Closed Bug 560974 Opened 10 years ago Closed 10 years ago

Firefox 3.6.4 Crash [@ mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper(void*, int*, int*, _NPVariant*) ]

Categories

(Core :: Plug-ins, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
blocking1.9.2 --- .4+
status1.9.2 --- .4-fixed

People

(Reporter: chofmann, Assigned: bent.mozilla)

Details

(Whiteboard: [qa-examined-192])

Attachments

(1 file)

might be new in 3.6.4 and on trunk

checking --- mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper 20100420-crashdata.csv
found in: 3.6.4 3.7a5pre
release total-crashes
              mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper crashes
                         pct.
all     339993  31      9.11783e-05
3.6.4   12392   21      0.00169464
3.7a5pre        1285    10      0.0077821

os breakdown
mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelperTotal 31
Win5.1  0.74
Win6.0  0.16
Win6.1  0.06

stack looks like

http://crash-stats.mozilla.com/report/index/4a22866c-fcef-4829-8483-bac792100419

0  	xul.dll  	mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper  	 dom/plugins/PluginScriptableObjectParent.cpp:1290
1 	xul.dll 	NPObjWrapper_GetProperty 	modules/plugin/base/src/nsJSNPRuntime.cpp:1356
2 	js3250.dll 	js_GetSprop 	js/src/jsscope.h:613
3 	js3250.dll 	js_NativeGet 	js/src/jsobj.cpp:4109
4 	js3250.dll 	js_Interpret 	js/src/jsops.cpp:1596
5 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1368
6 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1423
7 	js3250.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5112
8 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2169
9 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:266
10 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1041
11 	xul.dll 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1147
12 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:332
13 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:573
14 	xul.dll 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6520
15 	xul.dll 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6381
16 	xul.dll 	nsEventStateManager::CheckForAndDispatchClick 	content/events/src/nsEventStateManager.cpp:3994
17 	xul.dll 	nsEventStateManager::PostHandleEvent

more at 

http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=mozilla%3A%3Aplugins%3A%3APluginScriptableObjectParent%3A%3AGetPropertyHelper%28void*%2C%20int*%2C%20int*%2C%20_NPVariant*%29&version=Firefox%3A3.6.4

a lot of the sites seem to be international.

domains of sites
   9 http://my.mail.ru
   2 http://apps.facebook.com
   1 http://www.meebo.com
   1 http://www.iranibash.com
   1 http://www.google.co.in
   1 http://www.apple.com
   1 http://win.mail.ru
   1 http://social.bidsystem.com
   1 http://love.mail.ru
   1 http://hotpads.com
   1 http://forum.iranproud.com
   1 http://finance.sina.com.cn
   1 http://chatroulette.com


2 http://apps.facebook.com/onthefarm/index.php
http://www.iranibash.com/series/Zan-Baba/Part-1
http://forum.iranproud.com/download-serial-ashpazbashi-c222#linkid5370
http://www.apple.com/ipad/

not much yet to go on yet.  need to watch more crash data post throttle adjustment.
still around in the 3.6.4 2010 05 13 builds.  currently #8 

http://people.mozilla.com/~chofmann/crash-stats/20100516/topcrash364-20105013.html
blocking1.9.2: --- → ?
bent, I think NPObjWrapper_GetProperty needs a null-check, I'm pretty sure `actor` is null at http://hg.mozilla.org/releases/mozilla-1.9.2/annotate/8fe06049502c/modules/plugin/base/src/nsJSNPRuntime.cpp#l1355, probably due to a crashed plugin object nulling it out.
Assignee: nobody → bent.mozilla
Attached patch PatchSplinter Review
Yep, should have seen that...
Attachment #445816 - Flags: review?(jst)
Attachment #445816 - Flags: review?(joshmoz)
Attachment #445816 - Flags: review?(jst) → review+
http://hg.mozilla.org/mozilla-central/rev/819d19b25ed7
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Attachment #445816 - Flags: review?(joshmoz)
Attachment #445816 - Flags: approval1.9.2.5?
Attachment #445816 - Flags: approval1.9.2.4?
Attachment #445816 - Flags: approval1.9.2.5?
Attachment #445816 - Flags: approval1.9.2.4?
Attachment #445816 - Flags: approval1.9.2.4+
Comment on attachment 445816 [details] [diff] [review]
Patch

a=LegNeato for 1.9.2.4. Please land on both mozilla-1.9.2 default and
GECKO1924_20100413_RELBRANCH
blocking1.9.2: ? → .4+
blocking1.9.2: ? → .4+
Did we identify any steps to reproduce for this issue or was it just an obvious code fix on investigation?
Whiteboard: [qa-examined-192]
Obvious code-fix. It may be possible to write a mochitest for it, though I tried and couldn't make the obvious thing crash.
Flags: in-testsuite?
Has this fix been released or will it be released in 3.6.7?
It was fixed in 3.6.4
In internal stress testing of Silverlight plugin, we are seeing crashes quiet similar but might not be the same in 3.6.4. 

STACK_TEXT:
xul!mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper+0x21
xul!NPObjWrapper_GetProperty+0xc5
js3250!js_Interpret+0x2dae
js3250!js_Invoke+0x277
js3250!js_InternalInvoke+0x103
js3250!JS_CallFunctionValue+0x27
xul!nsJSContext::CallEventHandler+0x199
xul!nsGlobalWindow::RunTimeout+0x2db
xul!nsGlobalWindow::TimerCallback+0x17
xul!nsTimerImpl::Fire+0x87
xul!nsTimerEvent::Run+0x20
xul!nsThread::ProcessNextEvent+0x210
xul!mozilla::ipc::MessagePump::Run+0x69
xul!MessageLoop::RunHandler+0x26
xul!MessageLoop::Run+0x1f
xul!nsBaseAppShell::Run+0x34
xul!nsAppStartup::Run+0x1e
xul!XRE_main+0xdc1
firefox!wmain+0x33b
firefox!__tmainCRTStartup+0x152
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x23
ntdll!_RtlUserThreadStart+0x1b
Please file new bugs, with real stacks using symbol-symbol debugging as noted already.
You need to log in before you can comment on or make changes to this bug.