Issue 33467: Flash plugin crashed WebPluginDelegateImpl::FireIdleEvent()
Platform: Mac OS X Version 10.5.8 (Build 9L31a)
Processor: 1 Intel 1.50 GHz
RAM: 1024 MB
Chrome: Chrome version: 5.0.307.1 r37331
QuickTime Player: 7.6.4
Flash Player: 10.0.22

I was running Youtube.com, cnn.com, hulu.com and yahoo.com videos when flash crashed. I also had NPR news extension. I don't have the steps to reproduce for this. I will update the bug when I get one.

Thread 0 (crashed)
0 Google Chrome Framew0.307.1.0 0x03af8918 WebPluginDelegateImpl::FireIdleEvent() + 0x0 (webplugin_delegate_impl_mac.mm:953)
1 Google Chrome Framew0.307.1.0 0x03af8e0a (anonymous namespace)::CarbonIdleEventSource::SendHiddenPluginEvents() + 0xa (webplugin_delegate_impl_mac.mm:146)
2 Google Chrome Framew0.307.1.0 0x02bea62a MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) + 0x7 (message_loop.cc:320)
3 Google Chrome Framew0.307.1.0 0x02bea828 MessageLoop::DoDelayedWork(base::Time*) + 0xe (message_loop.cc:462)
4 Google Chrome Framew0.307.1.0 0x02bc6431 base::MessagePumpCFRunLoopBase::RunDelayedWork() + 0x17 (message_pump_mac.mm:324)
5 CoreFoundation 0.476.19.0 0x953c040e CFRunLoopRunSpecific + 0xc8e
6 CoreFoundation 0.476.19.0 0x953c0aa7 CFRunLoopRunInMode + 0x57
7 HIToolbox 0.353.0.0 0x9589a2ab RunCurrentEventLoopInMode + 0x11a
8 HIToolbox 0.353.0.0 0x9589a0c4 ReceiveNextEventCommon + 0x175
9 HIToolbox 0.353.0.0 0x95899f38 BlockUntilNextEventMatchingListInMode + 0x69
10 AppKit 0.949.54.0 0x9022d6d4 _DPSNextEvent + 0x290
11 AppKit 0.949.54.0 0x9022cf87 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 0x7f
12 AppKit 0.949.54.0 0x90225f9e -[NSApplication run] + 0x31a
13 Google Chrome Framew0.307.1.0 0x02bc62fc base::MessagePumpNSApplication::DoRun(base::MessagePump::Delegate*) + 0x19 (message_pump_mac.mm:677)
14 Google Chrome Framew0.307.1.0 0x02bc5a85 base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) + 0xb (message_pump_mac.mm:213)
15 Google Chrome Framew0.307.1.0 0x02bea573 MessageLoop::Run() + 0xb (message_loop.cc:205)
16 Google Chrome Framew0.307.1.0 0x03bfdc96 PluginMain(MainFunctionParams const&) + 0xc (plugin_main.cc:131)
17 Google Chrome Framew0.307.1.0 0x0267efc6 ChromeMain + 0xd (chrome_dll_main.cc:673)
18 Google Chrome Helper 0x00001fc5
19
Jan 29, 2010
Actually, I think this is actually the same as bug 33467 , having reproduced that and looked at the state of the stack. The event source structures look sane, but the iteration has come up with a bogus pointer, so trying to dereference into it (e.g., to read instance_) gets garbage.
Status: Started
Labels: ForMerge
Jan 29, 2010
Issue 33469 has been merged into this issue.
Jan 29, 2010
I see what's happening. During the idle event handling, the plugin can make a synchronous call; while waiting for the reply, an update geometry call can come in and the set gets modified during iteration. I should have a fix shortly.
Jan 29, 2010
(No comment was entered for this change.)
Status: Fixed
Jan 31, 2010
Issue 33888 has been merged into this issue.
Cc: jer...@chromium.org pinker...@chromium.org j...@chromium.org
Jan 31, 2010
Issue 33887 has been merged into this issue.
Feb 1, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=37539
------------------------------------------------------------------------
r37539 | stuartmorgan@chromium.org | 2010-01-29 13:38:18 -0800 (Fri, 29 Jan 2010) | 6 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/plugins/webplugin_delegate_impl_mac.mm?r1=37539&r2=37538
Fix possible iterator corruption in Carbon plugin idle event handling
BUG=33467
TEST=Scroll a Carbon plugin on and off screen repeatedly; it should not crash.
Review URL: http://codereview.chromium.org/556078
------------------------------------------------------------------------
Feb 1, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=37542
------------------------------------------------------------------------
r37542 | stuartmorgan@chromium.org | 2010-01-29 13:40:49 -0800 (Fri, 29 Jan 2010) | 9 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/branches/307/src/webkit/glue/plugins/webplugin_delegate_impl_mac.mm?r1=37542&r2=37541
Merge 37539 - Fix possible iterator corruption in Carbon plugin idle event handling
BUG=33467
TEST=Scroll a Carbon plugin on and off screen repeatedly; it should not crash.
Review URL: http://codereview.chromium.org/556078
TBR=stuartmorgan@chromium.org
Review URL: http://codereview.chromium.org/556081
------------------------------------------------------------------------
Feb 3, 2010
Platform: Hostname: Mac-SrikanthK.local
Mac OS X Version 10.5.8 (Build 9L30)
Processor: 2 Intel 2.40 GHz
RAM: 2048 MB
Chrome: Chrome version: 5.0.307.5 r37950 <<<Release/Debug>>>
QuickTime Player: 7.6.4
QuickTime PlayerX: <unknown>
Flash Player: 10.0.42
Status: Verified
Feb 4, 2010
Is this the same crash, then? http://crash/reportdetail?reportid=381ef5f45e2e2081
Feb 4, 2010
Ugh. Given the scattering of bugs, most significantly http://crash/reportdetail?reportid=6cac873033e7017a it does look like there's still something bad happening to this iteration :( Maybe we'll get lucky with the new version and get repro steps again.
Status: Assigned
Feb 4, 2010
Oh wait, I have a theory about how this could still be happening (and how to test). I'll update when I know more.
Feb 4, 2010
Yes, I can force this to happen by deliberately triggering a case like what I originally fixed; the difference is that it now requires at least two instances of the same plugin on a page. Unfortunately, that's not terribly uncommon with Flash. I'll put together a more complete fix tomorrow morning. This may well mean yet another rev of 307 :(
Feb 5, 2010
Second (and hopefully final) fix landed.
Status: Fixed
Feb 5, 2010
Stuart, I've marked up the cases for SendHiddenPluginEvents() and FireIdleEvent(). I see that there was a further fix, so I think that makes sense - please let me know if I'm just adding noise rather than signal.
Feb 5, 2010
Um, "marked up" == "associated crashes with bugid".
Feb 5, 2010
Yes, I expect that all those 307.5 crashes are indeed this bug and should now be fixed (again), so that makes sense.
Feb 6, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=38216
------------------------------------------------------------------------
r38216 | stuartmorgan@chromium.org | 2010-02-05 09:39:36 -0800 (Fri, 05 Feb 2010) | 10 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/plugins/webplugin_delegate_impl_mac.mm?r1=38216&r2=38215
Make Carbon plugin idle event source robust against changes during iteration
Ensure that removing any plugin from the idle event source during iteration is safe (not just the currently-firing plugin). Also bullet-proofs against the possibility of nested iteration.
Refactors the idle event source to use a helper class, to reduce duplicate code.
BUG=33467
TEST=Scroll rapidly on a page with multiple instances of a Carbon plugin.
Review URL: http://codereview.chromium.org/575023
------------------------------------------------------------------------
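The failure described in the comments above (a plugin's idle handler making a synchronous call, during which a geometry update modifies the set being iterated, plus the two-instance variant) and the defence the r38216 message describes, as an added C++ example that is not Chromium's code. `Plugin`, `IdleEventSource`, the `on_idle` hook and `RunScenarios` are constructed names for this illustration.

```cpp
#include <functional>
#include <set>
#include <vector>

// Constructed model (not Chromium's code) of an idle-event source like the
// Carbon one here: plugins register, and a timer walks the set firing events.
struct Plugin {
  int idle_events = 0;
  std::function<void()> on_idle;  // hypothetical hook: work the plugin does
};

class IdleEventSource {
 public:
  void Add(Plugin* p) { plugins_.insert(p); }
  void Remove(Plugin* p) { plugins_.erase(p); }
  // The report's hazard is a plain loop over plugins_: a handler's synchronous
  // call lets a geometry update erase from the set mid-pass, so the live
  // iterator ends up on garbage. Robust version: walk a stack snapshot,
  // re-check membership before each dispatch (removed plugins are skipped),
  // and refuse to nest so a re-entrant call cannot double-fire the pass.
  void SendIdleEvents() {
    if (sending_) return;
    sending_ = true;
    std::vector<Plugin*> snapshot(plugins_.begin(), plugins_.end());
    for (Plugin* p : snapshot)
      if (plugins_.count(p)) Fire(p);
    sending_ = false;
  }
 private:
  void Fire(Plugin* p) {
    ++p->idle_events;
    if (p->on_idle) p->on_idle();  // may call Remove() or SendIdleEvents()
  }
  std::set<Plugin*> plugins_;
  bool sending_ = false;
};

// Runs the thread's two cases: (a) two instances on one page where the first
// one's idle handling removes the second, (b) a handler that removes its own
// plugin and re-enters the source. Returns idle-event counts {a0, a1, b}.
std::vector<int> RunScenarios() {
  IdleEventSource src;
  Plugin ps[2];  // array order is the set's pointer order: ps[0] fires first
  src.Add(&ps[0]); src.Add(&ps[1]);
  ps[0].on_idle = [&] { src.Remove(&ps[1]); };
  src.SendIdleEvents();  // ps[0] fires, ps[1] is skipped
  Plugin b; src.Add(&b);
  b.on_idle = [&] { src.Remove(&b); src.SendIdleEvents(); };
  src.SendIdleEvents();  // ps[0] again; b fires once and drops out
  src.SendIdleEvents();  // only ps[0] is left
  return {ps[0].idle_events, ps[1].idle_events, b.idle_events};
}
```

With a node-based std::set only erasing the element the live iterator points at is undefined behaviour, but the snapshot-plus-membership check covers that case, removal of any other plugin, and re-entry alike without depending on container details.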
Feb 6, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=38223
------------------------------------------------------------------------
r38223 | stuartmorgan@chromium.org | 2010-02-05 10:21:11 -0800 (Fri, 05 Feb 2010) | 13 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/branches/307/src/webkit/glue/plugins/webplugin_delegate_impl_mac.mm?r1=38223&r2=38222
Merge 38216 - Make Carbon plugin idle event source robust against changes during iteration
Ensure that removing any plugin from the idle event source during iteration is safe (not just the currently-firing plugin). Also bullet-proofs against the possibility of nested iteration.
Refactors the idle event source to use a helper class, to reduce duplicate code.
BUG=33467
TEST=Scroll rapidly on a page with multiple instances of a Carbon plugin.
Review URL: http://codereview.chromium.org/575023
TBR=stuartmorgan@chromium.org
Review URL: http://codereview.chromium.org/572037
------------------------------------------------------------------------
Feb 10, 2010
Verified on URL: http://www.readwriteweb.com/archives/top_10_youtube_videos_of_all_time.php
Platform: Hostname: Macintosh-0023dfded9ed.local
Mac OS X Version 10.5.8 (Build 9L31a)
Processor: 4 Intel 2.66 GHz
RAM: 2048 MB
Chrome: Chrome version: 5.0.307.7 r38400 <<<Release/Debug>>>
QuickTime Player: 7.6.4
QuickTime PlayerX: <unknown>
Flash Player: 10.0.42
Status: Verified
Feb 14, 2010
Merged, verified: removing formerge label.
Labels: -ForMerge
Mar 18, 2011
Labels: -Crash bulkmove Stability-Crash
Owner: stuartmo...@chromium.org
Labels: Internals-Plugins OS-Mac Mstone-5