Closed Bug 849613 Opened 11 years ago Closed 11 years ago

crash in mozilla::Selection::Extend with Java plugin

Categories

(Core Graveyard :: Plug-ins, defect, P2)

21 Branch
x86_64
macOS

Tracking

(firefox20 unaffected, firefox21 affected)

RESOLVED WORKSFORME

People

(Reporter: scoobidiver, Unassigned)

Details

(Keywords: crash, Whiteboard: [closeme 2013-05-01])

Crash Data

It first showed up in 21.0a2/20130224 and is currently #7 top crasher in 21.0a2 on Mac OS X.
It might be bug 839750.

Signature 	mozalloc_abort(char const*) | NS_DebugBreak_P | mozilla::Selection::Extend(nsINode*, int)
UUID	eb66176d-18a8-4ff1-8291-f8b742130310
Date Processed	2013-03-10 09:29:19
Process Type	plugin Java-appletplugin Version:14.6.1 Filename: JavaAppletPlugin.plugin
Uptime	32
Install Age	1.6 days since version was first installed.
Install Time	2013-03-08 19:55:13
Product	Firefox
Version	21.0a2
Build ID	20130308042013
Release Channel	aurora
OS	Mac OS X
OS Version	10.8.2 12C60
Build Architecture	amd64
Build Architecture Info	family 6 model 23 stepping 6
Crash Reason	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x 863GL Context? GL Context+ GL Layers? GL Layers+ 
Processor Notes 	sp-processor03.phx1.mozilla.com_9903:2008; MDSW emitted too many frames, triggering truncation; exploitablity tool: ERROR: unable to analyze dump
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x 863

Frame 	Module 	Signature 	Source
0 	libmozalloc.dylib 	mozalloc_abort 	memory/mozalloc/mozalloc_abort.cpp:30
1 	XUL 	NS_DebugBreak_P 	xpcom/base/nsDebugImpl.cpp:379
2 	XUL 	mozilla::Selection::Extend 	layout/generic/nsSelection.cpp:4749
3 	libdyld.dylib 	LockHelper::~LockHelper 	
4 	libsystem_c.dylib 	__vfprintf 	
5 	libdyld.dylib 	dyld_stub_binder_ 	
6 	XUL 	_ZZL11toHexStringPKhjR19nsACString_internalE6digits 	
7 	libmozglue.dylib 	arena_malloc 	jemalloc.c:1714
8 	libmozglue.dylib 	je_malloc 	jemalloc.c:4239
9 	libsystem_c.dylib 	malloc_zone_malloc 	
10 	libsystem_c.dylib 	malloc 	
11 	XUL 	nsACString_internal::MutatePrep 	xpcom/string/src/nsSubstring.cpp:177
12 	XUL 	_ZZL11toHexStringPKhjR19nsACString_internalE6digits 	
13 	XUL 	nsACString_internal::ReplacePrepInternal 	obj-firefox/x86_64/dist/include/nsCharTraits.h:395
14 	XUL 	_ZZL11toHexStringPKhjR19nsACString_internalE6digits 	
15 	XUL 	nsACString_internal::ReplaceASCII 	obj-firefox/x86_64/dist/include/nsCharTraits.h:395
16 	libmozglue.dylib 	arena_malloc 	jemalloc.c:1714
17 	plugin-container 	plugin-container@0xa3 	
18 	XUL 	_ZZL11toHexStringPKhjR19nsACString_internalE6digits 	
19 	XUL 	mozilla::plugins::PPluginScriptableObjectChild::FatalError const 	obj-firefox/x86_64/ipc/ipdl/PPluginScriptableObjectChild.cpp:1252
20 	XUL 	mozilla::plugins::PPluginScriptableObjectChild::CallGetParentProperty 	obj-firefox/x86_64/ipc/ipdl/PPluginScriptableObjectChild.cpp:576
21 	XUL 	_ZZL11toHexStringPKhjR19nsACString_internalE6digits 	
22 	XUL 	mozilla::plugins::PluginScriptableObjectChild::ScriptableGetProperty 	dom/plugins/ipc/PluginScriptableObjectChild.cpp:232
23 	XUL 	mozilla::plugins::child::_getproperty 	dom/plugins/ipc/PluginModuleChild.cpp:1427
24 	JavaAppletPlugin 	JavaAppletPlugin@0x24a8 	
25 	JavaAppletPlugin 	JavaAppletPlugin@0x1fbc 	
26 	JavaAppletPlugin 	JavaAppletPlugin@0x26bb 	
27 	XUL 	mozilla::plugins::PluginInstanceChild::UpdateWindowAttributes 	dom/plugins/ipc/PluginInstanceChild.cpp:3207
28 	CoreFoundation 	CFBasicHashFindBucket 	
29 	XUL 	mozilla::plugins::PluginInstanceChild::DoAsyncSetWindow 	dom/plugins/ipc/PluginInstanceChild.cpp:2823
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozalloc_abort%28char+const*%29+|+NS_DebugBreak_P+|+mozilla%3A%3ASelection%3A%3AExtend%28nsINode*%2C+int%29
This stack is busted; mozilla::plugins::PPluginScriptableObjectChild::FatalError is the relevant frame. I think this is basically the same as bug 841916, bug 841914, and bug 845735. The new Java plugin on Mac really sucks.
Depends on: 845735, 841916
Priority: -- → P2
Let's watch the crash-stats for this to see if it got fixed by bug 831768 too.
Depends on: 831768
Whiteboard: [closeme 2013-05-01]
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard