Closed
Bug 183313
Opened 22 years ago
Closed 19 years ago
Flash: Crash in MyActivateTSMDocument() [@ HIToolbox.221.0.0 + 0x87f98 (0x931a8f98)]
Categories
(Camino Graveyard :: Plug-ins, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
Camino1.0
People
(Reporter: sfraser_bugs, Assigned: sfraser_bugs)
References
()
Details
(Keywords: crash, fixed1.8)
Crash Data
Attachments
(4 files, 1 obsolete file)
(deleted),
text/plain
|
Details | |
(deleted),
patch
|
mark
:
review-
|
Details | Diff | Splinter Review |
(deleted),
text/html
|
Details | |
(deleted),
patch
|
mark
:
review+
mikepinkerton
:
superreview+
mscott
:
approval1.8rc1+
|
Details | Diff | Splinter Review |
Talkback shows this crash as faily common:
MyActivateTSMDocument()
MyActivateTSMDocument()
0x04612d8c
0x046070bc
0x04606ae0
ns4xPluginInstance::HandleEvent()
[/src/chimera/trunk/mozilla/modules/plugin/base/src/ns4xPluginInstance.cpp, line
1182]
nsPluginInstanceOwner::ProcessEvent()
[/src/chimera/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp, line 3524]
nsPluginInstanceOwner::DispatchFocusToPlugin()
[/src/chimera/trunk/mozilla/layout/html/base/src/nsObjectFrame.cpp, line 3178]
nsEventListenerManager::HandleEvent()
[/src/chimera/trunk/mozilla/content/events/src/nsEventListenerManager.cpp, line
1760]
nsGenericElement::HandleDOMEvent()
[/src/chimera/trunk/mozilla/content/base/src/nsGenericElement.cpp, line 1688]
nsEventStateManager::PreHandleEvent()
[/src/chimera/trunk/mozilla/content/events/src/../../../dist/include/xpcom/nsCOMPtr.h,
line 631]
PresShell::HandleEventInternal()
[/src/chimera/trunk/mozilla/layout/html/base/src/../../../../dist/include/xpcom/nsCOMPtr.h,
line 643]
PresShell::HandleEvent()
[/src/chimera/trunk/mozilla/layout/html/base/src/nsPresShell.cpp, line 6150]
nsViewManager::HandleEvent()
[/src/chimera/trunk/mozilla/view/src/nsViewManager.cpp, line 2037]
nsViewManager::DispatchEvent()
[/src/chimera/trunk/mozilla/view/src/../../dist/include/xpcom/nsUnitConversion.h,
line 90]
GlobalWindowImpl::Deactivate()
[/src/chimera/trunk/mozilla/dom/src/base/nsGlobalWindow.cpp, line 2330]
nsWebBrowser::Deactivate()
[/src/chimera/trunk/mozilla/embedding/browser/webBrowser/nsWebBrowser.cpp, line
1647]
-[CHBrowserView setActive:]()
[/src/chimera/trunk/mozilla/chimera//src/chimera/trunk/mozilla/dist/include/xpcom/nsCOMPtr.h,
line 649]
_nsNotificationCenterCallBack()
_postNotification()
_CFNotificationCenterPostLocalNotification()
-[NSWindow resignKeyWindow]()
endKeyAndMain()
-[NSApplication sendEvent:]()
-[NSApplication run]()
NSApplicationMain()
_start() [/SourceCache/Csu/Csu-45//SourceCache/Csu/Csu-45/crt.c, line 267]
start()
Comment 1•22 years ago
|
||
Updated•22 years ago
|
Attachment #108266 -
Attachment is obsolete: true
Comment 2•22 years ago
|
||
Just happened to me on a flash site.
Comment 3•22 years ago
|
||
Just had this crash with build 2002121904, with macosx10.2.3.
Comment 4•22 years ago
|
||
What version of the flash plugin are you using ?
Assignee | ||
Comment 5•22 years ago
|
||
Also, can you provide steps to reproduce?
Comment 6•22 years ago
|
||
if another trace is useful, i've got one. i don't know how to reproduce it, but
it occured at
http://my.yahoo.com/
when Navigator had just lost focus (i was Cmd-TABbing through apps).
Comment 7•22 years ago
|
||
By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and
<http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss
bugs are of critical or possibly higher severity. Only changing open bugs to
minimize unnecessary spam. Keywords to trigger this would be crash, topcrash,
topcrash+, zt4newcrash, dataloss.
Severity: normal → critical
Is bug 183586 the same issue?
Can't reproduce using Build ID: 2003082702.
Steps / other URLs where people experience this?
Assignee | ||
Comment 10•21 years ago
|
||
This is a crash with the Flash plugin.
Summary: Crash in MyActivateTSMDocument() → Flash: Crash in MyActivateTSMDocument()
Comment 11•21 years ago
|
||
Works for me
Comment 12•21 years ago
|
||
works for me 2003090102 on 10.2.6 [I have a fairly recent flash plug-in).
Comment 13•21 years ago
|
||
Doesn't crash, and I think that the Flash plugin is working fine,but
I get this ASSERTION failure:
###!!! ASSERTION: OnStopDecode called multiple times.: '!(mState &
onStopDecode)', file ../../../../src/modules/libpr0n/src/imgRequest.cpp, line 518
Break: at file ../../../../src/modules/libpr0n/src/imgRequest.cpp, line 518
Comment 14•21 years ago
|
||
*** Bug 211864 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 15•20 years ago
|
||
This apparently still occurs with Shockwave Flash 7.0 r24.
Blocks: 225397
Comment 16•19 years ago
|
||
This bug has occurred on Safari 2.0 as well. We (the Flash Player team) will
investigate a fix.
Assignee | ||
Comment 17•19 years ago
|
||
Any changes here with Flash 8?
Comment 18•19 years ago
|
||
Unfortunately, no changes with Flash Player 8, and I'm very sorry. I had seen
references to this issue but I didn't have enough information about what was
happening until recently, and now it's too late for Flash Player 8. But we have
it on our list to investigate in the future.
Comment 19•19 years ago
|
||
I think the crash is triggered after flash opened a new window. I got my simple
test case here. I think it's related to this bug.
1. Go to http://ktml.net/camino/newwin.html
2. Click on the "click here to open a new window" button (you may have to
unblock the popup window)
3. Close the popup window
4. Switch away from Camino to other applications
5. Wait a few seconds
6. Here! One big crash!
It works every time for me. Try it!
Comment 20•19 years ago
|
||
sorry, forgot to mention:
You can download the source code of the newwin.swf at
http://ktml.net/camino/newwin.fla
What the flash button do is just call the javascript function Launchform() in
the newwin.html :
<script language="JavaScript" type="text/javascript">
function Launchform() {
OpenWin =
this.open('blank.html','','scrollbars=yes,menubar=no,height=400,width=500,resizable=no,toolbar=no,location=no,status=no');
}
</script>
Assignee | ||
Comment 21•19 years ago
|
||
ktml: nice testcase, thanks! (Note that you have to turn off popup blocking for
the site).
Assignee | ||
Updated•19 years ago
|
Summary: Flash: Crash in MyActivateTSMDocument() → Flash: Crash in MyActivateTSMDocument() [HIToolbox.221.0.0 + 0x87f98 (0x931a8f98)]
Assignee | ||
Comment 22•19 years ago
|
||
Does this still happen with Flash8?
Assignee | ||
Comment 23•19 years ago
|
||
I can't reproduce this with a recent nightly trunk build. Maybe the
focus/activate changes from bug 297343 fixed it?
(In reply to comment #23)
> I can't reproduce this with a recent nightly trunk build. Maybe the
> focus/activate changes from bug 297343 fixed it?
It's the #2 topcrasher for 1.0a1 and the current topcrasher for the branch.
However, so far there have been no reported crahses since the 5th (when bug
297343 landed), so it seems possible that the changes from bug 297343 fixed it.
There was a gap of no crashes between between the previous occurrences, though,
so you might want to wait a few more days or for 1.0a2 to be sure before closing
this.
Summary: Flash: Crash in MyActivateTSMDocument() [HIToolbox.221.0.0 + 0x87f98 (0x931a8f98)] → Flash: Crash in MyActivateTSMDocument() [@ HIToolbox.221.0.0 + 0x87f98 (0x931a8f98)]
Assignee | ||
Comment 25•19 years ago
|
||
Spoke too soon. We're still seeing 1.0a1+ branch crashers for this.
Flags: camino1.0+
Priority: -- → P1
Target Milestone: Future → Camino1.0
Assignee | ||
Comment 26•19 years ago
|
||
I can reliably reproduce this again now (maybe the fix for bug 311683 "helped").
I debugged by setting breakpoints on NewTSMDocument, ActivateTSMDocument and
DeleteTSMDocument, and looking at $r3. Here's the sequence for the steps in
comment 19:
1. Load the page with the Flash plugin
Flash calls NewTSMDocument (creating TSMDoc A)
NSTSMInputContext calls NewTSMDocument (creating TSMDoc B)
NSTSMInputContext calls ActivateTSMDocument with TSMDoc B
2. Click the Flash plugin
Gecko sets focus on the plugin; Flash calls ActivateTSMDocument(A)
(presumably storing current document B)
Plugin makes a new window
Gecko deactivates the Flash plugin, which calls ActivateTSMDocument(B)
3. New window appears
NSTSMInputContext calls NewTSMDocument, creating TSMDoc C
NSTSMInputContext calls ActivateTSMDocument(C)
NSTSMInputContext calls NewTSMDocument, creating TSMDoc D
NSTSMInputContext calls ActivateTSMDocument(D)
4. User closes window. Previous window (containing Flash) is activated.
Gecko activates the Flash plugin, which calls ActivateTSMDocument(A)
(presumably storing current document D)
NSTSMInputContext calls ActivateTSMDocument(B)
We hit the event loop, autorelease kicks in.
NSTSMInputContext calls DeleteTSMDocument(C)
NSTSMInputContext calls DeleteTSMDocument(D)
5. User switches to another app.
Gecko deactivates Flash, which calls ActivateTSMDocument(D) <-- BOOM!
So the issue here is that Flash is holding on to a pointer to a TSMDocument
which belonged to the popup window, and has been deleted.
Assignee | ||
Comment 27•19 years ago
|
||
This patch works around the issue by deactivating the current TSM document
every time we close a window (the change is in -windowWillClose:). This should
set the active TSM doc to null, which appears to be safe. Flash will then cache
0x00000000 as the active TSM doc when we activate it, rather than the
soon-to-be-deleted TSM doc that belongs to NSTSMInputContext.
Attachment #199364 -
Flags: superreview?(mikepinkerton)
Attachment #199364 -
Flags: review?(mark)
Comment 28•19 years ago
|
||
Comment on attachment 199364 [details] [diff] [review]
Workaround patch
I don't think Camino's BWC is the right place to handle this. Doesn't it
belong in the Cocoa widget library?
The patch here will still allow a crash when the evil disappearing context is a
tab instead of a window, because -windowWillClose: doesn't get called in that
case.
Attachment #199364 -
Flags: review?(mark) → review-
Assignee | ||
Comment 29•19 years ago
|
||
Mark: you're right. Here are some other steps that won't be fixed by that patch:
1. Load http://ktml.net/camino/newwin.html in a tab, and click on the Flash (but
not on the text, so don't make a new window).
2. Make a new tab, click in the content area.
3. Click the close box of the new tab.
4. Click on another app.
You'll now crash because Flash again cached a pointer to a TSM document that is
about to go away.
Status: NEW → ASSIGNED
Assignee | ||
Comment 30•19 years ago
|
||
Here's another way to crash (similar to first):
1. On any Flash applet, context-click, and choose Settings... from the context menu.
2. Close the resulting browser window.
3. Switch to another app.
Assignee | ||
Comment 31•19 years ago
|
||
Here's a testcase to repro the crash entirely within a single web page (with a
disappearing iframe).
Updated•19 years ago
|
Attachment #199364 -
Flags: superreview?(mikepinkerton)
Assignee | ||
Comment 32•19 years ago
|
||
This patch clears the active TSM document before we focus any plugin. This will
prevent Flash from stashing a pointer to a doomed TSM doc. It fixes the crash
for me, but needs testing to see if it breaks IME.
Attachment #199437 -
Flags: review?(mark)
Assignee | ||
Comment 33•19 years ago
|
||
Suggested new comment:
// Work around an issue in the Flash plugin, which can cache a pointer
// to a doomed TSM document (one that belongs to a NSTSMInputContext)
// and try to activate it after it has been deleted. See bug 183313.
Comment 34•19 years ago
|
||
Comment on attachment 199437 [details] [diff] [review]
Patch in nsObjectFrame
This covers all of the cases I can cook up, and doesn't seem to do anything
evil to text input, although I haven't tested anything "interesting" like
Japanese input.
Attachment #199437 -
Flags: review?(mark) → review+
Assignee | ||
Comment 35•19 years ago
|
||
Comment on attachment 199437 [details] [diff] [review]
Patch in nsObjectFrame
Seeking 1.5rc1 approval. This patch only affects Camino (the
NS_FOCUS_EVENT_START -> NS_FOCUS_CONTENT change is a no-op), and is required to
fix a top crasher.
Attachment #199437 -
Flags: superreview?(mikepinkerton)
Attachment #199437 -
Flags: approval1.8rc1?
Comment 36•19 years ago
|
||
Comment on attachment 199437 [details] [diff] [review]
Patch in nsObjectFrame
sr=pink
Attachment #199437 -
Flags: superreview?(mikepinkerton) → superreview+
Assignee | ||
Comment 37•19 years ago
|
||
Fixed on trunk. Needs approval for 1.8 branch.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 38•19 years ago
|
||
Comment on attachment 199437 [details] [diff] [review]
Patch in nsObjectFrame
approving this camino only change.
Attachment #199437 -
Flags: approval1.8rc1? → approval1.8rc1+
Assignee | ||
Comment 39•19 years ago
|
||
Checking in nsObjectFrame.cpp;
/cvsroot/mozilla/layout/generic/nsObjectFrame.cpp,v <-- nsObjectFrame.cpp
new revision: 1.510.2.4; previous revision: 1.510.2.3
Keywords: fixed1.8
Updated•14 years ago
|
Crash Signature: [@ HIToolbox.221.0.0 + 0x87f98 (0x931a8f98)]
You need to log in
before you can comment on or make changes to this bug.
Description
•