Closed Bug 557595 Opened 14 years ago Closed 7 years ago

[10.6.3] Crashes (various) caused by QuickTime plugin 7.6.6, triggered by enabling support for Core Animation drawing

Categories

(Core Graveyard :: Plug-ins, defect)

x86
macOS
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash)

Attachments

(1 file)

Seen while running Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a4pre) Gecko/20100406 Minefield/3.7a4pre

STR:
1. Load the site in the URL
2. Select the "Medium" trailer on the top under Ipod
3. After the trailer loads, right click on it.

I crash 100% of the time. https://crash-stats.mozilla.com/report/index/65767feb-1ca9-4100-aa4b-431322100406 is the report.

QuickTime Plug-in 7.6.6 is the version I am using
Adding Steven for help with what bucket this belongs in.
Component: General → Plug-ins
Product: Firefox → Core
QA Contact: general → plugins
Your STR doesn't work for me, Marcia (testing with today's Minefield
nightly on OS X 10.6.3, using the same version of the QuickTime plugin).

A very similar one does work (it crashes the browser), but I see very
different crash stacks, not all of which are the same.

My STR:

1) Visit the site in the URL
   (http://trailers.apple.com/trailers/independent/thelivingwake/).

2) Select the Medium trailer.

3) Wait until the trailer starts playing.

   To make the trailer start displaying, you may need to mouse over it
   (another, different bug).

4) Right-click on the trailer and choose About QuickTime PlugIn.

5) Click OK in the About dialog to dismiss it.

6) Go back to step 4.

   Usually I crash at this point.

My crash ids:

bp-dee09688-a777-413e-afdf-12b032100406
bp-f29ad031-642d-434b-b485-7a0f22100406
bp-c31b9951-d670-4c1f-a1ce-dc4e22100406
bp-647aa207-f3f6-4091-a929-f47102100406
bp-b52bfe41-be6b-474f-b693-abab92100406

Please be more specific about your STR, Marcia.  Also it'd help to
find a regression range.  I don't see these crashes in FF 3.6.3.
I don't see any crashes on OS X 10.5.8, even with today's Minefield nightly.

Same QuickTime Plugin version (7.6.6).

Josh, do you know if this version of the QuickTime plugin uses the
Cocoa event model?  Does our plugin-hosting code behave differently on
OS X 10.5 and 10.6 (on the trunk) in ways that might be relevant?
Steven: In my case I did not have to go through the entire set of STR you have in Comment 2. I simply loaded the trailer, right clicked and I crashed. I did not have to dismiss any dialogs.

The reason I visited that site in the first place was to investigate a crash I saw showing up in crash-stats that shows a completely different stack - see https://crash-stats.mozilla.com/report/index/808bc822-cd68-43ff-8061-171672100406 for that report which references the same URL.
I don't see these crashes on OS X 10.6.2 (with today's Minefield
nightly and QuickTime Plugin 7.6.3).  But in this case the context
menu doesn't appear when I right-click on the trailer.
Here's another STR, and some more stacks (different again, but two of
which are the same as Marcia reported).  Once again I used today's
Minefield nightly on OS X 10.6.3.

1) Visit the site in the URL
   (http://trailers.apple.com/trailers/independent/thelivingwake/).

2) Select the Medium trailer.

3) Wait until the trailer starts playing.

   To make the trailer start displaying, you may need to mouse over it
   (another, different bug).

4) Right-click on the trailer and choose About QuickTime PlugIn.

   A context menu should appear.

5) Wait a second or two, without moving the mouse, and right-click again. 

   At this point I usually crash.

More crash reports:

bp-b58b061f-e7c7-4030-8b6a-e1eb52100406
bp-88b0374e-1978-449e-84e9-812542100406
bp-5609773a-acb7-4e97-b41d-ceb612100406
bp-ce357cc1-b599-4f82-81a9-a6ba52100406
bp-d531430b-11f7-415f-9b68-8bad22100406
> but two of which are the same as Marcia reported

Oops.  Only one of them is:

bp-d531430b-11f7-415f-9b68-8bad22100406
> 4) Right-click on the trailer and choose About QuickTime PlugIn.
>
>   A context menu should appear.

4) Right-click on the trailer.

   A context menu should appear.
I've found the regression range for my STRs from comment #2 and
comment #6:

firefox-2010-03-23-03-mozilla-central
http://hg.mozilla.org/mozilla-central/rev/e9b7e0b5821d
firefox-2010-03-24-03-mozilla-central
http://hg.mozilla.org/mozilla-central/rev/e9312d05488f

http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2010-03-23+01%3A29%3A00&enddate=2010-03-24+02%3A44%3A00

I suspect this implicates the patch for bug 497225:

http://hg.mozilla.org/mozilla-central/rev/e687f97bbb6e

Marcia, please check if the regression range for your crashes is the
same.
> To make the trailer start displaying, you may need to mouse over it
> (another, different bug).

This (different) bug has the same regression range.
I'll take a look if this is caused by the Core Animation drawing model.
(In reply to comment #9)
> I've found the regression range for my STRs from comment #2 and
> comment #6:
> 
> firefox-2010-03-23-03-mozilla-central
> http://hg.mozilla.org/mozilla-central/rev/e9b7e0b5821d
> firefox-2010-03-24-03-mozilla-central
> http://hg.mozilla.org/mozilla-central/rev/e9312d05488f
> 
Yes, I see the same regression range for my crashes. 

> http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2010-03-23+01%3A29%3A00&enddate=2010-03-24+02%3A44%3A00
> 
> I suspect this implicates the patch for bug 497225:
> 
> http://hg.mozilla.org/mozilla-central/rev/e687f97bbb6e
> 
> Marcia, please check if the regression range for your crashes is the
> same.
I can't reproduce the crash. I am using 10.6.2 with QuickTime Plug-in 7.6.3.
See comment #5.

You "need" OS X 10.6.3 and QuickTime Plugin 7.6.6.
(QuickTime 7.6.6 comes with OS X 10.6.3, I think.)
Unlike comment #5 I do get the right click menu.

I will apply my system updates to debug this problem. From the stacktrace it does not appear to be related to Core Animation directly. I wonder if Quicktime only uses Cocoa if Core Animation is available which would explain why it appears to be caused by Core Animation.
As Steven points out in Comment #3, this crash does not occur using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.3a4pre) Gecko/20100407 Minefield/3.7a4pre with 7.6.6 Quicktime.
I've gotten very close to confirming that the patch for bug 497225
triggered these crashes.

A trunk build with all patches up to
http://hg.mozilla.org/mozilla-central/rev/386f417ef8a8 doesn't have
any problems.  (This is the rev that landed just before the patch for
bug 497225.)

I haven't been able to get a build with all patches up to
http://hg.mozilla.org/mozilla-central/rev/e687f97bbb6e (the patch for
bug 497225) to crash.  But with the STR from comment #6 (as corrected
by comment #8) I get the following error in the console:

malloc: *** error for object 0xfe8de8: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug

I've attached a gdb stack trace from breaking on malloc_printf (the
advice to break on malloc_error_break is wrong, of course).
Interestingly, this error seems to take place in QuickTime plugin
code.  And the name OOPMoviePluginLayer seems to indicate that it
supports out-of-process operation, and perhaps is trying to do that.

So these crashes are very likely to be the result of one or more
QuickTime plugin bugs.  But the patch for bug 497225 does (somehow)
seem to trigger it/them.

All my tests have been with opt builds -- which might make a
difference.
OOPMoviePluginLayer is the internal Core Animation Layer that Quicktime. This code path would not be taken if Core Animation is not enabled so bug 497225 is surely what uncovered the bug.

It would be interesting to know if the bug is happening using the latest Safari nightly or chromium nightly (with the core animation flag).
Version 7.6.6 of the QuickTime plugin on OS X 10.6.3 has the OOPMoviePluginLayer symbol, but the same version on 10.5.8 doesn't.

So these are actually different versions of the QuickTime plugin, though they have the same version number.
QuickTime does not support the Core Animation drawing model on 10.5. There must be different binaries for 10.5/10.6 if the symbol is not there.
Summary: Crash in [@ TEventTypeIndex::ContainsType(unsigned long, unsigned long) ] when right clicking on Apple trailer → [10.6.3] Crashes (various) caused by QuickTime plugin 7.6.6, triggered by enabling support for Core Animation drawing
Benoit, do you want to take this?

I really don't have time to work on it now.
Yup, I just want to finish my current path before I look at it.
Assignee: nobody → bgirard
Status: NEW → ASSIGNED
I've upgraded to 10.6.3 and I am running Quicktime 7.6.6. The trailer link posted is not working at the moment. I have tried the following trailer:

http://trailers.apple.com/trailers/disney/toystory3/

The right click menu does not open but I do not crash. Can anyone reproduce the crash with this trailer?
I've just tested this trailer with the Chrome/Webkit nightly and they both display their HTML right click menu so perhaps this trailer type ignores right clicks. Can anyone confirm what right click behavior they get on this?
I still crash when I visit http://trailers.apple.com/trailers/independent/thelivingwake/ using  Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a5pre) Gecko/20100409 Minefield/3.7a5pre. I don't get a crash on the other site when I right click on the video while it is playing.
I still crash with
http://trailers.apple.com/trailers/independent/thelivingwake/, using
today's Minefield nightly and 2010-04-06's (the one I originally
tested with), and the STR from comment #6 (corrected by comment #8).

Once I didn't crash ... and saw the error message (in the console)
from comment #18.

When I do crash I've seen a different message in the console.  (It may
also have been there in my previous tests -- I forgot to look.)

*** __NSAutoreleaseNoPool():
  Object 0xeb010c0 of class NSThread autoreleased with no pool in place - just leaking

For the moment I'm no longer able to access the trailers at
http://trailers.apple.com/trailers/independent/thelivingwake/, or
similar trailers at
http://trailers.apple.com/trailers/independent/beetlequeenconquerstokyo/.

I don't crash with the trailers at
http://trailers.apple.com/trailers/disney/toystory3/.  But these seem
to have a different format, and right-clicking on them has no effect.
> *** __NSAutoreleaseNoPool():
>   Object 0xeb010c0 of class NSThread autoreleased with no pool in place
>   - just leaking

Oops, this is unrelated (a different bug).  It happens without viewing
any of Apple's trailers.  All I have to do to see it is start a recent
Minefield nightly.

I'll open a new bug.
> I'll open a new bug.

It's bug 558489.
I tested this using WebKit-SVN-r57408 and the crash does not happen.

I find http://crash-stats.mozilla.com/report/index/5609773a-acb7-4e97-b41d-ceb612100406 very interesting because it shows Quicktime is using Carbon for the right click menu. Is this an issue for the OOPP case Josh?
I haven't been able to reproduce the right-click crash on several test cases where the right-click menu works perfectly. I'm un-assigning this bug until we can confirm this is still occurring.

I did notice that under some cases Quicktime fails to display. I have filed bug 579235 to track this issue.
Assignee: b56girard → nobody
Status: ASSIGNED → NEW
I'm marking this bug as WONTFIX per bug #1269807.

For more information see - https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard