Bug 752286 - crash in nsJSNPRuntime::OnPluginDestroy @ XPCWrappedNative::GetUsedOnly
Status: RESOLVED DUPLICATE of bug 752340
Keywords: crash, regression, testcase, topcrash
Product: Core
Classification: Components
Component: Plug-ins
Version: 15 Branch
Platform: All Windows 7
Importance: -- critical
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
Reported: 2012-05-05 23:26 PDT by Scoobidiver (away)
Modified: 2012-07-16 07:51 PDT

Attachments
testcase (642 bytes, text/html)
2012-06-23 11:06 PDT, Martijn Wargers [:mwargers] (not working for Mozilla)

Description Scoobidiver (away) 2012-05-05 23:26:35 PDT
With that stack, it first appeared in 15.0a1/20120504. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=807403a04a6a&tochange=2db9df42823d

Signature 	XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**)
UUID	82d7c9b4-4f1c-4232-b69c-b02582120506
Date Processed	2012-05-06 03:00:56
Uptime	3096
Last Crash	51.6 minutes before submission
Install Age	8.3 hours since version was first installed.
Install Time	2012-05-05 18:45:29
Product	Firefox
Version	15.0a1
Build ID	20120505030510
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xffffffffdadadae2
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x71c2, AdapterSubsysID: 01701043, AdapterDriverVersion: 8.593.100.0
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True	
Total Virtual Memory	4294836224
Available Virtual Memory	3877707776
System Memory Use Percentage	71
Available Page File	1609187328
Available Physical Memory	616361984

Frame 	Module 	Signature 	Source
0 	xul.dll 	XPCWrappedNative::GetUsedOnly 	js/xpconnect/src/XPCWrappedNative.cpp:864
1 	xul.dll 	nsXPConnect::GetWrappedNativeOfNativeObject 	js/xpconnect/src/nsXPConnect.cpp:1526
2 	xul.dll 	nsJSNPRuntime::OnPluginDestroy 	dom/plugins/base/nsJSNPRuntime.cpp:2049
3 	xul.dll 	nsNPAPIPluginInstance::Stop 	dom/plugins/base/nsNPAPIPluginInstance.cpp:218
4 	xul.dll 	nsPluginHost::StopPluginInstance 	dom/plugins/base/nsPluginHost.cpp:3175
5 	xul.dll 	nsObjectLoadingContent::DoStopPlugin 	content/base/src/nsObjectLoadingContent.cpp:2212
6 	xul.dll 	nsObjectLoadingContent::StopPluginInstance 	content/base/src/nsObjectLoadingContent.cpp:2248
7 	xul.dll 	nsObjectLoadingContent::NotifyOwnerDocumentActivityChanged 	content/base/src/nsObjectLoadingContent.cpp:761
8 	xul.dll 	NotifyActivityChanged 	content/base/src/nsDocument.cpp:3799
9 	xul.dll 	EnumerateFreezables 	content/base/src/nsDocument.cpp:8059
10 	xul.dll 	nsTHashtable<mozilla::plugins::PluginModuleChild::NPObjectData>::s_EnumStub 	obj-firefox/dist/include/nsTHashtable.h:500
11 	xul.dll 	PL_DHashTableEnumerate 	obj-firefox/xpcom/build/pldhash.cpp:750
12 	xul.dll 	nsTHashtable<nsPtrHashKey<nsIContent> >::EnumerateEntries 	obj-firefox/dist/include/nsTHashtable.h:251
13 	xul.dll 	nsDocument::RemovedFromDocShell 	content/base/src/nsDocument.cpp:7106
14 	xul.dll 	DocumentViewerImpl::Close 	layout/base/nsDocumentViewer.cpp:1478
15 	xul.dll 	nsDocShell::Destroy 	docshell/base/nsDocShell.cpp:4707
16 	xul.dll 	nsFrameLoader::Finalize 	content/base/src/nsFrameLoader.cpp:577
17 	xul.dll 	nsDocument::MaybeInitializeFinalizeFrameLoaders 	content/base/src/nsDocument.cpp:5518
18 	xul.dll 	nsDocument::EndUpdate 	content/base/src/nsDocument.cpp:4053
19 	xul.dll 	nsXULDocument::EndUpdate 	content/xul/document/src/nsXULDocument.cpp:3347
20 	xul.dll 	mozAutoDocUpdate::~mozAutoDocUpdate 	content/base/src/mozAutoDocUpdate.h:67
21 	xul.dll 	nsINode::doRemoveChildAt 	content/base/src/nsGenericElement.cpp:3875
22 	xul.dll 	nsXULElement::RemoveChildAt 	content/xul/content/src/nsXULElement.cpp:983
23 	xul.dll 	nsINode::RemoveChild 	content/base/src/nsGenericElement.cpp:538
24 	xul.dll 	nsIDOMNode_RemoveChild 	obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:5462
25 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:524
26 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2772
27 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:472
28 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:540
29 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:572
30 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5448
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=XPCWrappedNative%3A%3AGetUsedOnly%28XPCCallContext%26%2C+nsISupports*%2C+XPCWrappedNativeScope*%2C+XPCNativeInterface*%2C+XPCWrappedNative**%29
Comment 1 Scoobidiver (away) 2012-05-05 23:36:09 PDT
The regression range in comment 1 is false because there were two builds on May 4th. The right one is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2db9df42823d&tochange=9ebf3dc839c5
It might be a regression from bug 748701 or bug 751641.
Comment 2 Logan Rosen [:Logan] 2012-06-01 17:41:15 PDT
I am able to consistently reproduce this crash with the following steps:
1. Open any website.
2. View the source.
3. Hit File --> Print Preview and then the Esc key once in the preview.
4. Repeat Step 3 repeatedly (go right back to Print Preview after hitting Esc). It will crash after about four times doing this process repeatedly.
Comment 3 Logan Rosen [:Logan] 2012-06-01 17:49:55 PDT
I forgot to mention that I'm running the latest nightly (20120601).
Comment 4 Scoobidiver (away) 2012-06-01 22:44:33 PDT
I can't reproduce with the STR in comment 2 and a new profile.
Comment 5 Scoobidiver (away) 2012-06-10 23:21:38 PDT
It's #12 top browser crasher in 15.0a2 and #50 in 16.0a1.

Some comments and correlations per module show it's related to printing:
XPCWrappedNative::GetUsedOnly(XPCCallContext&, nsISupports*, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**)|EXCEPTION_ACCESS_VIOLATION_READ (29 crashes)
     83% (24/29) vs.  33% (1393/4167) netapi32.dll (LAN Manager)
     83% (24/29) vs.  36% (1484/4167) mpr.dll (Multiple Provider Router)
     86% (25/29) vs.  39% (1631/4167) winspool.drv (Windows Printer Spooler)
Comment 6 Scoobidiver (away) 2012-06-12 14:28:08 PDT
Dupe of bug 752340?
Comment 7 Alex Keybl [:akeybl] 2012-06-18 16:20:48 PDT
Given the fact that bug 748701 or bug 751641 are suspected, and this may be a dupe of bug 752340, including Jaws/Josh/Andrew.

Given the high correlation to netapi32.dll, starting this out with Josh.

Also adding qawanted to further attempt the STR in Comment 2.
Comment 8 Andrew McCreight [:mccr8] 2012-06-18 16:39:30 PDT
It does sound very similar to bug 752340.  Regression range here is the same, assuming that the part of comment 1 saying that comment 1 is wrong is wrong.
Comment 9 Martijn Wargers [:mwargers] (not working for Mozilla) 2012-06-23 11:06:48 PDT
Created attachment 636102
testcase

I can reproduce this crash with this testcase, using current trunk build.
The first iframe content is this:
<html xmlns="http://www.w3.org/1999/xhtml">
<object  type="application/x-shockwave-flash" id="a"/>
</html>

Just visit the testcase, and let it reload for a while to get the crash.

https://crash-stats.mozilla.com/report/index/bp-40125c9d-ea67-4f70-96c9-176732120623
0 	mozjs.dll 	mozjs.dll@0x21f5c8 	
1 	xul.dll 	XPCWrappedNative::GetUsedOnly 	js/xpconnect/src/XPCWrappedNative.cpp:824
2 	xul.dll 	nsXPConnect::GetWrappedNativeOfNativeObject 	js/xpconnect/src/nsXPConnect.cpp:1526
3 	xul.dll 	nsJSNPRuntime::OnPluginDestroy 	dom/plugins/base/nsJSNPRuntime.cpp:2021
4 	nspr4.dll 	PR_LogFlush 	nsprpub/pr/src/io/prlog.c:533
5 	xul.dll 	_SEH_epilog4
Comment 10 Marcia Knous [:marcia - use ni] 2012-06-25 07:15:01 PDT
Currently XPCWrappedNative::GetUsedOnly ranks as #17 top browser crash in Aurora while XPCWrappedNative::GetUsedOnly ranks #294.
Comment 11 Andrew McCreight [:mccr8] 2012-07-03 09:03:23 PDT
This should be fixed by bug 752340, maybe in tomorrow's nightly.
Comment 12 Scoobidiver (away) 2012-07-10 07:55:06 PDT
(In reply to Andrew McCreight [:mccr8] from comment #11)
> This should be fixed by bug 752340, maybe in tomorrow's nightly.
It seems so as crashes that happened after the fix in Nightly and Aurora have a different stack: bp-505e8092-4925-451c-a066-ca15c2120709, bp-e28b4e02-b6fe-456e-90a8-682422120709, bp-60124e08-2904-4d34-85b6-f9b0a2120710

*** This bug has been marked as a duplicate of bug 752340 ***
