Closed Bug 65802 Opened 24 years ago Closed 24 years ago

visit about:plugins, then http://www.macromedia.com/, crash

Categories

(Core Graveyard :: Plug-ins, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: waterson, Assigned: serhunt)

Details

(Keywords: crash)

Crasher in the plugin code. To reproduce, you must have the flash player installed. Then,

1. visit `about:plugins'
2. visit `http://www.macromedia.com/'

Crash is at http://lxr.mozilla.org/mozilla/source/dom/src/base/nsMimeTypeArray.cpp#171

It looks like pluginArray->Item() is returning a null pointer in `plugin' with an NS_OK. So either we're not checking when the item is inserted into the plugin array, or we need to do a null-pointer check on the way out. Stack below.

MimeTypeArrayImpl::GetMimeTypes(MimeTypeArrayImpl * const 0x0012ecd8) line 171 + 10 bytes
MimeTypeArrayImpl::NamedItem(MimeTypeArrayImpl * const 0x02f70294, const basic_nsAReadableString<unsigned short> & {...}, nsIDOMMimeType * * 0x0012ee54) line 131
GetMimeTypeArrayProperty(JSContext * 0x0215b008, JSObject * 0x00000000, long 49544084, long * 0x0012eff4) line 117
js_GetProperty(JSContext * 0x0215b008, JSObject * 0x02f40850, long 50103384, long * 0x0012eff4) line 2075 + 84 bytes
js_Interpret(JSContext * 0x0215b008, long * 0x0012f17c) line 2455 + 494 bytes
js_Execute(JSContext * 0x00000000, JSObject * 0x021251d0, JSScript * 0x02fda820, JSFunction * 0x00000000, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012f17c) line 958
JS_EvaluateUCScriptForPrincipals(JSContext * 0x0215b008, JSObject * 0x021251d0, JSPrincipals * 0x0220b468, const unsigned short * 0x02f69fe0, unsigned int 2667, const char * 0x0220b4b8, unsigned int 5, long * 0x0012f17c) line 3217 + 19 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x00000000, const basic_nsAReadableString<unsigned short> & {...}, void * 0x021251d0, nsIPrincipal * 0x02f69fe0, const char * 0x0220b4b8, unsigned int 5, const char * 0x002a01e0 `string', basic_nsAWritableString<unsigned short> & {...}, int * 0x0012f268) line 606 + 60 bytes
HTMLContentSink::EvaluateScript(HTMLContentSink * const 0x0012ecd8, nsString & {"?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú ?ú?ú?ú?û?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú?ú"}, nsIURI * 0x022497f0, int 5, const char * 0x002a01e0 `string') line 4680
HTMLContentSink::ProcessSCRIPTTag(HTMLContentSink * const 0x0012ecd8, const nsIParserNode & {...}) line 5027
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x02fb2d60, const nsIParserNode & {...}) line 3184
CNavDTD::AddLeaf(CNavDTD * const 0x0012ecd8, const nsIParserNode * 0x01c4b398) line 3762 + 10 bytes
CNavDTD::AddHeadLeaf(CNavDTD * const 0x0012ecd8, nsIParserNode * 0x00000005) line 3883 + 10 bytes
Keywords: crash, nsbeta1
I see this on today's trunk (0117). Severity: critical
Severity: major → critical
The problem is that ndPluginHost reports more plugins than are actually present. Investigating... A null-check may be a good thing to do anyway.
OK, this is going to go away with bug 61388 fix. It does not refresh the plugin list properly (doesn't destroy the previous version before rescanning plugins). Marking dependency.
Status: NEW → ASSIGNED
Depends on: 61388
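The two failure modes discussed above (an accessor that returns success with a null pointer, and a plugin count left stale by a rescan that does not destroy the previous list) can be modelled in a few lines. This is an added example, not Mozilla code or the patch from bug 61388; `PluginList`, `Status`, `ItemUnchecked`, `CountMimeTypes` and `MakeList` are hypothetical names, and the sample plugin data is constructed.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-ins, not Mozilla's nsresult or plugin classes.
enum Status { OK, ERR_UNEXPECTED };
struct Plugin { std::vector<std::string> mimeTypes; };

class PluginList {
public:
    // A rescan replaces the entries. If the old scan is not destroyed
    // first, the reported count accumulates and exceeds the live entries.
    void Rescan(const std::vector<Plugin>& found, bool destroyOld) {
        if (destroyOld) reported_ = 0;
        entries_ = found;
        reported_ += found.size();
    }
    std::size_t Length() const { return reported_; }
    // Shape described in the report: success status, null out-pointer.
    Status ItemUnchecked(std::size_t i, const Plugin** out) const {
        *out = i < entries_.size() ? &entries_[i] : nullptr;
        return OK;
    }
    // Hardened accessor: a missing entry is an error, never OK plus null.
    Status Item(std::size_t i, const Plugin** out) const {
        ItemUnchecked(i, out);
        return *out ? OK : ERR_UNEXPECTED;
    }
private:
    std::vector<Plugin> entries_;
    std::size_t reported_ = 0;
};

// Caller-side check "on the way out": require OK and a non-null pointer
// before dereferencing, and count the entries that had to be skipped.
std::size_t CountMimeTypes(const PluginList& list, std::size_t* skipped) {
    std::size_t total = 0;
    *skipped = 0;
    for (std::size_t i = 0; i < list.Length(); ++i) {
        const Plugin* plugin = nullptr;
        if (list.ItemUnchecked(i, &plugin) != OK || !plugin) { ++*skipped; continue; }
        total += plugin->mimeTypes.size();
    }
    return total;
}

// Constructed sample: the same two plugins scanned twice.
PluginList MakeList(bool destroyOld) {
    std::vector<Plugin> scan(2);
    scan[0].mimeTypes = {"application/x-a"};
    scan[1].mimeTypes = {"application/x-b", "application/x-c"};
    PluginList list;
    list.Rescan(scan, destroyOld);
    list.Rescan(scan, destroyOld);
    return list;
}
```

With `destroyOld` false the list reports four plugins but holds two, so the caller-side check skips two null entries instead of dereferencing them; with `destroyOld` true the count and contents agree and nothing is skipped.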
Tried the same on Solaris 2.8 machine with NS6 OEM branch for Netscape6 for Solaris.
Load about:plugins
load www.macromedia.com
Browser crashes with bus error

->>>>>>>>>>>>>> Write Clipboard to memory
->>>>>>>>>>>>>> Write Clipboard to memory
Document about:plugins loaded successfully
->>>>>>>>>>>>>> Write Clipboard to memory
->>>>>>>>>>>>>> Write Clipboard to memory
->>>>>>>>>>>>>> Write Clipboard to memory
Bus Error - core dumped
Tried this on build 2001012806, Linux i686, and there was no problem.
Does not crash on NT4.0 with applied patch from bug 61388.
Bug 61388 is fixed now in the trunk. Marking fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Yeah, this is fixed. Verified on the trunk build on Windows 0219. No crash after doing the steps mentioned initially.
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard