crash in nsObjectLoadingContent::IsPluginEnabledForType

VERIFIED FIXED in Firefox 14

Status

Product: Core
Component: Plug-ins
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: Scoobidiver (away), Assigned: jaws)

Tracking

Version: 14 Branch
Target Milestone: mozilla15
Keywords: crash, regression, testcase
Points: ---

Firefox Tracking Flags

(firefox14+ verified, blocking-fennec1.0 +)

Details

(Whiteboard: [native-crash][qa+:paul.silaghi], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
It first appeared in 14.0a1/20120422 and affects currently two users in Nightly.
The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22bfdebf5cae&tochange=990f6542747b

Signature 	nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)
UUID	3aab2a3a-8eed-4919-842a-311712120424
Date Processed	2012-04-24 22:14:48
Uptime	2267
Last Crash	19.7 hours before submission
Install Age	7.9 hours since version was first installed.
Install Time	2012-04-24 14:22:14
Product	Firefox
Version	14.0a1
Build ID	20120424030709
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 15001558, AdapterDriverVersion: 8.15.10.2653
Has dual GPUs. GPU #2: AdapterVendorID2: 0x10de, AdapterDeviceID2: 0x0dce, AdapterSubsysID2: 15001558, AdapterDriverVersion2: 8.17.12.9573D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Total Virtual Memory	4294836224
Available Virtual Memory	3477127168
System Memory Use Percentage	30
Available Page File	13615034368
Available Physical Memory	5928677376

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsObjectLoadingContent::IsPluginEnabledForType 	content/base/src/nsObjectLoadingContent.cpp:523
1 	xul.dll 	nsObjectLoadingContent::LoadObject 	content/base/src/nsObjectLoadingContent.cpp:1448
2 	xul.dll 	nsObjectLoadingContent::LoadObject 	content/base/src/nsObjectLoadingContent.cpp:1254
3 	xul.dll 	nsHTMLSharedObjectElement::StartObjectLoad 	content/html/content/src/nsHTMLSharedObjectElement.cpp:486
4 	xul.dll 	nsHTMLSharedObjectElement::StartObjectLoad 	content/html/content/src/nsHTMLSharedObjectElement.cpp:144
5 	xul.dll 	nsRunnableMethodImpl<void 	obj-firefox/dist/include/nsThreadUtils.h:345
6 	xul.dll 	nsContentUtils::RemoveScriptBlocker 	content/base/src/nsContentUtils.cpp:4730
7 	xul.dll 	nsDocument::EndUpdate 	content/base/src/nsDocument.cpp:4040
8 	xul.dll 	nsHTMLDocument::EndUpdate 	content/html/document/src/nsHTMLDocument.cpp:2275
9 	xul.dll 	nsHtml5TreeOpExecutor::FlushDocumentWrite 	parser/html/nsHtml5TreeOpExecutor.cpp:654
10 	xul.dll 	nsHtml5StringParser::Tokenize 	parser/html/nsHtml5StringParser.cpp:161
11 	xul.dll 	nsContentUtils::ParseFragmentHTML 	content/base/src/nsContentUtils.cpp:3988
12 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:359
13 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/xpcprivate.h:3291
14 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2408
15 	mozjs.dll 	js::PropertyCache::fill 	js/src/jspropertycache.cpp:110
16 	mozjs.dll 	js::GetPropertyHelper 	js/src/jsobj.cpp:5124
17 	mozjs.dll 	js::GetPropertyOperation 	js/src/jsinterpinlines.h:266
18 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2757
19 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:778
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsObjectLoadingContent%3A%3AIsPluginEnabledForType%28nsCString+const%26%29
(Reporter)

Comment 1

5 years ago
More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsObjectLoadingContent%3A%3AIsPluginEnabledForType
Crash Signature: [@ nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)] → [@ nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)] [@ nsObjectLoadingContent::IsPluginEnabledForType]
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [native-crash]
Created attachment 618988 [details]
testcase

Tap on the button to get the crash (it opens a new window, closes it, then changes the embed src of the closed window).

Updated

5 years ago
blocking-fennec1.0: --- → ?
Keywords: testcase
Created attachment 619082 [details] [diff] [review]
Patch for bug

Thanks for the test case Martijn. This patch checks for null on the document's window object before dereferencing it for the top window.
Assignee: nobody → jwein
Status: NEW → ASSIGNED
Attachment #619082 - Flags: review?(joshmoz)
blocking-fennec1.0: ? → +

Updated

5 years ago
Attachment #619082 - Flags: review?(joshmoz) → review+
Whiteboard: [native-crash] → [native-crash][waiting on bug 750661]
https://hg.mozilla.org/integration/mozilla-inbound/rev/d8a01f198883
Blocks: 711618
status-firefox14: --- → affected
tracking-firefox14: --- → ?
Target Milestone: --- → mozilla15
Whiteboard: [native-crash][waiting on bug 750661] → [native-crash]
tracking-firefox14: ? → +
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

[Approval Request Comment]
Regression caused by (bug #): bug 711618
User impact if declined: hard to hit but easily reproducible crashes
Testing completed (on m-c, etc.): locally, just landed on mozilla-inbound
Risk to taking this patch (and alternatives if risky): none expected
String changes made by this patch: none
Attachment #619082 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/d8a01f198883
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 7

5 years ago
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

Review of attachment 619082 [details] [diff] [review]:
-----------------------------------------------------------------

::: content/base/src/nsObjectLoadingContent.cpp
@@ +528,1 @@
>      NS_ENSURE_SUCCESS(rv, rv);
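Review bot: the NS_ENSURE_SUCCESS(rv, rv) kept at line 528 only checks something meaningful if rv is written by the call directly above it; if that call's result is no longer assigned to rv after this patch, the macro tests a stale or uninitialized value, so either assign the result of the preceding call to rv or drop the macro together with it.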

Shouldn't this line (NS_ENSURE_SUCCESS) be removed now?
It shouldn't be removed; it should actually have rv assigned to in the line above. Thanks for catching this.
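The closed-window scenario from the attached test case and the rv-assignment point from comments 7 and 8, as an added C++ example that is not Gecko code: Window, Document, GetTopWindow_Safe, IsPluginEnabledForType_Safe and RunClosedWindowScenario are simplified stand-ins chosen for illustration, and the NS_ENSURE_SUCCESS macro here only mimics the real macro's early-return control flow. The unsafe function shows the dereference that faults at address 0 once the document's window has been closed; the hardened one returns an error instead and only reaches the top window after rv has been assigned by the call and then checked.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Constructed stand-ins for Gecko types; only the control flow is meaningful.
typedef uint32_t nsresult;
const nsresult NS_OK = 0;
const nsresult NS_ERROR_FAILURE = 0x80004005;
const nsresult NS_ERROR_NOT_AVAILABLE = 0x80040111;

// Mimics the real macro: bail out of the caller with `ret` if `res` failed.
#define NS_ENSURE_SUCCESS(res, ret) \
  do { if ((res) & 0x80000000u) return (ret); } while (0)

struct Window {
  Window* top;              // outermost window of the browsing context
  bool clickToPlayAllowed;  // stand-in for the per-window plugin decision
};

struct Document {
  Window* window;           // becomes null once the window is closed
};

// Shape of the bug: walk doc->window->top without checking that the
// document still has a window. On a closed window this reads address 0.
static bool TopWindowAllowsPlugin_Unsafe(const Document* doc) {
  return doc->window->top->clickToPlayAllowed;
}

// Hardened helper: refuse to proceed when the window (or its top) is gone,
// and report that through the return code instead of crashing.
static nsresult GetTopWindow_Safe(const Document* doc, Window** outTop) {
  *outTop = nullptr;
  if (!doc || !doc->window) {
    return NS_ERROR_NOT_AVAILABLE;
  }
  *outTop = doc->window->top;
  return *outTop ? NS_OK : NS_ERROR_FAILURE;
}

// Hardened caller: rv is assigned by the call on the line above the check,
// which is the point raised in comments 7 and 8.
static nsresult IsPluginEnabledForType_Safe(const Document* doc, bool* outEnabled) {
  *outEnabled = false;
  Window* top = nullptr;
  nsresult rv = GetTopWindow_Safe(doc, &top);
  NS_ENSURE_SUCCESS(rv, rv);
  *outEnabled = top->clickToPlayAllowed;
  return NS_OK;
}

// Reproduces the test case's sequence in miniature: a window is opened,
// closed (document outlives it with window == null), then the load runs.
static nsresult RunClosedWindowScenario(bool* outEnabled) {
  Window top = { nullptr, true };
  top.top = &top;
  Document doc = { &top };
  doc.window = nullptr;  // window.close()
  return IsPluginEnabledForType_Safe(&doc, outEnabled);
}

int main() {
  Window live = { nullptr, true };
  live.top = &live;
  Document liveDoc = { &live };
  std::printf("live window, unsafe path: %d\n", TopWindowAllowsPlugin_Unsafe(&liveDoc));

  bool enabled = false;
  nsresult rv = RunClosedWindowScenario(&enabled);
  std::printf("closed window, safe path: rv=0x%08x enabled=%d\n", rv, enabled);
  return 0;
}
```

The unsafe path is deliberately not called on the closed-window document in main; doing so is exactly the EXCEPTION_ACCESS_VIOLATION_READ at 0x0 in the report above.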

Comment 9

5 years ago
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

[Triage Comment]
Fewer crashes, noble cause.
Attachment #619082 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/42c6be86ed0d
status-firefox14: affected → fixed
Fixed the typo found in comment #7 on inbound (already made the change to the Aurora patch):
https://hg.mozilla.org/integration/mozilla-inbound/rev/3be54da1aba4
https://hg.mozilla.org/mozilla-central/rev/3be54da1aba4
Cannot reproduce the crash loading the test case on Nightly 2012-04-22, Nightly 2012-04-23, Nightly 2012-05-01. Any thoughts?
Did you set up Plugins to "Tap to Play" in your settings?
Sorry, I missed that. Able to see the crash on Nightly 2012-04-23 with the click_to_play pref set to true.
Verified fixed on FF 14b8 on Win 7, Ubuntu 12.04 and Mac OS X 10.6.
Status: RESOLVED → VERIFIED
status-firefox14: fixed → verified
Whiteboard: [native-crash] → [native-crash][qa+:paul.silaghi]