560974 - Firefox 3.6.4 Crash [@ mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper(void*, int*, int*, _NPVariant*) ]

Status: RESOLVED FIXED

(Core Graveyard :: Plug-ins, defect)

Description

[chris hofmann]

might be new in 3.6.4 and on trunk

checking --- mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper 20100420-crashdata.csv
found in: 3.6.4 3.7a5pre
release total-crashes
              mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper crashes
                         pct.
all     339993  31      9.11783e-05
3.6.4   12392   21      0.00169464
3.7a5pre        1285    10      0.0077821

os breakdown
mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelperTotal 31
Win5.1  0.74
Win6.0  0.16
Win6.1  0.06

stack looks like

http://crash-stats.mozilla.com/report/index/4a22866c-fcef-4829-8483-bac792100419

0  	xul.dll  	mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper  	 dom/plugins/PluginScriptableObjectParent.cpp:1290
1 	xul.dll 	NPObjWrapper_GetProperty 	modules/plugin/base/src/nsJSNPRuntime.cpp:1356
2 	js3250.dll 	js_GetSprop 	js/src/jsscope.h:613
3 	js3250.dll 	js_NativeGet 	js/src/jsobj.cpp:4109
4 	js3250.dll 	js_Interpret 	js/src/jsops.cpp:1596
5 	js3250.dll 	js_Invoke 	js/src/jsinterp.cpp:1368
6 	js3250.dll 	js_InternalInvoke 	js/src/jsinterp.cpp:1423
7 	js3250.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5112
8 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:2169
9 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:266
10 	xul.dll 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1041
11 	xul.dll 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1147
12 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:332
13 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:573
14 	xul.dll 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6520
15 	xul.dll 	PresShell::HandleEventWithTarget 	layout/base/nsPresShell.cpp:6381
16 	xul.dll 	nsEventStateManager::CheckForAndDispatchClick 	content/events/src/nsEventStateManager.cpp:3994
17 	xul.dll 	nsEventStateManager::PostHandleEvent

more at 

http://crash-stats.mozilla.com/report/list?range_value=2&range_unit=weeks&signature=mozilla%3A%3Aplugins%3A%3APluginScriptableObjectParent%3A%3AGetPropertyHelper%28void*%2C%20int*%2C%20int*%2C%20_NPVariant*%29&version=Firefox%3A3.6.4

a lot of the sites seem to be international.

domains of sites
   9 http://my.mail.ru
   2 http://apps.facebook.com
   1 http://www.meebo.com
   1 http://www.iranibash.com
   1 http://www.google.co.in
   1 http://www.apple.com
   1 http://win.mail.ru
   1 http://social.bidsystem.com
   1 http://love.mail.ru
   1 http://hotpads.com
   1 http://forum.iranproud.com
   1 http://finance.sina.com.cn
   1 http://chatroulette.com


2 http://apps.facebook.com/onthefarm/index.php
http://www.iranibash.com/series/Zan-Baba/Part-1
http://forum.iranproud.com/download-serial-ashpazbashi-c222#linkid5370
http://www.apple.com/ipad/

not much yet to go on yet.  need to watch more crash data post throttle adjustment.

Comment 1

[chris hofmann]

still around in the 3.6.4 2010 05 13 builds.  currently #8 

http://people.mozilla.com/~chofmann/crash-stats/20100516/topcrash364-20105013.html

Comment 2

[Benjamin Smedberg]

bent, I think NPObjWrapper_GetProperty needs a null-check, I'm pretty sure `actor` is null at http://hg.mozilla.org/releases/mozilla-1.9.2/annotate/8fe06049502c/modules/plugin/base/src/nsJSNPRuntime.cpp#l1355, probably due to a crashed plugin object nulling it out.

Comment 3

[Ben Turner (not reading bugmail, use the needinfo flag!)]

Attachment: Patch

Yep, should have seen that...

Comment 4

[Ben Turner (not reading bugmail, use the needinfo flag!)]

http://hg.mozilla.org/mozilla-central/rev/819d19b25ed7

Comment 5

[LegNeato]

Comment on attachment 445816 [details] [diff] [review]
Patch

a=LegNeato for 1.9.2.4. Please land on both mozilla-1.9.2 default and
GECKO1924_20100413_RELBRANCH

Comment 6

[Ben Turner (not reading bugmail, use the needinfo flag!)]

RELBRANCH: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/fbd3e6d9bff0
default: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/83a98299baca

Comment 7

[Al Billings [:abillings - ex-MoCo]]

Did we identify any steps to reproduce for this issue or was it just an obvious code fix on investigation?

Comment 8

[Benjamin Smedberg]

Obvious code-fix. It may be possible to write a mochitest for it, though I tried and couldn't make the obvious thing crash.

Comment 9

[Sunil]

Has this fix been released or will it be released in 3.6.7?

Comment 10

[Benjamin Smedberg]

It was fixed in 3.6.4

Comment 11

[Sunil]

In internal stress testing of Silverlight plugin, we are seeing crashes quiet similar but might not be the same in 3.6.4. 

STACK_TEXT:
xul!mozilla::plugins::PluginScriptableObjectParent::GetPropertyHelper+0x21
xul!NPObjWrapper_GetProperty+0xc5
js3250!js_Interpret+0x2dae
js3250!js_Invoke+0x277
js3250!js_InternalInvoke+0x103
js3250!JS_CallFunctionValue+0x27
xul!nsJSContext::CallEventHandler+0x199
xul!nsGlobalWindow::RunTimeout+0x2db
xul!nsGlobalWindow::TimerCallback+0x17
xul!nsTimerImpl::Fire+0x87
xul!nsTimerEvent::Run+0x20
xul!nsThread::ProcessNextEvent+0x210
xul!mozilla::ipc::MessagePump::Run+0x69
xul!MessageLoop::RunHandler+0x26
xul!MessageLoop::Run+0x1f
xul!nsBaseAppShell::Run+0x34
xul!nsAppStartup::Run+0x1e
xul!XRE_main+0xdc1
firefox!wmain+0x33b
firefox!__tmainCRTStartup+0x152
kernel32!BaseThreadInitThunk+0xe
ntdll!__RtlUserThreadStart+0x23
ntdll!_RtlUserThreadStart+0x1b

Comment 12

[Benjamin Smedberg]

Please file new bugs, with real stacks using symbol-symbol debugging as noted already.