Closed Bug 563741 Opened 10 years ago Closed 10 years ago

Crash in [@ mozilla::plugins::PStreamNotifyParent::Send__delete__(mozilla::plugins::PStreamNotifyParent*, short const&) ]

Categories

(Core :: Plug-ins, defect)

1.9.2 Branch
x86
All
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking1.9.2 --- .4+
status1.9.2 --- .4-fixed

People

(Reporter: marcia, Assigned: mwu)

References

()

Details

(Keywords: crash, regression, verified1.9.2)

Crash Data

Attachments

(1 file)

Seen while testing  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4 (.NET CLR 3.5.30729)

STR:
1. I had a bunch of tabs open with video content. Many of them were links open from http://www.tubeshared.com/
2. I closed one tab and then the whole browser crashed.

https://crash-stats.mozilla.com/report/index/bp-da7a9f44-6b58-4c9b-adc6-e754f2100504

Frame  	Module  	Signature [Expand]  	Source
0 	xul.dll 	mozilla::plugins::PStreamNotifyParent::Send__delete__ 	obj-firefox/ipc/ipdl/PStreamNotifyParent.cpp:83
1 	xul.dll 	mozilla::plugins::PluginInstanceParent::NPP_URLNotify 	dom/plugins/PluginInstanceParent.cpp:757
2 	xul.dll 	mozilla::plugins::PluginModuleParent::NPP_URLNotify 	dom/plugins/PluginModuleParent.cpp:495
3 		@0x6c28e4b 	
4 	xul.dll 	nsNPAPIPluginStreamListener::CleanUpStream 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:301
5 	xul.dll 	nsNPAPIPluginInstance::Stop 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1177
6 	xul.dll 	DoStopPlugin 	layout/generic/nsObjectFrame.cpp:2283
7 	xul.dll 	nsStopPluginRunnable::Run 	layout/generic/nsObjectFrame.cpp:2333
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
9 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:118
10 	xul.dll 	xul.dll@0x9b8307 	
11 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:199
12 	mozcrt19.dll 	malloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:5790
13 	xul.dll 	xul.dll@0x312783 	
14 	xul.dll 	xul.dll@0x357307 	
15 	firefox.exe 	firefox.exe@0x1b97 	
16 	kernel32.dll 	GetCodePageFileInfo 	
17 	kernel32.dll 	BaseProcessStart 	
18 	firefox.exe 	firefox.exe@0x183f
Was just able to reproduce this issue: Installed addons:

Microsoft .NET Framework Assistant	1.1	true	{20a82645-c095-46ed-80e3-08825760534b}
Google Gears	0.5.36.0	false	{000a9d1c-beef-4f90-9363-039d445309b8}
RealPlayer Browser Record Plugin	1.1.2	true	{ABDE892B-13A8-4d1b-88E6-365A6E755758}
AI Roboform Toolbar for Firefox	6.9.98	false	{22119944-ED35-4ab1-910B-E619EA06A115}
Java Quick Starter	1.0	true	jqs@sun.com
Norton IPS	2.0	false	{BBDA0591-3099-440a-AA10-41764D9DB4DB}
Norton Toolbar	4.6	false	{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}
Java Console	6.0.16	true	{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
Java Console	6.0.19	true	{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
Java Console	6.0.20	true	{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
blocking1.9.2: --- → ?
Benjamin, can you catch this in a debugger with Marcia's STR?
I can try. Marcia, do you know if any of those addons help with reproduction? I'd like to keep my setup as clean as possible so that record and replay doesn't barf.
Assignee: nobody → benjamin
I will go down to the QA lab now and try in safe mode without any extensions and see if I am able to get the same results. Then I will try to add each ext one at a time and report back.
Alas, when I came back to the machine in the lab I haven't yet been able to reproduce this in regular mode with the set of addons listed in Comment 1. In re: my STR, I might have used the "x" to close the browser window instead of actually using the "x" to close the tab. My recollection is that I did have multiple browser windows open both times the crash occurred and there was for sure videos playing in various tabs.  Will keep trying.
Marcia, do you know if Flash crashed at any point in these steps (maybe check about:crashes on that machine)? That might help narrow down the possibilities.
Benjamin: Not sure about whether it did crash the second time, it might have the first time. Here are all the recent crashes on the machine that I have had while testing 3.6.4:
    
bp-14e4c1db-a0ab-4201-8476-06d1d2100505	5/5/2010	2:41 PM
bp-da7a9f44-6b58-4c9b-adc6-e754f2100504	5/4/2010	11:21 AM
bp-eea8bc9c-0e26-4b2a-8bf7-3a0ec2100503	5/3/2010	5:02 PM
bp-2364dac8-f134-4d2f-88c9-4aed72100503	5/3/2010	4:27 PM
bp-442d1db0-ce7d-4c71-a57f-3e6e32100503	5/3/2010	4:25 PM

(In reply to comment #6)
> Marcia, do you know if Flash crashed at any point in these steps (maybe check
> about:crashes on that machine)? That might help narrow down the possibilities.
looking back through all the reports from the last week I don't seen any with this signature that crashed in the plugin/container.

count fx_ver  build_id     hang_id    reason               process_type
   3 3.6.3pl1 20100405102637 \N EXCEPTION_ACCESS_VIOLATION 
   8 3.6.3pl1 20100405102637 \N EXCEPTION_ACCESS_VIOLATION \N
  18 3.6.4    20100413172113 \N EXCEPTION_ACCESS_VIOLATION 
  45 3.6.4    20100413172113 \N EXCEPTION_ACCESS_VIOLATION \N
   1 3.6.4    20100502221517 \N EXCEPTION_ACCESS_VIOLATION \N
 101 3.6.4    20100503122926 \N EXCEPTION_ACCESS_VIOLATION 
 361 3.6.4    20100503122926 \N EXCEPTION_ACCESS_VIOLATION \N
  38 3.6.4    20100513144105 \N EXCEPTION_ACCESS_VIOLATION \N
   1 3.6.5pre 20100415050153 \N EXCEPTION_ACCESS_VIOLATION \N
   1 3.6.5pre 20100510052530 \N EXCEPTION_ACCESS_VIOLATION 
   4 3.6.5pre 20100511042448 \N EXCEPTION_ACCESS_VIOLATION \N
I can now reproduce this by following these steps (thanks to chofmann for the URLs in Comment 9)

1. Open in a http://www.animefuel.com/naruto-shippuuden-episode-159/ tab by itself.
2. Close the tab using the "X" in the upper right hand corner.

I crash 100% of the time following these steps on Win XP using  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100513 Firefox/3.6.4 (.NET CLR 3.5.30729) using Shockwave Flash 10.1 r53.
It also crashes on Linux (Ubuntu), Flash 10.1 rc4, Fx 3.6.4build4:

bp-8254236b-9709-4d05-a042-8b55a2100517
OS: Windows XP → All
no crash on (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4
Keywords: regression
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.4) Gecko/20100413
Firefox/3.6.4
Shockwave Flash 10.1 r53
It also crashes for me in Windows Vista 
Steps to reproduce : 
1. Open above mentioned urls in Comment 9 in separate tabs.
2. Try to close one of the tabs.
Result : Crash
http://crash-stats.mozilla.com/report/index/5d505ec0-a789-4d3e-8d3e-b14102100517
Got this in recording, it's pretty simple. The plugin is making a NPN_GetURLNotify("http://"). The plugin host returns NPERR_GENERIC_ERROR, but then when the plugin instance is destroyed, it calls NPN_URLNotify, which is definitely not expected.

Josh, can you take this? clegnitto, this sounds like it should block based on crash frequency.
Assignee: benjamin → joshmoz
Yeah, we noticed this bug in the stats the other day during triage. Marking as blocking.
blocking1.9.2: ? → .4+
This is a logic error in nsPluginHost::NewPluginURLStream:

http://hg.mozilla.org/releases/mozilla-1.9.2/annotate/default/modules/plugin/base/src/nsPluginHost.cpp#l5469

listenerPeer is addrefed, NS_NewChannel fails at line 5490, and we early-exit in line 5496 leaking the listener peer. The nsRefPtr from bug 273025 has already fixed this on mozilla-central.
mwu's going to take this since he did bug 273025
Assignee: joshmoz → mwu
Depends on: 273025
This patch backports the nsRefPtr part of the fix in bug 273025. Was able to reproduce the crash without the fix, and wasn't able to reproduce the crash with the fix.
Attachment #446051 - Flags: review?(benjamin)
Comment on attachment 446051 [details] [diff] [review]
Switch to using nsRefPtr to keep track of listenerPeer

I'll update test_streamNotify.html to cover this case as well.
Attachment #446051 - Flags: review?(benjamin)
Attachment #446051 - Flags: review?
Attachment #446051 - Flags: review+
Attachment #446051 - Flags: review?
Comment on attachment 446051 [details] [diff] [review]
Switch to using nsRefPtr to keep track of listenerPeer

a=LegNeato for 1.9.2.4. Please land on both mozilla-1.9.2 default and
GECKO1924_20100413_RELBRANCH
(pre-approving)
Attachment #446051 - Flags: approval1.9.2.4+
This is a 1.9.2.4 blocker -- please land this fix on mozilla-central and the 1.9.2 branch(es) as described in comment 20.
status1.9.2: --- → ?
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/79121c00eebf for GECKO1924_20100413_RELBRANCH
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Note that this fix is branch-only because bug 273025 fixed this on trunk a while back.
(In reply to comment #13)

> Shockwave Flash 10.1 r53
> It also crashes for me in Windows Vista 
> Steps to reproduce : 
> 1. Open above mentioned urls in Comment 9 in separate tabs.
> 2. Try to close one of the tabs.
> Result : Crash
> http://crash-stats.mozilla.com/report/index/5d505ec0-a789-4d3e-8d3e-b14102100517

I verified that this crashed with the build 4 of 3.6.4 (our last official build) and does not crash on the same machine with my own build using the STR above.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100520 Namoroka/3.6.4 (.NET CLR 3.5.30729)

Verified1.9.2.
Keywords: verified1.9.2
Crash Signature: [@ mozilla::plugins::PStreamNotifyParent::Send__delete__(mozilla::plugins::PStreamNotifyParent*, short const&) ]
You need to log in before you can comment on or make changes to this bug.