Closed Bug 91921 Opened 23 years ago Closed 23 years ago

pressing Back button while movie is playing crashes browser

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: shrir, Assigned: serhunt)

References

(
URL
)

Details

(Whiteboard: [PDT+] fixed on branch)

Attachments

(4 files)

first try -- this patch is against branch code base
4.16 KB, patch
Details | Diff | Splinter Review
second try -- added removing listener from the list if destroyed somewhere
4.89 KB, patch
Details | Diff | Splinter Review
third try -- limiting new destroy stream logic by seekable streams only
5.40 KB, patch
Details | Diff | Splinter Review
fourth try -- a bit cleaner, jst's and pollmann's suggestions addressed
5.14 KB, patch
Details | Diff | Splinter Review 
mac only , 0723 branch, dunno if this is a regression , am yet to check on 0721 
build.

quicktime 5.0.2

steps:
go to the above link 
click on 'LARGE" (480x260 Broadband)
let the movie load and once it starts playing, click BACK button 

Observe that the browser crashes

stack :

Stack Signature   MixedMode + 0x1f4c (0x003fa18c) 9f2db325
Bug ID
Trigger Time 2001-07-23 09:59:14
User Comments quicktime 480x movie BACK button crash
Build ID 2001072303
Product ID Netscape6.10
Platform ID MacOS
Stack Trace
MixedMode + 0x1f4c (0x003fa18c)
ns4xPluginStreamListener::~ns4xPluginStreamListener() [ns4xPluginInstance.cpp, 
line 69]
ns4xPluginStreamListener::Release() [ns4xPluginInstance.cpp, line 144]
nsPluginStreamListenerPeer::~nsPluginStreamListenerPeer() [nsPluginHostImpl.cpp, 
line 1447]
nsPluginStreamListenerPeer::Release() [nsPluginHostImpl.cpp, line 1467]
nsCOMPtr_base::~nsCOMPtr_base() [nsCOMPtr.cpp, line 49]
nsStreamListenerTee::~nsStreamListenerTee() [nsStreamListenerTee.h, line 18]
nsStreamListenerTee::Release() [nsStreamListenerTee.cpp, line 6]
nsCOMPtr_base::assign_with_AddRef() [nsCOMPtr.cpp, line 58]
nsHttpChannel::OnStopRequest() [nsHttpChannel.cpp, line 2114]
nsOnStopRequestEvent::HandleEvent() [nsRequestObserverProxy.cpp, line 160]
nsARequestObserverEvent::HandlePLEvent() [nsRequestObserverProxy.cpp, line 63]
PL_HandleEvent() [plevent.c, line 590]
PL_ProcessPendingEvents() [plevent.c, line 520]
nsEventQueueImpl::ProcessPendingEvents() [nsEventQueue.cpp, line 374]
nsMacNSPREventQueueHandler::ProcessPLEventQueue() [nsToolkit.cpp, line 135]
nsMacNSPREventQueueHandler::RepeatAction() [nsToolkit.cpp, line 99]
Repeater::DoRepeaters() [nsRepeater.cpp, line 119]
nsMacMessagePump::DispatchEvent() [nsMacMessagePump.cpp, line 465]
nsMacMessagePump::DoMessagePump() [nsMacMessagePump.cpp, line 269]
nsAppShell::Run() [nsAppShell.cpp, line 110]
nsAppShellService::Run() [nsAppShellService.cpp, line 424]
Netscape 6 + 0x4c58 (0x175b2908)
I think this is a regression from bug 91140. Over to Andrei.
Assignee: peterlubczynski → av
This WFM on W2K with today's build. Mac only?
OS: Windows NT → All
Hardware: PC → Macintosh
yeah, mac only !
Nope, this happens on W2K too, I wasn't testing correctly.

Note: You must have Quicktime 5.02 and use the joy_ride testcase. I have a hard
time reproducing with Quicktime 5.01 or lower and using other movie trailers.
Hardware: Macintosh → All
yawah, my win quicktime is 5.0.2...upgrading now...
oops..i meant 5.0.1...
Okay, this sometimes happens and somtimes not. I watched Petersen play and
reload several other Quicktime 5.02 movies without crashing in today's build on Mac.
We call NPP_DestroyStream in ns4xPluginStreamListener destructor which happens 
after we supposedly destroy the plugin instance itself by NPP_Destroy. So looks 
like the better and more correct place for postponed 
ns4xPluginStreamListener::CleanUpStream is right before we call NPP_Destroy 
which happens in ns4xPluginInstance::Stop(). The problem is that 
ns4xPluginInstance object doesn't keep track of open streams. The simple linked 
list would be sufficient for this purporse.
Peter, please make mStreams member variable public and modify the stream 
listener destructor to be

ns4xPluginStreamListener::~ns4xPluginStreamListener(void)
{
#ifdef NS_DEBUG
  printf("\nns4xPluginStreamListener::~ns4xPluginStreamListener\n\n");
#endif

  // remove itself from the instance stream list
  if(mInst) {
    nsInstanceStream * prev = nsnull;
    for(nsInstanceStream *is = mInst->mStreams; is != nsnull; is = is->mNext) {
      if(is->nsPluginInstanceStream == this) {
        if(prev == nsnull)
          mInst->mStreams = is->mNext;
        else
          prev->mNext = is->mNext;

        delete is;
        break;
      }
      prev = is;
    }
  }

  NS_IF_RELEASE(mInst);
}

I am building the tree so cannot to test it right away. The new patch reflecting 
these changed is coming if solves the problem.
Ah, I can build debug and release simulteniously in the same tree, cool. There 
is a typo in the above code, sorry:

-  if(is->nsPluginInstanceStream == this) {
+  if(is->mPluginStreamListener == this) {
Andrei,

Can you attach a new, complete patch? Thanks.

Also, I'm worred about the *listener = stream assignment in
ns4xPluginInstance::NewNotifyStream(). I think we need the code at the bottom of
the above ::NewStream():

	NS_ADDREF(stream);  // Stabilize
    
    nsresult res = stream->QueryInterface(kIPluginStreamListenerIID,
(void**)listener);

    // Destabilize and avoid leaks. 
    // Avoid calling delete <interface pointer>
	NS_RELEASE(stream);

The reason for this is that "new" doesn't ADDREF so we are returning an
interface pointer that hasn't been addrefed yet! This is probably causing other
problems. In the above code, the QI should addref when it returns the interface
pointer which cancels out with the NS_RELEASE after it leaving a refcount of one
because by the NS_ADDREF before the QI.
Whiteboard: [PDT+]
In this iteration I also by Peter's suggestion changed code in NewNotifyStream 
making it exactly follow the lines of NewStream which is correct.
Much better!

Andrei, your thrid patch really looks more along the lines of "the correct way"
of fixing bug 91140.  Basically, the problem from bug 91140 was that
DestroyStream() was either being called too often or not enough. Now by
introducing the new struct nsInstanceStream we can keep track of a 4.x plugin
instance's open streams. Therefore, we are in a much better position of ensuring
DestroyStream() is called at the appropriate time. 

r=peterl
Keywords: patch
Whiteboard: [PDT+] → [PDT+] [SEEKING SUPER REVIEW]
sr=jst
Whiteboard: [PDT+] [SEEKING SUPER REVIEW] → [PDT+]
bonsai claims you checked in, updating whiteboard.  Thanks for the ultra-fast
turnaround on this!
Whiteboard: [PDT+] → [PDT+] fixed on branch
working on win and mac branch build 0724. no longer crashing...
It is in the trunk now.
Didn't I mark it fixes?
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
vtrunk
Status: RESOLVED → VERIFIED
Keywords: vtrunk
removing vtrunk, verified fixed on mac/ windows trunk 0801. No longer crashes...
Keywords: vtrunk
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: