Last Comment Bug 767882 - [adbe 3283045] crash in F_2000061728 @ PluginDestructionGuard::PluginDestructionGuard from Flash 11.3.300.262
: [adbe 3283045] crash in F_2000061728 @ PluginDestructionGuard::PluginDestruct...
[flash-11.3][fixed in Flash 11.3.300....
: crash, topcrash
Product: Core
Classification: Components
Component: Plug-ins (show other bugs)
: 13 Branch
: x86 Windows 7
-- critical (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: Benjamin Smedberg [:bsmedberg]
: 767883 768385 (view as bug list)
Depends on:
Blocks: 772731 767775
  Show dependency treegraph
Reported: 2012-06-25 01:07 PDT by Scoobidiver (away)
Modified: 2012-07-19 23:29 PDT (History)
8 users (show)
See Also:
Crash Signature:
[@ F_2000061728_____________________________________________________________ ]
[@ msvcr100.dll@0x8af06 ]
[@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ @0x0 | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<nsIDOMGeoPositionCoords>::nsRefPtr<nsIDOMGeoPositionCoords>(nsIDOMGeoPositionCoords*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<nsDOMStringMap>::nsRefPtr<nsDOMStringMap>(nsDOMStringMap*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<nsSplitterFrameInner>::nsRefPtr<nsSplitterFrameInner>(nsSplitterFrameInner*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<nsSocketTransport>::nsRefPtr<nsSocketTransport>(nsSocketTransport*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<nsISMILAnimationElement>::nsRefPtr<nsISMILAnimationElement>(nsISMILAnimationElement*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<mozilla::a11y::HTMLTextFieldAccessible>::nsRefPtr<mozilla::a11y::HTMLTextFieldAccessible>(mozilla::a11y::HTMLTextFieldAccessible*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<nsDownload>::nsRefPtr<nsDownload>(nsDownload*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<nsSVGFECompositeElement>::nsRefPtr<nsSVGFECompositeElement>(nsSVGFECompositeElement*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ nsRefPtr<`anonymous namespace''::SetWithCredentialsRunnable>::nsRefPtr<`anonymous namespace''::SetWithCredentialsRunnable>(`anonymous namespace''::SetWithCredentialsRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ]
[@ gfxTextRun::SetPotentialLineBreaks(unsigned int, unsigned int, unsigned char*, gfxContext*) ]
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Scoobidiver (away) 2012-06-25 01:07:20 PDT
It's #32 top browser crasher in 14.0b8.
There are similar crash signatures containing PluginDestructionGuard::PluginDestructionGuard across all versions but not at this crash volume.
The regression range is:
It might be a regression from bug 758361.

It's correlated to the latest Flash version:
11.3.300.262 	99.615 % 	259 	0.385 % 	1 

Signature 	nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) More Reports Search
UUID	cc69dd4f-6b16-4ab7-a132-b0e6e2120625
Date Processed	2012-06-25 07:07:50
Uptime	10386
Last Crash	2.9 hours before submission
Install Age	3.1 days since version was first installed.
Install Time	2012-06-22 05:07:19
Product	Firefox
Version	14.0
Build ID	20120619191901
Release Channel	beta
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Address	0x4
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9555, AdapterSubsysID: 3661103c, AdapterDriverVersion: 8.672.4.0
Has dual GPUs. GPU #2: AdapterVendorID2: 0x8086, AdapterDeviceID2: 0x2a42, AdapterSubsysID2: 3661103c, AdapterDriverVersion2: 8.672.4.0D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x9555
Total Virtual Memory	4294836224
Available Virtual Memory	3771064320
System Memory Use Percentage	46
Available Page File	5893378048
Available Physical Memory	2262544384

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRefPtr<`anonymous namespace'::KillCloseEventRunnable>::nsRefPtr<`anonymous nam 	obj-firefox/dist/include/nsAutoPtr.h:932
1 	xul.dll 	PluginDestructionGuard::PluginDestructionGuard 	dom/plugins/base/nsPluginHost.h:358
2 	xul.dll 	mozilla::plugins::parent::_invalidaterect 	dom/plugins/base/nsNPAPIPlugin.cpp:1249
3 	NPSWF32_11_3_300_262.dll 	F_2000061728_____________________________________________________________ 	F638169906_____________________________________________________________________________________________:1164
4 	NPSWF32_11_3_300_262.dll 	F1760839211_____________________________________________________________________ 	F1116131810____________________________________________________________________:1162
5 	NPSWF32_11_3_300_262.dll 	F1470906166_________________________________________________ 	F638169906_____________________________________________________________________________________________:942
6 	NPSWF32_11_3_300_262.dll 	F909392315_____________________________________ 	F_197916418____________________________________________________________________:644
7 	NPSWF32_11_3_300_262.dll 	F_305312235__________________________________________ 	F638169906_____________________________________________________________________________________________:914
8 	user32.dll 	InternalCallWinProc 	
9 	user32.dll 	UserCallWinProcCheckWow 	
10 	user32.dll 	DispatchMessageWorker 	
11 	user32.dll 	DispatchMessageW 	
12 	xul.dll 	nsAppShell::ProcessNextNativeEvent 	widget/windows/nsAppShell.cpp:351
13 	xul.dll 	nsBaseAppShell::OnProcessNextEvent 	widget/xpwidgets/nsBaseAppShell.cpp:306
14 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:618
15 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:114
16 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/
17 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/
18 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
19 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:267
20 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:295
21 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3780
22 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3857
23 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3933
24 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
25 	firefox.exe 	__tmainCRTStartup 	crtexe.c:552
26 	kernel32.dll 	BaseThreadInitThunk 	
27 	ntdll.dll 	__RtlUserThreadStart 	
28 	ntdll.dll 	_RtlUserThreadStart

More reports at:*%29+|+PluginDestructionGuard%3A%3APluginDestructionGuard%28nsNPAPIPluginInstance*%29
Comment 1 User image Scoobidiver (away) 2012-06-25 01:17:15 PDT
It might be related to bug 767883 that affects all Firefox versions.
Comment 2 User image Benjamin Smedberg [:bsmedberg] 2012-06-25 08:16:36 PDT
On nightly the signature is changing every night:

nsRefPtr<mozilla::a11y::HTMLTextFieldAccessible>::nsRefPtr<mozilla::a11y::HTMLTextFieldAccessible>(mozilla::a11y::HTMLTextFieldAccessible*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)
and PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) 

nsCOMPtr<nsICacheEntryInfo>::nsCOMPtr<nsICacheEntryInfo>(nsICacheEntryInfo*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)

nsCOMPtr<nsISHEntry>::nsCOMPtr<nsISHEntry>(nsISHEntry*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) 

The signature for 14.0b7 is:

nsRefPtr<nsDOMStringMap>::nsRefPtr<nsDOMStringMap>(nsDOMStringMap*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) 

I suspect that this is a bug related to Flash 11.3 which happens to show up around the same time as 14.0b7. Does this show across all versions equally, or primarily on Vista/Win7? I don't know yet whether this is a Flash bug or a Firefox bug, but given what I know about the Flash sandbox I expect it may be a Flash bug.
Comment 3 User image Benjamin Smedberg [:bsmedberg] 2012-06-25 08:20:27 PDT
Also, it appears that every crash I've loaded here has Flash running in-process, which is a configuration that Adobe may not have checked and may be relying on additional race protections inherent in OOPP which are not present when running in-process.
Comment 4 User image Marcia Knous [:marcia - use ni] 2012-06-25 09:18:18 PDT
Looks as if Win 7/Vista hit this more on Beta with nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)

Windows 7 	79.615 %	207
Windows Vista 	17.308 %	 45
Windows 8 	2.692 %	         7
Windows XP 	0.385 %	         1 (

In reply to Benjamin Smedberg  [:bsmedberg] from comment #2)

> I suspect that this is a bug related to Flash 11.3 which happens to show up
> around the same time as 14.0b7. Does this show across all versions equally,
> or primarily on Vista/Win7? I don't know yet whether this is a Flash bug or
> a Firefox bug, but given what I know about the Flash sandbox I expect it may
> be a Flash bug.
Comment 5 User image Scoobidiver (away) 2012-06-25 09:38:56 PDT
It's #270 crasher in 14.0b7 released on June 14 while #32 in 14.0b8 released on June 22. As Flash 11.3.300.262 was released on June 21, it's not a regression.

It's also #53 crasher in 13.0.1.
Comment 6 User image Scoobidiver (away) 2012-06-26 03:29:33 PDT
*** Bug 768385 has been marked as a duplicate of this bug. ***
Comment 7 User image Alex Keybl [:akeybl] 2012-06-26 12:56:02 PDT
Actually, we'll just make sure to include this in a roll-up of Flash 11.3 issues to Adobe, since this bug is apparent in multiple versions of Firefox. No need to track for release.
Comment 8 User image Benjamin Smedberg [:bsmedberg] 2012-06-29 05:27:46 PDT
*** Bug 767883 has been marked as a duplicate of this bug. ***
Comment 9 User image smadayag 2012-06-29 10:34:34 PDT
are there any steps to reproduce for this?  unfortunately, i'm not able to reproduce with the player running in process.  i ran through our automation and did some casual URL testing without any browser crashes.  thanks...
Comment 10 User image Benjamin Smedberg [:bsmedberg] 2012-07-09 07:31:21 PDT
I don't have specific STR (you could probably deduce them better from the Flash backtrace), but I strongly suspect that this is a race condition. The user is closing a page while a Flash movie is running. As or after we call NPP_Destroy on the instance, the sandbox process is still sending invalidate messages (the crashing call is NPN_InvalidateRect on a dead NPP instance).

This would only be a problem for windowless plugins.
Comment 11 User image Benjamin Smedberg [:bsmedberg] 2012-07-09 09:22:27 PDT
Also, I believe bug 767775 is the equivalent crash which occurs when OOPP is enabled.
Comment 12 User image smadayag 2012-07-10 11:26:00 PDT
thanks.  we are tracking internally in #3283045.  it is currently in review...
Comment 13 User image Benjamin Smedberg [:bsmedberg] 2012-07-13 13:13:57 PDT
Kairo/scoobidiver, can you check whether this signature is gone or better with FP 11.3.300.265?
Comment 14 User image Jeromie Clark 2012-07-19 18:50:49 PDT
We're closing 3283045 as Fixed on our side.  If this issue resurfaces, please let me know.
Comment 15 User image Scoobidiver (away) 2012-07-19 23:29:40 PDT
Based on crash stats, it's fixed in Flash 11.3.300.265.

Note You need to log in before you can comment on or make changes to this bug.