752286 - crash in nsJSNPRuntime::OnPluginDestroy @ XPCWrappedNative::GetUsedOnly

Status: RESOLVED DUPLICATE of bug 752340

(Core Graveyard :: Plug-ins, defect)

Description

[Scoobidiver (away)]

With that stack, it first appeared in 15.0a1/20120504. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=807403a04a6a&tochange=2db9df42823d

Signature 	XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) More Reports Search
UUID	82d7c9b4-4f1c-4232-b69c-b02582120506
Date Processed	2012-05-06 03:00:56
Uptime	3096
Last Crash	51.6 minutes before submission
Install Age	8.3 hours since version was first installed.
Install Time	2012-05-05 18:45:29
Product	Firefox
Version	15.0a1
Build ID	20120505030510
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffdadadae2
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x71c2, AdapterSubsysID: 01701043, AdapterDriverVersion: 8.593.100.0
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True	
Total Virtual Memory	4294836224
Available Virtual Memory	3877707776
System Memory Use Percentage	71
Available Page File	1609187328
Available Physical Memory	616361984

Frame 	Module 	Signature 	Source
0 	xul.dll 	XPCWrappedNative::GetUsedOnly 	js/xpconnect/src/XPCWrappedNative.cpp:864
1 	xul.dll 	nsXPConnect::GetWrappedNativeOfNativeObject 	js/xpconnect/src/nsXPConnect.cpp:1526
2 	xul.dll 	nsJSNPRuntime::OnPluginDestroy 	dom/plugins/base/nsJSNPRuntime.cpp:2049
3 	xul.dll 	nsNPAPIPluginInstance::Stop 	dom/plugins/base/nsNPAPIPluginInstance.cpp:218
4 	xul.dll 	nsPluginHost::StopPluginInstance 	dom/plugins/base/nsPluginHost.cpp:3175
5 	xul.dll 	nsObjectLoadingContent::DoStopPlugin 	content/base/src/nsObjectLoadingContent.cpp:2212
6 	xul.dll 	nsObjectLoadingContent::StopPluginInstance 	content/base/src/nsObjectLoadingContent.cpp:2248
7 	xul.dll 	nsObjectLoadingContent::NotifyOwnerDocumentActivityChanged 	content/base/src/nsObjectLoadingContent.cpp:761
8 	xul.dll 	NotifyActivityChanged 	content/base/src/nsDocument.cpp:3799
9 	xul.dll 	EnumerateFreezables 	content/base/src/nsDocument.cpp:8059
10 	xul.dll 	nsTHashtable<mozilla::plugins::PluginModuleChild::NPObjectData>::s_EnumStub 	obj-firefox/dist/include/nsTHashtable.h:500
11 	xul.dll 	PL_DHashTableEnumerate 	obj-firefox/xpcom/build/pldhash.cpp:750
12 	xul.dll 	nsTHashtable<nsPtrHashKey<nsIContent> >::EnumerateEntries 	obj-firefox/dist/include/nsTHashtable.h:251
13 	xul.dll 	nsDocument::RemovedFromDocShell 	content/base/src/nsDocument.cpp:7106
14 	xul.dll 	DocumentViewerImpl::Close 	layout/base/nsDocumentViewer.cpp:1478
15 	xul.dll 	nsDocShell::Destroy 	docshell/base/nsDocShell.cpp:4707
16 	xul.dll 	nsFrameLoader::Finalize 	content/base/src/nsFrameLoader.cpp:577
17 	xul.dll 	nsDocument::MaybeInitializeFinalizeFrameLoaders 	content/base/src/nsDocument.cpp:5518
18 	xul.dll 	nsDocument::EndUpdate 	content/base/src/nsDocument.cpp:4053
19 	xul.dll 	nsXULDocument::EndUpdate 	content/xul/document/src/nsXULDocument.cpp:3347
20 	xul.dll 	mozAutoDocUpdate::~mozAutoDocUpdate 	content/base/src/mozAutoDocUpdate.h:67
21 	xul.dll 	nsINode::doRemoveChildAt 	content/base/src/nsGenericElement.cpp:3875
22 	xul.dll 	nsXULElement::RemoveChildAt 	content/xul/content/src/nsXULElement.cpp:983
23 	xul.dll 	nsINode::RemoveChild 	content/base/src/nsGenericElement.cpp:538
24 	xul.dll 	nsIDOMNode_RemoveChild 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:5462
25 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:524
26 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2772
27 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:472
28 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:540
29 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:572
30 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5448
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=XPCWrappedNative%3A%3AGetUsedOnly%28XPCCallContext%26%2C+nsISupports*%2C+XPCWrappedNativeScope*%2C+XPCNativeInterface*%2C+XPCWrappedNative**%29

Comment 1

[Scoobidiver (away)]

The regression range in comment 1 is false because there were two builds on May 4th. The right one is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2db9df42823d&tochange=9ebf3dc839c5
It might be a regression from bug 748701 or bug 751641.

Comment 2

[Logan Rosen [:Logan]]

I am able to consistently reproduce this crash with the following steps:
1. Open any website.
2. View the source.
3. Hit File --> Print Preview and then the Esc key once in the preview.
4. Repeat Step 3 repeatedly (go right back to Print Preview after hitting Esc). It will crash after about four times doing this process repeatedly.

Comment 3

[Logan Rosen [:Logan]]

I forgot to mention that I'm running the latest nightly (20120601).

Comment 4

[Scoobidiver (away)]

I can't reproduce with the STR in comment 2 and a new profile.

Comment 5

[Scoobidiver (away)]

It's #12 top browser crasher in 15.0a2 and #50 in 16.0a1.

Some comments and correlations per module show it's related to printing:
XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**)|EXCEPTION_ACCESS_VIOLATION_READ (29 crashes)
     83% (24/29) vs.  33% (1393/4167) netapi32.dll (LAN Manager)
     83% (24/29) vs.  36% (1484/4167) mpr.dll (Multiple Provider Router)
     86% (25/29) vs.  39% (1631/4167) winspool.drv (Windows Printer Spooler)

Comment 6

[Scoobidiver (away)]

Dupe of bug 752340?

Comment 7

[Alex Keybl [:akeybl]]

Given the fact that bug 748701 or bug 751641 are suspected, and this may be a dupe of bug bug 752340, including Jaws/Josh/Andrew.

Given the high correlation to netapi32.dll, starting this out with Josh.

Also adding qawanted to further attempt the STR in Comment 2.

Comment 8

[Andrew McCreight [:mccr8]]

It does sound very similar to bug 752340.  Regression range here is the same, assuming that the part of comment 1 saying that comment 1 is wrong is wrong.

Comment 9

[Martijn Wargers (dead)]

Attachment: testcase

I can reproduce this crash with this testcase, using current trunk build.
The first iframe content is this:
<html xmlns="http://www.w3.org/1999/xhtml">
<object  type="application/x-shockwave-flash" id="a"/>
</html>

Just visit the testcase, and let it reload for a while to get the crash.

https://crash-stats.mozilla.com/report/index/bp-40125c9d-ea67-4f70-96c9-176732120623
0 	mozjs.dll 	mozjs.dll@0x21f5c8 	
1 	xul.dll 	XPCWrappedNative::GetUsedOnly 	js/xpconnect/src/XPCWrappedNative.cpp:824
2 	xul.dll 	nsXPConnect::GetWrappedNativeOfNativeObject 	js/xpconnect/src/nsXPConnect.cpp:1526
3 	xul.dll 	nsJSNPRuntime::OnPluginDestroy 	dom/plugins/base/nsJSNPRuntime.cpp:2021
4 	nspr4.dll 	PR_LogFlush 	nsprpub/pr/src/io/prlog.c:533
5 	xul.dll 	_SEH_epilog4

Comment 10

[Marcia Knous [:marcia]]

Currently XPCWrappedNative::GetUsedOnly ranks as #17 top browser crash in Aurora while XPCWrappedNative::GetUsedOnly ranks #294.

Comment 11

[Andrew McCreight [:mccr8]]

This should be fixed by bug 752340, maybe in tomorrow's nightly.

Comment 12

[Scoobidiver (away)]

(In reply to Andrew McCreight [:mccr8] from comment #11)
> This should be fixed by bug 752340, maybe in tomorrow's nightly.
It seems so as crashes that happened after the fix in Nightly and Aurora have a different stack: bp-505e8092-4925-451c-a066-ca15c2120709, bp-e28b4e02-b6fe-456e-90a8-682422120709, bp-60124e08-2904-4d34-85b6-f9b0a2120710