Closed Bug 752286 Opened 9 years ago Closed 9 years ago

crash in nsJSNPRuntime::OnPluginDestroy @ XPCWrappedNative::GetUsedOnly

Categories

(Core :: Plug-ins, defect)

15 Branch
All
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 752340
Tracking Status
firefox14 --- unaffected
firefox15 - fixed
firefox16 --- fixed

People

(Reporter: scoobidiver, Unassigned)

Details

(4 keywords)

Crash Data

Attachments

(1 file)

With that stack, it first appeared in 15.0a1/20120504. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=807403a04a6a&tochange=2db9df42823d

Signature 	XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) More Reports Search
UUID	82d7c9b4-4f1c-4232-b69c-b02582120506
Date Processed	2012-05-06 03:00:56
Uptime	3096
Last Crash	51.6 minutes before submission
Install Age	8.3 hours since version was first installed.
Install Time	2012-05-05 18:45:29
Product	Firefox
Version	15.0a1
Build ID	20120505030510
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffdadadae2
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x71c2, AdapterSubsysID: 01701043, AdapterDriverVersion: 8.593.100.0
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True	
Total Virtual Memory	4294836224
Available Virtual Memory	3877707776
System Memory Use Percentage	71
Available Page File	1609187328
Available Physical Memory	616361984

Frame 	Module 	Signature 	Source
0 	xul.dll 	XPCWrappedNative::GetUsedOnly 	js/xpconnect/src/XPCWrappedNative.cpp:864
1 	xul.dll 	nsXPConnect::GetWrappedNativeOfNativeObject 	js/xpconnect/src/nsXPConnect.cpp:1526
2 	xul.dll 	nsJSNPRuntime::OnPluginDestroy 	dom/plugins/base/nsJSNPRuntime.cpp:2049
3 	xul.dll 	nsNPAPIPluginInstance::Stop 	dom/plugins/base/nsNPAPIPluginInstance.cpp:218
4 	xul.dll 	nsPluginHost::StopPluginInstance 	dom/plugins/base/nsPluginHost.cpp:3175
5 	xul.dll 	nsObjectLoadingContent::DoStopPlugin 	content/base/src/nsObjectLoadingContent.cpp:2212
6 	xul.dll 	nsObjectLoadingContent::StopPluginInstance 	content/base/src/nsObjectLoadingContent.cpp:2248
7 	xul.dll 	nsObjectLoadingContent::NotifyOwnerDocumentActivityChanged 	content/base/src/nsObjectLoadingContent.cpp:761
8 	xul.dll 	NotifyActivityChanged 	content/base/src/nsDocument.cpp:3799
9 	xul.dll 	EnumerateFreezables 	content/base/src/nsDocument.cpp:8059
10 	xul.dll 	nsTHashtable<mozilla::plugins::PluginModuleChild::NPObjectData>::s_EnumStub 	obj-firefox/dist/include/nsTHashtable.h:500
11 	xul.dll 	PL_DHashTableEnumerate 	obj-firefox/xpcom/build/pldhash.cpp:750
12 	xul.dll 	nsTHashtable<nsPtrHashKey<nsIContent> >::EnumerateEntries 	obj-firefox/dist/include/nsTHashtable.h:251
13 	xul.dll 	nsDocument::RemovedFromDocShell 	content/base/src/nsDocument.cpp:7106
14 	xul.dll 	DocumentViewerImpl::Close 	layout/base/nsDocumentViewer.cpp:1478
15 	xul.dll 	nsDocShell::Destroy 	docshell/base/nsDocShell.cpp:4707
16 	xul.dll 	nsFrameLoader::Finalize 	content/base/src/nsFrameLoader.cpp:577
17 	xul.dll 	nsDocument::MaybeInitializeFinalizeFrameLoaders 	content/base/src/nsDocument.cpp:5518
18 	xul.dll 	nsDocument::EndUpdate 	content/base/src/nsDocument.cpp:4053
19 	xul.dll 	nsXULDocument::EndUpdate 	content/xul/document/src/nsXULDocument.cpp:3347
20 	xul.dll 	mozAutoDocUpdate::~mozAutoDocUpdate 	content/base/src/mozAutoDocUpdate.h:67
21 	xul.dll 	nsINode::doRemoveChildAt 	content/base/src/nsGenericElement.cpp:3875
22 	xul.dll 	nsXULElement::RemoveChildAt 	content/xul/content/src/nsXULElement.cpp:983
23 	xul.dll 	nsINode::RemoveChild 	content/base/src/nsGenericElement.cpp:538
24 	xul.dll 	nsIDOMNode_RemoveChild 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:5462
25 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:524
26 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2772
27 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:472
28 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:540
29 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:572
30 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5448
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=XPCWrappedNative%3A%3AGetUsedOnly%28XPCCallContext%26%2C+nsISupports*%2C+XPCWrappedNativeScope*%2C+XPCNativeInterface*%2C+XPCWrappedNative**%29
The regression range in comment 1 is false because there were two builds on May 4th. The right one is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2db9df42823d&tochange=9ebf3dc839c5
It might be a regression from bug 748701 or bug 751641.
Crash Signature: [@ XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**)] → [@ XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) ]
Crash Signature: [@ XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) ] → [@ XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**)]
I am able to consistently reproduce this crash with the following steps:
1. Open any website.
2. View the source.
3. Hit File --> Print Preview and then the Esc key once in the preview.
4. Repeat Step 3 repeatedly (go right back to Print Preview after hitting Esc). It will crash after about four times doing this process repeatedly.
I forgot to mention that I'm running the latest nightly (20120601).
I can't reproduce with the STR in comment 2 and a new profile.
It's #12 top browser crasher in 15.0a2 and #50 in 16.0a1.

Some comments and correlations per module show it's related to printing:
XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**)|EXCEPTION_ACCESS_VIOLATION_READ (29 crashes)
     83% (24/29) vs.  33% (1393/4167) netapi32.dll (LAN Manager)
     83% (24/29) vs.  36% (1484/4167) mpr.dll (Multiple Provider Router)
     86% (25/29) vs.  39% (1631/4167) winspool.drv (Windows Printer Spooler)
Keywords: topcrash
Dupe of bug 752340?
Given the fact that bug 748701 or bug 751641 are suspected, and this may be a dupe of bug bug 752340, including Jaws/Josh/Andrew.

Given the high correlation to netapi32.dll, starting this out with Josh.

Also adding qawanted to further attempt the STR in Comment 2.
It does sound very similar to bug 752340.  Regression range here is the same, assuming that the part of comment 1 saying that comment 1 is wrong is wrong.
Crash Signature: [@ XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**)] → [@ XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**)] [@ XPCWrappedNative::GetUsedOnly]
OS: Windows 7 → All
Depends on: 752340
Keywords: qawanted
Attached file testcase
I can reproduce this crash with this testcase, using current trunk build.
The first iframe content is this:
<html xmlns="http://www.w3.org/1999/xhtml">
<object  type="application/x-shockwave-flash" id="a"/>
</html>

Just visit the testcase, and let it reload for a while to get the crash.

https://crash-stats.mozilla.com/report/index/bp-40125c9d-ea67-4f70-96c9-176732120623
0 	mozjs.dll 	mozjs.dll@0x21f5c8 	
1 	xul.dll 	XPCWrappedNative::GetUsedOnly 	js/xpconnect/src/XPCWrappedNative.cpp:824
2 	xul.dll 	nsXPConnect::GetWrappedNativeOfNativeObject 	js/xpconnect/src/nsXPConnect.cpp:1526
3 	xul.dll 	nsJSNPRuntime::OnPluginDestroy 	dom/plugins/base/nsJSNPRuntime.cpp:2021
4 	nspr4.dll 	PR_LogFlush 	nsprpub/pr/src/io/prlog.c:533
5 	xul.dll 	_SEH_epilog4
Keywords: testcase
OS: All → Windows 7
Currently XPCWrappedNative::GetUsedOnly ranks as #17 top browser crash in Aurora while XPCWrappedNative::GetUsedOnly ranks #294.
This should be fixed by bug 752340, maybe in tomorrow's nightly.
(In reply to Andrew McCreight [:mccr8] from comment #11)
> This should be fixed by bug 752340, maybe in tomorrow's nightly.
It seems so as crashes that happened after the fix in Nightly and Aurora have a different stack: bp-505e8092-4925-451c-a066-ca15c2120709, bp-e28b4e02-b6fe-456e-90a8-682422120709, bp-60124e08-2904-4d34-85b6-f9b0a2120710
Status: NEW → RESOLVED
Closed: 9 years ago
No longer depends on: 752340
Resolution: --- → DUPLICATE
Duplicate of bug: 752340
You need to log in before you can comment on or make changes to this bug.