crash in nsObjectLoadingContent::IsPluginEnabledForType

VERIFIED FIXED in Firefox 14

Status: VERIFIED FIXED
Type: defect
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 7 years ago

People

(Reporter: scoobidiver, Assigned: jaws)

Tracking

({crash, regression, testcase})

Version: 14 Branch
Target Milestone: mozilla15

Firefox Tracking Flags

(firefox14+ verified, blocking-fennec1.0 +)

Details

(Whiteboard: [native-crash][qa+:paul.silaghi], crash signature)

Attachments

(2 attachments)

It first appeared in 14.0a1/20120422 and currently affects two users in Nightly.
The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22bfdebf5cae&tochange=990f6542747b

Signature 	nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)
UUID	3aab2a3a-8eed-4919-842a-311712120424
Date Processed	2012-04-24 22:14:48
Uptime	2267
Last Crash	19.7 hours before submission
Install Age	7.9 hours since version was first installed.
Install Time	2012-04-24 14:22:14
Product	Firefox
Version	14.0a1
Build ID	20120424030709
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 15001558, AdapterDriverVersion: 8.15.10.2653
Has dual GPUs. GPU #2: AdapterVendorID2: 0x10de, AdapterDeviceID2: 0x0dce, AdapterSubsysID2: 15001558, AdapterDriverVersion2: 8.17.12.9573
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Total Virtual Memory	4294836224
Available Virtual Memory	3477127168
System Memory Use Percentage	30
Available Page File	13615034368
Available Physical Memory	5928677376

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsObjectLoadingContent::IsPluginEnabledForType 	content/base/src/nsObjectLoadingContent.cpp:523
1 	xul.dll 	nsObjectLoadingContent::LoadObject 	content/base/src/nsObjectLoadingContent.cpp:1448
2 	xul.dll 	nsObjectLoadingContent::LoadObject 	content/base/src/nsObjectLoadingContent.cpp:1254
3 	xul.dll 	nsHTMLSharedObjectElement::StartObjectLoad 	content/html/content/src/nsHTMLSharedObjectElement.cpp:486
4 	xul.dll 	nsHTMLSharedObjectElement::StartObjectLoad 	content/html/content/src/nsHTMLSharedObjectElement.cpp:144
5 	xul.dll 	nsRunnableMethodImpl<void 	obj-firefox/dist/include/nsThreadUtils.h:345
6 	xul.dll 	nsContentUtils::RemoveScriptBlocker 	content/base/src/nsContentUtils.cpp:4730
7 	xul.dll 	nsDocument::EndUpdate 	content/base/src/nsDocument.cpp:4040
8 	xul.dll 	nsHTMLDocument::EndUpdate 	content/html/document/src/nsHTMLDocument.cpp:2275
9 	xul.dll 	nsHtml5TreeOpExecutor::FlushDocumentWrite 	parser/html/nsHtml5TreeOpExecutor.cpp:654
10 	xul.dll 	nsHtml5StringParser::Tokenize 	parser/html/nsHtml5StringParser.cpp:161
11 	xul.dll 	nsContentUtils::ParseFragmentHTML 	content/base/src/nsContentUtils.cpp:3988
12 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:359
13 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/xpcprivate.h:3291
14 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2408
15 	mozjs.dll 	js::PropertyCache::fill 	js/src/jspropertycache.cpp:110
16 	mozjs.dll 	js::GetPropertyHelper 	js/src/jsobj.cpp:5124
17 	mozjs.dll 	js::GetPropertyOperation 	js/src/jsinterpinlines.h:266
18 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2757
19 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:778
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsObjectLoadingContent%3A%3AIsPluginEnabledForType%28nsCString+const%26%29
More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsObjectLoadingContent%3A%3AIsPluginEnabledForType
Crash Signature: [@ nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)] → [@ nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)] [@ nsObjectLoadingContent::IsPluginEnabledForType]
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [native-crash]
Posted file testcase
Tap on the button to get the crash (it opens a new window, closes it, then changes the embed src of the closed window).
blocking-fennec1.0: --- → ?
Keywords: testcase
Posted patch Patch for bug
Thanks for the test case Martijn. This patch checks for null on the document's window object before dereferencing it for the top window.
Assignee: nobody → jwein
Status: NEW → ASSIGNED
Attachment #619082 - Flags: review?(joshmoz)
blocking-fennec1.0: ? → +
Attachment #619082 - Flags: review?(joshmoz) → review+
Whiteboard: [native-crash] → [native-crash][waiting on bug 750661]
Whiteboard: [native-crash][waiting on bug 750661] → [native-crash]
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

[Approval Request Comment]
Regression caused by (bug #): bug 711618
User impact if declined: hard to hit but easily reproducible crashes
Testing completed (on m-c, etc.): locally, just landed on mozilla-inbound
Risk to taking this patch (and alternatives if risky): none expected
String changes made by this patch: none
Attachment #619082 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/d8a01f198883
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

Review of attachment 619082 [details] [diff] [review]:
-----------------------------------------------------------------

::: content/base/src/nsObjectLoadingContent.cpp
@@ +528,1 @@
>      NS_ENSURE_SUCCESS(rv, rv);

Shouldn't this line (NS_ENSURE_SUCCESS) be removed now?
it shouldn't be removed, it should actually have rv assigned to in the line above. thanks for catching this.
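The two points in this thread side by side, as an added illustration (not the patch in attachment 619082 or any Mozilla code; the nsresult type, NS_ENSURE_* macros and the window/document structs below are constructed stand-ins): the null guard on the document's window that the patch description mentions, and the rv assignment that comment 7 asked for. The stale-rv variant shows why the review mattered: with rv never assigned from GetTop, NS_ENSURE_SUCCESS can only ever pass.

```cpp
#include <cstdint>
// Constructed stand-ins for Mozilla's nsresult and NS_ENSURE_* macros
// (assumption: same shape as the real ones, not the real headers).
typedef uint32_t nsresult;
const nsresult NS_OK = 0;
const nsresult NS_ERROR_FAILURE = 0x80004005u;
const nsresult NS_ERROR_NOT_AVAILABLE = 0x80040111u;
#define NS_FAILED(rv) (((rv) & 0x80000000u) != 0)
#define NS_ENSURE_SUCCESS(res, ret) do { if (NS_FAILED(res)) return (ret); } while (0)
#define NS_ENSURE_TRUE(cond, ret) do { if (!(cond)) return (ret); } while (0)
// Hypothetical minimal window/document model: a document whose window was
// closed (as in the test case) hands back a null window pointer.
struct Window {
  Window* top;
  nsresult GetTop(Window** aTop) { *aTop = top; return top ? NS_OK : NS_ERROR_NOT_AVAILABLE; }
};
struct Document {
  Window* window;
  Window* GetWindow() { return window; }
};

// Shape of the patch as first posted: null guard present, but GetTop's status is
// never stored, so NS_ENSURE_SUCCESS tests a stale rv (the defect from comment 7).
nsresult GetTopWindowStaleRv(Document* doc, Window** aTop) {
  *aTop = nullptr;
  Window* window = doc->GetWindow();
  NS_ENSURE_TRUE(window, NS_ERROR_FAILURE);
  nsresult rv = NS_OK;
  window->GetTop(aTop);        // return value dropped
  NS_ENSURE_SUCCESS(rv, rv);   // always passes
  return NS_OK;
}

// Corrected shape: guard before the dereference (no read at 0x0 for a closed
// window), and rv assigned from the very call NS_ENSURE_SUCCESS checks.
nsresult GetTopWindowFixed(Document* doc, Window** aTop) {
  *aTop = nullptr;
  Window* window = doc->GetWindow();
  NS_ENSURE_TRUE(window, NS_ERROR_FAILURE);
  nsresult rv = window->GetTop(aTop);
  NS_ENSURE_SUCCESS(rv, rv);
  return NS_OK;
}

// Constructed scenarios: a closed (null) window, or a live window whose GetTop fails.
nsresult RunScenario(bool windowClosed, bool useFixed) {
  Window orphan = {nullptr};
  Document doc = {windowClosed ? nullptr : &orphan};
  Window* out = nullptr;
  return useFixed ? GetTopWindowFixed(&doc, &out) : GetTopWindowStaleRv(&doc, &out);
}
```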
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

[Triage Comment]
Fewer crashes, noble cause.
Attachment #619082 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Fixed the typo found in comment #7 on inbound (already made the change to the Aurora patch):
https://hg.mozilla.org/integration/mozilla-inbound/rev/3be54da1aba4
Cannot reproduce the crash loading the test case on Nightly 2012-04-22, Nightly 2012-04-23, Nightly 2012-05-01. Any thoughts?
Did you set up Plugins to "Tap to Play" in your settings?
Sorry, I missed that. Able to see the crash on nightly 2012-04-23 with click_to_play pref set on true.
Verified fixed on FF 14b8 on Win 7, Ubuntu 12.04 and Mac OS X 10.6.
Status: RESOLVED → VERIFIED
Whiteboard: [native-crash] → [native-crash][qa+:paul.silaghi]