Closed Bug 562442 Opened 10 years ago Closed 8 years ago

Crash in [@ nsPluginInstanceOwner::ReleasePluginPort(void*)]

Categories

(Core :: Plug-ins, defect, critical)

x86
Windows 7
defect
Not set
critical

Tracking

()

VERIFIED FIXED
Tracking Status
firefox7 --- affected
firefox8 --- affected
firefox9 --- fixed
firefox10 --- fixed
status1.9.2 --- unaffected

People

(Reporter: marcia, Assigned: jaas)

Details

(Keywords: crash, verified-aurora, verified-beta, Whiteboard: [sg:high][qa!])

Crash Data

Attachments

(2 files, 1 obsolete file)

Seen while running Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a5pre) Gecko/20100428 Minefield/3.7a5pre

https://crash-stats.mozilla.com/report/index/7c982f11-1f35-42ca-bb03-c34a92100428

STR:
1. I was composing an email in Gmail.
2. Added http://www.caltrain.com/pdf/Holiday_Schedules/Caltrain_Weekend_Holiday_Schedule_08-31-2009.pdf to the email and hit Send.
3. The crash occurred

Have not been able to repro

Frame  	Module  	Signature [Expand]  	Source
0 	xul.dll 	nsPluginInstanceOwner::ReleasePluginPort 	layout/generic/nsObjectFrame.cpp:5725
1 	xul.dll 	nsObjectFrame::CallSetWindow 	layout/generic/nsObjectFrame.cpp:1057
2 	xul.dll 	nsObjectFrame::DidReflow 	layout/generic/nsObjectFrame.cpp:1149
3 	xul.dll 	nsLineLayout::ReflowFrame 	layout/generic/nsLineLayout.cpp:967
4 	xul.dll 	nsBlockFrame::ReflowInlineFrame 	layout/generic/nsBlockFrame.cpp:3716
5 	xul.dll 	nsBlockFrame::DoReflowInlineFrames 	layout/generic/nsBlockFrame.cpp:3511
6 	xul.dll 	nsBlockFrame::ReflowInlineFrames 	layout/generic/nsBlockFrame.cpp:3365
7 	xul.dll 	nsBlockFrame::ReflowLine 	layout/generic/nsBlockFrame.cpp:2461
8 	xul.dll 	nsBlockFrame::ReflowDirtyLines 	layout/generic/nsBlockFrame.cpp:1907
9 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:1009
10 	xul.dll 	nsContainerFrame::ReflowChild 	layout/generic/nsContainerFrame.cpp:736
11 	xul.dll 	nsHTMLReflowState::Init 	layout/generic/nsHTMLReflowState.cpp:285
12 	xul.dll 	nsCSSFrameConstructor::RestyleElement 	layout/base/nsCSSFrameConstructor.cpp:8007
13 		@0x3802a3f
Summary: Crash in [@nsPluginInstanceOwner::ReleasePluginPort(void*)] → Crash in [@ nsPluginInstanceOwner::ReleasePluginPort(void*)]
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a5pre) Gecko/20100603 Minefield/3.7a5pre
Works for me in the latest trunk build.
Crash Signature: [@ nsPluginInstanceOwner::ReleasePluginPort(void*)]
Assignee: nobody → joshmoz
Group: core-security
Attached patch fix v1.0 (obsolete) — Splinter Review
This will fix the crash but in cases where we would crash we'll leak the plugin port on Windows. That's much better than what happens now but this patch could be expanded to avoid the leak if someone takes the time to figure out how to re-factor the plugin port memory management here. We could file a separate bug on that and fix it later, a strategy that makes even more sense if we want to lower risk porting this patch to aurora and beta.
Attachment #570328 - Flags: review?(bzbarsky)
Attachment #570328 - Flags: review?(bzbarsky)
Attached patch fix v1.1Splinter Review
Includes a fix for the memory leak.
Attachment #570328 - Attachment is obsolete: true
Attachment #570696 - Flags: review?(jmathies)
Whiteboard: sg:high
Comment on attachment 570696 [details] [diff] [review]
fix v1.1

Looks ok to me.
Attachment #570696 - Flags: review?(jmathies) → review+
Attached patch aurora fix v1.0Splinter Review
Attachment #571075 - Flags: approval-mozilla-aurora?
pushed to mozilla-central

http://hg.mozilla.org/mozilla-central/rev/978002c0b0ad
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment on attachment 571075 [details] [diff] [review]
aurora fix v1.0

a=drivers per today's meeting.
Attachment #571075 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Adding [qa+] for bug verification. We can try the steps in comment #0, but since we can't reproduce reliably we can check crash-stats before and after fix.
Whiteboard: sg:high → sg:high,[qa+]
I'm seeing no instances of this crash on crash-stats for anything newer than Firefox 8. Marking verified.
Status: RESOLVED → VERIFIED
Whiteboard: sg:high,[qa+] → sg:high,[qa!]
Whiteboard: sg:high,[qa!] → [sg:high][qa!]
Group: core-security
You need to log in before you can comment on or make changes to this bug.