Closed Bug 760960 Opened 8 years ago Closed 7 years ago

crash in nsNPAPIPluginInstance::GetJSObject with LightShot plugin

Categories

(Core :: Plug-ins, defect, critical)

13 Branch
x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox13 + ---

People

(Reporter: scoobidiver, Assigned: benjamin)

References

Details

(4 keywords, Whiteboard: [qa+])

Crash Data

Attachments

(1 file)

It's #271 top browser crasher in 12.0, #1263 in 13.0b5, #295 in 13.0b6, #14 in 13.0b7. The regression range is:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=5dd4dde1d4eb&tochange=91bf09009594
It's likely a regression from bug Bug 759788.

Signature 	nsNPAPIPluginInstance::GetJSObject(JSContext*, JSObject**) More Reports Search
UUID	dd8261f9-b945-45a3-8c5c-4877e2120602
Date Processed	2012-06-02 12:46:43
Uptime	85
Last Crash	1.6 minutes before submission
Install Age	5.5 minutes since version was first installed.
Install Time	2012-06-02 12:40:29
Product	Firefox
Version	13.0
Build ID	20120531155942
Release Channel	beta
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 37 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_EXEC
Crash Address	0xad80138
User Comments	There was an update in firefox. now its getting crashed again and again...:(
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0a66, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.16.11.9133
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True	
Total Virtual Memory	4294836224
Available Virtual Memory	3844378624
System Memory Use Percentage	50
Available Page File	5849452544
Available Physical Memory	2061496320

Frame 	Module 	Signature 	Source
0 		@0xad80138 	
1 	xul.dll 	nsNPAPIPluginInstance::GetJSObject 	dom/plugins/base/nsNPAPIPluginInstance.cpp:843
2 	xul.dll 	nsHTMLPluginObjElementSH::GetPluginJSObject 	dom/base/nsDOMClassInfo.cpp:9837
3 	xul.dll 	nsHTMLPluginObjElementSH::SetupProtoChain 	dom/base/nsDOMClassInfo.cpp:9614
4 	xul.dll 	xpc_UnmarkGrayObject 	js/xpconnect/src/xpcpublic.h:189
5 	xul.dll 	XPCWrappedNative::GetNewOrUsed 	js/xpconnect/src/XPCWrappedNative.cpp:709
6 	xul.dll 	XPCCallContext::Init 	js/xpconnect/src/XPCCallContext.cpp:157
7 	xul.dll 	XPCCallContext::Init 	js/xpconnect/src/XPCCallContext.cpp:186
8 	xul.dll 	mozilla::dom::binding::XPCOMObjectToJsval 	js/xpconnect/src/dombindings.cpp:113
9 	xul.dll 	mozilla::dom::binding::ListBase<mozilla::dom::binding::ListClass<nsIHTMLCollecti 	js/xpconnect/src/dombindings.cpp:1126

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsNPAPIPluginInstance%3A%3AGetJSObject%28JSContext*%2C+JSObject**%29
Is there any correlation with a specific plugin?
Keywords: needURLs
(In reply to Mats Palmgren [:mats] from comment #1)
> Is there any correlation with a specific plugin?
Here are correlations per module and extension:
    100% (88/88) vs.   0% (169/42706) npLightshot.dll (LightShot plugin)
        100% (88/88) vs.   0% (163/42706) 2.0.5.15
     99% (87/88) vs.   0% (179/42706) {394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B} (LightShot (screenshot tool))
          9% (8/88) vs.   0% (20/42706) 2.0.1
         90% (79/88) vs.   0% (159/42706) 2.5.0
Summary: crash in nsNPAPIPluginInstance::GetJSObject → crash in nsNPAPIPluginInstance::GetJSObject with LightShot plugin
I was able to reproduce this with Firefox 13.0b7 on Windows 7 64-bit with JRE 6u31 and LightShot 2.5.0 from AMO installed.

I don't have a definitive steps to reproduce. Here's what I did:

1) Start Firefox with a new profile
2) Install LightShot 2.5.0 from AMO and restart Firefox
> Thank You for installing LightShot page loads in a 2nd tab
3) Click the feather icon and select an area in the content of the tab
4) Click one of the activity buttons
5) Wait for the function to complete and then repeat from step 3 until a crash occurs
> Crash occurs when clicking the feather after performing one of the functions
With Firefox 13.0b6 I was unable to reproduce this crash, but I did get an OS crash. Here is the stack information.

Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	firefox.exe
  Application Version:	13.0.0.4531
  Application Timestamp:	4fc4317c
  Fault Module Name:	StackHash_d569
  Fault Module Version:	6.1.7601.17514
  Fault Module Timestamp:	4ce7ba58
  Exception Code:	c0000374
  Exception Offset:	000ce653
  OS Version:	6.1.7601.2.1.0.256.48
  Locale ID:	1033
  Additional Information 1:	d569
  Additional Information 2:	d569a0891ed95f795592a1bfb725bdb8
  Additional Information 3:	791b
  Additional Information 4:	791baffc9e04f52f5d35d25d1190bd53
Attached file stack
It's easy to reproduce in a local mozilla-inbound debug build too.
The crash is in npLightshot.dll.
Keywords: needURLs
(In reply to Scoobidiver from comment #2)
> (In reply to Mats Palmgren [:mats] from comment #1)
> > Is there any correlation with a specific plugin?
> Here are correlations per module and extension:
>     100% (88/88) vs.   0% (169/42706) npLightshot.dll (LightShot plugin)
>         100% (88/88) vs.   0% (163/42706) 2.0.5.15
>      99% (87/88) vs.   0% (179/42706) {394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B}
> (LightShot (screenshot tool))
>           9% (8/88) vs.   0% (20/42706) 2.0.1
>          90% (79/88) vs.   0% (159/42706) 2.5.0

Lightshot only represents <1% of crashes in this bug, however. Based upon volume, doesn't this appear to be taking the place of bug 760190, which appeared to take the place of bug 719117?

We need to continue working on this in case we decide to roll a 13.0.1 for this issue. It'd be great to get a possible fix into our next beta.
Assignee: nobody → benjamin
Blocks: 759788
Today's correlations confirm it's 100% correlated to LigthShot:
* 13:0:
    100% (62/62) vs.   0% (117/30293) npLightshot.dll
     98% (61/62) vs.   0% (125/30293) {394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B}
* 12.0:
    100% (200/201) vs.   0% (319/101438) npLightshot.dll
     98% (196/201) vs.   0% (314/101438) {394DCBA4-1F92-4f8e-8EC9-8D2CB90CB69B}
It's #21 top browser crasher in 13.0b7 while only #191 in 12.0.
Based on the dupe volume in 13.0b7, it seems more easily reproducible in 13.0b7.
Adding [qa+] to track for QA. Please add qawanted if there is something specific you want tested.
Whiteboard: [qa+]
(In reply to Scoobidiver from comment #7)
> Today's correlations confirm it's 100% correlated to LigthShot:

Looks like I misread the correlation report. We should consider blocklisting.

First, QA - can you confirm that with the add-on disabled your STR are impossible?
Keywords: qawanted
(In reply to Alex Keybl [:akeybl] from comment #9)
> (In reply to Scoobidiver from comment #7)
> > Today's correlations confirm it's 100% correlated to LigthShot:
> 
> Looks like I misread the correlation report. We should consider blocklisting.
> 
> First, QA - can you confirm that with the add-on disabled your STR are
> impossible?

Not sure what you are asking for since my STR require Lightshot.
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #10)
> (In reply to Alex Keybl [:akeybl] from comment #9)
> > (In reply to Scoobidiver from comment #7)
> > > Today's correlations confirm it's 100% correlated to LigthShot:
> > 
> > Looks like I misread the correlation report. We should consider blocklisting.
> > 
> > First, QA - can you confirm that with the add-on disabled your STR are
> > impossible?
> 
> Not sure what you are asking for since my STR require Lightshot.

Babylon, for instance, installs both a DLL and an add-on - both of which change Firefox's behavior. It sounds like the answer is that we haven't found STR that work with the add-on disabled.
CC'ing Jorge on this bug to discuss the possibility of blocklisting LightShot.

* Crash comments suggest that this crash occurs on each browser startup for some users
* 44.746% of crashes are happening in the first minute
* On the flip side, our STR have not caused startup crashes yet

I think we should consider it given the high number of startup crashes. Anthony believes that an add-on blocklist addition will do the trick.
(In reply to Alex Keybl [:akeybl] from comment #11)
> > Not sure what you are asking for since my STR require Lightshot.
> 
> Babylon, for instance, installs both a DLL and an add-on - both of which
> change Firefox's behavior. It sounds like the answer is that we haven't
> found STR that work with the add-on disabled.

Right, we've not found STR that work with the add-on disabled. Though, we've not been instructed of correlations or leads which do not involve this add-on. I'm not convinced blocking LightShot will eliminate these crashes for ALL users, but it should remove LightShot from the equation and allow us to drill down if necessary.
Keywords: reproducible
I don't see a lightshot 2.5 on AMO:

https://addons.mozilla.org/en-US/firefox/addon/lightshot/versions/?page=1

lists 
Version 2.6.0 Released June 4, 2012 660.5 KB Works with Firefox 2.0 and later

    Source code released under Custom License
    What's this?

Version 2.0.1 Released June 18, 2011 660.5 KB Works with Firefox 2.0 and later
* moved from XPCOM to NPAPI plugin
* fixed 16bit color probrem (black screenshots)
* added "Search similar images" 

Is it possible that they released a fix late yesterday? Assuming there actually was a 2.5 version, can I get a copy of it? Cn I get in contact with the developers to discuss whether the problem was our or just in the plugin?
Yeah, the developer removed it from AMO yesterday. We have an archived version in bug 761339:

https://bugzilla.mozilla.org/attachment.cgi?id=630001
Depends on: 761339
There are 2 crashes in 13.0.1.
Keywords: topcrash
I worked with them, they had a refcounting error in NPRuntime goop which is now fixed in newer versions.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.