Bug 748701 - crash in nsObjectLoadingContent::IsPluginEnabledForType
Status: VERIFIED FIXED
Whiteboard: [native-crash][qa+:paul.silaghi]
Keywords: crash, regression, testcase
Product: Core
Classification: Components
Component: Plug-ins
Version: 14 Branch
Platform: All All
Severity: critical
Target Milestone: mozilla15
Assigned To: Jared Wein [:jaws] (please needinfo? me)
Blocks: 711618
Reported: 2012-04-25 03:23 PDT by Scoobidiver (away)
Modified: 2012-06-24 23:52 PDT

Attachments
testcase (575 bytes, text/html) - 2012-04-27 04:13 PDT, Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( )
Patch for bug (1.32 KB, patch) - 2012-04-27 10:07 PDT, Jared Wein [:jaws] (please needinfo? me) - jaas: review+, akeybl: approval-mozilla-aurora+
Description Scoobidiver (away) 2012-04-25 03:23:21 PDT
It first appeared in 14.0a1/20120422 and currently affects two users in Nightly.
The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=22bfdebf5cae&tochange=990f6542747b

Signature	nsObjectLoadingContent::IsPluginEnabledForType(nsCString const&)
UUID	3aab2a3a-8eed-4919-842a-311712120424
Date Processed	2012-04-24 22:14:48
Uptime	2267
Last Crash	19.7 hours before submission
Install Age	7.9 hours since version was first installed.
Install Time	2012-04-24 14:22:14
Product	Firefox
Version	14.0a1
Build ID	20120424030709
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes	AdapterVendorID: 0x8086, AdapterDeviceID: 0x0116, AdapterSubsysID: 15001558, AdapterDriverVersion: 8.15.10.2653
Has dual GPUs. GPU #2: AdapterVendorID2: 0x10de, AdapterDeviceID2: 0x0dce, AdapterSubsysID2: 15001558, AdapterDriverVersion2: 8.17.12.9573
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility	True
Total Virtual Memory	4294836224
Available Virtual Memory	3477127168
System Memory Use Percentage	30
Available Page File	13615034368
Available Physical Memory	5928677376

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsObjectLoadingContent::IsPluginEnabledForType 	content/base/src/nsObjectLoadingContent.cpp:523
1 	xul.dll 	nsObjectLoadingContent::LoadObject 	content/base/src/nsObjectLoadingContent.cpp:1448
2 	xul.dll 	nsObjectLoadingContent::LoadObject 	content/base/src/nsObjectLoadingContent.cpp:1254
3 	xul.dll 	nsHTMLSharedObjectElement::StartObjectLoad 	content/html/content/src/nsHTMLSharedObjectElement.cpp:486
4 	xul.dll 	nsHTMLSharedObjectElement::StartObjectLoad 	content/html/content/src/nsHTMLSharedObjectElement.cpp:144
5 	xul.dll 	nsRunnableMethodImpl<void 	obj-firefox/dist/include/nsThreadUtils.h:345
6 	xul.dll 	nsContentUtils::RemoveScriptBlocker 	content/base/src/nsContentUtils.cpp:4730
7 	xul.dll 	nsDocument::EndUpdate 	content/base/src/nsDocument.cpp:4040
8 	xul.dll 	nsHTMLDocument::EndUpdate 	content/html/document/src/nsHTMLDocument.cpp:2275
9 	xul.dll 	nsHtml5TreeOpExecutor::FlushDocumentWrite 	parser/html/nsHtml5TreeOpExecutor.cpp:654
10 	xul.dll 	nsHtml5StringParser::Tokenize 	parser/html/nsHtml5StringParser.cpp:161
11 	xul.dll 	nsContentUtils::ParseFragmentHTML 	content/base/src/nsContentUtils.cpp:3988
12 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/XPCConvert.cpp:359
13 	xul.dll 	XPCConvert::NativeData2JS 	js/xpconnect/src/xpcprivate.h:3291
14 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2408
15 	mozjs.dll 	js::PropertyCache::fill 	js/src/jspropertycache.cpp:110
16 	mozjs.dll 	js::GetPropertyHelper 	js/src/jsobj.cpp:5124
17 	mozjs.dll 	js::GetPropertyOperation 	js/src/jsinterpinlines.h:266
18 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2757
19 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:778
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsObjectLoadingContent%3A%3AIsPluginEnabledForType%28nsCString+const%26%29
Comment 2 Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( ) 2012-04-27 04:13:53 PDT
Created attachment 618988 [details]
testcase

Tap on the button to get the crash (it opens a new window, closes it, then changes the embed src of the closed window).
Comment 3 Jared Wein [:jaws] (please needinfo? me) 2012-04-27 10:07:20 PDT
Created attachment 619082 [details] [diff] [review]
Patch for bug

Thanks for the test case Martijn. This patch checks for null on the document's window object before dereferencing it for the top window.
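An added illustration of the fix Jared describes above, not the actual Mozilla patch: the Window/Document structs, the GetTop out-param call and the PluginState values are hypothetical stand-ins for the Gecko types, and ReproduceTestcase replays the testcase's open/close/change-src sequence on the closed window's document.

```cpp
#include <cstdint>

// Hypothetical stand-ins for the Gecko types; not Mozilla's nsObjectLoadingContent code.
typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_NOT_AVAILABLE = 0x80040111;

// Same contract as the macro in the patch: bail out when rv is a failure code.
#define NS_ENSURE_SUCCESS(rv, ret) do { if ((rv) & 0x80000000u) return (ret); } while (0)

struct Window {
  Window* top;          // parent chain; nullptr means this window is the top
  bool    clickToPlay;  // models the click_to_play pref consulted on the top window
  // Out-param style lookup that yields an nsresult, so rv has something to check.
  nsresult GetTop(Window** aTop) { *aTop = top ? top : this; return NS_OK; }
};

struct Document {
  Window* window;       // cleared to nullptr once the window has been closed
};

enum PluginState { ePluginUnavailable, ePluginClickToPlay, ePluginEnabled };

// The fix: check the document's window for null before dereferencing it for the
// top window, and make sure rv is assigned by the call NS_ENSURE_SUCCESS checks.
nsresult IsPluginEnabledForType(Document* aDoc, PluginState* aOut) {
  Window* window = aDoc->window;
  if (!window) {
    // The embed lives in a document whose window was already closed: there
    // is no top window to consult, so fail instead of reading through 0x0.
    *aOut = ePluginUnavailable;
    return NS_ERROR_NOT_AVAILABLE;
  }
  Window* top = nullptr;
  nsresult rv = window->GetTop(&top);   // rv is assigned here, then checked
  NS_ENSURE_SUCCESS(rv, rv);
  *aOut = top->clickToPlay ? ePluginClickToPlay : ePluginEnabled;
  return NS_OK;
}

// Replays the testcase's sequence: open a window, close it, then change the
// embed src of the closed window, which re-enters the lookup above.
nsresult ReproduceTestcase(PluginState* aOut) {
  Window popup = { nullptr, true };
  Document doc = { &popup };
  doc.window = nullptr;                 // window.close(): document loses its window
  return IsPluginEnabledForType(&doc, aOut);  // previously a null read at 0x0
}
```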
Comment 4 Jared Wein [:jaws] (please needinfo? me) 2012-05-03 12:11:50 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/d8a01f198883
Comment 5 Jared Wein [:jaws] (please needinfo? me) 2012-05-03 16:02:28 PDT
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

[Approval Request Comment]
Regression caused by (bug #): bug 711618
User impact if declined: hard to hit but easily reproducible crashes
Testing completed (on m-c, etc.): locally, just landed on mozilla-inbound
Risk to taking this patch (and alternatives if risky): none expected
String changes made by this patch: none
Comment 6 Ed Morley [:emorley] 2012-05-04 04:03:34 PDT
https://hg.mozilla.org/mozilla-central/rev/d8a01f198883
Comment 7 Daniel Cater 2012-05-05 12:49:09 PDT
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

Review of attachment 619082 [details] [diff] [review]:
-----------------------------------------------------------------

::: content/base/src/nsObjectLoadingContent.cpp
@@ +528,1 @@
>      NS_ENSURE_SUCCESS(rv, rv);
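Review bot: NS_ENSURE_SUCCESS(rv, rv) at line 528 only does useful work if rv is assigned by the call on the preceding line; if the new null check replaced that assignment instead of sitting beside it, the macro tests an rv that was never set. Either keep the `rv = ...` assignment from the window lookup on the line above, or drop the macro.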

Shouldn't this line (NS_ENSURE_SUCCESS) be removed now?
Comment 8 Jared Wein [:jaws] (please needinfo? me) 2012-05-05 13:06:05 PDT
It shouldn't be removed; it should actually have rv assigned to it in the line above. Thanks for catching this.
Comment 9 Alex Keybl [:akeybl] 2012-05-06 19:48:30 PDT
Comment on attachment 619082 [details] [diff] [review]
Patch for bug

[Triage Comment]
Fewer crashes, noble cause.
Comment 10 Jared Wein [:jaws] (please needinfo? me) 2012-05-07 10:37:05 PDT
https://hg.mozilla.org/releases/mozilla-aurora/rev/42c6be86ed0d
Comment 11 Jared Wein [:jaws] (please needinfo? me) 2012-05-07 14:16:37 PDT
Fixed the typo found in comment #7 on inbound (already made the change to the Aurora patch):
https://hg.mozilla.org/integration/mozilla-inbound/rev/3be54da1aba4
Comment 12 Ed Morley [:emorley] 2012-05-08 03:17:00 PDT
https://hg.mozilla.org/mozilla-central/rev/3be54da1aba4
Comment 13 Paul Silaghi, QA [:pauly] 2012-06-22 07:40:44 PDT
Cannot reproduce the crash loading the test case on Nightly 2012-04-22, Nightly 2012-04-23, Nightly 2012-05-01. Any thoughts?
Comment 14 Martijn Wargers [:mwargers] (gone per 2016-05-31 :-( ) 2012-06-22 07:42:51 PDT
Had you set up Plugins to "Tap to Play" in your settings?
Comment 15 Paul Silaghi, QA [:pauly] 2012-06-24 23:52:25 PDT
Sorry, I missed that. Able to see the crash on nightly 2012-04-23 with the click_to_play pref set to true.
Verified fixed on FF 14b8 on Win 7, Ubuntu 12.04 and Mac OS X 10.6.