating] depends on bug 449129
Reporter | ||
Comment 23•14 years ago
|
||
http://tinyurl.com/3xmcm7z indicates there were several crashes with the 20100611 build, so apparently people are still hitting it in low volume.
Comment 24•14 years ago
|
||
Did the fix for bug 449129 take care of this case? Note that you'll still experience the plugin bug as a crash, but it will be a safe NS_RUNTIMEABORT in RPCChannel::SpinInternalEventLoop rather than a possibly exploitable crash in some random DOM code.
Comment 25•14 years ago
|
||
Blocking final here until we have some sort of resolution.
blocking2.0: --- → final+
Reporter | ||
Comment 26•14 years ago
|
||
The site in the URL has changed quite a bit since the initial crash and I am not able to crash using either Windows or Mac latest trunk nightly.
Of late, the 3.6.x branch is showing 23 Windows crashes - http://tinyurl.com/234c4ls, but the branch does not have the patch in Bug 449129 yet.
Updated•14 years ago
|
Whiteboard: [sg:critical?][critsmash:investigating] depends on bug 449129 → [sg:critical?][critsmash:investigating] waiting for firefox 4 to ship to get data to decide whether to take a branch fix
Comment 27•14 years ago
|
||
Do we need to do what Roc says in Comment 21?
Updated•14 years ago
|
blocking2.0: final+ → ---
Whiteboard: [sg:critical?][critsmash:investigating] waiting for firefox 4 to ship to get data to decide whether to take a branch fix → [sg:critical?][critsmash:investigating][1.9.2 branch and older] waiting for firefox 4 to ship to get data to decide whether to take a branch fix
Version: Trunk → 1.9.2 Branch
This needs a new owner.
Assignee: bent.mozilla → nobody
Updated•14 years ago
|
Whiteboard: [sg:critical?][critsmash:investigating][1.9.2 branch and older] waiting for firefox 4 to ship to get data to decide whether to take a branch fix → [sg:critical?][critsmash:investigating][1.9.2 branch and older][waiting on async plugins]waiting for firefox 4 to ship to get data to decide whether to take a branch fix
Comment 29•14 years ago
|
||
Talking about this more:
1) This is to be fixed by async plugin painting,
2) This is wontfix on branches.
Updated•14 years ago
|
status1.9.1:
--- → wontfix
status1.9.2:
--- → wontfix
Whiteboard: [sg:critical?][critsmash:investigating][1.9.2 branch and older][waiting on async plugins]waiting for firefox 4 to ship to get data to decide whether to take a branch fix → [sg:critical?][to be fixed by asynchronous plugin painting]
Updated•14 years ago
|
blocking2.0: --- → -
Updated•14 years ago
|
tracking-firefox6:
--- → +
Updated•14 years ago
|
status-firefox5:
--- → wontfix
Updated•14 years ago
|
tracking-firefox5:
--- → -
Comment 30•14 years ago
|
||
There's nothing to track for Firefox 6 here, mac async painting is going to land for 7.
Updated•14 years ago
|
Assignee | ||
Updated•13 years ago
|
Crash Signature: [@ nsDOMEvent::QueryInterface(nsID const&, void**) ]
Comment 31•13 years ago
|
||
Bug 598425 landed in early June, so this is fixed in 7 and beyond!
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox7:
--- → fixed
status-firefox8:
--- → fixed
tracking-firefox8:
--- → +
Resolution: --- → FIXED
Comment 32•13 years ago
|
||
As per testcase-wanted keyword, is there something QA can do to verify this fix (apart from checking Socorro)?
Whiteboard: [sg:critical?][to be fixed by asynchronous plugin painting] → [sg:critical?][to be fixed by asynchronous plugin painting][qa?]
Updated•11 years ago
|
Group: core-security
Updated•9 years ago
|
Keywords: testcase-wanted
Updated•3 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•