06-24 build OS 10.1.5 1. Go to espn.go.com 2. On the right side of screen, click on one of the radio buttons to vote. 3. Click "Submit vote". Application crashes. Crash log to come.

dupe of the plugin timer crash

Simply reloading the page results in a crash too. Form submission not required.

Confirmed using Chimera/20020625. Stack shows activity around PluginInstanceOwner. Will attach.

Brian, looks like this is a reproducable crash on reload of ESPN

Is this now fixed?

Yes. This should be fixed. Though difficult to verify. Last time I went to the site, there was no vote...

Brian, I am using today's build (07-09-05). Just went to espn.go.com, submitted my vote (on the right hand side of the page) and chimera still crashed. Reopening...

Hmm, so the coolest thing about this site appears to be that if you have cookies disabled, you get colored bars instead of radio buttons and a submit button. ;) After looking at this on win2k, I'd guess that the timer is firing during or after the deletion of the applet. I need to do some additional testing.

This works for me now... someone double check please

Just tried this again using the 07-16 build. Went to espn.com, let the page finish loading, hit reload, and the app crashed. From what I can tell, the stack is the same as the one I attached on 6-24.

*** Bug 157300 has been marked as a duplicate of this bug. ***

Encountered this again using Chimera/20020718 to access URL in bug 158244.

This bug definitely still exists, just go to www.digitalexpressions.nu and it'll crash after clicking a link or two. Please fix soon, it drives me nuts ;) thanks. Chimera rocks!

*** Bug 159380 has been marked as a duplicate of this bug. ***

*** Bug 159721 has been marked as a duplicate of this bug. ***

*** Bug 159710 has been marked as a duplicate of this bug. ***

*** Bug 159922 has been marked as a duplicate of this bug. ***

*** Bug 160901 has been marked as a duplicate of this bug. ***

grrr... so many dupes. really gotta fix this one.

*** Bug 161295 has been marked as a duplicate of this bug. ***

*** Bug 161350 has been marked as a duplicate of this bug. ***

*** Bug 161728 has been marked as a duplicate of this bug. ***

After a whole lot of debugging, printf's, and false leads, I think I'm on the right track now. This, and probably many of the other plugin crashers as well, appears to be releated to problems with the fCallbacks structure in the plugin. This is a table of function pointers that the browser can call to tell the plugin to do things (read, write, paint, etc.) Under mach-o, these CFM callbacks need to be "wrapped" with some glue code. I believe this table is being corrupted and/or not refreshed properly when plugins are load, unloaded, and reloaded.

*** Bug 163574 has been marked as a duplicate of this bug. ***

*** Bug 163833 has been marked as a duplicate of this bug. ***

*** Bug 164418 has been marked as a duplicate of this bug. ***

*** Bug 165258 has been marked as a duplicate of this bug. ***

*** Bug 166079 has been marked as a duplicate of this bug. ***

just as a me too, I'm seeing the same crash on 10.1.5 with 2002082705 and 2002090405 builds reliably and repeatedly by simply clicking(trying to click) a link on the espn.com home page

*** Bug 166870 has been marked as a duplicate of this bug. ***

*** Bug 167348 has been marked as a duplicate of this bug. ***

*** Bug 167604 has been marked as a duplicate of this bug. ***

*** Bug 168163 has been marked as a duplicate of this bug. ***

*** Bug 166841 has been marked as a duplicate of this bug. ***

*** Bug 169541 has been marked as a duplicate of this bug. ***

*** Bug 170242 has been marked as a duplicate of this bug. ***

*** Bug 170819 has been marked as a duplicate of this bug. ***

still experiencing this, seems more frequent with the more recent builds. The strange thing is that sometimes it's smooth even though I just click on the same link that crashed a few seconds ago.

Ok, so not refcounting the plugin library is a bad idea... patch coming.

Comment on attachment 101320 [details] [diff] [review] Refcount (and remove debugging code r/sr=sfraser

Nice catch. Would this be affecting the current CFM builds too?

No this bug only exists in the chimera tree. Unfortunately, this patch appears to cause the component manager to shutdown prematurely. In NS_ShutdownXPCOM the call to: nsComponentManagerImpl::gComponentManager->FreeServices(); causes the last nsComponentManagerImpl reference to be released, which unfortunately looks like it is supposed to happen about 11 lines later at the rv = (nsComponentManagerImpl::gComponentManager)->Shutdown(); call. This causes a second call to Shutdown which throws an assertion because it has already been shutdown. This seems to imply that we are not holding enough references to the component manager.

I am experiencing a crash that also contains nsPluginInstanceOwner::Notify(nsITimer*), and might be related. I ran into the crash on Build ID: 2002100204. I opened www.exploitationnow.com, which is a "keenspot" comic in a Tab. I switched to that tab, began scrolling down the page using the scroll wheel and Navigator crashed. I will attach the new crash.log.

See comments by Paul Pichardo in the bug.

I verified that I was wrong about the component manager problem. This exists without my patch as well. I will open a new bug with my findings. Patch checked in.

Using the 2002-10-10-14, I can no longer crash Chimera by either submitting a form or reloading the page. Shouldn't this bug be closed out ?

Chris, I closed it on 10/2. Verifying based on your comments.