69736 - N601 & M08 crash printing ecard [@ nsPluginInstanceOwner::GetTagType]

Status: VERIFIED FIXED

(Core Graveyard :: Plug-ins, defect)

Description

[Jay Patel [:jay]]

This is a topcrasher for N601 release.  Talkback shows a lot of different ways
to crash this, but I have found a consistent set of steps to get this crash:

1. goto www.bluemountain.com
2. create an eCard
3. while previewing the eCard, try to print the page
4. printing the ecard causes N601 to crash (although the page is still actually
printed out)

I'm guessing printing the animated .gif that a lot of these ecards use might be
the problem.

Here is the stack trace and some other user comments/URLs that might lead to the
crash (I have not tried to crash with these cases):

Stack Trace:

	 nsPluginInstanceOwner::GetTagType
[d:\builds\6.01\mozilla\layout\html\base\src\nsObjectFrame.cpp  line 1942]
	 nsPluginHostImpl::InstantiateEmbededPlugin
[d:\builds\6.01\mozilla\modules\plugin\nglsrc\nsPluginHostImpl.cpp  line 2075]
	 nsPluginStreamListenerPeer::OnStartRequest
[d:\builds\6.01\mozilla\modules\plugin\nglsrc\nsPluginHostImpl.cpp  line 1155]
	 nsHTTPFinalListener::OnStartRequest
[d:\builds\6.01\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cpp
line 1119]
	 InterceptStreamListener::OnStartRequest
[d:\builds\6.01\mozilla\netwerk\cache\mgr\nsCachedNetData.cpp  line 1186]
	 nsHTTPServerListener::FinishedResponseHeaders
[d:\builds\6.01\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cpp
line 1057]
	 nsHTTPServerListener::OnDataAvailable
[d:\builds\6.01\mozilla\netwerk\protocol\http\src\nsHTTPResponseListener.cpp
line 428]
	 nsOnDataAvailableEvent::HandleEvent
[d:\builds\6.01\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp  line 406]
	 nsStreamListenerEvent::HandlePLEvent
[d:\builds\6.01\mozilla\netwerk\base\src\nsAsyncStreamListener.cpp  line 106]
	 PL_HandleEvent
[d:\builds\6.01\mozilla\xpcom\threads\plevent.c  line 581]
	 PL_ProcessPendingEvents
[d:\builds\6.01\mozilla\xpcom\threads\plevent.c  line 517]
	 _md_EventReceiverProc
[d:\builds\6.01\mozilla\xpcom\threads\plevent.c  line 1051]
	 nsAppShellService::Run
[d:\builds\6.01\mozilla\xpfe\appshell\src\nsAppShellService.cpp  line 408]
	 netscp6.exe + 0x167f (0x0040167f)
	 netscp6.exe + 0x11b8 (0x004011b8)
	 netscp6.exe + 0x2a47 (0x00402a47)
	 KERNEL32.DLL + 0x192a6 (0x77e792a6)

 	Source File : d:/builds/6.01/mozilla/layout/html/base/src/nsObjectFrame.cpp line
: 1942

URL:(26661914) www.kfns.com
URL:(26602854) www.classmates.com
URL:(26550340) www.alighthouse.com
URL:(26551045) www.alighthouse.com
URL:(26552606) WWW.SNOPES.COM
URL:(26613225) www.bluemountain.com
URL:(26539479) xpcom.dll at 015f:60cc65f3
	Comment: (26639136) i was trying to load a web page www.geocities.com/pokerpalace
Comment: (26667226) checking beatles lyrics
	Comment: (26576508) Closed a window
	Comment: (26622598) Looking for Asian Pride Character Pics
	Comment: (26661914) clicked on the "listen to" link
	Comment: (26563014) checking e-mail
	Comment: (26564339) i was browsing the web when the error occurred
	Comment: (26668092) GKHTML.DLL at 017f:01586bb9
	Comment: (26620250) when ever I print computer freezes and I must cut off all
switches and it is shut down impropertly
	Comment: (26606776) email- looking at a flowgo link
	Comment: (26578890) Clicking out of my email window
	Comment: (26669764) I was in http://64.224.111.164/ibelieve.htm when a little box
came up and said that the computer did an illegal operation and would be shut
down.....
	Comment: (26537655) I was accessi ng a link from my email.
	Comment: (26607524) I was just finishing sending an ecard
	Comment: (26550340) trying to open file
	Comment: (26690122) Go to sleep......don't surf more at internet.......
	Comment: (26549348) Put an html document that i had prepared in RCEDIT editor and
it failed. The document worked in other browsers.
	Comment: (26551045) trying to ope java applet and it saw netscape6 has error
ingkhtml.dll
	Comment: (26689465) i was in the middle of searching for betty boop
	Comment: (26552606) hit back button
	Comment: (26613225) looking at finished e-card
	Comment: (26629683) This is a new computer

Comment 1

[Jay Patel [:jay]]

adding crash keywords and [@ nsPluginInstanceOwner::GetTagType]
 for tracking.  NOTE:  This is a new crash introduced with the release of N601,
it was not showing up in the talkback topcrash reports for RTM (6.00).

Comment 2

[Peter Lubczynski]

I get a:

Bad Request
Your browser sent a request that this server could not understand.

Request header field is missing colon separator.

ат

in recent trunk builds.

Comment 3

[Peter Lubczynski]

I don't crash on any of the testcase in Win32, but PluginSaftey does catch it 
when I try to print. I wonder if most of the crashes are mainly on Mac?

Comment 4

[av (gone)]

Peter, I looked at it yeaterday and this seems to be an easy one. We should 
check npp->pdata for being zero and just return when it is.

Comment 5

[Peter Lubczynski]

Yeah, didn't you say something like that a few weeks ago. Shouldn't we do this 
test all the time?

I don't see npp->pdata in nsPluginInstanceOwner::GetTagType though. But you are 
probably right, we need to check for that.

Comment 6

[av (gone)]

Well, the plugin crashes on NPP_NewStream. You can just put a breakpoint at the 
beginning of nsPluginHostImpl::HandleBadPlugin to see the stack. By the way, for 
me this is QuickTime playing midi. This patch inside 
ns4xPluginStreamListener::OnStartBinding(nsIPluginStreamInfo* pluginInfo)
fixes the crash for me.

    mInst->GetCallbacks(&callbacks);
    mInst->GetNPP(&npp);

+    if((callbacks == nsnull) || (npp->pdata == nsnull))
+      return NS_ERROR_FAILURE;

Comment 7

[Peter Lubczynski]

I'm having trouble reproducing this, but I agree it should be done. This 
should fix some of those random crashers. 

r=peterl

Comment 8

[av (gone)]

Do you think it is a right time to do the same everywhere?

Comment 9

[Peter Lubczynski]

I don't see why it would hurt anything to put it everywhere?

For now, you can put an ASSERTION and see if that gets triggered in any 
testcases.

Sean,Nick,Peter: any comments?

Comment 10

[av (gone)]

Attachment: first iteration

Comment 11

[av (gone)]

Please review. It is simple but rather bulky just because I changed 
identation/tabulation on the way.

Comment 12

[av (gone)]

Attachment: first iteration in easier-to-read -wu format

Comment 13

[Johnny Stenback (:jst)]

I would suggest initializing the callbacks pointer to null in code like this:

  NPP npp;
  const NPPluginFuncs *callbacks;
 
  mInst->GetCallbacks(&callbacks);
  mInst->GetNPP(&npp);
 
  if(!callbacks || !npp->pdata)
    return NS_ERROR...

so that we'll return the error even if mInst->GetCallbacks() for some reason
doesn't set the out parameter to null.

I'm assuming you've given this a fair amount of testing, if so, and if things
still work :-), and with the change I mentioned above, sr=jst

Comment 14

[Jay Patel [:jay]]

adding M08 to summary since this is also a topcrash for the Mozilla milestone 
0.8.

Comment 15

[karnaze (gone)]

Moving to mozilla0.8.1

Comment 16

[av (gone)]

Fixed with 03-01-2001 check in.

Comment 17

[Peter Lubczynski]

*** Bug 86867 has been marked as a duplicate of this bug. ***

Comment 18

[Peter Lubczynski]

*** Bug 91024 has been marked as a duplicate of this bug. ***

Comment 19

[shrirang khanzode]

couldn't crash printing ecard, fixd a while ago, i guess.