Bug ID: 7074181 DT: FF crashes upon user cancels install and reloads the page (usually happens after a few reloads)

7074181 : DT: FF crashes upon user cancels install and reloads the page (usually happens after a few reloads)

Details

Type:	Bug	Submit Date:	2011-08-02
Status:	Closed	Updated Date:	2011-11-28
Project Name:	JDK	Resolved Date:	2011-11-28
Component:	deploy	OS:	windows_xp
Sub-Component:	deployment_toolkit	CPU:	x86
Priority:	P3
Resolution:	Fixed
Affected Versions:	7-client
Fixed Versions:	7u2

Related Reports

Backport:

JDK-2214696 - DT: FF crashes upon user cancels install and reloads the page (usually happens after a few reloads)

Sub Tasks

Description

The problem can be reproduced with FF 3.6.9 with one of the following testcases.

Test 1:
-------
  1) open http://javaweb.sfbay.sun.com/~in81039/dtcrash/test_frame.html
  2) it will start installing FX
  3) cancel install
  4) reload page
  5) crash

Test 2:
--------
   1) Open http://oklahoma.us.oracle.com/www/tests/7-client/7052499/testcase.htm
     It'll show a warning dialog regarding installing old version of 6uX
   2) Hit cancel on the dialog
   3) reload page 
   
   (Typically, one needs to repeat the above steps at least twice to see the crash.)

Comments

EVALUATION

Problem: the critical section (csInstallData) was deleted when the ScriptablePluginObject was deleted while the install thread was trying to access it.

Fix: moved the creation and deletion of the critical section to DllMain.
      In DownloadDialog, changed CreateThread to _beginthreadex for the download thread.

2011-08-04

EVALUATION

Analyzing a crash dmp using windbg shows the following:

FAULTING_IP: 
ntdll!RtlpWaitForCriticalSection+8c
7c919af2 ff4010          inc     dword ptr [eax+10h]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c919af2 (ntdll!RtlpWaitForCriticalSection+0x0000008c)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00000010
Attempt to write to address 00000010

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00000010

WRITE_ADDRESS:  00000010 

FOLLOWUP_IP: 
npdeployJava1!_threadstartex+64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
06a1e242 cc              int     3

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CRITICAL_SECTION:  06a5a514 -- (!cs -s 06a5a514)

BLOCKING_THREAD:  000011a0

DERIVED_WAIT_CHAIN:  

Dl Eid Cid     WaitType
-- --- ------- --------------------------
   28  ca8.11a0 Critical Section       

WAIT_CHAIN_COMMAND:  ~28s;k;;

FAULTING_THREAD:  0000001c

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_BusyHang_Unowned_CriticalSection_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 7c901046 to 7c919af2

STACK_TEXT:  
06ba5dfc 7c901046 00a5a514 06a11cb0 06a5a514 ntdll!RtlpWaitForCriticalSection+0x8c
06ba5e04 06a11cb0 06a5a514 7d3b516a 00000000 ntdll!RtlEnterCriticalSection+0x46
06baff70 06a1e1b8 0431bbb0 7d3bf0ae 00000000 npdeployJava1!InstallJREThread+0x7b3 [c:\7-client\deploy\src\plugin\win32\toolkit\common\jreinstall.cpp @ 688]
06baffa8 06a1e242 00000000 06baffec 7c80b729 npdeployJava1!_callthreadstartex+0x1b [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 314]
06baffb4 7c80b729 04312ca8 00000000 00000000 npdeployJava1!_threadstartex+0x64 [f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c @ 292]
06baffec 00000000 06a1e1de 04312ca8 00000000 kernel32!BaseThreadStart+0x37


SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  npdeployJava1!_threadstartex+64

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: npdeployJava1

IMAGE_NAME:  npdeployJava1.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4e3861de

STACK_COMMAND:  ~28s ; kb

FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_npdeployJava1.dll!_threadstartex

BUCKET_ID:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_BusyHang_Unowned_CriticalSection_INVALID_POINTER_WRITE_npdeployJava1!_threadstartex+64

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/firefox_exe/1_9_2_3888/4c745229/ntdll_dll/5_1_2600_6055/4d00f27d/c0000005/00019af2.htm?Retriage=1
--------
The problem seems to due to the critical section is no longer valid when it's being accessed in JREInstall.cpp.

2011-08-02

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together