Java crashes if content policy is present (Adblock Plus, NoScript, GreaseMonkey...)

RESOLVED INCOMPLETE

Status

defect
9 years ago
3 years ago

People

(Reporter: gaubugzilla, Unassigned)

Tracking

(Blocks 1 bug)

Attachments

(2 attachments, 3 obsolete attachments)

1.40 KB, application/x-xpinstall
163.96 KB, text/plain
This issue has been reported in the Adblock Plus forum. It took me a while to reproduce because for me it is intermittent - it only happens very rarely. The original reporter apparently sees that issue every time, both in Firefox 3.6.13 and 4.0b7 (maybe due to different network latency times?). To reproduce go to http://sat.wrh.noaa.gov/satellite/loopsat.php?wfo=otx&area=west&type=ir&size=2. The applet will be loading images, eventually it should finish loading them and start animation. Sometimes however you only see a black rectangle after the images are loaded. I see that the plugin process is gone, and the Java icon in the taskbar disappeared as well. But the crash reporter didn't come up so maybe Java decided to terminate the process for whatever reason.

The configuration for this issue:
* Confirmed for Firefox 3.6.13, 4.0b7 or Minefield 20101215 nightly
* Windows XP (original reporter) or Windows 7 (me)
* Java 6u22 or 6u23
* Any extension using the content policies mechanism (Adblock Plus or the minimal content policy extension attached)

https://developer.mozilla.org/en/How_to_get_a_stacktrace_with_WinDbg

you should be able to attach windbg, i have one reporter who has been seeing java kill itself and crash and stuff...
Keywords: stackwanted
Component: Plug-ins → Java (Sun)
Product: Core → Plugins
QA Contact: plugins → sun-java
Version: Trunk → 6.x
see bug 619338
Posted file WinDbg log (obsolete) —
You probably want to skip to the end of the debug log - it took me some time to
figure out which exception is the relevant one (CpupSyscallStub it seems, the
access violations happen when the images are still loading and don't cause a
crash).
Note that java.exe apparently continues running while its parent process jp2launcher.exe exits.
Keywords: stackwanted
Can you please install and use the 32bit version of windbg?

> ModLoad: 00000000`74cf0000 00000000`74d28000   C:\Windows\SysWOW64\fwpuclnt.dll
> (c78.1458): Access violation - code c0000005 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> 00000000`026afe97 3b01            cmp     eax,dword ptr [ecx] ds:002b:00000000`00000000=????????
> 2:068:x86> g

This was a crash (in process 2 on thread 68)


> (1384.c98): Access violation - code c0000005 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Java\jre6\bin\client\jvm.dll - 
> jvm+0x1017:
> 00000000`6d7f1017 c7040801000000  mov     dword ptr [eax+ecx],1 ds:002b:00000000`00280780=00000001
> 2:061:x86> g

this was a crash (in process 2 on thread 61), I believe the caller was in jvm. There are a bunch of crashes floating around here....

I'm told that it's possible to get pdb files for java7ea, please feel free to try to get that to work (or try to find them for java5/java6)
OS: Windows XP → All
OS: All → Windows XP
Posted file WinDbg log (obsolete) —
Now the log created with WinDbg x86 and with a debug JDK version downloaded from http://download.java.net/jdk6/6u23/promoted/b01/binaries/. Interestingly, with the debugger attached the crash happens every time - I guess that it is being triggered by the additional delay.
Attachment #497838 - Attachment is obsolete: true
ok, before you start running ('g'), please try:

sxe ud awt

(where awt is the evil module)
OS: Windows XP → All
Posted file WinDbg log (obsolete) —
Attachment #498099 - Attachment is obsolete: true
oops, i didn't really give good instructions there.

> Unload module c:\Rab\tmp\jdk1.6.0_23\fastdebug\jre\bin\awt.dll at 025c0000
> eax=00000000 ebx=005d7994 ecx=00000000 edx=00000000 esi=005d6b40 edi=00000000
> eip=7782fc22 esp=000df7c8 ebp=000df848 iopl=0         nv up ei pl nz na po nc
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
> ntdll!ZwUnmapViewOfSection+0x12:
> 7782fc22 83c404          add     esp,4
> 2:039>

At this point, we need at least a stack trace before continuing ('g').

I've tried using '|* ~* kp' in instructions in the wiki, but i'm having trouble figuring out if it actually works, so please prefer that notation, but if it fails, please fall back to:

'~* kp; |0 ~* kp' to talk to the evil process and then process 0 (should be minefield), my guess is that process 1 is adobe reader or some other irrelevant plugin - the log to this point will tell you (the first number in "?:???>" is a process number).
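
Added example, not part of the bug thread or anyone's posted commands: a small Python parser for WinDbg logs of the shape quoted above, pairing each exception record with the `process:thread` prompt that follows it and separating first-chance from second-chance events. The sample log is constructed from the line shapes in the quoted output; the second-chance line and all function names are assumptions.

```python
import re

# Constructed sample in the shape of the WinDbg output quoted in this thread.
SAMPLE_LOG = """\
(c78.1458): Access violation - code c0000005 (first chance)
This exception may be expected and handled.
00000000`026afe97 3b01            cmp     eax,dword ptr [ecx]
2:068:x86> g
(1384.c98): Access violation - code c0000005 (first chance)
jvm+0x1017:
00000000`6d7f1017 c7040801000000  mov     dword ptr [eax+ecx],1
2:061:x86> g
(1384.c98): Access violation - code c0000005 (!!! second chance !!!)
2:061:x86> |* ~* kp
"""

# "(pid.tid): <name> - code <hex> (<first|second chance>)", ids are hexadecimal
EVENT = re.compile(r"^\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\): (?P<name>.+?)"
                   r" - code (?P<code>[0-9a-f]{8}) \((?P<chance>.+)\)$")
# Debugger prompt "proc:thread>" or "proc:thread:x86>", indexes are decimal
PROMPT = re.compile(r"^(?P<proc>\d+):(?P<thread>\d+)(?::x86)?>")
# Symbolised location line such as "jvm+0x1017:"
SYMBOL = re.compile(r"^(?P<sym>[\w!:$.]+\+0x[0-9a-f]+):$")

def parse_events(log):
    """Return one dict per exception record, in log order."""
    events, cur = [], None
    for raw in log.splitlines():
        line = re.sub(r"^>\s?", "", raw).rstrip()   # tolerate '>'-quoted logs
        if m := EVENT.match(line):
            cur = {"pid": int(m["pid"], 16), "tid": int(m["tid"], 16),
                   "name": m["name"], "code": m["code"],
                   "second_chance": "second chance" in m["chance"],
                   "symbol": None, "dbg_proc": None, "dbg_thread": None}
            events.append(cur)
        elif cur and (m := SYMBOL.match(line)):
            cur["symbol"] = m["sym"]
        elif cur and (m := PROMPT.match(line)):
            # The prompt after the record names the debugger's process/thread index.
            cur["dbg_proc"], cur["dbg_thread"] = int(m["proc"]), int(m["thread"])
            cur = None
    return events

def unhandled(events):
    """Second-chance records: no handler in the process took the exception."""
    return [e for e in events if e["second_chance"]]
```

Feeding it a full attached log gives a short list to read before deciding where to run `kp`.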
Posted file WinDbg log
(In reply to comment #9)
> oops, i didn't really give good instructions there.

Please be patient with me - I never used WinDbg before and it is everything but self-explaining.

> I've tried using '|* ~* kp' in instructions in the wiki, but i'm having trouble
> figuring out if it actually works, so please prefer that notation, but if it
> fails, please fall back to:
> 
> '~* kp; |0 ~* kp' to talk to the evil process and then process 0 (should be
> minefield), my guess is that process 1 is adobe reader or some other irrelevant
> plugin - the log to this point will tell you (the first number in "?:???>" is a
> process number).

There is only one plugin. Process 1 is jp2launcher.exe which in turn launched java.exe (process 2). I already mentioned this in comment 4. Anyway, that stack doesn't look terribly useful to me but maybe you can read something from it.
Attachment #498391 - Attachment is obsolete: true
don't worry, i'm walking you through commands i don't use, which means you have to be tolerant of my remote bumbling :)

> Unload module c:\Rab\tmp\jdk1.6.0_23\fastdebug\jre\bin\awt.dll at 023c0000
> eax=00000000 ebx=002e7964 ecx=00000000 edx=00000000 esi=002e6f80 edi=00000000
> eip=7782fc22 esp=000df7c8 ebp=000df848 iopl=0         nv up ei pl nz na po nc
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
> ntdll!ZwUnmapViewOfSection+0x12:
> 7782fc22 83c404          add     esp,4
> 2:014> |* ~* kp

> . 14  Id: cf0.10d4 Suspend: 1 Teb: 7efdd000 Unfrozen
> ChildEBP RetAddr  
> 000df7c8 77864888 ntdll!ZwUnmapViewOfSection+0x12
> 000df848 778510d1 ntdll!LdrpUnloadDll+0x276
> 000df88c 7788f72d ntdll!LdrUnloadDll+0x4a
> 000df9f8 7784c10a ntdll!LdrpLoadDll+0x438
> 000dfa2c 762f1d2a ntdll!LdrLoadDll+0x92
> 000dfa64 762f1d7a KERNELBASE!LoadLibraryExW+0x178
> 000dfa84 76344bf7 KERNELBASE!LoadLibraryExA+0x26
> 000dfaa4 00405c78 kernel32!LoadLibraryA+0xba
> WARNING: Stack unwind information not available. Following frames may be wrong.
> 000dfbcc 00405b06 java+0x5c78
> 000dfbe8 00401308 java+0x5b06
> 000dfeac 0040e1e2 java+0x1308
> 000dff88 76343677 java+0xe1e2
> 000dff94 77849d42 kernel32!BaseThreadInitThunk+0xe
> 000dffd4 77849d15 ntdll!__RtlUserThreadStart+0x70
> 000dffec 00000000 ntdll!_RtlUserThreadStart+0x1b

So, here java released awt, that's the basic cause of our problem. from here we need symbols for java (see referenced bug for some possible path there)

>  41  Id: cf0.14ac Suspend: 1 Teb: 7efda000 Unfrozen
> ChildEBP RetAddr  
> 0060fa64 082c6415 jvm!os::jvm_path(char * buf = 0x0060fca8 "", int buflen = 260)+0x65 [c:\build_area\jdk6_23\hotspot\src\os\windows\vm\os_windows.cpp @ 1672]

So, this is interesting, you have symbols for part of java6u23. bug 619543 comment 3 has instructions for generating a symstore and using it. That'll help us work around the fact that getting symbols loaded is painful.
I don't think that getting the symbols loaded is the problem. WinDbg loaded all the PDB files from the JRE automatically, without a symbol store. It seems however that there is no PDB file for java.exe. The file java.pdb belongs to java.dll. I did generate a symstore but the result is the same:

*** WARNING: Unable to verify checksum for java.exe
*** ERROR: Module load completed but symbols could not be loaded for java.exe

Are the symbols for Java 7 more complete?
oh, cute.

re java7, dunno, please try?

and if you could complain to oracle about the missing pdb, that'd be great....
Java7 b122 doesn't have PDB files for executables either... I submitted a report on bugs.sun.com (which won't be public until approved).
This will be the bug link once it becomes visible: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7007866
An Adblock Plus user reported a very similar Java crash on https://connect.raiffeisen.ru/rba/dispatch-online-payment.do (the applet crashing is essential for payment). I cannot verify because you have to be a client of the bank to get there but he reproduced the issue with a minimal content policy as well. The crash happens about 10 seconds after the applet (rca.AuthApplet.class in https://connect.raiffeisen.ru/rcas/Reg.jar) loads.
I wonder if this is related to bug 841892, although they probably aren't the same (bug 841892 manifests even in Safe Mode, whereas this bug seems to require Adblock, etc.).
Closing old bugs in the Plugins component. We aren't going to track issues in 3rd-party plugins in the Mozilla bug tracker. In addition, support for NPAPI plugins will be removed at the end of this year; for more details see the post at https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/

If there is a serious bug in Firefox, it needs to be filed in the "Core" product, "Plug-Ins" component.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Product: Plugins → Plugins Graveyard