656006 - Crash [@ nsPluginStreamListenerPeer::OnStartRequest(nsIRequest*, nsISupports*) ] | ASSERTION: You can't dereference a NULL nsRefPtr with operator->().: 'mRawPtr != 0

Status: VERIFIED FIXED

(Core Graveyard :: Plug-ins, defect)

Description

[Bob Clary [:bc] (inactive)]

see also Bug 623638
	
1. http://www.babista.de/shop/Mode-fuer-Maenner/Themen/Outdoor-Bekleidung-Hemd/product/142003/group/167390/Produktzoom-Flashviewer.a1405.0.html

2. ASSERTION: You can't dereference a NULL nsRefPtr with operator->().: 'mRawPtr != 0', file c:\work\mozilla\builds\2.0.0\mozilla\firefox-debug\dist\include\nsAutoPtr.h, line 1117

3. Crash nightly: bp-1de6430a-e70d-4fdc-8e9d-132582110510
         1.9.2  : bp-6a6b023c-d7e0-4244-b3d4-ca48f2110510

 	xul.dll!nsRefPtr<nsNPAPIPluginInstance>::operator->()  Line 1117 + 0x23 bytes	C++
 	xul.dll!nsPluginStreamListenerPeer::OnStartRequest(nsIRequest * request=0x06551ddc, nsISupports * aContext=0x00000000)  Line 557 + 0xb bytes	C++
 	xul.dll!nsObjectLoadingContent::OnStartRequest(nsIRequest * aRequest=0x06551ddc, nsISupports * aContext=0x00000000)  Line 739 + 0x2d bytes	C++
 	xul.dll!nsHttpChannel::CallOnStartRequest()  Line 773 + 0x44 bytes	C++
 	xul.dll!nsHttpChannel::ContinueProcessNormal(unsigned int rv=0)  Line 1224 + 0x8 bytes	C++
 	xul.dll!nsHttpChannel::ProcessNormal()  Line 1162	C++
 	xul.dll!nsHttpChannel::ProcessResponse()  Line 1111 + 0x8 bytes	C++
 	xul.dll!nsHttpChannel::OnStartRequest(nsIRequest * request=0x067c7e00, nsISupports * ctxt=0x00000000)  Line 3899 + 0xe bytes	C++
 	xul.dll!nsInputStreamPump::OnStateStart()  Line 441 + 0x2c bytes	C++
 	xul.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream * stream=0x05a98920)  Line 397 + 0xb bytes	C++
 	xul.dll!nsInputStreamReadyEvent::Run()  Line 115	C++
 	xul.dll!nsThread::ProcessNextEvent(int mayWait=1, int * result=0x0012d730)  Line 618 + 0x19 bytes	C++
 	xul.dll!NS_ProcessNextEvent_P(nsIThread * thread=0x04624df0, int mayWait=1)  Line 250 + 0x16 bytes	C++
 	xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate=0x0039fcf8)  Line 134 + 0xe bytes	C++
 	xul.dll!MessageLoop::RunInternal()  Line 219	C++
 	xul.dll!MessageLoop::RunHandler()  Line 203	C++
 	xul.dll!MessageLoop::Run()  Line 177	C++
 	xul.dll!nsBaseAppShell::Run()  Line 191	C++
 	xul.dll!nsAppShell::Run()  Line 248 + 0x9 bytes	C++

A quick save and test didn't reproduce. :-(

Comment 1

[Marcia Knous [:marcia]]

I can reproduce on a Mac nightly - https://crash-stats.mozilla.com/report/index/fc7b4f85-9810-4b12-98e2-99cba2110510

Comment 2

[Bob Clary [:bc] (inactive)]

update crash bugs to critical per guidelines.

Comment 3

[Bob Clary [:bc] (inactive)]

There are only a hand full of crashes in the last week (7 total). Two involve Flash (10.3.183.7 and 10.3.183.10) but I can not reproduce them nor the original url in automation or locally. I think this is wfm and any further reproducible instances deserve a new bug.

Comment 4

[Josh Aas]

I was reading code for something else, noticed a bug that should cause crashes, and sure enough here is the report. This is our bug, not surprised it is hard to repro though. Patch coming up.

Comment 5

[Josh Aas]

Attachment: fix v1.0

Comment 6

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 572097 [details] [diff] [review]
fix v1.0

r=me

Comment 7

[Josh Aas]

Attachment: aurora fix v1.0

Comment 8

[Josh Aas]

pushed to mozilla-inbound

http://hg.mozilla.org/integration/mozilla-inbound/rev/b820af78bed1

Comment 9

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/b820af78bed1

Comment 10

[LegNeato]

Comment on attachment 572112 [details] [diff] [review]
aurora fix v1.0

[triage comment]

Approved for aurora. Please land today if at all possible.

Comment 11

[Josh Aas]

pushed to mozilla-aurora

http://hg.mozilla.org/releases/mozilla-aurora/rev/3ed4686333f2

Comment 12

[Paul Silaghi, QA [:pauly]]

Could you please tell me how to test this ?

Comment 13

[Bob Clary [:bc] (inactive)]

Paul, normally just loading the url would be sufficient however I can no longer reproduce the crash on older builds so it is not possible to test a crashing build then test a non crash build to see if the patch actually fixed this particular issue. I think we just need to punt.

Comment 14

[Bob Clary [:bc] (inactive)]

FWIW, I just retested the 3 urls I had for this crash in the automation on Beta/9, Aurora/10, Nightly/11 on Linux, Mac, Windows and did not reproduce any crashes. I'll call it verified.

Comment 15

[Paul Silaghi, QA [:pauly]]

I agree. The issue is not reproducible on:

Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Windows NT 5.1; rv:10.0a2) Gecko/20111127 Firefox/10.0a2
Mozilla/5.0 (Windows NT 5.1; rv:11.0a1) Gecko/20111127 Firefox/11.0a1

Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Windows NT 6.1; rv:10.0a2) Gecko/20111127 Firefox/10.0a2
Mozilla/5.0 (Windows NT 6.1; rv:11.0a1) Gecko/20111127 Firefox/11.0a1

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0a2) Gecko/20111127 Firefox/10.0a2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0a1) Gecko/20111127 Firefox/11.0a1

Mozilla/5.0 (X11; Linux i686; rv:9.0) Gecko/20100101 Firefox/9.0
Mozilla/5.0 (X11; Linux i686; rv:10.0a2) Gecko/20111128 Firefox/10.0a2
Mozilla/5.0 (X11; Linux i686; rv:11.0a1) Gecko/20111128 Firefox/11.0a1