[Direct2D] [Win64] Flash x64 Crash on GMail [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]

VERIFIED FIXED in mozilla9

Product: Core
Component: Plug-ins
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 6 years ago
Modified: 18 days ago
Reporter: Virtual, Assigned: m_kato
Version: Trunk
Target Milestone: mozilla9
Platform: x86_64, Windows 7
Keywords: crash, crashreportid, nightly-community, regression
Attachments: 1 attachment, 2 obsolete attachments

User-Agent:       Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110513 Firefox/6.0a1
Build Identifier: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110513 Firefox/6.0a1

Creating a new message in GMail causes the Flash plug-in to crash

Reproducible: Sometimes
Crash report:
https://crash-stats.mozilla.com/report/index/bf1945d0-2b3a-4081-a823-1510f2110514
Keywords: crash, crashreportid

Updated

6 years ago
Version: unspecified → Trunk
Some more to compare if needed:
https://crash-stats.mozilla.com/report/index/bp-ce0e207b-3b23-42cc-8919-76bc62110515
https://crash-stats.mozilla.com/report/index/bp-32ce547c-0896-4235-a9d4-4d68b2110515
https://crash-stats.mozilla.com/report/index/bp-4c0ae7ba-c4c4-43cf-86da-2ba622110515
Crash Signature: [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]
Summary: [Win64] Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] → [Win64] Flash Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]
Summary: [Win64] Flash Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] → [Win64] Flash x64 10.3.162.28 Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]
After updating Flash to version 11.0.1.60 (Beta 2), I now got a different crash
https://crash-stats.mozilla.com/report/index/bp-17e32f26-71c1-4727-bbd3-b9efc2110716
Crash Signature: [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] → [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] [@ npswf64_11_0_1.dll@0x17fb72 ]
Summary: [Win64] Flash x64 10.3.162.28 Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] → [Win64] Flash x64 10.3.162.28 Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] [@ npswf64_11_0_1.dll@0x17fb72 ]
Awww, sorry wrong copy paste...
https://crash-stats.mozilla.com/report/index/653834f1-be2e-4699-b2b7-1b9da2110717
Crash Signature: [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] [@ npswf64_11_0_1.dll@0x17fb72 ] → [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]
Summary: [Win64] Flash x64 10.3.162.28 Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] [@ npswf64_11_0_1.dll@0x17fb72 ] → [Win64] Flash x64 Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]
I want to add that it didn't crash in safe-mode.
So after doing some tests with all add-ons, themes, personas and plug-ins (without Flash) disabled, all I can see is that after disabling Direct2D (gfx.direct2d.disabled;true), I get no crashes anymore.
Depends on: 527707
Summary: [Win64] Flash x64 Crash [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ] → [Direct2D] [Win64] Flash x64 Crash on GMail [@ mozalloc_abort(char const* const) | NS_DebugBreak_P ]
Regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=aa1799ffecc5&tochange=7cdcae5dee49

Works:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011/04/2011-04-20-03-mozilla-central/firefox-6.0a1.en-US.win64-x86_64.zip

Fails:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2011/04/2011-04-21-03-mozilla-central/firefox-6.0a1.en-US.win64-x86_64.zip
Keywords: regression
Version: Trunk → 6 Branch
Component: General → Plug-ins
Product: Firefox → Core

Comment 7

6 years ago
Works fine for me... FF4 64Bit with Flash 64Bit.
Try with the builds that fail (see above), because Fx4 is too old.

Comment 9

6 years ago
Gack. Sorry about that, I meant FF Nightly 64bit. No idea why I typed in the 4...
Are you sure that you're using the latest Firefox nightly from
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-central/
and the latest Flash from
http://labs.adobe.com/downloads/flashplayer11.html

If you do, please paste your Graphics info from about:support

Mine, for example:

Graphics
Adapter Description - NVIDIA GeForce 8600 GT
Vendor ID - 10de
Device ID - 0402
Adapter RAM - 256
Adapter Drivers - nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
Driver Version - 8.17.12.8019
Driver Date - 7-23-2011
Direct2D Enabled - true
DirectWrite Enabled - true (6.1.7601.17563)
ClearType Parameters - ClearType parameters not found
WebGL Renderer - NVIDIA Corporation -- GeForce 8600 GT/PCI/SSE2 -- 3.3.0
GPU Accelerated Windows - 1/1 Direct3D 10

Comment 11

6 years ago
Flashplayer 11.0 d1 x86_64 beta

Definitely default 64Bit nightly from M-C, updated nightly.

Graphics infodump from about:support:

Adapter Description        ATI Mobility Radeon HD 4650
Vendor ID                  1002
Device ID                  9480
Adapter RAM                1024
Adapter Drivers            aticfx64 aticfx64 aticfx32 aticfx32 atiumd64 atidxx64 atiumdag atidxx32 atiumdva atiumd6a atitmm64
Driver Version             8.861.0.0
Driver Date                5-24-2011
Direct2D Enabled           true
DirectWrite Enabled        true (6.1.7601.17563)
ClearType Parameters       ClearType parameters not found
WebGL Renderer             ATI Technologies Inc. -- ATI Mobility Radeon HD 4650 -- 3.3.10834 Compatibility Profile Context
GPU Accelerated Windows    1/1 Direct3D 10

OK, thank you.
This could be only nVidia related, as I see.
It also crashes on this page
http://a4tech.com/support.asp

Crash reports:
http://crash-stats.mozilla.com/report/index/bp-46f18d26-6999-4b76-a929-99b8b2110807
https://crash-stats.mozilla.com/report/index/bp-63d6f9d7-6b81-45d2-9696-75a632110807
https://crash-stats.mozilla.com/report/index/bp-82d0dc76-6b3c-4f38-b7bc-91e162110807

Comment 14

6 years ago
The flash bits crash, but my browser remains functional.
Depends on: 549116
(Assignee)

Updated

6 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: 6 Branch → Trunk
(Assignee)

Updated

6 years ago
Assignee: nobody → m_kato
(Assignee)

Comment 15

6 years ago
Created attachment 555067 [details] [diff] [review]
fix v1
(Assignee)

Comment 16

6 years ago
Created attachment 555339 [details] [diff] [review]
fix v1.1
Attachment #555067 - Attachment is obsolete: true
(Assignee)

Updated

6 years ago
Attachment #555339 - Flags: review?(jones.chris.g)
Comment on attachment 555339 [details] [diff] [review]
fix v1.1

This doesn't look right.  It can result in a 64-bit process thinking the segment is one size, but a 32-bit process thinking the segment is another size.  This little hidden size field that we store at the end of the segment is only read and written as a uint32 (should be!), so I'm not sure what this patch is fixing.
Attachment #555339 - Flags: review?(jones.chris.g)
(Assignee)

Comment 18

6 years ago
Created attachment 555623 [details] [diff] [review]
fix v2
Attachment #555339 - Attachment is obsolete: true
(Assignee)

Comment 19

6 years ago
Comment on attachment 555623 [details] [diff] [review]
fix v2

or should use uint64?
Attachment #555623 - Flags: review?(jones.chris.g)
Comment on attachment 555623 [details] [diff] [review]
fix v2

Ouch, this is a nasty bug :/.  Thanks for the fix.

We don't have any use cases for >4GB shmem segments, and there aren't any alignment problems we have to worry about so far, so uint32 is just fine.
Attachment #555623 - Flags: review?(jones.chris.g) → review+
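
The review comments above turn on a size field stored at the end of a shared-memory segment and on processes of different bitness disagreeing about it. The following is an added illustration, not code from the patch or from Mozilla's tree: the segment layout and the names `MakeSegment` and `ReadPayloadSize` are assumptions, and `uint64_t` stands in for a pointer-sized field in a 64-bit process.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical layout (an assumption, not Mozilla's code): payload bytes
// followed by a trailer that records the payload size. SizeField models the
// width a process uses for that trailer: uint64_t stands in for a 64-bit
// process using a pointer-sized type, uint32_t for a fixed-width field.
template <typename SizeField>
std::vector<uint8_t> MakeSegment(size_t payload) {
  std::vector<uint8_t> seg(payload + sizeof(SizeField), 0);
  SizeField sz = static_cast<SizeField>(payload);
  std::memcpy(seg.data() + payload, &sz, sizeof sz);
  return seg;
}

// Reads the trailer as SizeField and accepts it only if it agrees with the
// length of the mapping the reader actually holds.
template <typename SizeField>
bool ReadPayloadSize(const std::vector<uint8_t>& seg, size_t* out) {
  if (seg.size() < sizeof(SizeField)) return false;
  SizeField sz;
  std::memcpy(&sz, seg.data() + seg.size() - sizeof sz, sizeof sz);
  // Reject a trailer that does not match the mapping (width mismatch or corruption).
  if (sz != seg.size() - sizeof(SizeField)) return false;
  *out = static_cast<size_t>(sz);
  return true;
}

int main() {
  size_t n = 0;
  // Constructed sample segments, 4096-byte payload each.
  std::vector<uint8_t> wide = MakeSegment<uint64_t>(4096);
  std::vector<uint8_t> fixed = MakeSegment<uint32_t>(4096);
  std::printf("uint32 writer, uint32 reader: %d\n", ReadPayloadSize<uint32_t>(fixed, &n));
  std::printf("uint64 writer, uint32 reader: %d\n", ReadPayloadSize<uint32_t>(wide, &n));
  return 0;
}
```

When both sides use the same fixed-width field the sizes agree; when the writer's field is wider than the reader's, the reader's view of the trailer no longer matches the mapping and the check rejects the segment.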
(Assignee)

Comment 21

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/4ef3f576a4b9
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/4ef3f576a4b9
Whiteboard: [inbound]
Target Milestone: --- → mozilla9
(Assignee)

Updated

6 years ago
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
VERIFIED FIXED
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:9.0a1) Gecko/20110828 Firefox/9.0a1

Thank you!
Status: RESOLVED → VERIFIED
Keywords: nightly-community