Leaving an applet page crashed browser - Trunk & M09 [@ nsPluginInstanceOwner::~nsPluginInstanceOwner]

VERIFIED FIXED in mozilla0.9


18 years ago
5 years ago


(Reporter: joe.chou, Assigned: blizzard)


({crash, topcrash})

Mac System 9.x
crash, topcrash

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [critical to mozilla 0.9] [seeking reviews], crash signature, URL)


(6 attachments)



18 years ago
Running a recent trunk build (at least after April 13th) on Linux and Solaris,
after loading a page with applets (i.e., www.java.sun.com), then either hit the
Back button or modify thr URL to go to another page, the browser will crash.

Comment 1

18 years ago

*** This bug has been marked as a duplicate of 75070 ***
Last Resolved: 18 years ago
Resolution: --- → DUPLICATE

Comment 2

18 years ago
------- Additional Comments From edburns@acm.org 2001-04-12 15:21 -------

I'm finding that it's segfaulting when NS_RELEASING the nsIPluginInstance that
is the java plugin.  This is here:


  if (nsnull != mInstance)
    if (mPluginHost)

This translates to the release method in 


I believe.  I'm re-assinging this to Jim so his team can look at it.


------- Additional Comments From edburns@acm.org 2001-04-12 15:44 -------

*** Bug 75515 has been marked as a duplicate of this bug. ***

------- Additional Comments From edburns@acm.org 2001-04-12 15:47 -------

It turns out that in the case of a page with more than one applet, only the
NS_RELEASE(mInstance) call on the last applet will crash.

------- Additional Comments From Robert Kaiser 2001-04-13 07:28 -------

This seems to be happening for everyone on *ix Systems when exiting a page with
a Java Plugin, interpreting what I read in bug 75515.
Should we nominate this for 0.9?

------- Additional Comments From edburns@acm.org 2001-04-13 14:41 -------

change subject to be more accurate.

------- Additional Comments From edburns@acm.org 2001-04-13 14:42 -------

*** Bug 75862 has been marked as a duplicate of this bug. ***

------- Additional Comments From edburns@acm.org 2001-04-13 14:45 -------

Jim, can you please have someone from your team investigate this bug?



------- Additional Comments From edburns@acm.org 2001-04-13 14:51 -------

*** Bug 73541 has been marked as a duplicate of this bug. ***

------- Additional Comments From edburns@acm.org 2001-04-16 22:51 -------

*** Bug 75565 has been marked as a duplicate of this bug. ***

------- Additional Comments From edburns@acm.org 2001-04-16 22:52 -------

There are at least four, and probably more bugs that are marked as dup of this 
bug.  This bug is real important.


------- Additional Comments From jpatel@netscape.com 2001-04-17 14:21 -------

Adding crash, topcrash keywords, Trunk and [@ libgklayout.so] to summary.  This 
crash has been on the Talkback topcrash list under that stack signature for a 
few days now.

The libgklayout.so crash is very easily reproducible, just go to this url:

Here are a few Talkback entries for that crash:

libgklayout.so + 0x5991d (0x4048891d) ecd5fd41
        Build: 2001041106 CrashDate: 2001-04-12 UptimeMinutes: 87  Total: 425 
        OS: Linux 2.4.1
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=29004983
     (29004983) URL: www.elendor.net
     (29004983) Comments: switched from www.elendor.net to cnn.com... This has 
been happening for several days and involves going to any java applet holding 
page and then leaving it. The applets run fine

libgklayout.so + 0x599cd (0x4103c9cd) 95475b04
        Build: 2001041208 CrashDate: 2001-04-12 UptimeMinutes: 1  Total: 48 
        OS: Linux 2.2.14-5.0smp
         Detailed : http://climate/reports/incidenttemplate.cfm?bbid=29021948
     (29021948) URL: clicked roofing materials link
     (29021948) Comments:  http://www.reroofingshowroom.com/

------- Additional Comments From edburns@acm.org 2001-04-18 13:16 -------

This is happening on Solaris with today's trunk.

------- Additional Comments From Joe Chou 2001-04-18 18:32 -------

This problem happened on trunk build on Unix, but not on OEM build. Based on the
crash stack, the problem of TalkBack reports, going to "http://www.elendor.net"
then hit Back button and crashed, has the identical stack (see below). Also the
crash happens as long as you are leaving an applet page (to a non-applet page or
another applet page or any page), and you don't have to click Back button, you
may change the URL and return to crash it. I have not tried on Waterfall yet,
since my build still has compiling problems, and I tried to launch George's
build without success.

Here is the top of the crash stack:
0xfb9a7eb8 in nsPluginInstanceOwner::~nsPluginInstanceOwner (this=0x753668, 
    __in_chrg=3) at nsObjectFrame.cpp:1506
1506        NS_RELEASE(mInstance);
(gdb) where
#0  0xfb9a7eb8 in nsPluginInstanceOwner::~nsPluginInstanceOwner (
    this=0x753668, __in_chrg=3) at nsObjectFrame.cpp:1506
#1  0xfb9a8474 in nsPluginInstanceOwner::Release (this=0x753668)
    at nsObjectFrame.cpp:1583
#2  0xfb9a2df4 in nsObjectFrame::~nsObjectFrame (this=0x7ca4dc, __in_chrg=3)
    at nsObjectFrame.cpp:267
#3  0xfb960a98 in nsFrame::Destroy (this=0x7ca4dc, aPresContext=0x725cc0)
    at nsFrame.cpp:427
#4  0xfb9594f4 in nsContainerFrame::Destroy (this=0x7ca4dc, 
    aPresContext=0x725cc0) at nsContainerFrame.cpp:98
#5  0xfb9a3b54 in nsObjectFrame::Destroy (this=0x7ca4dc, aPresContext=0x725cc0)
    at nsObjectFrame.cpp:471
#6  0xfb998368 in nsLineBox::DeleteLineList (aPresContext=0x725cc0, 
    aLine=0x7cab80) at nsLineBox.cpp:251
#7  0xfb942738 in nsBlockFrame::Destroy (this=0x7ca378, aPresContext=0x725cc0)
    at nsBlockFrame.cpp:1240
#8  0xfbb3dd6c in nsFrameList::DestroyFrames (this=0x7ca350, 
    aPresContext=0x725cc0) at nsFrameList.cpp:41
 #9  0xfb9594e4 in nsContainerFrame::Destroy (this=0x7ca31c, 
    aPresContext=0x725cc0) at nsContainerFrame.cpp:95
#10 0xfbb3dd6c in nsFrameList::DestroyFrames (this=0x80afa0, 
    aPresContext=0x725cc0) at nsFrameList.cpp:41

------- Additional Comments From Brendan Eich 2001-04-19 11:05 -------

What's the diagnosis?  Memory corruption?  Ref-count underflow (one too many
RELEASES on what mInstance pointed to)?


------- Additional Comments From Joe Chou 2001-04-19 11:18 -------

Based on the preliminary trace, in both a crashing case and a non-crash case,
the destructor was invoked twice, and in both times the pointer of minstance
seemed valid (not null nor strange value), but it crashed in the second time of
calling the release in the crashing case. It seems a memory corruption, but need
further investigation. 

Ever confirmed: true


18 years ago


18 years ago
Resolution: DUPLICATE → ---

Comment 3

18 years ago
This bug is created since the original problem of 75070 is a different problem,
which is a duplicate of 74531. This bug is to address a more serious problem
that the browser crashes when leaving any applet page.


18 years ago
Whiteboard: critical to mozilla 0.9

Comment 4

18 years ago
adding keywords from bug 75070, adding mozilla0.9 to reflect status whiteboard
summary of 75070 was "Trunk crash [@ libgklayout.so](SEGV) upon leaving a
java-enabled page (was: Segmentation fault (libgklayout.so), debugfriendly build?)"
Keywords: crash, mozilla0.9, mozilla0.9.1, topcrash

Comment 5

18 years ago
*** Bug 77163 has been marked as a duplicate of this bug. ***

Comment 6

18 years ago
Joe, I think the reason that ~nsPluginInstanceOwner is called twice is: there 
are two applets in the page.  I think the crash happens when the refcount goes 
to zero.

Comment 7

18 years ago
*** Bug 77220 has been marked as a duplicate of this bug. ***

Comment 8

18 years ago
Adding Trunk [@ nsPluginInstanceOwner::~nsPluginInstanceOwner] to summary for 
tracking.  Here is some info about the crash from today's Talkback topcrash 

nsPluginInstanceOwner::~nsPluginInstanceOwner   24 
     First BBID :29071286
     Last BBID  :29481330
     Min Runtime :43
     Max Runtime :25086
     First Appearance Date : 2001-04-13
     Last Appearance Date : 2001-04-22
     First BuildID : 2001041306
     Last BuildID : 2001042207

Some user commments and URLs:
     (29481330) URL: www.rgbgallery.com
     (29455441) URL: www.space.com
     (29455441) Comments: Pulling up space.com homepage after failing to get 
NASA TV streaming via the Real plugin at http://www.unitedspacealliance.com
     (29455158) URL: www.answermed.com
     (29291627) URL: 
     (29291627) Comments: leaving the site after playing by clicking on a link
     (29290566) URL: 
     (29290566) Comments: this time it was already stopped
     (29290519) URL: 
     (29290519) Comments: While the video is running
     (29290159) Comments: starting a realplayer in a window
     (29289963) Comments: sending a mail when switching to another mozilla 
window with a realplayer in it (stopped)
     (29283816) Comments: launcing a video from yahoo crashes.
     (29085103) URL: news/foo.com (crash on startup)
     (29071286) URL: www.vw.com
     (29071286) Comments: I was closing the real player plugin powered RadioVW 
when it crashed the browser

Summary: Leaving an applet page crashed browser → Leaving an applet page crashed browser - Trunk [@ nsPluginInstanceOwner::~nsPluginInstanceOwner]

Comment 9

18 years ago
we gotta get this fixed for 0.9...  anyone know what's going on yet, 
or what the patch might be?
Target Milestone: --- → mozilla0.9

Comment 10

18 years ago
cc'ing Peter Lubczynski for possible plugin involvement.

Comment 11

18 years ago
Eww...thanks for the cc:...It could be one of my checkins to nsObjectFrame.cpp 
but since it's been happening since the 12th and Ed Burns says:

>>------- Additional Comments From edburns@acm.org 2001-04-12 15:47 -------
>>It turns out that in the case of a page with more than one applet, only the
>>NS_RELEASE(mInstance) call on the last applet will crash.

It could also possibly be some other checkins to plugins which shutdown plugins 
when the last instance is destroyed or because of recent fixed to when Java 
starts (not till needed). cc:ing Andrei and Sean
Gussing for a fix would be to make sure that 
mPluginHost->StopPluginInstance(mInstance) isn't called for the last instance of 

Taking a look.....does someone have java and a fresh build on their Linux 
machine? Does this happen on Windows or Mac too?

Comment 12

18 years ago
This crashing problem does not happen on Windows.

Comment 13

18 years ago
nsPluginHostImpl.cpp changed on Apr 11 for bug 74485.  Part of the patch 
affected nsPluginHostImpl::StopPluginInstance() which is called from 
nsObjectFrame.cpp right before the NS_RELEASE of the plugin instance.

If the crash is actually occurring in the call to nsIPluginInstance->Release 
then it seems like there's a ref cnt problem and the mInstance value, which was 
once valid, is no longer valid.  Joe: can you confirm this?

What does the java plugin instance return for nsIPluginInstance->GetValue
(nsPluginInstanceVariable_DoCacheBool, ...)?

Comment 14

18 years ago
I'll give it a shot (removing the patch of 74485) on Solaris today, ans see if
the problem would go away.

Comment 15

18 years ago
Happens to me on a fresh pull on Linux today

Comment 16

18 years ago
Sean, I put some printf's in on someone machine and I confrim that the Java 
plugin is NOT being cached. I bet expanding the check to Java would solve this 
crash. I'll see if I can create a patch but what's the status of mozilla0.9?

Comment 17

18 years ago
Sean, I see why you are asking that. If it returns "don't cache", and I beleive 
it does, then StopPluginInstance will remove it from the active instance list, 
and if this is a last instance of the plugin we also fire TryUnloadPlugin which 
calls nsIPlugin::Shutdown and releases nsIPlugin. And then we come back to the 
nsPluginInstanceOwner::~nsPluginInstanceOwner and do this NS_RELEASE(mInstance). 
Could this be a problem? I would expect no instances existing by this point.

Comment 18

18 years ago
Yes Andrei, that's right. I'm trying to see how to fix this from the plugins 
side but I think it looks messy. I don't recall an easy way to check if a plugin 
instance is java without checking it's mime-type. Perhaps either the plugin can 
be modified to set the cache variable or perhaps when we create the Java 
instance, we set the variable.

Comment 19

18 years ago
Some of the talkbacks mention RealPlayer - so I don't think a Java specific 
solution is right - unless those urls that mention Real are also using Java.

Talking out loud: Seems like there's a refcnt problem with plugins on unix.  
But also seems like 
shouldn't happen after calling 
since if a plugin isn't cached, we try to unload the module (in which case the 
refcnt problem is on the non-unix platforms?).

Comment 20

18 years ago
OK, I think we may finally have some scant cycles to help with this bug.
What would be most helpful from the Java Plug-in team at this point?
I do not have Mozilla code expertise on my team, so we could mostly help
from the plugin side of things.  Suggestions?  Requests?

- Jim Melvin

Comment 21

18 years ago
On Linux and Solaris, are PR_UnloadLibrary() (like that in 
nsPluginTag::TryUnloadPlugin) calls protected by OS refcnts like they are on 
Windows?  If they aren't, then that could be a problem that wouldn't be 
manifested on Windows.

I think that the NS_RELEASE(mInstance) calls in both nsObjectFrame.cpp and 
nsPluginViewer.cpp should be moved up one line before the StopPluginInstance 
  if (mInstance)
  if (mPluginHost) // the plugin host still has a reference to the instance
  mInstance = nsnull;

Comment 22

18 years ago
Peter, I don't understand how Java is different from other plugins in this 
respect. And why this is specific to Unix. Looking at the code I cannot see any 
mismatched addref/release's. In fact, release in the nsPluginInstanceOwner 
destructor makes sense since we addref it in nsPluginInstanceOwner::SetInstance.

Comment 23

18 years ago
Sean, I think PR_UnloadLibrary should be refcounted by NSPR. But I think your 
suggestion might work. Can somebody try it, please?

Comment 24

18 years ago
Andrei, yep NSPR handles the PR_UnloadLibrary nicely.

Comment 25

18 years ago
I've tried removing the patch of 74485, and it did not help, still crashed at
the same spot.

I am going to tried Sean's suggestion next.

Comment 26

18 years ago
Tried Sean's suggestion, releasing mInstance before calling
StopPluginInstance(), still crash with the following stack (see below after the
code change):

in nsObjectFrame.cpp:
  PRInt32 cnt;

  // shut off the timer.
  if (mPluginTimer != nsnull) {

  if (mInstance)
  if (mPluginHost)
  mInstance = nsnull;

and in nsPluginViewer.cpp:
  if (nsnull != mInstance)
    PRBool doCache = PR_TRUE;

    // determine if the plugin wants to be cached
                        (void *) &doCache);
    if (!doCache) {
      // if not, destroy the instance
    if (doCache) {
      nsCOMPtr<nsIPluginHost> host;
      host = do_GetService(kCPluginManagerCID);
    mInstance = nsnull;

Program received signal SIGSEGV, Segmentation fault.
[Switching to LWP 4]
0xfc1af9f0 in ?? ()
(gdb) where
#0  0xfc1af9f0 in ?? ()
#1  0xfd953c0c in g_io_unix_dispatch (source_data=0x756520, 
    current_time=0xffbee670, user_data=0x635020) at giounix.c:135
#2  0xfd9558e8 in g_main_dispatch (current_time=0xffbee670) at gmain.c:656
#3  0xfd956170 in g_main_iterate (block=-40390908, dispatch=1) at gmain.c:874
#4  0xfd956384 in g_main_run (loop=0x19e730) at gmain.c:932
#5  0xfda3f9ac in gtk_main () at gtkmain.c:476
#6  0xfdbbfb84 in nsAppShell::Run (this=0x7d308) at nsAppShell.cpp:360
#7  0xfdcc66a4 in nsAppShellService::Run (this=0xab800)
    at nsAppShellService.cpp:407
#8  0x230e8 in main1 (argc=1, argv=0xffbeeafc, nativeApp=0x0)
    at nsAppRunner.cpp:1005
#9  0x24440 in main (argc=1, argv=0xffbeeafc) at nsAppRunner.cpp:1300

Comment 27

18 years ago
So the crash moved?  Any idea what was at 0xfc1af9f0 - part of the Java plugin? 
an nsIPluginInstance, nsIPlugin, nsIModule?  If you step though the 
StopPluginInstance call, does the pluginHost call PR_UnloadLibrary on the Java 
plugin?  Try a breakpoint in nsPluginTag::TryUnloadPlugin 

Comment 28

18 years ago
What about using the NS_IF_RELEASE macro?

Comment 29

18 years ago
If the problem was that mInstance was no longer valid, then the NS_IF_RELEASE
macro offers no protection since it just checks to see that the argument is
non-null, not that it's pointing to valid memory.  It could be non-null and
invalid if the plugin library was unloaded or the plugin decided to delete the
plugin instance even though the instance had outstanding references.

Comment 30

18 years ago
The call to mInstance->Release() before calling
host->StopPluginInstance(mInstance) in that last code fragment is bogus. As far 
as your code is concerned, mInstance should be considered dead after calling 
Release(), as you may have decremented the refCount to 0 at that point.

Comment 31

18 years ago
Yeah it's bogus.  This means that the plugin host can't unload plugin libraries
since it doesn't have any means of determining whether there are outstanding
references to plugin instances.  An alternative is to make the
pluginInstanceOwner's mInstance a weak reference that doesn't get addref'd or
released (the plugin host already has a strong reference to the instance).

Comment 32

18 years ago
I am just wondering why this showed up only a week ago? The biggest suspect of 
course would be my fix to 74484 which happened to be not the case. What else?

Comment 33

18 years ago
bug 77319 looks similar - WinNT / default plugin.


18 years ago
Blocks: 77319

Comment 34

18 years ago
To bring us back on track.....Sean I think you were most correct. I set a 
breakpoint (in Windows) at nsPluginTag::TryUnloadPlugin and sure enough it gets 
called along with PR_UnloadLibrary.

I think (please correct me if I'm wrong) but the Java plugin must not be 
unloaded once it is loaded. This is probably causing the crash as I looked at 
the refcount it looks correct (at least on Windows).

Since I can't reproduce this, let me try creating an experimental patch for 
someone to try for TryUnloadPlugin to NOT return if the tag is Java. Comments 

Oh, and I couldn't reproduce the stack in bug 77319 on Windows. I got another 
stack for which I attached a patch.

Comment 35

18 years ago
Sounds good.  You mentioned that there was a code change recently regarding 
when java gets started up.  Where does that code live?

Comment 36

18 years ago
What do you mean by 'TryUnloadPlugin to NOT return if the tag is Java'? To not 
unload the library? When is it going to be unloaded then? We already have a 
mechanism to postpone unloading libraries, but this one look a special case, it 
needs to not be unloaded till the application exits, right?

Comment 37

18 years ago
Created attachment 32385 [details] [diff] [review]
1st try at patch to handle Java plugin just like a cached plugin

Comment 38

18 years ago
Ok, my dirty patch should treat Java like a cached plugin in 
StopPluginInstance() so it shouldn't try to unload the library untill we shut 

Now testing on Linux....(please try as well)

Andrei, TryUnloadPlugin() was the wrong place to check. I think this patch may 
prevent or delay the crash.

Comment 39

18 years ago
Whoops - guess I wasn't following correctly.  I think that the java plugin 
instances should not be cached but rather the plugin module should not be 
unloaded when the instance count reaches zero.

As I recall, the nsPluginInstanceVariable_DoCacheBool variable was created 
specifically to address problems with caching of applets at Sun's request.

Applying the patch will tell us if we are barking up the right tree though.

Comment 40

18 years ago
I tried Peter's patch, and seemed got the same result as Sean's:

Program received signal SIGSEGV, Segmentation fault.
0xfcaaf9f0 in ?? ()
(gdb) where
#0  0xfcaaf9f0 in ?? ()
#1  0xfe933c0c in g_io_unix_dispatch (source_data=0x72f0a8, 
    current_time=0xffbee670, user_data=0x631098) at giounix.c:135
#2  0xfe9358e8 in g_main_dispatch (current_time=0xffbee670) at gmain.c:656
#3  0xfe936170 in g_main_iterate (block=-23744764, dispatch=1) at gmain.c:874
#4  0xfe936384 in g_main_run (loop=0xc2fa0) at gmain.c:932
#5  0xfdebf9ac in gtk_main () at gtkmain.c:476
#6  0xfd6bfb84 in nsAppShell::Run (this=0x7d308) at nsAppShell.cpp:360
#7  0xfd7c66a4 in nsAppShellService::Run (this=0xaba08)
    at nsAppShellService.cpp:407
#8  0x230e8 in main1 (argc=1, argv=0xffbeeafc, nativeApp=0x0)
    at nsAppRunner.cpp:1005
#9  0x24440 in main (argc=1, argv=0xffbeeafc) at nsAppRunner.cpp:1300

Comment 41

18 years ago
Joe: Any idea what was at 0xfcaaf9f0 - part of the Java plugin, the 
objectFrame, an applet?  Similar offset as the last crash you reported.  Can 
you confirm that the java plugin is still loaded at the time of the crash?

Comment 42

18 years ago
*** Bug 77957 has been marked as a duplicate of this bug. ***

Comment 43

18 years ago
*** Bug 77875 has been marked as a duplicate of this bug. ***

Comment 44

18 years ago
Ahh...good news. After spending hours on the phone with Joe Chou from Sun, it 
turns out that my patch does solve the problem of caching the Java plugin but 
the string I was comparing to was incorrect (Should have been "Java" instead of 
"Java Plug-in"). Making that change to the patch prevents the crash.

However....I don't think this is the way we should solve this problem. The 
"correct" way would be to have the Java plugin return PR_TRUE for 
nsPluginInstanceVariable_DoCacheBool for GetValue. Stanley, that's where you 
come in as I understand you make changes to the Java Plugin but only in regular 

Comment 45

18 years ago

Should we check-in my patch temporary till the Java plugin can fixed AND 
released....or create a better way of detecting Java?

Comment 46

18 years ago
Talk to Ed Burns and Stanley Ho.  They added the 
nsPluginInstanceVariable_DoCacheBool on Sept 14 because of problems starting up 
cached applets - Stanley <REALLY> didn't want java instances cached, but maybe 
that has changed.

Comment 47

18 years ago
They didn't want it so bad that they wanted to remove plugin caching 
completely.  That nsPluginInstanceVariable_DoCacheBool variable was the 
compromise that left caching intact.

Comment 48

18 years ago
Ahh...I see....Well, I don't know how to fix this crash without caching the 
Java plugin. What bug # was that? Can someone try with my [modified] patch?

What to do?

Comment 49

18 years ago
One could also use QueryInterface() to determine if you're dealing with the Java 
plugin. Java plugins must implement the nsIJVMPlugin interface.

Comment 50

18 years ago
That nsPluginInstanceVariable_DoCacheBool bug is:

Does anyone know what is actually being accessed that has already been 
deleted?  Is it a plugin, a plugin instance or the plugin module?

Is this a refcnt bug?

Comment 51

18 years ago
I tested Peter's patch and it does prevent the crash, however after leaving the
page with java, I can no longer get any Java to run on any subsequent page. So,
it is good that the crash is gone, it is bad that Java stops working. BTW:
beard's idea of the QI instead of the string search is great: much more reliable
and less vulnerable to change.

Comment 52

18 years ago
Beard good idea! 

From talking with Marc, looks like even though the crash is fixed, there are 
still huge problems. I'll attempt to create another patch, this time to GetValue 
when doCacheBool is the case. If the plugin returns FALSE, I'll do the QI to 
check for Java and if that works, then return TRUE reguardless of what the Java 
plugin wants until such time it's fixed on the other side. 

Ed, you worked on the other bug, what are your feelings about taking this 

Comment 53

18 years ago
I have a hunch that this problem would be solved by re-compiling the java 
plugin on unix with current mozilla headers.

Comment 54

18 years ago
Created attachment 32491 [details] [diff] [review]
cleaner patch using a QI

Comment 55

18 years ago
I've tried Peter's second patch, and the result is the same as what Marc saw:
no crash, but Java stopped working after that.
By the way, I also tried mozilla08.1 binary. Hitting the back button after
loading an applet page did not crash the browser, but then hitting the forward
button (to go back to the applet page) did.

Comment 56

18 years ago
I also tried mozilla08, and the problem was not there. I could toggled Back and
Forward buttons without errors. 
Therefore, the problem seems to be introduced between mozilla08 and 08.1.

Comment 57

18 years ago
So, Joe, to be clear, what you are saying is that my second patch fixes THIS bug 
but there is still an underlying bug about going Back and Forward that was 
introduced between Mozilla 0.8 and Mozilla 0.8.1.

Is there a bug already on THAT issue? If not, I suggest getting reviews and 
approval to check this patch in and open another bug on that problem. We 
probably shouldn't ship 0.9 with that not working either, but that's not my 
decision. My guess is that there is a problem in the caching logic but I'm not 

Comment 58

18 years ago
Joe, then I'd suspect that the root of the problem is the fix for bug 45009 
which made it into 0.8.1.  Is the java plugin doing anything in response to 

Feels like I'm beating a deadhorse but we really shouldn't cache applet 
instances.  I think we just need to prevent calling TryUnloadPlugin() on the 
java library once the instance count reaches zero.  Has that at least been 

Comment 59

18 years ago
Peter: Actually your second patch (same as the first patch) does stops the
crashing, but the browser also stops working with Java (can't load any Java
applets afterwords).

Sean: can you elaborate on your suggestion a little more please (prevent calling
TryUnloadPlugin() on the java library once the instance count reaches zero)? If
you put up a patch, I'll give it a try.

Comment 60

18 years ago
Joe: for a quick test, just comment out the implementation of 
nsPluginTag::TryUnloadPlugin in nsPluginHostImpl.cpp and try a simple test that 
loads an applet, go to a page without any applets, go back and then exit.

Comment 61

18 years ago
Sean: it worked! I put in the change, and I could toggled between Back and
Forward button without problems now. No crash, and Java still worked. So your
assumsion is correct. What is next? (I got to go now, but I'll check it online
from home later). 

Comment 62

18 years ago
TryUnloadPlugin does essentially two things: shutdown/release and unload the lib  
itself. Which one should be skipped to fix the crash? If this unloading lib from 
memory than we can try to employ the mechanism to postpone this which mechanism 
already exists. To quickly test this you can do the following in 
nsActivePluginList::remove implementation:

  // xpconnected plugins from the old world should postpone unloading library 
  // to avoid crash check, if so add library to the list of unloaded libraries
- if(pluginTag->mXPConnected && (pluginTag->mFlags & NS_PLUGIN_FLAG_OLDSCHOOL))
+ if(1) 
    pluginTag->mCanUnloadLibrary = PR_FALSE;
      *aUnloadLibraryLater = PR_TRUE;

Comment 63

18 years ago
Created attachment 32513 [details] [diff] [review]
New patch for nsPluginTag::TryUnloadPlugin, please try

Comment 64

18 years ago
Just yesterday I was talking to someone who anecdotally said something to the 
effect that every bug had 2 causes.

1) must ensure that the Java plugin is not shutdown/released/unloaded (yet to 
be determined whether shutdown/release needs to be avoided) by the plugin host 
even though the plugin instance count hits 0.  This alone will prevent applet 
crashes in ~nsObjectFrame.

2) nsObjectFrame (nsObjectFrame.cpp) and pluginInstanceOwner 
(nsPluginViewer.cpp) should switch from holding a plugin instance strong ref to 
a weak ref if the plugin host is to continue shutdown/release/unload of plugins 
when their instance counts reach 0.  This should prevent the crashes in 
~nsObjectFrame with Real player as reported in the talkbacks listed on the 
23rd.  I couldn't repro those on Win2K, so that's just another hunch.

Comment 65

18 years ago
I like your idea of switching to weak reference in the pluginInstanceOwner. This 
looks less hackery to me. From the other hand, there is still no guarantee that 
somebody else in future will not hold it strong, and we leave the potential 
possibility for this kind of crash to repeat. Should we vote I would cast my 
voice for the number two.

Comment 66

18 years ago
I'd go for the safer thing too - remove the call to TryUnloadPlugin from 
nsActivePluginList::remove and leave the one in nsPluginTag::~nsPluginTag as 
the only one.  Also remove all the *unusedLibrary* stuff?  Would need to see 
how javascript:navigator.plugins.refresh behaves.

Comment 67

18 years ago
That would be risky. I introduced it first time specifically to solve problems 
with this javascript command. Refreshing after _updating_ a plugin dll to a 
newer version, not just adding it. Also, this mechanism proved to be useful in 
another case -- our new way to make old style plugins scriptable. It will crash 
upon leaving the page without this unusedlibrary stuff.

Comment 68

18 years ago
And we shall not remove TryUnloadPlugin because the spec says very clearly that 
we shutdown the plugin after the last instance of it is gone.

Comment 69

18 years ago
Is there a way to find out the plugin instance count before calling 
TryUnloadPlugin()? If so, then we will only call TryUnloadPlugin() when the 
count is > 0. Would that be good enough?

Comment 70

18 years ago
*** Bug 78052 has been marked as a duplicate of this bug. ***

Comment 71

18 years ago
Andrei, I misread what your vote for number 2 actually meant.  In number 2 
there are 2 options.  Remove the strong ref or stop the host from unloading 
plugin libraries until shutdown.  If you remove the strong ref, then you still 
need a hack to keep the Java library loaded.  If you go the route of stopping 
the call to TryUnloadPlugin from within nsActivePluginList::remove then no Java 
specific hack is required.  But as you noted, removing the strong ref from 
nsObjectFrame is no guarantee that similar crashes won't occur when other 
things that hold instance refs call release.

Andrei wrote:
>our new way to make old style plugins scriptable. It will crash 
>upon leaving the page without this unusedlibrary stuff.

I don't think that's the case if you don't call TryUnloadPlugin until shutdown 
(solely from the nsPluginTag dtor).  nsPluginTags aren't destroyed until xpcom-
shutdown, therefore the libraries that plugin instances come from can still 
handle release calls made on the instances.  Just because the plugin host calls 
nsIPluginInstance::Destroy doesn't mean the plugin instance has been removed 
from memory.

>And we shall not remove TryUnloadPlugin because the spec says very clearly 
>that we shutdown the plugin after the last instance of it is gone.

The problem is that the plugin host does NOT know when the last instance is 
gone.  Only when the last instance has been stopped.  The whole problem here is 
that difference - we shouldn't unload the plugin library until the last 
reference to the instance has been *released*.  It doesn't matter that the last 
instance has been *stopped* if there are still outstanding references to it 
(things that hang onto plugin instances are nsObjectFrame, nsPluginViewer, 
xpcWrappedNative, stuff in the DOM).

Joe wrote:
>If so, then we will only call TryUnloadPlugin() when the count is > 0.

That's sure to cause crashes whenever a user leaves a page that has any plugin, 

Comment 72

18 years ago
Sean: Now I am confused. (Sean wrote: "...I think we just need to prevent 
calling TryUnloadPlugin() on the java library once the instance count reaches 

Comment 73

18 years ago
Joe, perhaps, your "when the count is > 0" should read "when the count is = 0"?

Comment 74

18 years ago
Sean, as I understand it the presense of outstanding references to the plugin 
instances is quite orthogonal to the number of running instances, and what you 
are saying (correct me if I am wrong) is that we should not unload the dll from 
memory untill the last reference is released (which is not the same thing as 
last instance is stopped and destroyed). This basically means that we confess 
that plugin dlls may stay resident indefinitely. The only 100% guarantee they 
are unloaded is exiting application. I can live with that, although those who 
think footprint may not agree. What I am mostly concerned about is 
nsIPlugin::Shutdown call which according to the spec we are obliged to fire upon 
the desruction of the last instance of the plugin. Maybe TryUnloadPlugin should 
become TryShutdownPluginObject or something like that. If we take this, I agree, 
we can get rid of all the 'unusedlibrary' stuff which is kind of alien.

Comment 75

18 years ago
Joe: As things are now, TryUnloadPlugin is called when the plugin instance 
count reaches zero and at xpcom-shutdown (the call at shutdown won't do 
anything if the first call was made).  By "prevent calling TryUnloadPlugin() on 
the java library once the instance count reaches zero" I meant don't make that 
first call to TryUnloadPlugin - I didn't mean to imply that we should start 
calling it when there's a non-zero instance count.

Comment 76

18 years ago
Andrei, calling Shutdown when the plugin host's reckoning of the instance count 
reaches 0 might be ok.  It would be good to know what call in TryUnloadPlugin 
is causing problems for Java (Shutdown, Release or PR_UnloadLibrary).  Peter 
mentioned that there's special loader code for Java.  I wasn't able to find 
it.  If it exists, then it likely does a PR_LoadLibrary on the Java plugin.  If 
that's the case, then it's unlikely that the PR_UnloadLibrary in 
TryUnloadPlugin is the problem since NSPR refcnts the module (that is, the 
plugin host has 'unloaded' the module but it is still loaded due to the code 
that explicitly started up Java much in the same way that when the plugin host 
calls PR_UnloadLibrary on my xpcom module, it is not unloaded since there is 
the outstanding load done by the component manager).  That would leave either 
nsIPlugin::Shutdown or nsIPlugin::Release as the cause of java applet crashes.

I don't know how the Java plugin is implemented or how the authors interpreted 
the nsIPlugin::Shutdown documentation.  My interpretation of the doc at 
http://www.mozilla.org/docs/plugin.html places more relevance on the 
qualification made at the end of the second sentence than on the other part 
which you place more importance on:
*Navigator calls this function* once after the last instance of your plug-in is 
destroyed, *before unloading the plug-in library itself.*

Note also that the documentation for nsIPlugin::Initialize says:
After the last instance of the plug-in has been deleted, Navigator calls 

That means that Shutdown shouldn't be called until all instance references have 
been released and all instances deleted.

I suppose part of the problem here is the ambiguity of this phrase in Shutdown:
once after the last instance of your plug-in is destroyed

Is that destroyed as in the plugin instance destructor (as stated in the 
Initialize documentation) or destroyed as in nsIPluginInstance::Destroy()?

My interpretation is that there will be no more instance calls after Shutdown.  
In my plugin, in order to prevent crashes at shutdown due to numerous plugin 
instance leaks in N6 and 6.01, my nsIPlugin::Shutdown cleans up all outstanding 
objects.  If Java does the same, then calling Shutdown before all objects are 
not released is not safe since Release calls on applet instances will deref 
freed memory.

Comment 77

18 years ago
Sean, I see what you mean. Just because the instances go away, doesn't mean the 
references (like from the DOM) have gone away as with Java and possibly other 
scriptable plugins.

Someone correct me if I'm wrong, but the OJI plugin once started isn't supposed 
to be shutdown until app shutdown? This was the case with Java in 4.x but that's 
completely different.

Calling shutdown when the refcount goes to zero sounds like a good idea.

Comment 78

18 years ago
And what to do with the obligation to "call shutdown after the last instance is 
destroyed"? I still don't see a way to solve this other than to use barometer 
length to measure the height of the building. Change spec? Forbid using strong 

Comment 79

18 years ago
*** Bug 78164 has been marked as a duplicate of this bug. ***

Comment 80

18 years ago
To answer Sean's earlier question (which of the call in TryUnloadPlugin that
caused the crash: Shutdown(), Release() or PR_UnloadLibrary()?) I did some more
trace, and found out that it was the call to PR_UnloadLibrary() causing the
crash. Inside PR_UnloadLibrary(), the Java plugin lib (libjavaplugin_oji.so) was
unloaded. Before unloaded, lib->refCount was 1. In the test case, there was one

Comment 81

18 years ago
I don't think we can forbid the use of strong refs on plugin instances 
throughout mozilla.  The spec does need to be clarified because as it is now, 
it's ambiguous and depending on the interpretation can't be implemented at this 
point.  AFAIK XPCOM module unloading is not supported at this time in mozilla 
due to strong ref problems like this.  The host needs to be able to find out 
from the plugin if it is safe to call Shutdown (the plugin will need to account 
for all of the objects that are held by mozilla), but there's no infrastructure 
for this and should be explored.

As far as calling shutdown after the last instance is destroyed, I think 
calling nsIPlugin::Shutdown at xpcom-shutdown better meets this requirement.  I 
don't see where the spec necessitates that shutdown be called as soon as the 
last instance is destroyed, only that there is a sequence of events and the 
Shutdown call occurs between 2 events: after the last instance is destroyed and 
before the module is unloaded.  By waiting until xpcom-shutdown to make the 
Shutdown call, you are more likely to have fulfilled the requirement that the 
last instance is destroyed than if Shutdown is called when the last instance is 
stopped (but still no guarantee).

It would be nice to have some unbiased third party opinion on these larger 
issues.  What's the immediate goal? Resolve all the issues or get a bandaid 
together for 0.9 (a patch that prevents the unloadLibrary call for Java and 
that turns the nsObjectFrame instance reference from strong to weak)?

Comment 82

18 years ago
Joe, just to clarify, if you comment out the PR_UnloadLibrary, then Java is 
happy (back/forward testcase)?

Comment 83

18 years ago
Yep. If the call to PR_UnloadLibrary(mLibrary) is commented out, there is no
problem to go back and forth among applet and non-applet pages.

How about getting a patch to fix the crash problem here, and opening another bug
to clean up the whole issue?

Comment 84

18 years ago
cc:ing some XPCOM folks.

Comment 85

18 years ago
Any comments on what to do about this bug next?

Comment 86

18 years ago
Joe, does this patch work?

What needs to be done to fix this bug and others like it?

Comment 87

18 years ago
Re-assigning bug to myself. This bug needs to be fixed soon so 0.9 can go out 
the door. What is actually needed to be done here? Joe says:

>>Yep. If the call to PR_UnloadLibrary(mLibrary) is commented out, there is no
>> problem to go back and forth among applet and non-applet pages.

So what if there was an additional check if for the NSPR refcnts on the module 
before it gets unloaded?
Assignee: James.Melvin → peterlubczynski

Comment 88

18 years ago
For the patch of the crash, correct me if I am wrong here. In
TryUnloadLibrary(), if it is Java plugin, then do not call PR_UnloadLibrary().
(What about Shutdown() and Release() there, should those calls be avoided too?)
About changing nsObjectFrame from strong instance to weak instance, can we leave
it to the complete cleanup (in a seperate bug)? Peter, whatever the outcome of
the discussion of the patch, when you come up with a patch, I'll test it.

For the complete cleanup of the issue that have been broght up here, can Sean or
Andrei write a new bug, please?

Comment 89

18 years ago
I've tried Peter's last patch, and it seems working fine. 

Comment 90

18 years ago
Java Plug-in cannot be unloaded once it is started, until the process exits. 
This is because the VM as well as the JDK libraries will have multiple threads 
running, and unloading the VM in the middle of browser session will be very 
tricky to do without crashing or deadlock. I think not calling TryToUnloadPlugin 
will be the proper workaround.

Comment 91

18 years ago
To get this off the radar, can I get reviews for patch #32513 unless someone 
else has input on how to better fix this for mozilla 0.9?
Keywords: patch
Whiteboard: critical to mozilla 0.9 → [critical to mozilla 0.9] [seeking reviews]

Comment 92

18 years ago
Testing the MIME type string is fragile. I'd prefer we actually test the 
nsIPlugin itself and see if it implements nsIJVMPlugin. You can do this test once 
up front. Why are we eagerly unloading plugins anyway? Shouldn't they only be 
unloaded if the window is closed, and we are tossing history?

Comment 93

18 years ago
Oops, my mistake. The line under // XXX should read:

nsCOMPtr<nsIJVMPlugin> isJava = do_QueryInterface(mEntryPoint);

Joe, can you verify that this doesn't cause a crash on shutdown or the service 
manager not being held past XPCOM shutdown?

Comment 94

18 years ago
With that change, r=beard, assuming it fixes the problem.

Comment 95

18 years ago

adding myself to the cc: list... i'd like to see a solution to this as well...

Comment 96

18 years ago
I replaced the line of code (plus added a line to include the header), and I was
able to go back and forth among applet pages (one applet or two applets
pages),and non-applet pages.
Any other test cases I should try? 

Peter, you seemed to have some test cases in mind when you said, "verify that
this doesn't cause a crash on shutdown or the service manager not being held
past XPCOM shutdown", right?


Comment 97

18 years ago
By the way, if you have access to a linux trunk build, you can apply the patch,
then build an optimized build, and try your own test cases.
To build an optimized build, simply add a file, .mozconfig to your mozilla
directory. The file should contain the following lines:

ac_add_options --disable-tests
ac_add_options --disable-debug
ac_add_options --enable-optimize
#ac_add_options --enable-mathml #uncomment to enable mathml 

Basically the file will turn off the debug mode for the build.

Comment 98

18 years ago
Joe, trying this late last night on Windows, I was seeing refcount problems with 
the plugin host that Sean and Andrei describe. Basically, if Java is installed 
on Windows, the plugin host has an extra reference to it and therefore does not 
get destroyed at XPCOM shutdown (and is leaked) even though Shutdown() and 
Release are called.

I guess you aren't seeing this and neither are other people, so perhaps it's 
something lurking in my tree. I had problems updating with CVS too last night, 
will try again today.

Actually, this was happening with and without this patch so I think it's 
something else but related.

So I assume you r=? If nobody objects, I'll try to get a super review and check 
this in.

Comment 99

18 years ago
Created attachment 32909 [details] [diff] [review]
cvs diff -u of fix for this bug, third iteration: includes qi test fo nsIJVMPlugin.  Works with 2 May 01 trunk.

Comment 100

18 years ago
*** Bug 78547 has been marked as a duplicate of this bug. ***

Comment 101

18 years ago
a= asa@mozilla.org for checkin to the MOZILLA_0_9_BRANCH
This just needs a r= right? Can we get this in as soon as the r+ becomes
available.  Thanks.

Comment 103

18 years ago
This bug is a topcrasher for M09 on Windows
Changed OS to All.

Here is a recent stack trace from a windows crash:

Incident ID 29798225 
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsObjectFrame.cpp, line 1520] 
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsObjectFrame.cpp, line 267] 
nsObjectFrame::`scalar deleting destructor' 
nsFrame::Destroy [d:\builds\seamonkey\mozilla\layout\html\base\src\nsFrame.cpp, 
line 432] 
GKLAYOUT.DLL + 0xa9cb4 (0x603b9cb4) 
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsObjectFrame.cpp, line 1593] 
OS: Linux → All
Summary: Leaving an applet page crashed browser - Trunk [@ nsPluginInstanceOwner::~nsPluginInstanceOwner] → Leaving an applet page crashed browser - Trunk & M09 [@ nsPluginInstanceOwner::~nsPluginInstanceOwner]

Comment 104

18 years ago
Can someone try the patch on Windows, and see if it fixes the crash that janc

Comment 105

18 years ago
I'll try my most recent patch on Win32.

Comment 106

18 years ago
This patch will probably only fix Linux Java crashing. janc, how did you get 
that stack trace? Is there a testcase for Windows? What plugins? We need more 
information. Bug 77319 has the same trace but is a bug on Real. I just got the 
new Real bits an hour go, will try.

This bug NEVER crashed on Windows or Mac in the first place, that's why it was 
so hard to fix.

Comment 107

18 years ago
I just tried my most recent patch with a debug build from 01 May 2001 trunk.  
Applets worked fine, modulo bug 76921.

Depends on: 76921

Comment 108

18 years ago
Peter is correct.  The attached patch will only fix ~nsObjectFrame crashes when 
an applet is involved.

Given that the talkback info posted on the 23rd shows a few Real Player 
descriptions, the java-specific patch won't address all the nsObjectFrame 

See the last comment I posted on the 27th.

Comment 109

18 years ago
Created attachment 32969 [details] [diff] [review]
cvs diff -u of fix for this bug, fourth iteration, patch taking into account recent changes to nsPluginHostImpl.cpp tested on linux.

Comment 110

18 years ago
Peter please note that nsPluginHostImpl.cpp has changed.  I've attached a patch
that reflects this change.
edburns, will we need to get the fix for 76921 on the branch for this bug's fix
to work on the branch?  Please excuse my ignorance.  I just want to make sure we
get the 0.9 branch working.

Comment 112

18 years ago
Asa, no they are orthogonal.  I include the patch as a convenience. I have 
already requested in n.p.m.builds to have bug 76921 approved for checkin on the 
branch, as I feel it is important functionality for plugins.  If you grant 
permission for me to check in 76921 on the branch I would greatly appreciate it.
yes please check into the MOZILLA_0_9_BRANCH
a= asa@mozilla.org (on behalf of drivers

Comment 114

18 years ago
Asa, do you mean for 76921?

Comment 115

18 years ago
Fine by me, r=peterl
a= asa@mozilla.org for checkin to both this bug and 76921

Comment 117

18 years ago
I see from the comments that this bug is solving the problem only for Linux.
However, but 77857 which was reported by me and was marked as a duplicate of
this one is talking about Windows 98. So either the problem occurs on Win98 as
well or it's not a dup and should be reopened.

Comment 118

18 years ago
checking into the TRUNK:

/cvsroot/mozilla/modules/plugin/nglsrc/nsPluginHostImpl.cpp,v  <--  
new revision:; previous revision:
Checking in nsPluginHostImpl.h;
/cvsroot/mozilla/modules/plugin/nglsrc/nsPluginHostImpl.h,v  <--  

Comment 119

18 years ago
Patch checked into the TRUNK. Marking FIXED.

/cvsroot/mozilla/modules/plugin/nglsrc/nsPluginHostImpl.cpp,v  <--  
new revision: 1.242; previous revision: 1.241
Checking in nsPluginHostImpl.h;
/cvsroot/mozilla/modules/plugin/nglsrc/nsPluginHostImpl.h,v  <--  
new revision: 1.53; previous revision: 1.52
Last Resolved: 18 years ago18 years ago
Resolution: --- → FIXED

Comment 120

18 years ago
oops, meant BRANCH on that last comment.
i don't see this problem anymore on the trunk on windows /linux (0503). VERIFIED

Comment 122

18 years ago
removing invalid dependency (bug 76921)
No longer depends on: 76921

Comment 123

18 years ago
Reopening since this is still crashing, just somewhere else now.

Here's my work around for the new crash on shutdown:

Index: nsPluginHostImpl.cpp
RCS file: /cvsroot/mozilla/modules/plugin/nglsrc/nsPluginHostImpl.cpp,v
retrieving revision
diff -u -r1.233.4.6 nsPluginHostImpl.cpp
--- nsPluginHostImpl.cpp        2001/05/03 21:06:35
+++ nsPluginHostImpl.cpp        2001/05/04 22:50:26
@@ -806,7 +806,9 @@
 void nsPluginTag::TryUnloadPlugin(PRBool aForceShutdown)
   // XXX This is a hack to keep Java around, see bug 76936
-  nsCOMPtr<nsIJVMPlugin> isJava = do_QueryInterface(mEntryPoint);
+  PRBool isJava = PR_FALSE;
+  if (mDescription && !strcmp(mDescription, "Java(TM) Plug-in"))
+    isJava = PR_TRUE;
   if (isJava && !aForceShutdown) return;
Resolution: FIXED → ---

Comment 124

18 years ago
How about changing:

  nsCOMPtr<nsIJVMPlugin> isJava = do_QueryInterface(mEntryPoint);


  nsCOMPtr<nsIJVMPlugin> isJava;
  if (mEntryPoint)
    isJava = do_QueryInterface(mEntryPoint);

Comment 125

18 years ago
Checking the string desciption vs. the interface makes a difference? 

I like Sean's idea better but I thought do_QueryInterface already catches null 

Comment 126

18 years ago
Christopher: How to reproduce your crash to try the new patches?

Comment 127

18 years ago
Working for me with build 2001050408, Linux 2.4.4 i686, RedHat 6.1

Comment 128

18 years ago
I had a look and there are several variants in nsCOMPtr.h/cpp. Apparently, the 
version that got picked was a version in which no error checkin is made.

Comment 129

18 years ago
I would imagine that to repro, you need the same plugins that he has 
installed.  One of them must not implement nsIPlugin.

Comment 130

18 years ago
If Sean's approach works, I like it better than checking the description.
Checking the description is almost guaranteed to break non-sun java plugins.

Comment 131

18 years ago
Leaving aside nsCOMPtr<> for a moment, you could just do:

PRBool isJava = PR_FALSE;
if (mEntryPoint) {
  nsIJVMPlugin* jvmPlugin;
  isJava = NS_SUCCEEDED(mEntryPoint->QueryInterface(NS_GET_IID(nsIJVMPlugin),    

Comment 132

18 years ago
+ the NS_IF_RELEASE, of course...

Comment 133

18 years ago
Is the real problem the version of nsCOMPtr.h/cpp? LXR only reveals one set.

Like I said, I thought do_QueryInterface is safe to call on null pointers? If 
not, I like Sean's approach.

Is there a testcase to reproduce the crash?

I thought do_QI and nsCOMPtr saved you from doing all that as the guide says:

Comment 134

18 years ago
To reproduce the crash just have the java plugin installed, start the browser,
and exit the browser.

Comment 135

18 years ago
I am observing that it isn't safe the optional 'rv' isn't specified.

I tried putting an assertion in a random place in the code, say:

NS_IMETHODIMP nsDocumentOpenInfo::OnStartRequest(nsIRequest *request, 
nsISupports * aCtxt)
  nsresult rv = NS_OK;
//  nsCOMPtr<nsIHTTPChannel> httpChannel(do_QueryInterface(request, &rv));
  nsCOMPtr<nsIHTTPChannel> httpChannel(do_QueryInterface(NULL));

and tracing this didn't gave a null httpChannel (I am reading
httpChannel.mRawPtr = 0x01abfef4 on the trace :-)

But it was safe when I tried:

 nsCOMPtr<nsIHTTPChannel> httpChannel(do_QueryInterface(NULL, &rv));
It gave null, and a failure error code for rv. 

Comment 136

18 years ago
With build 2001050408, everything works fine, except that the browser
crashes on about:plugins if the Java plugin is installed; the bottom of
the stack trace looks like:

#0  0x400df6a4 in nsCOMPtr_base::~nsCOMPtr_base () at eval.c:41
#1  0x40ed7c8d in nsPluginTag::TryUnloadPlugin ()
   from mozilla/components/libgkplugin.so
#2  0x40ed7a5f in nsPluginTag::~nsPluginTag ()
   from mozilla/components/libgkplugin.so
#3  0x40eda017 in nsPluginHostImpl::ReloadPlugins ()
   from mozilla/components/libgkplugin.so
#4  0x404b4c24 in PluginArrayImpl::Refresh ()
   from mozilla/libjsdom.so
#5  0x404b2901 in PluginArrayRefresh ()
   from mozilla/libjsdom.so
#6  0x4014e0c6 in js_Invoke () at eval.c:41
#7  0x40155005 in js_Interpret () at eval.c:41
#8  0x4014e50f in js_Execute () at eval.c:41
#9  0x40132106 in JS_EvaluateUCScriptForPrincipals () at eval.c:41
#10 0x4048a36d in nsJSContext::EvaluateString ()
   from mozilla/libjsdom.so
#11 0x40ca2a43 in HTMLContentSink::EvaluateScript ()

Is the same bug causing this, or should I open up a new bug?

Comment 137

18 years ago
Sorry peterl, I spoke too quickly. It is (should be) safe. My tests were wrong.

Comment 138

18 years ago
Okay, now this makes a little more sense to me seeing that stack. That stack is 
for bug 77319 which is highly related to this bug. That stack shows the problem 
with the nsCOMPtr. 

For whoever can reproduce this bug try doing a null pointer check as Sean 
suggests and see if the crash goes away.

Also, can someone explain this piece of code in ScanPlugins:
// load the plugin's library so we can ask it some questions, but not for 
#ifndef XP_WIN
      if (pluginFile.LoadPlugin(pluginLibrary) != NS_OK || pluginLibrary == 

Is this causing some of the PR_[Un]LoadLibrary() problems?

Ed, on Win32, I'm getting the service manager held past XPCOM shutdown doing 
what you describe. Even exit when choose profile causes this. I will the debug 
bits I got.

Comment 139

18 years ago
Okay, I just got bittin by this bug, but in a different way while debuging 
another. I see what Sean means if the plugin is 4.x. A QI won't work for a 4.x 
plugin. That's probably why the string comparision works the best.

Comment 140

18 years ago
Try this and see if it clears up THIS crash:

  // XXX This is a hack to keep Java around, see bug 76936
  PRBool isJava = PR_FALSE;
  if (mEntryPoint)
    nsIJVMPlugin* jvmPlugin;
    isJava = NS_SUCCEEDED(mEntryPoint->QueryInterface(NS_GET_IID(nsIJVMPlugin),  
    if (isJava) NS_IF_RELEASE(jvmPlugin);

Comment 141

18 years ago
Knowing not to unload Java in a navigator.plugins.refresh() situation is going 
to be a lot harder to fix. Use bug 77319 for that tracking. That WILL cause a 
crash because we are very deep in plugin destruction and it's hard to tell that 
sitation apart from when XPCOM gets shutdown. I think this solution may be too 
hacky to solve that crash. We must go back to making sure we don't call 
Shutdown() on the plugin unless it's refcount is down to one. I don't think 
doing the call to Shutdown() in TryUnload is a good idea anyway. Here's the top 
of the stack for the reload case:

nsPluginTag::TryUnloadPlugin(int 1) line 807
nsPluginTag::~nsPluginTag() line 763
DOMPluginImpl::~DOMPluginImpl() line 3092 + 11 bytes
DOMPluginImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
DOMPluginImpl::Release(DOMPluginImpl * const 0x03b4b530) line 3139 + 154 bytes
PluginElementImpl::~PluginElementImpl() line 270 + 27 bytes
PluginElementImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
PluginElementImpl::Release(PluginElementImpl * const 0x03b48a70) line 280 + 154 
PluginArrayImpl::Refresh(PluginArrayImpl * const 0x03b4bfc4, int 0) line 202 + 
45 bytes
PluginArrayRefresh(JSContext * 0x03b26c50, JSObject * 0x02ca4778, unsigned int 
1, long * 0x02d2ec98, long * 0x0012e2cc) line 333 + 16 bytes
js_Invoke(JSContext * 0x03b26c50, unsigned int 1, unsigned int 0) line 813 + 23 

Comment 142

18 years ago
Nit: some little changes:

  // XXX This is a hack to keep Java around, see bug 76936
  PRBool isJava = PR_FALSE;
  if (mEntryPoint) {
    nsIJVMPlugin* jvmPlugin;
    if (NS_SUCCEEDED(mEntryPoint->QueryInterface(NS_GET_IID(nsIJVMPlugin),  
                    (void**)&jvmPlugin))) {
      isJava = PR_TRUE;

Comment 143

18 years ago
I tried Peter's last patch, and it seemed working OK (I tried the
"about:plugins" and exit rightaway cases). I also tried Christopher's patch, and
it seemed working fine, too. So somehow, nsComptr seemed to cause some problem.

One thing though, in the exit-right-away case, there were two assertions (for
both patches) at the end: 

nsPluginHostImpl::Observe "xpcom-shutdown"
### beging nsCacheService::Shutdown()
### starting ~nsMemoryCacheDevice()
###!!! ASSERTION: Service Manager being held past XPCOM shutdown.: 'cnt == 0',
file nsServiceManager.cpp, line 545
###!!! Break: at file nsServiceManager.cpp, line 545
CanUnload_enumerate: skipping native
GC Cache:
        hits:  395  203   72   11   31    9    0    1    2    2
        hits: 726, misses: 244, hit percent: 74.845360%
###!!! ASSERTION: Component Manager being held past XPCOM shutdown.: 'cnt == 0',
file nsXPComInit.cpp, line 505
###!!! Break: at file nsXPComInit.cpp, line 505

Comment 144

18 years ago
Joe, can you try another plugin. Throw in Flash the Default Plugin or any other 
4.x plugin. Acrobat PDF is broken (Bug 78741) on all builds from 4-24-01. Be 
sure when you are testing the closing case and about:plugins case that you FIRST 
visit a page with the plugin in question (namely Java or Flash or lack there 
of to trigger the Default). If that works, then I think rbs' second patch should 
go in.

Yes, there is the problem of XPCOM shutdown I see on Win32. Do you see on Linux? 
Can you check the refcount of the Java OJI Plugin when ::Observe is called?

Comment 145

18 years ago
Please keep in mind that the mEntryPoint isn't NULL but when you call
QueryInterface() on it it will fall over.  So you can't use that test.  Due to
changing symbol sizes and changing structure sizes I suspect that comparing the
char * description is the safest bet, assming that the description is the same

Comment 146

18 years ago
Correct me if I'm wrong, but don't we wrap 4.x plugins in an XPCOM wrapper 
anyway (ns4xPlugin*)? Since mEntryPoint is of type nsIPlugin and hence derives 
from nsIFactory which derives from nsISupports, it should be safe to assume 
there will be a QI or am I missing something here? 

Comment 147

18 years ago
I saw this function in the file: static PRBool isJavaPlugin(nsPluginTag * tag)
Is it also a possible alternative here?

No test against nsIJVMPlugin ?
ns4xPlugin::QueryInterface(const nsIID& iid, void** instance)
    if (instance == NULL)
        return NS_ERROR_NULL_POINTER;

    if (iid.Equals(kIPluginIID))
        *instance = (void *)(nsIPlugin *)this;
        return NS_OK;

    if (iid.Equals(kIFactoryIID))
        *instance = (void *)(nsIFactory *)this;
        return NS_OK;

    if (iid.Equals(kISupportsIID))
        *instance = (void *)(nsISupports *)this;
        return NS_OK;

    return NS_NOINTERFACE;

Comment 148

18 years ago
No need to test ns4xPlugin for nsIJVMPlugin in QI because it doesn't implement 
that interface. It's not Java. Take a look at MRJPlugin.h and notice it 
implements nsIPlugin and the QI. 

[static PRBool isJavaPlugin(nsPluginTag * tag)] is used to check for the old 4.x 
npjava plugin. Loading this causes crashes.

Comment 149

18 years ago
Chris wrote:
>Please keep in mind that the mEntryPoint isn't NULL but when you call
>QueryInterface() on it it will fall over.

That's bad.  mEntryPoint is supposed to either be NULL or an nsIPlugin*.  If
it's not a valid nsIPlugin*, then after this crash is addressed, there will be a
crash in the Shutdown call which is protected by if (mEntryPoint).

Comment 150

18 years ago
OK peterl, saw it, QI isn't the cause then.

sean/blizzard, it is declared as "nsIPlugin *mEntryPoint" so assumptions aren't 
Cc'ing scc, a bit late.  Are we sure the nsCOMPtr (vs. a raw strong-ref ptr) was
a necessary condition for the problem?


Comment 152

18 years ago
May be I have found the problem... Preparing a patch so that other could
try for confirmation.

Comment 153

18 years ago
This is interesting, but there is no path through |do_QueryInterface| that
blindly calls through |NULL|.  It all must pass through


From your description of the behavior, it sounds like |mEntryPoint| isn't really
a pointer to something that inherits unambiguously from |nsISupports|.  Does
stepping into the QI jump into limbo?  Does the intermediate step look like a
vtable?  That would imply that it is an object, but the wrong kind.  If the
intermediate step doesn't even look like a vtable, that would imply the pointer
is garbage but non-|NULL|.

Here's one possibility: could it be that what |mEntryPoint| points to has
already been unloaded?  That would explain a lot.

Comment 154

18 years ago
Nope, it eliminates the crash but it *isn't* the correct fix:

NS_IMETHODIMP nsPluginHostImpl::Observe(nsISupports *aSubject,
                                        const PRUnichar *aTopic,
                                        const PRUnichar *someData)
#ifdef NS_DEBUG
  nsAutoString topic(aTopic);
  char * newString = topic.ToNewCString();
  printf("nsPluginHostImpl::Observe \"%s\"\n", newString ? newString : "");
  if (newString)
//      NS_LITERAL_STRING("quit-application") == aTopic)
  NS_IF_RELEASE(serviceManager);  < where serviceManager is the global SM in
  return NS_OK;                   < the code (it is explicitly clear in the
                                  < code that there is *no* addref of the GSM)
}                                 < nope, this is the wrong fix...

Comment 155

18 years ago
Note this interesting comment from bug #77319 (claimed to be related to this bug)

  >The crash happens on NS_ADDREF(mInstance) and taking a look at that interface 
  >pointer shows it's vtable to be invalid so no wonder it crashes. What is going 
  >on with this member variable on this page.

Comment 156

18 years ago

In the case of the Java plugin, at least on Win32, mEntryPoint shows up as 
deriving from nsIFactory, nsISupports, and there's a vtable. I realized that's 
all the info the debugger probably can tell as we have no symbols for those 
optimized bits.  Ed sent me the debug bits but they don't even seem to work, 
probably because of the reason I talk about in bug 78150.

Comment 157

18 years ago
The debugger is showing you the static type of the variable, so it's expected
that it _claims_ the inheritance is valid.  When you actually look into the
vtable and follow the appropriate entry, it should lead to a correct and
in-memory implementation of |QueryInterface|.  If it doesn't, then you will at
least understand the exact mechanism of the crash, though not the reason behind it.

Comment 158

18 years ago
I tried this with a few different plugins in different senerios and anytime that 
mEntryPoint is not null, there looks to be a valid vtable with pointers. In the 
4.x case it's ns4xPlugin and in the Java case, like I thought, it's just 3 
pointers to memory because of no symbols. This is on Win32 though, Linux is 
another story. Can someone step through and examine the vtable just before the 

Scott, if the Java plugin used an older nsCOMPtr version to build with, could it 
be possible that NULL gets through? What about this debug vs. optimized in terms 
of zeroing out pointers?

Comment 159

18 years ago
(a) no.  no version in more than a year could fail for |NULL|, but
(b) you're calling _your_ |do_QueryInterface|, not one in the plugin, right?
This code is in the body of Mozilla somewhere ... not the plugin, and that's the
|do_QueryInterface| (or really |nsQueryInterface::operator()|) we're calling,
which is just a helper routine that calls QI.  If you step into that call, what
happens?  See in particular, code around the URL I cited above.  Just after that
is where it actually queries your pointer:


Step into the query... do you get somewhere?  Or does just stepping into the
query crash you?  If you got somewhere, examine the code ... is it really an
implementation of |QueryInterface| (compare with dissasembly of a known entry
point if symbols are not available).  If this is not really an implementation of
|QueryInterface|, then that is strong evidence in favor of unloaded code or a
trashed |mEntryPoint|.

Comment 160

18 years ago
I hope no one here is under the impression that code responsible for loading or
unloading plugins respects strong references to objects whose implementations
are provided by that plugin.  _That's_ certainly not the case by default.

I'll wager that the |nsCOMPtr| is pointing to an object whose implementation has
been unloaded.  Then, any work done through that pointer, of course, leads to a
jump into limbo.  And work is guaranteed, since the |nsCOMPtr|s destructor will
try to call |Release|.

Comment 161

18 years ago
Here are some data that might perhaps prove helpful. I expanded the 
ADDREF/RELEASE macros in nsServiceManager.cpp in order to see exactly who was 
initiating the addref & release. Then, I started SeaMonkey and exited 
immediately. As far I can tell, it seems the bug is in NPOJI600, for it appears
to be doing a QI without a matching |release|:

Here is my console output (the source changes to nsServiceManager.cpp are below)

###!!! ASSERTION: ADDREF: '0', file C:\Mozilla\src-m0.9\mozilla\xpcom\components
\nsServiceManager.cpp, line 315
Type Manifest File: C:\Mozilla\src-m0.9\mozilla\dist\WIN32_D.OBJ\bin\components\
nsNativeComponentLoader: autoregistering begins.
nsNativeComponentLoader: autoregistering succeeded
nNCL: registering deferred (0)
Initialized app shell component {18c2f989-b09f-11d2-bcde-00805f0e1353}, rv=0x000
nsPluginHostImpl ctor
plugins at: C:\Mozilla\src-m0.9\mozilla\dist\WIN32_D.OBJ\bin\plugins
plugins at: C:\Program Files\Netscape\Communicator\Program\Plugins
For application/x-java-vm found plugin C:\Mozilla\src-m0.9\mozilla\dist\WIN32_D.
###!!! ASSERTION: ADDREF: '0', file C:\Mozilla\src-m0.9\mozilla\xpcom\components
\nsServiceManager.cpp, line 315
Disabling View Source StyleSheet
Enabling Quirk StyleSheet
Note: verifyreflow is disabled
Style Data Sharing is Enabled :)
Note: styleverifytree is disabled
Note: frameverifytree is disabled
###!!! ASSERTION: New URI failed: 'Error', file C:\Mozilla\src-m0.9\mozilla\netw
erk\base\src\nsProtocolProxyService.cpp, line 302
Disabling View Source StyleSheet
Start reading in bookmarks.html
Finished reading in bookmarks.html  (21000 microseconds)
Disabling View Source StyleSheet
Enabling Quirk StyleSheet
has multiple monitor apis is 1
Shut down app shell component {18c2f989-b09f-11d2-bcde-00805f0e1353}, rv=0x00000
nsPluginHostImpl::Observe "xpcom-shutdown"
### beging nsCacheService::Shutdown()
### starting ~nsMemoryCacheDevice()
###!!! ASSERTION: RELEASE: '0', file C:\Mozilla\src-m0.9\mozilla\xpcom\component
s\nsServiceManager.cpp, line 299

And this is where we get the Service Manager being held pass down msg...

Changes to nsServiceManager.cpp (could someone try to reproduce as I am
going off-line now)

//NS_IMPL_ISUPPORTS1(nsServiceManagerImpl, nsIServiceManager)
NS_IMPL_QUERY_INTERFACE1(nsServiceManagerImpl, nsIServiceManager)

NS_IMETHODIMP_(nsrefcnt) nsServiceManagerImpl::Release(void) 
  NS_PRECONDITION(0 != mRefCnt, "dup release");
  NS_LOG_RELEASE(this, mRefCnt, "nsServiceManagerImpl");      
  if (mRefCnt == 0) {                          
    mRefCnt = 1; /* stabilize */               
    return 0;                                  
  return mRefCnt;                              

//#define NS_IMPL_ADDREF(nsServiceManagerImpl)
NS_IMETHODIMP_(nsrefcnt) nsServiceManagerImpl::AddRef(void)
  NS_PRECONDITION(PRInt32(mRefCnt) >= 0, "illegal refcnt");
  NS_LOG_ADDREF(this, mRefCnt, "nsServiceManagerImpl", sizeof(*this)); 
  return mRefCnt;

The stack trace at the time of the QI by NPOJI600 (I didn't capture the head)

NTDLL! 77f9eea9()
nsDebug::Assertion(const char * 0x100ecf24, const char * 0x100ecf20, const char 
* 0x100ecedc, int 315) line 286 + 13 bytes
nsServiceManagerImpl::AddRef(nsServiceManagerImpl * const 0x004840d0) line 315 + 
34 bytes
nsServiceManagerImpl::QueryInterface(nsServiceManagerImpl * const 0x004840d0, 
const nsID & {...}, void * * 0x00338140) line 294 + 139 bytes
JPINS32! 502e5e40()
JPINS32! 502e5d41()
NPOJI600! 5039104a()
nsJVMManager::StartupJVM() line 599 + 32 bytes
nsJVMManager::MaybeStartupLiveConnect() line 780 + 20 bytes
nsJVMManager::StartupLiveConnect(nsJVMManager * const 0x01580448, JSRuntime * 
0x00e16df0, int & 0) line 128 + 11 bytes
nsJSEnvironment::nsJSEnvironment() line 1505 + 49 bytes
nsJSEnvironment::GetScriptingEnvironment() line 1446 + 27 bytes
NS_CreateScriptContext(nsIScriptGlobalObject * 0x0152b6d0, nsIScriptContext * * 
0x0155cc10) line 1545 + 5 bytes
nsDocShell::EnsureScriptEnvironment(nsDocShell * const 0x0155cb60) line 4656 + 
50 bytes
nsWebShell::GetInterface(nsWebShell * const 0x0155cb84, const nsID & {...}, void 
* * 0x0012fbd4) line 329 + 19 bytes
nsGetInterface::operator()(const nsID & {...}, void * * 0x0012fbd4) line 37 + 31 
nsCOMPtr<nsIDOMWindowInternal>::assign_from_helper(const nsCOMPtr_helper & 
{...}, const nsID & {...}) line 974 + 18 bytes
nsCOMPtr_helper & {...}) line 556
nsAppShellService::GetHiddenWindowAndJSContext(nsAppShellService * const 
0x00543630, nsIDOMWindowInternal * * 0x0012fc7c, JSContext * * 0x0012fc80) line 
713 + 32 bytes
nsAppShellService::SetXPConnectSafeContext() line 177 + 40 bytes
nsAppShellService::CreateHiddenWindow(nsAppShellService * const 0x00543630) line 
main1(int 1, char * * 0x00484460, nsISupports * 0x00000000) line 988
main(int 1, char * * 0x00484460) line 1309 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e992a6()

Comment 162

18 years ago
Changes in diff -u format:

Index: nglsrc/nsPluginHostImpl.cpp
RCS file: /cvsroot/mozilla/modules/plugin/nglsrc/nsPluginHostImpl.cpp,v
retrieving revision
diff -u -r1.233.4.6 nsPluginHostImpl.cpp
--- nsPluginHostImpl.cpp        2001/05/03 21:06:35
+++ nsPluginHostImpl.cpp        2001/05/05 07:34:55
@@ -806,7 +806,15 @@
 void nsPluginTag::TryUnloadPlugin(PRBool aForceShutdown)
   // XXX This is a hack to keep Java around, see bug 76936
-  nsCOMPtr<nsIJVMPlugin> isJava = do_QueryInterface(mEntryPoint);
+  PRBool isJava = PR_FALSE;
+  if (mEntryPoint) {
+    nsIJVMPlugin* jvmPlugin;
+    if (NS_SUCCEEDED(mEntryPoint->QueryInterface(NS_GET_IID(nsIJVMPlugin),
+                    (void**)&jvmPlugin))) {
+      NS_RELEASE(jvmPlugin);
+      isJava = PR_TRUE;
+    }
+  }

   if (isJava && !aForceShutdown) return;

Index: nsServiceManager.cpp
RCS file: /cvsroot/mozilla/xpcom/components/nsServiceManager.cpp,v
retrieving revision 3.48
diff -u -r3.48 nsServiceManager.cpp
--- nsServiceManager.cpp        2000/09/13 23:55:57     3.48
+++ nsServiceManager.cpp        2001/05/05 07:40:10
@@ -289,7 +289,35 @@

-NS_IMPL_ISUPPORTS1(nsServiceManagerImpl, nsIServiceManager)
+//NS_IMPL_ISUPPORTS1(nsServiceManagerImpl, nsIServiceManager)
+NS_IMPL_QUERY_INTERFACE1(nsServiceManagerImpl, nsIServiceManager)
+NS_IMETHODIMP_(nsrefcnt) nsServiceManagerImpl::Release(void)
+  NS_PRECONDITION(0 != mRefCnt, "dup release");
+  NS_ASSERT_OWNINGTHREAD(nsServiceManagerImpl);
+  --mRefCnt;
+  NS_LOG_RELEASE(this, mRefCnt, "nsServiceManagerImpl");
+  if (mRefCnt == 0) {
+    mRefCnt = 1; /* stabilize */
+    NS_DELETEXPCOM(this);
+    return 0;
+  }
+  return mRefCnt;
+//#define NS_IMPL_ADDREF(nsServiceManagerImpl)
+NS_IMETHODIMP_(nsrefcnt) nsServiceManagerImpl::AddRef(void)
+  NS_PRECONDITION(PRInt32(mRefCnt) >= 0, "illegal refcnt");
+  NS_ASSERT_OWNINGTHREAD(nsServiceManagerImpl);
+  ++mRefCnt;
+  NS_LOG_ADDREF(this, mRefCnt, "nsServiceManagerImpl", sizeof(*this));
+  return mRefCnt;

 nsServiceManagerImpl::GetService(const nsCID& aClass, const nsIID& aIID,

Comment 163

18 years ago
*** Bug 79019 has been marked as a duplicate of this bug. ***

Comment 164

18 years ago
OK, guys.  I'm about to make all of us feel really dumb.  Here's the correct fix:

void nsPluginTag::TryUnloadPlugin(PRBool aForceShutdown)
  // XXX This is a hack to keep Java around, see bug 76936
  PRBool isJava = PR_FALSE;
  nsCOMPtr<nsIJVMPlugin> jvm;

  if (mEntryPoint)
    jvm = do_QueryInterface(mEntryPoint);

  if (jvm) {
    isJava = PR_TRUE;
    // release before we shutdown below
    jvm = nsnull;

  if (isJava && !aForceShutdown) return;

  if (mEntryPoint)
    mEntryPoint = nsnull;

  // before we unload check if we are allowed to, see bug #61388
  if (mLibrary && mCanUnloadLibrary)

  // we should zero it anyway, it is going to be unloaded by 
  // CleanUnsedLibraries before we need to call the library 
  // again so the calling code should not be fooled and reload 
  // the library fresh
  mLibrary = nsnull;

The problem is that the nsCOMPtr destructor is trying to call Release() on a
pointer that was in a library that was unloaded by PR_LoadLibrary().  I didn't
notice this until I used step instruction through the entire function.

I think that when looking at the stack traces everyone including myselft thought
it was when we called _into_ the function since the nsCOMPtr::~nsCOMPtr call
would always show up at the beginning of the function since that's where the
destructor is located as far as the debugger is concerned.  So much for stack

Looking for real reviews here and testing.  I think this is right, though.
Do we really believe that only JVMs will want to use threads, or might be 
bothered by abrupt unloading?  I'm really nervous about this approach.

I'd prefer that we either never unload plugins, or that we _always_ unload 
plugins, and require all plugins that want to avoid that behaviour to use a new-
style plugin which returns the right thing from nsIModule::CanUnload.  (We 
currently don't ever unload components, even when they report that they can be 
unloaded, because lots of our components suck and lie to us.)

What does 4.x do here?  How does the Sun Java(TM) Plugin avoid crashing there?

Comment 166

18 years ago
Checking the string on the name of the plugin doesn't crash because it doesn't
try to release after the module has been unloaded.

Comment 167

18 years ago
>Do we really believe that only JVMs will want to use threads, or might be 
>bothered by abrupt unloading?

No.  There are MANY issues related to this bug and bug 77319 that need to be
worked out yet.  I'd prefer seeing all loaded plugin modules remain loaded until
xpcom-shutdown (see various posts throughout this bug and 77319); temporarily
until a CanUnload solution is impl'ed/tested.

>Checking the string on the name of the plugin doesn't crash because it doesn't
>try to release after the module has been unloaded.

yep.  Also explains why the patch from rbs (which used mEntryPoint but not via
nsComPtr) worked.  Sorry for throwing everyone off track with my assumption that
the QI was failing due to a NULL ptr.

Now: Why didn't the patch cause a shutdown crash before it was checked into the
0.9 branch?

Comment 168

18 years ago
blizzard: other than what I'm assuming is a small typo in your final comment
(CleanUnsedLibraries) it looks good to me.  [s]r=scc (on blizzard's implentation
provided in his comment at 2001-05-05 10:43), whichever you need.

Comment 169

18 years ago
I still crash on exit after visiting java.sun.com with a CVS build which had
blizzard's latest patch in it. Info on my system:

o Debian GNU/Linux 2.2 (Sid)
o glibc 2.2.2
o gcc-2.95.3
o Sun's Java SDK, Standard Edition. Version 1.3.0_02

I crash with the latest pre-built 0.9 release candidate too.

Comment 170

18 years ago
blizzard's nsCOMPtr-friendly patch is equivalent to mine, except that
he is explicitly destroying the plugin (i.e., mEntryPoint).

Another way to write his patch is:

  PRBool isJava = PR_FALSE;
  if (mEntryPoint) {
    nsCOMPtr<nsIJVMPlugin> jvm;
    jvm = do_QueryInterface(mEntryPoint);
    if (jvm) {
      isJava = PR_TRUE;
      // release before we shutdown below
      jvm = nsnull;

I was under the impression that the particularity with the Java plugin 
was that it needed to be kept around until shut-down? It would be great
if the plugin could indeed be destroyed at once... In that case, one would
also need to do:
      jvm = nsnull;
+     mEntryPoint = nsnull; //mEntryPoint isn't declared as a nsCOMPtr
This way, the following "if (mEntryPoint)" will always fail and there is 
never going to be an attempt at double destruction if the code ever reaches
there. And speaking of this, is setting "jvm = nsnull" the cleaner way to
destroy the plugin. Will the dtor do the right thing here? It seems one has
to call Shutdown() and then Release()?
As for the crash at exit, has anybody took a look at the service manager stuff 
that I described above?

Comment 171

18 years ago
rbs, I only changed it to use an nsCOMPtr.  The release of mEntryPoint is only
done if PR_TRUE is passed into TryUnloadPlugin which is only done at shutdown so
the jvm still isn't being released until then.  The QI that do_QueryInterface()
does does an addref and I do the release which means that I don't even unload
early at least as I understand it.

Comment 172

18 years ago
OK, got it. 

And with the fact that nsCOMPtr<> will auto-release when it goes out of scope,
the version of blizzard's nsCOMPtr patch that I would prefer would be:

  PRBool isJava = PR_FALSE;
  if (mEntryPoint) {
    nsCOMPtr<nsIJVMPlugin> jvm
    jvm = do_QueryInterface(mEntryPoint);
    if (jvm) {
      isJava = PR_TRUE;

Some will even prefer nsCOMPtr<nsIJVMPlugin> jvm(do_QueryInterface(mEntryPoint)) 
To summarize: the mistake/lesson from earlier attempts was to use the nsCOMPtr 
'jvm' as a flag; i.e., hold an extra ref to an object that we are trying to 
destroy. Very bad or "really dumb" to quote blizzard. But seeing the large 
number of people cc:ed, let's give to that the benefit of the sheer heat of
the last m0.9 bug :-)

As for the crash at exit, has anybody took a look at the service manager stuff 
that I described above?

Comment 173

18 years ago
rbs, could you attach a patch so andre can try it out on his system as he
seems to be the only one stil seeing a problem. thanks

Comment 174

18 years ago
Actually, I am not sure what andre's problem is. To be more precise, what I am 
referring to is an assertion: "service manager held pass down". And this 
assertion arises when the crash in nsPluginTag::TryUnloadPlugin() in fixed 
(either with string compare, raw QI, nsCOMPtr QI). In other words, the assertion 
won't show up in release builds.

The assertion I am referring to is also mentioned in the comments from "Joe Chou 
2001-05-04 19:54" and "Peter Lubczynski 2001-05-04 20:08" who added that it 
seemed to be win32-specific. Because it is just an assertion in debug builds, 
there shouldn't be more issues for m0.9 as far as release is concerned, but 
it shows that there is a leak of the service manager. So if there is an easy 
fix that the Java people know about, then that will be fine to get it too. 
Otherwise, it is fine too :) that wouldn't be the first and last leak anyway :)

The reason I suggested for the leak is in my comments at "rbs@maths.uq.edu.au 
2001-05-05 00:24" and the patch that will help to trace it is the one that 
changes nsServiceManager.cpp which I added in my following post -- it just 
expands ADDREF/RELEASE in nsServiceManager.cpp and shows that there is a pending 
release that should have been fired by NPOJI600 (it may be too late to 
investigate for m0.9, but could serve as a starting point).

Comment 175

18 years ago
Attached below is a backtrace that I finally managed to get with a cvs snapshot
of gdb. This backtrace was done right after mozilla crashed on exit after
visiting java.sun.com.

Comment 176

18 years ago
Created attachment 33358 [details]
A backtrace of the crash on exit I have been seeing.

Comment 177

18 years ago
Same bug with releasing, just keeps moving around. That's the trace I got 
in bug 77319. Looks like we ADDREF in GetInstance which I think may be causing 
the crash then try to release after Shutdown.

Comment 178

18 years ago
Andre, the patch hasn't been applied to the m0.9 branch. Now wonder that the
crash is still there. Folks, could I checkin this one that I have in my tree?

C:\Mozilla\src-m0.9\mozilla\modules\plugin\nglsrc>cvs diff
cvs server: Diffing .
Index: nsPluginHostImpl.cpp
RCS file: /cvsroot/mozilla/modules/plugin/nglsrc/nsPluginHostImpl.cpp,v
retrieving revision
diff -r1.233.4.6 nsPluginHostImpl.cpp
<   nsCOMPtr<nsIJVMPlugin> isJava = do_QueryInterface(mEntryPoint);
>   PRBool isJava = PR_FALSE;
>   if (mEntryPoint) {
>     nsIJVMPlugin* jvmPlugin;
>     if (NS_SUCCEEDED(mEntryPoint->QueryInterface(NS_GET_IID(nsIJVMPlugin),
>                     (void**)&jvmPlugin))) {
>       NS_RELEASE(jvmPlugin);
>       isJava = PR_TRUE;
>     }
>   }
Could someone _please_ tell me why we want this fix at all, rather than just 
turning off all plugin unloading until we can find a system (like nsIModule 
has) that won't require us to put special hacks in the code for every plugin 
that wants to use threads?

Why isn't this as simple as just removing the PR_UnloadLibrary call?

Comment 180

18 years ago
I don't know. Drivers?

Comment 182

18 years ago
Actually, this could be the orriginal reason for unloading:


4.x style plugins need to be "shutdown" when the last instance goes away. 
Isn't OJI treated as a 4.x style plugin but it can't be unloaded. On the flip 
side, correct me if i'm wrong, XPCOM stay loaded once loaded.

And then, to complicate matters, calling nav.plugins.refresh() needs to 
try to shutdown plugins (all,I think) that are running because their libraries 
may have been replaced by another updated version or removed.

Comment 183

18 years ago
The last peterl's comment is a real threat. We will definitely crash on 
javascript:navigator.plugins.refresh(1) after updating the plugin if the plugin 
dll is not unloaded. And this particular functionality has been wanted for a 
long time.
Sure, being able to unload and reload plugins is a great thing to have, but we 
_don't_ have it if we don't have it safely.  Why not ask the plugin if it's 
safe to unload?  nsIModule::canUnload gives you that, as something to follow.  
(We don't currently unload C++ modules, because many of our modules are crap 
and lie to us when we ask them if it's safe, but don't get me started on that.  
It's not a flaw in the architecture, just a flaw in our general coding 
practices.)  When you put this in, did you really think that it would be safe 
to just unload 3rd-party software like that?  That no plugins would have timers 
or other threads to worry about?  (From reading 58218, it looks like we have to 
call NPP_Shutdown on 4.x plugins, but I can't find anything that says we have 
to unload them.  73071 is analogous, but for new-style plugins.  And, for new-
style plugins, peterl says in January that we _shouldn't_ call NPP_Shutdown for 
XPCOM plugins.  Very confusing.)

"Just like 4.x but..." bothers me a lot: we have a new plugin API, lots of 
which was "designed" to meet the needs of Sun's JVM plugin, and yet we have 
fragile stuff like this, special cased to avoid one specific piece of 
fragility.  Why isn't the OJI plugin using the New Plugin API, and being kept 
in by returning false from its module's canUnload hook?  This plan, and the 
stuff that led up to it, just reeks of bandaid, to me.

(I'm more than willing to walk away from navigator.plugins.refresh(1), or have 
it only pick up new plugins that aren't already known, if we absolutely can't 
find a way to ask a plugin if it's ready to be unloaded.  But it's not like 
this is rocket science, IMO.)

Comment 185

18 years ago
rbs, please file a new bug about the service manager leak wrt java.  It's a
seperate issue than what's being dealt with in this bug.

shaver, open a new bug if you want to talk about the architecture.  Yes, there
are problems but there's so much noise here it's difficult to talk about it.  I
want to see it fixed the right way as much as the next guy but let's deal with
it seperately.

I think we're shipping as is for now.  It crashes less anyway.

edburns, you need to look at andre's stack trace since he's reporting there's
still a problem and deal with it here.  Or open a new bug since this one is so
noisy and link the two with each other with a comment.
I'll file a bug later, but I have precisely zero confidence that we'll ever do 
the right thing here once the 0.9-topcrash heat is taken off.  Another special-
case hack for Sun's JVM in our plugin code, instead of making Sun respect the 
semantics of the API they chose to use, whee.

Comment 187

18 years ago
> ----- Additional Comments From Peter Lubczynski 2001-05-04 23:19 -------
> optimized bits.  Ed sent me the debug bits but they don't even seem to work, 
> probably because of the reason I talk about in bug 78150.

Peter, do you have JDK1.3.1 rc1 and only JDK1.3.1 rc1 installed on your 
system?  Those plugin bits only work with jdk1.3.1 rc1.  Please de-install all 
other Javas on your system and go to 
url=http://developer.java.sun.com/developer/earlyAccess/j2sdk131/> and get 
1.3.1 rc2.  Unfortunately 1.3.1 rc1 is no longer offered.

Comment 188

18 years ago
Mike Shaver wrote:

> Why isn't the OJI plugin using the New Plugin API, and being kept 
> in by returning false from its module's canUnload hook?  This plan, and the 
> stuff that led up to it, just reeks of bandaid, to me.

Doch, Sun's java plugin does use the new interface:

// CNetscapePlugin.h  by Stanley Man-Kit Ho
// [...]


class CPluginView;

class CNetscapePlugin : public nsIPluginInstance 

// [...]

// CPluginModule.h  by Stanley Man-Kit Ho
// [...]


#include "resource.h"       // main symbols

#include "oji_clsid.h"

// CPluginModule
class ATL_NO_VTABLE CPluginModule : 
// [...] super secret inheritance deleted...shhhh
	public IPluginModule
    CPluginModule() {}
// [...]

    // IPluginModule
    STDMETHOD_(nsresult, NSGetFactory) (const nsCID &aClass,
					nsISupports *aSupport,
                                        nsIFactory **aFactory);
    STDMETHOD_(PRBool, NSCanUnload) (void);
    STDMETHOD_(nsresult, NSRegisterSelf) (const char* path);
    STDMETHOD_(nsresult, NSUnregisterSelf) (const char* path);


// JavaPluginFactory.h  by Stanley Man-Kit Ho
// [...]
class CJavaPluginFactory : public nsIJVMPlugin, public nsIPlugin
// [...]

But it doesn't implement nsIModule. 
If it's using the XPCOM plugin interface, then it must be an XPCOM component,
right?  Which means that something must implement nsIModule (or NSGetFactory,
but I told you to get rid of that many milestones ago, and it's going to break
hard in 0.9.1, so I'll ignore than possibility), right?  And we don't unload any
modules once we've created them, and we never _will_ until shutdown, if they
return false from canUnload.

So, from the fact that this bug is happening at all, I think it's pretty clear
that either: 
 - the Sun OJI plugin doesn't really use the new-style plugin interface, or
 - the new-style plugin interface is savagely broken in ways I didn't previously
   suspect -- and my suspicions on that front are quite well-developed -- and
   actually _does_ unload XPCOM plugins.

The plot thickens.

Comment 190

18 years ago
Just to reassure Mike:  XPCOM plugins do not actually get unloaded when the 
plugin host thinks it is unloading them (nsPluginTag::TryUnloadPlugin) because 
the component manager continues to hold a ref to the nsIModule and nsIPlugin.
Sean: that's what I expected, but thanks for the reassurance.  So, if we're
seeing this crash, and Sun's plugin is using the XPCOM plugin interfaces, what
the heck is going on?  I'll be quite surprised, and even more frightened, if
it's an XPCOM bug.

Comment 192

18 years ago
Reference has been made to special code that preloads Java.  Maybe need to look 
at that (if it exists)?

Comment 193

18 years ago
Wow, if there's still a reference in the component manager then we probably
shouldn't be calling PR_UnloadLibrary() on any XPCOM-based plugin modules. Aeii!

Comment 194

18 years ago
The plugin host also does a PR_LoadLibrary.  So as long as the refcnt code on 
libraries is working, then the plugin host's call to PR_UnloadLibrary *should* 
be ok, right?

Comment 195

18 years ago
Please see:


about the long term unloading issue.  This bug is just too noisy.

Comment 196

18 years ago
I did some more tracing on Peter's checked in patch:
  nsCOMPtr<nsIJVMPlugin> isJava;
  if (mEntryPoint) {
    isJava = do_QueryInterface(mEntryPoint);

  //if (isJava && !aForceShutdown) return;
  if (isJava) return;

and found out that the flag, aForceShutdown, played a decisive role:

a)In the case of "about:plugins", isJava was non-null, but  was 1, therefore
skipped :
	if (isJava && !aForceShutdown) return;
and went to unload and crashed.

b) In the case of leaving an applet page (and Back/Forward with other pages),
isJava was non-null, and aForceShutdown was 0, therefore returned at: 
	if (isJava && !aForceShutdown) return;
and no crash.

Therefore, I took out the checking for aForceShutdown, and it worked in both
cases, plus the case of "launch and quite". No crashes. Did that mean anything?


Comment 197

18 years ago
If someone wants to try the Linux debug build of Mozilla with the debug build of
Java plugin, there two things you may need to know:
1) Get a recent trunk build. My build was checked out on last Friday, at it was
the first time that a debug mozilla ever worked with a debug Java plugin for me.
The same Java plugin did not work with the earlier builds of mozilla.
2) Expect longer startup time of mozilla with a debugger. In my case (using
gdb), it took longer than half an hour (no kidding!) to just bring up the
browser. It used around 99% cpu and most of the memory most of the startup time.
I have a pretty fast pentium with 256 mb of memory. After the browser came up,
speed went back to normal, but most of the memory was still occupied.

Comment 198

18 years ago
Sun's plugin implements these interfaces to be an XPCOM component:

    STDMETHOD_(nsresult, NSGetFactory) (const nsCID &aClass,
					nsISupports *aSupport,
                                        nsIFactory **aFactory);
    STDMETHOD_(PRBool, NSCanUnload) (void);
    STDMETHOD_(nsresult, NSRegisterSelf) (const char* path);
    STDMETHOD_(nsresult, NSUnregisterSelf) (const char* path);

It doesn't implement nsIModule.

I'll ask Stanley to explain why they don't implement nsIModule.

Comment 199

18 years ago
Joe, this is what I was worred about with aForceShutdown. I didn't realize that 
ReloadPlugin takes almost the same code path as actually shutting down so 
aForceShutdown being true sill force the Java XPCOM plugin to shutdown and 
unload pre-maturaly. You can't remove it all together because we do need to 
shutdown for 4.x but not for XPCOM.

Hm...I have another idea, do the reverse....

try doing a modification of the QI for Java. Instead of bailing when we have a 
nsIJVMPlugin, do the oppposite: do a QI for a ns4xPlugin and if that fails, 
bail, because we are an XPCOM plugin and service manager should shut us down.

What about that approach to solve this? Skips all this unloading for XPCOM 
plugins but keeps parity with 4.x.

Comment 200

18 years ago
I also tried to just take out the "!":
 	if (isJava && aForceShutdown) return;
and it also seemed to work OK, passed all three test cases. 

Comment 201

18 years ago
Joe, try something like:

What if we did something similar to:

  if (mEntryPoint) {
    nsCOMPtr<nsI4xPlugin> the4xPlugin
    the4xPlugin = do_QueryInterface(mEntryPoint);
    if (!the4xPlugin) {
      isXPCOM = PR_TRUE;
  if (isXPCOM) return; // bail if XPCOM

My need to call Release() first, I forget what the refcount is of an XPCOM 
plugin at this point in execution.

Re-assigning to blizzard@mozilla.org to get it off my plate. Manager says I need 
to concentrate to fix Windows bugs for 0.9.1 embedding and this is bug is Linux 
(although VERY important). Please re-assign if you feel otherwise.

BTW, what is the current status of patches check-in to the trunk/branch on this 
Assignee: peterlubczynski → blizzard

Comment 202

18 years ago
Peter: I tried the last patch (using 4x plugin), and it crashed when leaving an
applet. Taking out only "!" from your checkined fix seemed working for all three
cases (leaving an applet page, launch and exit, go to about:plugins), as the
	old: if (isJava && !aForceShutdown) return;
	new: if (isJava && aForceShutdown) return;

Comment 203

18 years ago
Joe, my bad. There is no interface nsI4xPlugin, but rather ns4xPlugin implements 
nsIPlugin which is probably why that patch failed. In fact, what did you try 
since nsI4xPlugin won't compile? It makes sense that removing the bang from 
aForceShutdown fixes the problem as the code below is NEVER executed for the 
Java plugin. It prevents the crash...but only for Java. Other XPCOM plugins 
(like Real) will surely crash here.

Hm....I'm going on a hunch here that bailing for any XPCOM plugin is the right 
thing to do. Can anyone back me up?

Joe, can you try modifying my last patch. Instead of the doing the QI, check to 
see if mEntryPoints can be cast to an ns4xPlugin. If you are able to get a 
ns4xPlugin out of mEntryPoints then we have a 4.x plugin for sure and that rest 
of the code needs to be called.

I'll do some more testing when I get home.
Assuming you mean dynamic_cast<>, you can't use that in Mozilla: not all of our
compilers support it, and, in fact, we turn off RTTI on Linux explicitly.  (I
don't think static_cast<> or reinterpret_cast<> will tell you anything useful.)

Maybe we do need a (dummy) nsI4xPlugin interface, perhaps with an Unload/Reload
method where all of this logic could live?

Comment 205

18 years ago
>I'm going on a hunch here that bailing for any XPCOM plugin is the right 
>thing to do. Can anyone back me up?

Bailing during the ReloadPlugins sequence? yes.
Bailing at xpcom-shutdown for properly implemented xpcom plugins?  No way.  If
you do that, then just get rid of nsIPlugin::Initialize and nsIPlugin::Shutdown
altogether.  They weren't even being called until a couple days before 0.8.1 was
branched (bug 45009).

Comment 206

18 years ago
Wow. Just read back over bug 45009 and this bug now makes a whole lot more 
sense. Isn't that the bug that introduced holding the service manager past XPCOM 
shutdown as Andrei says that nsPluginHostImpl's dtor isn't 
called and nsIObserver was added. Ed, looks like you started with the patches, 
what's your take? cc:ing Waterson on the hook for the sr=

Question for the experts: When is the correct time to call 
nsIPlugin->Shutdown()? Shouldn't refcouting handle when shutdown gets called in 
XPCOM land? Should we call nsIPlugin->Shutdown before the RELEASE? For 4.x 
plugins it is a different case as nsIPlugin->Shutdown can be called not only at 
shutdown, but during ReloadPlugins and when the last instance gets Destroyed.

Sean says that "PR_FindSymbol(pluginTag->mLibrary, "NSGetFactory");
is not satisfactory for determining if a plugin module is an xpcom plugin or a 
4x plugin". Why? Will that not easily distinguish XPCOM plugins from 4.x at the 
library level?

I will try creating another band-aid patch to test. I'm almost all out of 
band-aids, though. :-)

Comment 207

18 years ago
>Sean says that "PR_FindSymbol(pluginTag->mLibrary, "NSGetFactory");
>is not satisfactory for determining if a plugin module is an xpcom plugin or a 
>4x plugin". Why? Will that not easily distinguish XPCOM plugins from 4.x at the
>library level?

NSGetFactory was deprecated a long time ago and is going away in 0.9.1.  XPCOM
components don't use NSGetFactory, they use NSGetModule.

>I will try creating another band-aid patch to test. I'm almost all out of 
>band-aids, though. :-)

0.9 was released today so I don't think we need another bandaid on account of it.

Comment 208

18 years ago
Peter: re bug 45009, I recommend talking to Andrei about it, since the fix that 
was checked in differed substantially from the patch I started with.  My 
interest in bug 45009 was to un-block bug 49510.

Comment 209

18 years ago
SPAM: mozilla 0.9 (and M1, and 0.8.1, etc.) has left the building.  please
update the target milestone so we can get a good idea of what's left for 0.9.1.

Comment 210

18 years ago
Patches look to be checked in and I think this is working. Marking FIXED. Please 
re-open if you think otherwise.

Note: bug 76936 will now deal with the crash in 
Last Resolved: 18 years ago18 years ago
Resolution: --- → FIXED

Comment 211

18 years ago
Oops. I mean bug 80105.
works fine on linux/win 20010517 trunk builds. Junruh, pls verify on mac. Thx!
OS: All → Mac System 9.x
QA Contact: shrir → junruh
Hardware: PC → Macintosh

Comment 213

18 years ago
Verified on Mac netscape 6 2001051708

Comment 214

16 years ago
Please reopen : this is a regression 
about:plugin crashes Mozilla

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3; MultiZilla v1.4.0.1)
Yves Lambert, <about:plugins> is not "an applet page" and not even a page with
plugins, it just lists them, it doesn't use plugins. Please file a new bug (even
if it had the same symptoms, but it doesn't).


8 years ago
Component: Java: OJI → Java: OJI
Product: Core → Core Graveyard
Crash Signature: [@ nsPluginInstanceOwner::~nsPluginInstanceOwner]
You need to log in before you can comment on or make changes to this bug.