The default bug view has changed. See this FAQ.

[adbe 3283045] crash in F_2000061728 @ PluginDestructionGuard::PluginDestructionGuard from Flash 11.3.300.262

RESOLVED FIXED

Status

()

Core
Plug-ins
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Unassigned)

Tracking

(Blocks: 1 bug, {crash, topcrash})

13 Branch
x86
Windows 7
crash, topcrash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox13-, firefox14-)

Details

(Whiteboard: [flash-11.3][fixed in Flash 11.3.300.265], crash signature)

(Reporter)

Description

5 years ago
It's #32 top browser crasher in 14.0b8.
There are similar crash signatures containing PluginDestructionGuard::PluginDestructionGuard across all versions but not at this crash volume.
The regression range is:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=1cbedcda8204&tochange=f8d3886db65a
It might be a regression from bug 758361.

It's correlated to the latest Flash version:
11.3.300.262 	99.615 % 	259
11.2.202.235 	0.385 % 	1 

Signature 	nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) More Reports Search
UUID	cc69dd4f-6b16-4ab7-a132-b0e6e2120625
Date Processed	2012-06-25 07:07:50
Uptime	10386
Last Crash	2.9 hours before submission
Install Age	3.1 days since version was first installed.
Install Time	2012-06-22 05:07:19
Product	Firefox
Version	14.0
Build ID	20120619191901
Release Channel	beta
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x4
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9555, AdapterSubsysID: 3661103c, AdapterDriverVersion: 8.672.4.0
Has dual GPUs. GPU #2: AdapterVendorID2: 0x8086, AdapterDeviceID2: 0x2a42, AdapterSubsysID2: 3661103c, AdapterDriverVersion2: 8.672.4.0D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
EMCheckCompatibility	True
Adapter Vendor ID	0x1002
Adapter Device ID	0x9555
Total Virtual Memory	4294836224
Available Virtual Memory	3771064320
System Memory Use Percentage	46
Available Page File	5893378048
Available Physical Memory	2262544384

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRefPtr<`anonymous namespace'::KillCloseEventRunnable>::nsRefPtr<`anonymous nam 	obj-firefox/dist/include/nsAutoPtr.h:932
1 	xul.dll 	PluginDestructionGuard::PluginDestructionGuard 	dom/plugins/base/nsPluginHost.h:358
2 	xul.dll 	mozilla::plugins::parent::_invalidaterect 	dom/plugins/base/nsNPAPIPlugin.cpp:1249
3 	NPSWF32_11_3_300_262.dll 	F_2000061728_____________________________________________________________ 	F638169906_____________________________________________________________________________________________:1164
4 	NPSWF32_11_3_300_262.dll 	F1760839211_____________________________________________________________________ 	F1116131810____________________________________________________________________:1162
5 	NPSWF32_11_3_300_262.dll 	F1470906166_________________________________________________ 	F638169906_____________________________________________________________________________________________:942
6 	NPSWF32_11_3_300_262.dll 	F909392315_____________________________________ 	F_197916418____________________________________________________________________:644
7 	NPSWF32_11_3_300_262.dll 	F_305312235__________________________________________ 	F638169906_____________________________________________________________________________________________:914
8 	user32.dll 	InternalCallWinProc 	
9 	user32.dll 	UserCallWinProcCheckWow 	
10 	user32.dll 	DispatchMessageWorker 	
11 	user32.dll 	DispatchMessageW 	
12 	xul.dll 	nsAppShell::ProcessNextNativeEvent 	widget/windows/nsAppShell.cpp:351
13 	xul.dll 	nsBaseAppShell::OnProcessNextEvent 	widget/xpwidgets/nsBaseAppShell.cpp:306
14 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:618
15 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:114
16 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
17 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
18 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:189
19 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:267
20 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:295
21 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3780
22 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3857
23 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3933
24 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:107
25 	firefox.exe 	__tmainCRTStartup 	crtexe.c:552
26 	kernel32.dll 	BaseThreadInitThunk 	
27 	ntdll.dll 	__RtlUserThreadStart 	
28 	ntdll.dll 	_RtlUserThreadStart

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsRefPtr%3C%60anonymous+namespace%27%27%3A%3AKillCloseEventRunnable%3E%3A%3AnsRefPtr%3C%60anonymous+namespace%27%27%3A%3AKillCloseEventRunnable%3E%28%60anonymous+namespace%27%27%3A%3AKillCloseEventRunnable*%29+|+PluginDestructionGuard%3A%3APluginDestructionGuard%28nsNPAPIPluginInstance*%29
(Reporter)

Comment 1

5 years ago
It might be related to bug 767883 that affects all Firefox versions.
On nightly the signature is changing every night:

20120624030537:
nsRefPtr<mozilla::a11y::HTMLTextFieldAccessible>::nsRefPtr<mozilla::a11y::HTMLTextFieldAccessible>(mozilla::a11y::HTMLTextFieldAccessible*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)
and PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) 

20120623030532:
nsCOMPtr<nsICacheEntryInfo>::nsCOMPtr<nsICacheEntryInfo>(nsICacheEntryInfo*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)

20120622030533:
nsCOMPtr<nsISHEntry>::nsCOMPtr<nsISHEntry>(nsISHEntry*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) 

The signature for 14.0b7 is:

nsRefPtr<nsDOMStringMap>::nsRefPtr<nsDOMStringMap>(nsDOMStringMap*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) 

I suspect that this is a bug related to Flash 11.3 which happens to show up around the same time as 14.0b7. Does this show across all versions equally, or primarily on Vista/Win7? I don't know yet whether this is a Flash bug or a Firefox bug, but given what I know about the Flash sandbox I expect it may be a Flash bug.
Crash Signature: [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)] → [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)] [@ n&hellip;
Also, it appears that every crash I've loaded here has Flash running in-process, which is a configuration that Adobe may not have checked and may be relying on additional race protections inherent in OOPP which are not present when running in-process.
(Reporter)

Updated

5 years ago
Crash Signature: [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)] [@ n&hellip; → [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)] [@ nsR&hellip;
Summary: crash in PluginDestructionGuard::PluginDestructionGuard with Flash 11.3 → crash in PluginDestructionGuard::PluginDestructionGuard from Flash 11.3.300.262
Looks as if Win 7/Vista hit this more on Beta with nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)

Windows 7 	79.615 %	207
Windows Vista 	17.308 %	 45
Windows 8 	2.692 %	         7
Windows XP 	0.385 %	         1 (

In reply to Benjamin Smedberg  [:bsmedberg] from comment #2)

> 
> I suspect that this is a bug related to Flash 11.3 which happens to show up
> around the same time as 14.0b7. Does this show across all versions equally,
> or primarily on Vista/Win7? I don't know yet whether this is a Flash bug or
> a Firefox bug, but given what I know about the Flash sandbox I expect it may
> be a Flash bug.
(Reporter)

Comment 5

5 years ago
It's #270 crasher in 14.0b7 released on June 14 while #32 in 14.0b8 released on June 22. As Flash 11.3.300.262 was released on June 21, it's not a regression.

It's also #53 crasher in 13.0.1.
tracking-firefox13: --- → ?
Keywords: regression
Version: 14 Branch → 13 Branch
(Reporter)

Updated

5 years ago
Duplicate of this bug: 768385
(Reporter)

Updated

5 years ago
Crash Signature: [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)] [@ nsR&hellip; → [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)] [@ nsR&hellip;

Updated

5 years ago
tracking-firefox13: ? → -
tracking-firefox14: ? → +

Comment 7

5 years ago
Actually, we'll just make sure to include this in a roll-up of Flash 11.3 issues to Adobe, since this bug is apparent in multiple versions of Firefox. No need to track for release.
tracking-firefox14: + → -
(Reporter)

Updated

5 years ago
Crash Signature: [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*)] [@ nsR&hellip; → [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | Pl&hellip;
Summary: crash in PluginDestructionGuard::PluginDestructionGuard from Flash 11.3.300.262 → crash in F_2000061728 @ PluginDestructionGuard::PluginDestructionGuard from Flash 11.3.300.262
(Reporter)

Updated

5 years ago
Crash Signature: [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>(`anonymous namespace''::KillCloseEventRunnable*) | Pl&hellip; → [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ @0x0 | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namesp&hellip;
Whiteboard: [flash-11.3]
Duplicate of this bug: 767883
(Reporter)

Updated

5 years ago
Crash Signature: [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ @0x0 | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ nsRefPtr<`anonymous namespace''::KillCloseEventRunnable>::nsRefPtr<`anonymous namesp&hellip; → [@ F_2000061728_____________________________________________________________] [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ @0x0 | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ nsRef&hellip;

Comment 9

5 years ago
are there any steps to reproduce for this?  unfortunately, i'm not able to reproduce with the player running in process.  i ran through our automation and did some casual URL testing without any browser crashes.  thanks...
(Reporter)

Updated

5 years ago
Crash Signature: [@ F_2000061728_____________________________________________________________] [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ @0x0 | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ nsRef&hellip; → [@ F_2000061728_____________________________________________________________] [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ @0x0 | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ nsRef&hellip;
(Reporter)

Updated

5 years ago
Crash Signature: [@ F_2000061728_____________________________________________________________] [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ @0x0 | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ nsRef&hellip; → [@ F_2000061728_____________________________________________________________] [@ msvcr100.dll@0x8af06 ] [@ PluginDestructionGuard::PluginDestructionGuard(nsNPAPIPluginInstance*) ] [@ @0x0 | PluginDestructionGuard::PluginDestructionGuard(nsNPAPIP&hellip;
I don't have specific STR (you could probably deduce them better from the Flash backtrace), but I strongly suspect that this is a race condition. The user is closing a page while a Flash movie is running. As or after we call NPP_Destroy on the instance, the sandbox process is still sending invalidate messages (the crashing call is NPN_InvalidateRect on a dead NPP instance).

This would only be a problem for windowless plugins.
Also, I believe bug 767775 is the equivalent crash which occurs when OOPP is enabled.
Blocks: 767775

Comment 12

5 years ago
thanks.  we are tracking internally in #3283045.  it is currently in review...
Summary: crash in F_2000061728 @ PluginDestructionGuard::PluginDestructionGuard from Flash 11.3.300.262 → [adbe 3283045] crash in F_2000061728 @ PluginDestructionGuard::PluginDestructionGuard from Flash 11.3.300.262
Blocks: 772731
Kairo/scoobidiver, can you check whether this signature is gone or better with FP 11.3.300.265?

Comment 14

5 years ago
We're closing 3283045 as Fixed on our side.  If this issue resurfaces, please let me know.
(Reporter)

Comment 15

5 years ago
Based on crash stats, it's fixed in Flash 11.3.300.265.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Whiteboard: [flash-11.3] → [flash-11.3][fixed in Flash 11.3.300.265]
You need to log in before you can comment on or make changes to this bug.