Closed Bug 561844 Opened 14 years ago Closed 3 years ago

Retaining the window NPObject for in-process plugins doesn't work like it does for OOPP

Tracking

(Not tracked)

Status:

RESOLVED WONTFIX

People

(Reporter: cjones, Unassigned)

Details

Attachments

(1 file, 1 obsolete file)

Test case 14 years ago Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 14.02 KB, patch		Details \| Diff \| Splinter Review
Test case (updated to trunk) 14 years ago Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 14.18 KB, patch		Details \| Diff \| Splinter Review

Chris Jones [:cjones] inactive; ni?/f?/r? if you need me

Reporter

Description

•

14 years ago

Attached patch Test case (obsolete) — Details — Splinter Review

For bug 560246, I modified the testplugin to not release the window NPObject it gets in NPP_New, and instead release it in NPP_Destroy (the test uses the NPObject in a timing-sensitive test case).  This works fine for OOPP, but results in a crash for IPP.  It seems like this should work, and it not working might explain why we see plugins grab the window NPObject so frequently.

Here's what valgrind says

NPP_Destroy
WARNING: NS_ENSURE_TRUE(sgo) failed: file /home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp, line 362
--DOMWINDOW == 16 (0x1f978038) [serial = 21] [outer = 0x1a6feae0] [url = http://mochi.test:8888/tests/modules/plugin/test/test_crash_nested_loop.html]
--DOMWINDOW == 15 (0x11b8edb8) [serial = 22] [outer = (nil)] [url = http://mochi.test:8888/tests/modules/plugin/test/crashing_subpage.html]
--DOMWINDOW == 14 (0x1faa15b8) [serial = 23] [outer = (nil)] [url = about:blank]
==23237== Invalid read of size 4
==23237==    at 0x8FC25DD: ??? (os_Linux_x86_64.s:64)
==23237==    by 0x66C6EC2: mozilla::plugins::parent::_releaseobject(NPObject*) (nsNPAPIPlugin.cpp:1473)
==23237==    by 0x66EB27C: DelayedReleaseGCCallback(JSContext*, JSGCStatus) (nsJSNPRuntime.cpp:243)
==23237==    by 0x56C68EE: XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) (xpcjsruntime.cpp:773)
==23237==    by 0x606D70E: DOMGCCallback(JSContext*, JSGCStatus) (nsJSEnvironment.cpp:3729)
==23237==    by 0x568D153: XPCCycleCollectGCCallback(JSContext*, JSGCStatus) (nsXPConnect.cpp:413)
==23237==    by 0x834B722: FireGCEnd(JSContext*, JSGCInvocationKind) (jsgc.cpp:3364)
==23237==    by 0x834BA8D: js_GC (jsgc.cpp:3473)
==23237==    by 0x82EA1A3: JS_GC (jsapi.cpp:2301)
==23237==    by 0x568D272: nsXPConnect::Collect() (nsXPConnect.cpp:479)
==23237==    by 0x6B7F356: nsCycleCollector::Collect(unsigned int) (nsCycleCollector.cpp:2520)
==23237==    by 0x6B7F8C3: nsCycleCollector_collect() (nsCycleCollector.cpp:3217)
==23237==  Address 0x1fafa878 is 8 bytes inside a block of size 32 free'd
==23237==    at 0x4C24D68: free (vg_replace_malloc.c:325)
==23237==    by 0x6BA733F: moz_free (nsTraceMalloc.c:1264)
==23237==    by 0x6B78FBD: NS_Free_P (nsMemoryImpl.cpp:303)
==23237==    by 0x568B82D: nsMemory::Free(void*) (nsMemory.h:74)
==23237==    by 0x66C5F19: mozilla::plugins::parent::_memfree(void*) (nsNPAPIPlugin.cpp:1143)
==23237==    by 0x2F8ABED3: NPN_MemFree (nptest.cpp:1401)
==23237==    by 0x2F8AC4BB: scriptableDeallocate(NPObject*) (nptest.cpp:1566)
==23237==    by 0x66C6F4B: mozilla::plugins::parent::_releaseobject(NPObject*) (nsNPAPIPlugin.cpp:1483)
==23237==    by 0x2F8ABE92: NPN_ReleaseObject (nptest.cpp:1389)
==23237==    by 0x2F8AAD22: NPP_Destroy (nptest.cpp:937)
==23237==    by 0x66CED16: nsNPAPIPluginInstance::Stop() (nsNPAPIPluginInstance.cpp:1025)
==23237==    by 0x5B49C91: DoStopPlugin(nsPluginInstanceOwner*, int) (nsObjectFrame.cpp:2216)
==23237==
###!!! ASSERTION: Uh, hash not empty?: 'sJSObjWrappers.entryCount == 0', file /home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp, line 278
OnWrapperDestroyed (/home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp:282)
DelayedReleaseGCCallback (/home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp:240)
XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/xpcjsruntime.cpp:773)
DOMGCCallback (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3729)
XPCCycleCollectGCCallback (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/nsXPConnect.cpp:413)
FireGCEnd (/home/cjones/mozilla/mozilla-central/js/src/jsgc.cpp:3370)
js_GC (/home/cjones/mozilla/mozilla-central/js/src/jsgc.cpp:3473)
JS_GC (/home/cjones/mozilla/mozilla-central/js/src/jsapi.cpp:2302)
nsXPConnect::Collect() (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/nsXPConnect.cpp:480)
nsCycleCollector::Collect(unsigned int) (/home/cjones/mozilla/mozilla-central/xpcom/base/nsCycleCollector.cpp:2520)
nsCycleCollector_collect() (/home/cjones/mozilla/mozilla-central/xpcom/base/nsCycleCollector.cpp:3217)
nsJSContext::CC() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3543)
nsJSContext::IntervalCC() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3632)
nsJSContext::CCIfUserInactive() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3623)
GCTimerFired(nsITimer*, void*) (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3646)
nsTimerImpl::Fire() (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsTimerImpl.cpp:428)
nsTimerEvent::Run() (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsTimerImpl.cpp:521)
nsThread::ProcessNextEvent(int, int*) (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:527)
NS_ProcessNextEvent_P(nsIThread*, int) (/home/cjones/mozilla/ff-dbg/xpcom/build/nsThreadUtils.cpp:250)
mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/cjones/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:118)
MessageLoop::RunInternal() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:217)
MessageLoop::RunHandler() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:200)
MessageLoop::Run() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:173)
nsBaseAppShell::Run() (/home/cjones/mozilla/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:180)
nsAppStartup::Run() (/home/cjones/mozilla/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:182)
XRE_main (/home/cjones/mozilla/mozilla-central/toolkit/xre/nsAppRunner.cpp:3536)
main (/home/cjones/mozilla/mozilla-central/browser/app/nsBrowserApp.cpp:158)
__libc_start_main (/build/buildd/eglibc-2.10.1/csu/libc-start.c:252)
_start (/build/buildd/eglibc-2.10.1/csu/../sysdeps/x86_64/elf/start.S:116)
###!!! ASSERTION: Uh, hash not empty?: 'sNPObjWrappers.entryCount == 0', file /home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp, line 288
OnWrapperDestroyed (/home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp:292)
DelayedReleaseGCCallback (/home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp:240)
XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/xpcjsruntime.cpp:773)
DOMGCCallback (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3729)
XPCCycleCollectGCCallback (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/nsXPConnect.cpp:413)
FireGCEnd (/home/cjones/mozilla/mozilla-central/js/src/jsgc.cpp:3370)
js_GC (/home/cjones/mozilla/mozilla-central/js/src/jsgc.cpp:3473)
JS_GC (/home/cjones/mozilla/mozilla-central/js/src/jsapi.cpp:2302)
nsXPConnect::Collect() (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/nsXPConnect.cpp:480)
nsCycleCollector::Collect(unsigned int) (/home/cjones/mozilla/mozilla-central/xpcom/base/nsCycleCollector.cpp:2520)
nsCycleCollector_collect() (/home/cjones/mozilla/mozilla-central/xpcom/base/nsCycleCollector.cpp:3217)
nsJSContext::CC() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3543)
nsJSContext::IntervalCC() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3632)
nsJSContext::CCIfUserInactive() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3623)
GCTimerFired(nsITimer*, void*) (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3646)
nsTimerImpl::Fire() (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsTimerImpl.cpp:428)
nsTimerEvent::Run() (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsTimerImpl.cpp:521)
nsThread::ProcessNextEvent(int, int*) (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:527)
NS_ProcessNextEvent_P(nsIThread*, int) (/home/cjones/mozilla/ff-dbg/xpcom/build/nsThreadUtils.cpp:250)
mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/cjones/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:118)
MessageLoop::RunInternal() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:217)
MessageLoop::RunHandler() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:200)
MessageLoop::Run() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:173)
nsBaseAppShell::Run() (/home/cjones/mozilla/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:180)
nsAppStartup::Run() (/home/cjones/mozilla/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:182)
XRE_main (/home/cjones/mozilla/mozilla-central/toolkit/xre/nsAppRunner.cpp:3536)
main (/home/cjones/mozilla/mozilla-central/browser/app/nsBrowserApp.cpp:158)
__libc_start_main (/build/buildd/eglibc-2.10.1/csu/libc-start.c:252)
_start (/build/buildd/eglibc-2.10.1/csu/../sysdeps/x86_64/elf/start.S:116)
++DOMWINDOW == 15 (0x259a09a8) [serial = 27] [outer = 0x1a6feae0]
++DOCSHELL 0x1ad50fe0 == 9
++DOMWINDOW == 16 (0x1ae910f8) [serial = 28] [outer = (nil)]
--DOCSHELL 0x1e8267c0 == 8
++DOMWINDOW == 17 (0x1a6a8268) [serial = 29] [outer = 0x1ae910a0]
NPP_Destroy
--DOMWINDOW == 16 (0x276aefd8) [serial = 24] [outer = 0x1a6feae0] [url = http://mochi.test:8888/tests/modules/plugin/test/test_crashing.html]
###!!! ASSERTION: Whaaa, unbalanced created/destroyed calls!: 'sWrapperCount', file /home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp, line 274
OnWrapperDestroyed (/home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp:276)
DelayedReleaseGCCallback (/home/cjones/mozilla/mozilla-central/modules/plugin/base/src/nsJSNPRuntime.cpp:240)
XPCJSRuntime::GCCallback(JSContext*, JSGCStatus) (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/xpcjsruntime.cpp:773)
DOMGCCallback (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3729)
XPCCycleCollectGCCallback (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/nsXPConnect.cpp:413)
FireGCEnd (/home/cjones/mozilla/mozilla-central/js/src/jsgc.cpp:3370)
js_GC (/home/cjones/mozilla/mozilla-central/js/src/jsgc.cpp:3473)
JS_GC (/home/cjones/mozilla/mozilla-central/js/src/jsapi.cpp:2302)
nsXPConnect::Collect() (/home/cjones/mozilla/mozilla-central/js/src/xpconnect/src/nsXPConnect.cpp:480)
nsCycleCollector::Collect(unsigned int) (/home/cjones/mozilla/mozilla-central/xpcom/base/nsCycleCollector.cpp:2520)
nsCycleCollector_collect() (/home/cjones/mozilla/mozilla-central/xpcom/base/nsCycleCollector.cpp:3217)
nsJSContext::CC() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3543)
nsJSContext::IntervalCC() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3632)
nsJSContext::CCIfUserInactive() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3623)
nsJSContext::LoadEnd() (/home/cjones/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:3689)
DocumentViewerImpl::LoadComplete(unsigned int) (/home/cjones/mozilla/mozilla-central/layout/base/nsDocumentViewer.cpp:1080)
nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) (/home/cjones/mozilla/mozilla-central/docshell/base/nsDocShell.cpp:5755)
nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) (/home/cjones/mozilla/mozilla-central/docshell/base/nsDocShell.cpp:5632)
nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, unsigned int) (/home/cjones/mozilla/mozilla-central/uriloader/base/nsDocLoader.cpp:1317)
nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) (/home/cjones/mozilla/mozilla-central/uriloader/base/nsDocLoader.cpp:940)
nsDocLoader::DocLoaderIsEmpty(int) (/home/cjones/mozilla/mozilla-central/uriloader/base/nsDocLoader.cpp:807)
nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) (/home/cjones/mozilla/mozilla-central/uriloader/base/nsDocLoader.cpp:703)
nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) (/home/cjones/mozilla/mozilla-central/netwerk/base/src/nsLoadGroup.cpp:680)
nsDocument::DoUnblockOnload() (/home/cjones/mozilla/mozilla-central/content/base/src/nsDocument.cpp:7273)
nsDocument::UnblockOnload(int) (/home/cjones/mozilla/mozilla-central/content/base/src/nsDocument.cpp:7219)
nsDocument::DispatchContentLoadedEvents() (/home/cjones/mozilla/mozilla-central/content/base/src/nsDocument.cpp:4138)
nsRunnableMethod<nsDocument, void>::Run() (/home/cjones/mozilla/ff-dbg/content/base/src/../../../dist/include/nsThreadUtils.h:283)
nsThread::ProcessNextEvent(int, int*) (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:527)
NS_ProcessNextEvent_P(nsIThread*, int) (/home/cjones/mozilla/ff-dbg/xpcom/build/nsThreadUtils.cpp:250)
nsThread::Shutdown() (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:467)
NS_InvokeByIndex_P (/home/cjones/mozilla/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208)
nsProxyObjectCallInfo::Run() (/home/cjones/mozilla/mozilla-central/xpcom/proxy/src/nsProxyEvent.cpp:181)
nsThread::ProcessNextEvent(int, int*) (/home/cjones/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:527)
NS_ProcessNextEvent_P(nsIThread*, int) (/home/cjones/mozilla/ff-dbg/xpcom/build/nsThreadUtils.cpp:250)
mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/cjones/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:118)
MessageLoop::RunInternal() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:217)
MessageLoop::RunHandler() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:200)
MessageLoop::Run() (/home/cjones/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:173)
nsBaseAppShell::Run() (/home/cjones/mozilla/mozilla-central/widget/src/xpwidgets/nsBaseAppShell.cpp:180)
nsAppStartup::Run() (/home/cjones/mozilla/mozilla-central/toolkit/components/startup/src/nsAppStartup.cpp:182)
XRE_main (/home/cjones/mozilla/mozilla-central/toolkit/xre/nsAppRunner.cpp:3536)
main (/home/cjones/mozilla/mozilla-central/browser/app/nsBrowserApp.cpp:158)
__libc_start_main (/build/buildd/eglibc-2.10.1/csu/libc-start.c:252)

Chris Jones [:cjones] inactive; ni?/f?/r? if you need me

Reporter

Comment 1

•

14 years ago

Karl notes bp-84588e1e-744f-4f08-bdba-2fc4b2100424, which might be related.

Chris Jones [:cjones] inactive; ni?/f?/r? if you need me

Reporter

Comment 2

•

14 years ago

Attached patch Test case (updated to trunk) — Details — Splinter Review

Attachment #441595 - Attachment is obsolete: true

Benjamin Smedberg

Updated

•

11 years ago

Assignee: benjamin → nobody

Priority: -- → P3

BMO Automation

Comment 3

•

3 years ago

Resolving as wont fix, plugin support deprecated in Firefox 85.

Status: NEW → RESOLVED

Closed: 3 years ago

Resolution: --- → WONTFIX

BMO Automation

Updated

•

2 years ago

Product: Core → Core Graveyard

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Retaining the window NPObject for in-process plugins doesn't work like it does for OOPP

Categories

(Core Graveyard :: Plug-ins, defect, P3)

Tracking

(Not tracked)

People

(Reporter: cjones, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file, 1 obsolete file)

Description

Comment 1

Comment 2

Updated

Comment 3

Updated

Attachment

General

Description

File Name

Content Type