Closed Bug 559425 Opened 11 years ago Closed 11 years ago

###!!! ASSRTION: Null cx in doInvoke!: 'Error'

Categories

(Core :: Plug-ins, defect)

1.9.2 Branch
x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
blocking1.9.2 --- -
status1.9.2 --- wanted

People

(Reporter: cbook, Assigned: benjamin)

Details

(Keywords: assertion, Whiteboard: [sg:nse])

Attachments

(1 file)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.5pre) Gecko/20100413 Firefox/3.6.5pre

Steps to reproduce:
-> Load the url from 535651 - http://n.yam.com/view/mkvideopage.php/20091202455780
Filing as Security bug because of bug 535651

Causes this assertion:

###!!! ASSRTION: Null cx in doInvoke!: 'Error', file c:/work/mozilla/builds/1.9.2/mozilla/modules/plugin/base/src/nsJSNPRuntime.cpp, line 657
xul!nsJSObjWrapper::NP_Invoke+0x0000000000000028 (c:\work\mozilla\builds\1.9.2\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp, line 751)
xul!mozilla::plugins::parent::_invoke+0x000000000000010A (c:\work\mozilla\builds\1.9.2\mozilla\modules\plugin\base\src\nsnpapiplugin.cpp, line 1849)
xul!mozilla::plugins::PluginScriptableObjectParent::AnswerInvoke+0x0000000000000327 (c:\work\mozilla\builds\1.9.2\mozilla\dom\plugins\pluginscriptableobjectparent.cpp, line 785)
xul!mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived+0x0000000000000870 (c:\work\mozilla\builds\1.9.2\mozilla\firefox-debug\ipc\ipdl\ppluginscriptableobjectparent.cpp, line 1202)
xul!mozilla::plugins::PPluginModuleParent::OnCallReceived+0x0000000000000066 (c:\work\mozilla\builds\1.9.2\mozilla\firefox-debug\ipc\ipdl\ppluginmoduleparent.cpp, line 418)
xul!mozilla::ipc::RPCChannel::DispatchIncall+0x00000000000000BC (c:\work\mozilla\builds\1.9.2\mozilla\ipc\glue\rpcchannel.cpp, line 485)
xul!mozilla::ipc::RPCChannel::Incall+0x00000000000001DB (c:\work\mozilla\builds\1.9.2\mozilla\ipc\glue\rpcchannel.cpp, line 472)
xul!mozilla::ipc::RPCChannel::Call+0x0000000000000AA6 (c:\work\mozilla\builds\1.9.2\mozilla\ipc\glue\rpcchannel.cpp, line 316)
xul!mozilla::plugins::PPluginInstanceParent::CallNPP_Destroy+0x00000000000000C9 (c:\work\mozilla\builds\1.9.2\mozilla\firefox-debug\ipc\ipdl\pplugininstanceparent.cpp, line 407)
xul!mozilla::plugins::PluginInstanceParent::Destroy+0x0000000000000015 (c:\work\mozilla\builds\1.9.2\mozilla\dom\plugins\plugininstanceparent.cpp, line 137)
xul!mozilla::plugins::PluginModuleParent::NPP_Destroy+0x0000000000000043 (c:\work\mozilla\builds\1.9.2\mozilla\dom\plugins\pluginmoduleparent.cpp, line 390)
xul!nsNPAPIPluginInstance::Stop+0x000000000000024C (c:\work\mozilla\builds\1.9.2\mozilla\modules\plugin\base\src\nsnpapiplugininstance.cpp, line 1184)
xul!DoStopPlugin+0x00000000000001A5 (c:\work\mozilla\builds\1.9.2\mozilla\layout\generic\nsobjectframe.cpp, line 2274)
xul!nsStopPluginRunnable::Run+0x0000000000000175 (c:\work\mozilla\builds\1.9.2\mozilla\layout\generic\nsobjectframe.cpp, line 2333)
xul!nsThread::ProcessNextEvent+0x00000000000001FA (c:\work\mozilla\builds\1.9.2\mozilla\xpcom\threads\nsthread.cpp, line 527)
xul!NS_ProcessNextEvent_P+0x0000000000000053 (c:\work\mozilla\builds\1.9.2\mozilla\firefox-debug\xpcom\build\nsthreadutils.cpp, line 250)
xul!mozilla::ipc::MessagePump::Run+0x00000000000000FD (c:\work\mozilla\builds\1.9.2\mozilla\ipc\glue\messagepump.cpp, line 118)
xul!MessageLoop::RunInternal+0x0000000000000056 (c:\work\mozilla\builds\1.9.2\mozilla\ipc\chromium\src\base\message_loop.cc, line 217)
xul!MessageLoop::RunHandler+0x0000000000000082 (c:\work\mozilla\builds\1.9.2\mozilla\ipc\chromium\src\base\message_loop.cc, line 200)
xul!MessageLoop::Run+0x0000000000000043 (c:\work\mozilla\builds\1.9.2\mozilla\ipc\chromium\src\base\message_loop.cc, line 174)
xul!nsBaseAppShell::Run+0x0000000000000050 (c:\work\mozilla\builds\1.9.2\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp, line 180)
xul!nsAppStartup::Run+0x000000000000006A (c:\work\mozilla\builds\1.9.2\mozilla\toolkit\components\startup\src\nsappstartup.cpp, line 183)
xul!XRE_main+0x0000000000003208 (c:\work\mozilla\builds\1.9.2\mozilla\toolkit\xre\nsapprunner.cpp, line 3483)
firefox!NS_internal_main+0x00000000000002B2 (c:\work\mozilla\builds\1.9.2\mozilla\browser\app\nsbrowserapp.cpp, line 158)
firefox!wmain+0x000000000000011E (c:\work\mozilla\builds\1.9.2\mozilla\toolkit\xre\nswindowswmain.cpp, line 120)
firefox!__tmainCRTStartup+0x00000000000001A6 (f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c, line 594)
firefox!wmainCRTStartup+0x000000000000000D (f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c, line 414)
kernel32!RegisterWaitForInputIdle+0x0000000000000049
  (processing deferred in-call)
For video/x-ms-wvx found plugin npdsplay.dll
pldhash: for the table at address 072BECC8, the given entrySize of 48 probably favors chaining over double hashing.
++DOCSHELL 072BEC60 == 9
Also, for the typo in this assertion I filed Bug 559427
Assignee: nobody → jst
Whiteboard: [sg:critical?]
Nominating to block 1.9.2.4.  This looks like a regression due to OOPP.
blocking1.9.2: --- → ?
Keywords: regression
Blocks: OOPP
Summary: ###!!! ASSRTION: Null cx in doInvoke!: 'Error' → ###!!! ASSERTION: Null cx in doInvoke!: 'Error'
I think this is just a bad assertion. The stack is:

>	xul.dll!doInvoke(NPObject * npobj=0x07e76e48, void * method=0x07012b54, const _NPVariant * args=0x003cc9ac, unsigned int argCount=0x00000002, int ctorCall=0x00000000, _NPVariant * result=0x003cc974)  Line 654	C++
 	xul.dll!nsJSObjWrapper::NP_Invoke(NPObject * npobj=0x07e76e48, void * method=0x07012b54, const _NPVariant * args=0x003cc9ac, unsigned int argCount=0x00000002, _NPVariant * result=0x003cc974)  Line 751 + 0x1b bytes	C++
 	xul.dll!mozilla::plugins::parent::_invoke(_NPP * npp=0x07ec5c98, NPObject * npobj=0x07e76e48, void * method=0x07012b54, const _NPVariant * args=0x003cc9ac, unsigned int argCount=0x00000002, _NPVariant * result=0x003cc974)  Line 1474 + 0x1e bytes	C++
 	xul.dll!mozilla::plugins::PluginScriptableObjectParent::AnswerInvoke(mozilla::plugins::PPluginIdentifierParent * aId=0x07e26b20, const nsTArray<mozilla::plugins::Variant> & aArgs={...}, mozilla::plugins::Variant * aResult=0x003ccf84, bool * aSuccess=0x003ccf83)  Line 785 + 0x3e bytes	C++
 	xul.dll!mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived(const IPC::Message & msg={...}, IPC::Message * & reply=0x00000000)  Line 1203 + 0x26 bytes	C++
 	xul.dll!mozilla::plugins::PPluginModuleParent::OnCallReceived(const IPC::Message & msg={...}, IPC::Message * & reply=0x00000000)  Line 459 + 0x15 bytes	C++
 	xul.dll!mozilla::ipc::RPCChannel::DispatchIncall(const IPC::Message & call={...})  Line 485 + 0x20 bytes	C++
 	xul.dll!mozilla::ipc::RPCChannel::Incall(const IPC::Message & call={...}, unsigned int stackDepth=0x00000001)  Line 472	C++
 	xul.dll!mozilla::ipc::RPCChannel::Call(IPC::Message * msg=0x078106a8, IPC::Message * reply=0x003cd3ec)  Line 316	C++
 	xul.dll!mozilla::plugins::PPluginInstanceParent::CallNPP_Destroy(short * rv=0x003cd454)  Line 455 + 0x16 bytes	C++
 	xul.dll!mozilla::plugins::PluginInstanceParent::Destroy()  Line 148 + 0xc bytes	C++
 	xul.dll!mozilla::plugins::PluginModuleParent::NPP_Destroy(_NPP * instance=0x07ec5c98, _NPSavedData * * __formal=0x003cd4c4)  Line 390 + 0x8 bytes	C++
 	xul.dll!nsNPAPIPluginInstance::Stop()  Line 1025 + 0x51 bytes	C++
 	xul.dll!DoStopPlugin(nsPluginInstanceOwner * aInstanceOwner=0x07505010, int aDelayedStop=0x00000000)  Line 2209	C++
 	xul.dll!nsStopPluginRunnable::Run()  Line 2256 + 0x13 bytes	C++
 	xul.dll!nsThread::ProcessNextEvent(int mayWait=0x00000000, int * result=0x003cd5c8)  Line 527 + 0x19 bytes	C++
 	xul.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x00795ad0, int mayWait=0x00000000)  Line 250 + 0x16 bytes	C++


In nsJSNPRuntime.cpp GetJSContext, the call to nsIDocument->GetContainer hands back a null container, so I presume that the iframe containing the flash advertisement has already navigated away. I think we should just remove the assertion.
No longer blocks: OOPP
Keywords: regression
Summary: ###!!! ASSERTION: Null cx in doInvoke!: 'Error' → ###!!! ASSRTION: Null cx in doInvoke!: 'Error'
Assignee: jst → benjamin
Status: NEW → ASSIGNED
Attachment #440325 - Flags: review?(jst)
Comment on attachment 440325
Remove bogus assertions, rev. 1

Fair enough. r=jst
Attachment #440325 - Flags: review?(jst) → review+
Group: core-security
Whiteboard: [sg:critical?] → [sg:nse]
Not blocking anything.
blocking1.9.2: ? → ---
I don't think this blocks if it's not a regression, but if the patch is baked and nominated, we'll take it.
blocking1.9.2: --- → -
What's left here? Can we close this bug now?
Heh yeah, I meant to with comment 8.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED