Closed Bug 901963 Opened 9 years ago Closed 9 years ago

crash in mozilla::plugins::PluginInstanceChild::SetWindowLongPtrWHook

Categories

(Core :: Plug-ins, defect, P2)

25 Branch
x86_64
Windows 7
defect

Tracking

()

RESOLVED FIXED
mozilla26
Tracking Status
firefox24 --- unaffected
firefox25 --- affected
firefox26 --- fixed

People

(Reporter: scoobidiver, Assigned: m_kato)

References

Details

(4 keywords)

Crash Data

Attachments

(1 file)

It started spiking in 26.0a1/20130806 although there's one crash in 25.0a1/20130805. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=482b9d04974a&tochange=a0dd80f800e2
It might be a regression from bug 899026.

Comments talk about Flash unusable.

Stack traces are various and still buggy on 64-bit builds.

It's not a blocker as long as it's restricted to 64-bit builds but the crash volume is worth it (about 400 crashes an hour).

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3Aplugins%3A%3APluginInstanceChild%3A%3ASetWindowLongPtrWHook%28HWND__*%2C+int%2C+__int64%29
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=SetWindowLongPtrWHook%28HWND__*%2C+int%2C+__int64%29
latest crash when i clicked on youtube player window
https://crash-stats.mozilla.com/report/index/78386a1f-8738-47b4-b7d2-0fe872130806

first crash when youtube page start playing a video.
https://crash-stats.mozilla.com/report/index/39524148-e7ac-4e45-8d0f-764572130806

I will return with more information as i collect them.
This appears as if it will always crash when attempting to instantiate a Flash process on win64. That's a pretty serious functional regression.

Makoko, could you have a look please?
Assignee: nobody → m_kato
Priority: -- → P2
Crash Signature: [@ mozilla::plugins::PluginInstanceChild::SetWindowLongPtrWHook(HWND__*, int, __int64)] [@ SetWindowLongPtrWHook(HWND__*, int, __int64) ] → [@ mozilla::plugins::PluginInstanceChild::SetWindowLongPtrWHook(HWND__*, int, __int64)] [@ SetWindowLongPtrWHook(HWND__*, int, __int64) ] [@ SetWindowLongPtrAHook(HWND__*, int, __int64) ]
Attached patch fixSplinter Review
Comment on attachment 786714 [details] [diff] [review]
fix

This is a regression by bug 899026.  jmp rel32 offset and disp32 are signed, not unsigned.
Attachment #786714 - Flags: review?(ehsan)
Blocks: 899026
Version: 26 Branch → 25 Branch
Crash Signature: [@ mozilla::plugins::PluginInstanceChild::SetWindowLongPtrWHook(HWND__*, int, __int64)] [@ SetWindowLongPtrWHook(HWND__*, int, __int64) ] [@ SetWindowLongPtrAHook(HWND__*, int, __int64) ] → [@ mozilla::plugins::PluginInstanceChild::SetWindowLongPtrWHook(HWND__*, int, __int64)] [@ SetWindowLongPtrWHook(HWND__*, int, __int64) ] [@ SetWindowLongPtrAHook(HWND__*, int, __int64) ] [@ SetPluginHidden ] [@ PL_DHashTableOperate | nsLocalFile::Rel…
Tracking flags are for versions that are going to be released. 64-bit Firefox 25 and 26 are not scheduled.
Comment on attachment 786714 [details] [diff] [review]
fix

Review of attachment 786714 [details] [diff] [review]:
-----------------------------------------------------------------

Oops!
Attachment #786714 - Flags: review?(ehsan) → review+
https://hg.mozilla.org/mozilla-central/rev/0c0680a788be
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
Makoto, did you want to request Aurora uplift for this and bug 899026?
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #9)
> Makoto, did you want to request Aurora uplift for this and bug 899026?

No.  But I want to back out bug 899026 on aurora.
I just started testing 64bit builds on Windows 7. I see this as a high volume crash in bughunter debug builds on Beta/25 Win7 x86_64 with a number of urls.

For example, 
http://video-links.info/nv.php?url=zvdwb3xhbxa86

EXCEPTION_ACCESS_VIOLATION_EXEC

mozilla::plugins::PluginInstanceChild::SetWindowLongPtrWHook NPSWF64_11_9_900_117.dll@0x14583ff NPSWF64_11_9_900_117.dll@0x28ecf8 NPSWF64_11_9_900_117.dll@0x28f025 NPSWF64_11_9_900_117.dll@0x10fe5bf

breakpad's exploitability rates this as a medium.

MS' !exploitable rates this as exploitable due to DEP violation.

In opt nightly just prior to this fix with http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/08/2013-08-08-03-02-05-mozilla-central/firefox-26.0a1.en-US.win64-x86_64.zip, I get bp-e0b72383-19ff-4ca4-9171-31f592131012

0 		@0x177877634 	
1 	xul.dll 	xul.dll@0xb6c8cf 	
2 	NPSWF64_11_9_900_117.dll 	F1149524817___________________________

bug 899026 appears to be on Beta/25 and has not been backed out. This patch is on both aurora and central but not beta.

Benjamin, do you think we can get this on beta/25 ?
Flags: needinfo?(benjamin)
I'm not sure why we're testing FF25 win64 builds, but this is very unlikely to be actually exploitable and we're only shipping nightly in win64 mode as far as I know, so I don't think there's a strong reason to uplift this to beta.
Flags: needinfo?(benjamin)
Comment 11 is private: false
You need to log in before you can comment on or make changes to this bug.