Closed Bug 560584 Opened 14 years ago Closed 14 years ago

Firefox 3.6.4 Crash Report [@ ]


(Core Graveyard :: Plug-ins, defect)

1.9.2 Branch
Not set


(status2.0 ?, blocking1.9.2 -)

Tracking Status
status2.0 --- ?
blocking1.9.2 --- -


(Reporter: chofmann, Unassigned)



(Keywords: crash, user-doc-needed)

Crash Data

there is a possible new crash in 3.6.4 

checking --- 20100419-crashdata.csv
found in: 3.6.4
release total-crashes
all     366784  12      3.27168e-05
3.6.4   11871   12      0.00101087

with a stack that looks like

Frame  	Module  	Signature [Expand]  	Source
19 	mozilla::plugins::PluginInstanceChild::AnswerNPP_SetWindow 	dom/plugins/PluginInstanceChild.cpp:598
20 	mozilla::plugins::PPluginInstanceChild::OnCallReceived 	PPluginInstanceChild.cpp:1072
21 	mozilla::plugins::PPluginModuleChild::OnCallReceived 	PPluginModuleChild.cpp:380
22 	mozilla::ipc::RPCChannel::DispatchIncall 	ipc/glue/RPCChannel.cpp:485
23 	mozilla::ipc::RPCChannel::Incall 	ipc/glue/RPCChannel.cpp:471
24 	mozilla::ipc::RPCChannel::OnMaybeDequeueOne 	ipc/glue/RPCChannel.cpp:413
25 	RunnableMethod<mozilla::ipc::RPCChannel, void 	ipc/chromium/src/base/tuple.h:383
26 	mozilla::ipc::RPCChannel::DequeueTask::Run 	RPCChannel.h:421
27 	MessageLoop::RunTask 	ipc/chromium/src/base/
28 	MessageLoop::DeferOrRunPendingTask 	ipc/chromium/src/base/
29 	MessageLoop::DoWork 	ipc/chromium/src/base/
30 	base::MessagePumpForUI::HandleDispatch 	ipc/chromium/src/base/
31 		ipc/chromium/src/base/
35 	base::MessagePumpForUI::RunWithDispatcher 	ipc/chromium/src/base/
36 	base::MessagePumpForUI::Run 	ipc/chromium/src/base/message_pump_glib.h:59
37 	MessageLoop::RunInternal 	ipc/chromium/src/base/
38 	MessageLoop::RunHandler 	ipc/chromium/src/base/
39 	MessageLoop::Run 	ipc/chromium/src/base/
40 	base::Thread::ThreadMain 	ipc/chromium/src/base/
41 	ThreadFunc 	ipc/chromium/src/base/

more reports at

no urls and not much to go on at this point.

nominating to make sure we keep an eye on it for the next few days, and to see if anyone spots a problem in ipc or plugin code that might affect just Linux or be cross platform.
There are several crash reports with this signature in 3.6.4, but none in 3.6.3plugin1 nor in 3.6.5pre, at least none in the top 300, and all of these happened in Linux.
(In reply to comment #1)
> There are several crash reports with this signature in 3.6.4, but none in
> 3.6.3plugin1 nor in 3.6.5pre, at least none in the top 300, and all of these
> happened in Linux.

likely to be a beta popluation deal where we need over 100k beta testers to start seeing it and even at that level only 12 crashes were generated on the 19th.
All crashes are on
"Linux #1 SMP Thu Apr 2 12:53:13 EDT 2009 x86_64"
running an x86 firefox.

This looks like a fairly old OS.

Module identifier is:  	 	9F60EA7237C2DB7834E97F0BDD08661D0

Other different crash reports have:  	 	9BC43748D925AB0C97B43BB3C7019E210

I suspect this is an older version of Flash Player.

(In reply to comment #0)
> Frame      Module      Signature [Expand]      Source
> 0     
> 1     
> 2     
> 3     
> 4     
> 5     
> 6     
> 7     
> 8     

Similarities to bug 545819 make me suspect a crash in a Flash Player atexit handler.

> 9     
> 10     
> 11     
> 12     
> 13     
> 14     
> 15     
> 16     
> 17     
> 18     
> 19 mozilla::plugins::PluginInstanceChild::AnswerNPP_SetWindow

Old old versions of Flash Player are not XEmbed but Xt plugins.

Xt plugins will exit when run OOP - bug 544088.

A consolation is that we are probably doing this person a favor by not
running their old Flash plugin.
Blocks: OOPP
should a fix for this or bug 544088 be blocking 1.9.2?   or 1.9.3?

the fact that this is showing up in crash data means at least some people are hitting it in the early beta data, although I suspect this will get burried by windows and mac crashes pretty quickly.

if this wasn't a security and stability release we could pre-announce drop in support for Xt Plugins.
blocking1.9.2: --- → ?
status2.0: --- → ?
The current plan for 1.9.2 is to only whitelist plugins for OOPP that are known XEmbed plugins.  We didn't consider Flash Player versions prior to Flash Player 9 Update 3, version identifier 9,0,115,0, which have the same filename and so are enabled by the same pref but are Xt plugins.

I guess we could do something to enable these, but disabling them may be quite appropriate for a security release.

For 1.9.3, we are currently blacklisting known Xt plugins (bug 543802), though we don't know what other Xt plugins are out there.  We should consider whether bug 544088 blocks 1.9.3.
karlt: as these bugs have stack traces, i'm going to move them to plugins:, if you want a bug for blocking things, i think you can file one which isn't tagged as crash.
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Version: Trunk → unspecified
blizzard, any thoughts on the impact of this?  

We are seeing crashes show up for Xt plugins in the crash data.

Karl outline some possibilities for how by maybe backing off OOPP whitelisting until a major release or maybe some advanced blocklisting for 3.6.4 to get people to move forward to non-Xt versions.

timeless, I'm going to move this back to core plugins as our blocking tracker bug sinces its unlikely we will get a fix for this on the plugin side.
Component: Flash (Adobe) → Plug-ins
Product: Plugins → Core
QA Contact: adobe-flash → plugins
Version: unspecified → 1.9.2 Branch
Blocking, as this reads to me as "Linux users with older versions of Flash have a bad time with OOPP" - this is either a dupe of bug 544088 (if you want that to mean that we need to blockist Xt plugins) at which point that should block, or if you interpret bug 544088 to mean that we should implement OOPP support for Xt plugins, then this is the one that should block.

Confused yet?
blocking1.9.2: ? → .4+
Yes, absolutely. I thought the answer to this was going to be "those versions of Flash are hopeless insecure, and we should refuse to load them altogether". Because they all have the same filename and don't export version numbers, it would be *very* difficult to blacklist this, and implementing Xt plugins is a multi-week project.
They don't export version numbers, but we can tell from the description, can't we?
I don't know, does anyone know where I can download these older versions?

In case it's not clear, I think this bug should be WONTFIX, or we should implement an even more aggresive blocking strategy.
There are flash archives out there.  If you want I can try and dig up the URL.

There's a flag in the NSAPI for if a plugin uses the new XEmbed stuff.  (It might actually be a callback?)  If it doesn't, shouldn't we just not load it?
The net effect of dropping support for Xt Plugins on short notice would
probably mean at least some users just find the update to 3.6.4 crashier since
there this crashes the browser, right? 

Some users might stick on  or go back to 3.6.3 or earlier.   Thats not a good
option for those users either.  

It would also be good to try and get some numbers that breakdown flash version
distribution on linux.  Any ideas there?  I see if I can find some.

Looks like the release date was Dec 2007 so we are dealing with plugins more
than 2 years out of date -->
No, this isn't crashing the browser, it's only crashing the plugin process. Due to the uniformity of the reports, I'd wager that this is a single user.
ominature was no help to get a breakdown of linux + flash version as far as I could see.

I grabbed a sample of 200 crash reports on linux where libflashplayer running and here was the breakdown.  If the debug ID's can be used as a proxy for version numbers then this would be the distribution. Only 25% running what hopefully is one of most recent versions might mean slow flash update patterns, but this is just guessing.  Charles, do you know if there is an easy way to translate the debug id's, or have some numbers that you could share with us in the bug or privately?

50 617F25534A9BB6F7F0A0820B6216D3530
32 9BC43748D925AB0C97B43BB3C7019E210
22 745026564F2B12E0E3B2715D145A0F690
19 72973D3A409794225D71BF5796E80EBC0
10 E8E4615D8D0DFC9AE0BE3E3E69920AB80
10 87934424747BF50DA30C8528037E75EE0
5 E68208AF7DD76CE7A5016EB5EF110AC00
5 75C4D5A84AA5F22F07AD159D020895EF0
5 3F4FE6DB0E1FC865B3049718AC3521980
4 D708CF1409A7A3DE15F591C53914549B0
4 ADF15068159E275F6F66F9A3D006F2F90
4 9BF4278859263B0053642AE35840B3610
4 74E1B5911E3F3E5E80BB24EC2CDC5F660
3 FCDA6F558B67CF6B4063475C74EBBF4B0
3 9F60EA7237C2DB7834E97F0BDD08661D0
2 B90802BF65F9CE3B9841550D7C0FDE400
2 49ACE7A2810BC1EE5958F095C25F09E20
2 390DEC869F4C2E7D7C03885CD7A231440
1 F1490E942E837412B93F7F6A82C744AD0
1 F0B1F424C57BBC81825967A5591BE82D0
1 CF1E82198F9EC8CB28BA0D972D7FDDB70
1 CD5D2174D75A0118490922BAE78C3B230
1 AB1A186B5B8C190D5E9A2C683D85461F0
1 9EF10ADE595DA88B6297999314BB04D90
1 3EE4F5D300F6AA9410F47A6BA24ECB900
1 23AE5B6205B1D58FBE4150AB185049FC0
1 01E9F2FB89FF8A927955CA54DDF8F4920
total 200
The debug ids are google breakpad's own brand of identifier.  The method
changed recently (for 3.6.4) from an md5sum of the text section to something
like an XOR of the first 4096 bytes of the text section.

This means that the same file has different identifiers before and after this
change and so how to match the ids in comment 16 depends on which versions the
crash reports were from.

> 50 617F25534A9BB6F7F0A0820B6216D3530

This is the old id for x86_32 LNX 10,0,45,2 (latest stable).

> 32 9BC43748D925AB0C97B43BB3C7019E210

This is the new id for x86_32 LNX 10,0,45,2 (latest stable).

> 4 D708CF1409A7A3DE15F591C53914549B0

This is the new id for x86_64 LNX 10,0,45,2 (latest stable).
I guess we would only have new ids for x86_64.
chofmann: ok
Debug ids for the versions at
with numbers of crashes from comment 16:

x86_32 Xt versions:

> 4 ADF15068159E275F6F66F9A3D006F2F90
> 1 23AE5B6205B1D58FBE4150AB185049FC0

old (74e1b5911e3f3e5e80bb24ec2cdc5f66)
> 3 FCDA6F558B67CF6B4063475C74EBBF4B0

x86_32 XEmbed versions:

old (7d7e1c4c87e80d6a377824c7622a119f)
new (1E22D0749A8E26FA2843391E4A4349030)

> 22 745026564F2B12E0E3B2715D145A0F690
new (F62B236AB783ADE90966D7196294880A0)

old (b57a2d934a231511f92727454d476012)
new (07136AC2BC0942CB6E42E914950709FE0)

old (a3a7882f07a851da11537d43091f1715)
new (8771458B40782B2A54BC1F3543C823480)

> 2 B90802BF65F9CE3B9841550D7C0FDE400
new (49894D868298C97B68494F8F2CA95BAB0)

9,0,246,0 (July or August 2009 - February 2010)
> 1 AB1A186B5B8C190D5E9A2C683D85461F0
new (9DAAE6B6BD74568B0C1888D6066082F00)

9,0,262,0 latest Flayer Player 9
> 10 87934424747BF50DA30C8528037E75EE0
new (D8744156EECF9DF8DD4E635E865993C40)

> 5 E68208AF7DD76CE7A5016EB5EF110AC00
new (441EBC7C89F93C9C514821ADA595FE600)

> 1 9EF10ADE595DA88B6297999314BB04D90
new (CA13026CF51DC8A87603CC3A1510E5040)

> 10 E8E4615D8D0DFC9AE0BE3E3E69920AB80
> 1 F1490E942E837412B93F7F6A82C744AD0

10,0,32,18 (July or August - December 2009)
> 19 72973D3A409794225D71BF5796E80EBC0
> 5 3F4FE6DB0E1FC865B3049718AC3521980

10,0,42,34 (Dec 2009 - February 2010)
> 5 EECE3AF0BC567DB9F2692ACAAA974F7F0
> 4 9BF4278859263B0053642AE35840B3610

LNX 10,0,45,2 (latest stable).
> 50 617F25534A9BB6F7F0A0820B6216D3530
> 32 9BC43748D925AB0C97B43BB3C7019E210

So, of the 175 reports with a regular x86_32 distribution Flash Player plugin,

92 (53%) are with the latest stable version (of Flash Player 9 or 10).

126 (72%) are from people who updated sometime in the last 9 months.
49 (28%) are from people who have not updated in the last 9 months.

8 (5%) are from people using Xt versions.

We could ask whether this is representative of proportions of people using
older versions or whether older versions show up more because of more crashes.

I also don't know whether the sample in comment 16 came from and what
proportion are likely to upgrade Firefox because they upgrade Flash Player.

However, the question is really:
Should we be engineering to enable people to run plugins that are old enough
that they likely have known security holes?
A few of the other ids I recognize (11 of the reports in comment 16):

x86_32 10,1,53,7 (10_1_rc_linux_040510)
> 1 CD5D2174D75A0118490922BAE78C3B230
> 2 390DEC869F4C2E7D7C03885CD7A231440

x86_64 10,0,45,2 (latest stable).
> 4 D708CF1409A7A3DE15F591C53914549B0

x86_64 10,0,32,18
> 1 CF1E82198F9EC8CB28BA0D972D7FDDB70

The id in this bug report for an Xt plugin (new id)
> 3 9F60EA7237C2DB7834E97F0BDD08661D0

And 14 other reports have unrecognized ids:

> 5 75C4D5A84AA5F22F07AD159D020895EF0
> 4 74E1B5911E3F3E5E80BB24EC2CDC5F660
> 2 49ACE7A2810BC1EE5958F095C25F09E20
> 1 F0B1F424C57BBC81825967A5591BE82D0
> 1 3EE4F5D300F6AA9410F47A6BA24ECB900
> 1 01E9F2FB89FF8A927955CA54DDF8F4920
(In reply to comment #19)
> I also don't know whether the sample in comment 16 came from and what
> proportion are likely to upgrade Firefox because they upgrade Flash Player.

Er, after proof reading:
I also don't know where the sample in comment 16 came from and what
proportion are likely to upgrade Firefox before they upgrade Flash Player.
The sample is from linux crash reports received on 2010 04 22.
Should we just blocklist these ancient versions of flash and WONTFIX this bug?
As I currently understand it, we don't actually have the capability to blocklist these: Flash on Linux doesn't export version numbers, so we can't use the AMO blocklist, and we don't have a DLL blocklist on Linux either.
If its a case where "Flash doesn't seem to work any more after I upgraded to 3.6.4" thats a bit easier to guide users to a fix and evangelize, than "Firefox seems more crashy with 3.6.4.   we could "user-doc-needed" this bug, and maybe start some evalgelism outreach to linux magazine and press contacts to inform users of the need to update flash for a number of reasons.
Closed: 14 years ago
Keywords: user-doc-needed
Resolution: --- → WONTFIX
Cheng; please see above. Firefox 3.6.4 will break Flash for some Linux users who had really old (and insecure) versions. They'll need to update.

Chris: how will they be able to update?
blocking1.9.2: .4+ → -
I think this page does auto sniffing of platform to provide the right package 

and there are some installation instructions for the various .deb, tar.gz, .rpm, APT and YUM installer formats here
Re: user-doc-needed
I've filed an article request at <>
Crash Signature: [@ ]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.