[plugin]启动时崩溃

patwonder commented 12 years ago

Firefox 12.0b4 已确认由 commit 659b6360b7d5362e44595a690b55f29bb41bfa94 引起使用“恢复上一次标签页”设置，在Firefox刚启动时在界面上移动鼠标，可能导致Firefox假死或崩溃

patwonder commented 12 years ago

faint...应该是 commit 659b6360b7d5362e44595a690b55f29bb41bfa94

yxl commented 12 years ago

@patwonder 应该是CIEHostWindwo::m_pNavigateParams的问题，多线程操作时没加锁。

你测试一下。

patwonder commented 12 years ago

还是崩溃。。

yxl commented 12 years ago

@patwonder 能拿到崩溃时候的函数栈吗？我这里没法重现这个bug。

patwonder commented 12 years ago

@yxl 每次都不一样不过似乎经常会在HookMgr里面

未标记       9508    0   主线程   主线程   std::_Iterator012<std::bidirectional_iterator_tag,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *>,int,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const *,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const &,std::_Iterator_base12>::_Iterator012<std::bidirectional_iterator_tag,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *>,int,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const *,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const &,std::_Iterator_base12> 正常
                        npfireie32.dll!std::_Iterator012<std::bidirectional_iterator_tag,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *>,int,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const *,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const &,std::_Iterator_base12>::_Iterator012<std::bidirectional_iterator_tag,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *>,int,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const *,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const &,std::_Iterator_base12>(const std::_Iterator012<std::bidirectional_iterator_tag,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *>,int,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const *,std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> const &,std::_Iterator_base12> & __that={...})  + 0x1d 字节    
                        npfireie32.dll!std::_Tree_unchecked_const_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> >,std::_Iterator_base12>::_Tree_unchecked_const_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> >,std::_Iterator_base12>(const std::_Tree_unchecked_const_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> >,std::_Iterator_base12> & __that={...})  + 0x2f 字节    
                        npfireie32.dll!std::_Tree_const_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > >::_Tree_const_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > >(const std::_Tree_const_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > > & __that=(0x768348e3, 0x0af98640 {hModule=0x72b40000 szImportModule=0x0af98690 "Kernel32.dll" szFunc=0x0af986e0 "LoadLibraryExA" ...}))  + 0x2f 字节     
                        npfireie32.dll!std::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > >::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > >(const std::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > > & __that=(0x768348e3, 0x0af98640 {hModule=0x72b40000 szImportModule=0x0af98690 "Kernel32.dll" szFunc=0x0af986e0 "LoadLibraryExA" ...}))  + 0x2f 字节   
                        npfireie32.dll!std::_Pair_base<std::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > >,bool>::_Pair_base<std::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > >,bool>(std::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > > && _Val1=(0x768348e3, 0x0af98640 {hModule=0x72b40000 szImportModule=0x0af98690 "Kernel32.dll" szFunc=0x0af986e0 "LoadLibraryExA" ...}), bool && _Val2=true)  行 145 + 0x57 字节     
                        npfireie32.dll!std::pair<std::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > >,bool>::pair<std::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > >,bool>(std::_Tree_iterator<std::_Tree_val<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> > > && _Val1=(0x768348e3, 0x0af98640 {hModule=0x72b40000 szImportModule=0x0af98690 "Kernel32.dll" szFunc=0x0af986e0 "LoadLibraryExA" ...}), bool && _Val2=true)  行 228   
                        npfireie32.dll!std::_Tree<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> >::_Linsert(std::_Tree_nod<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> >::_Node * _Node=0x0af98878, bool _Leftish=false)  行 973 + 0x4c 字节    
                        npfireie32.dll!std::_Tree<std::_Tmap_traits<int (__stdcall*)(void),BrowserHook::HookItem *,std::less<int (__stdcall*)(void)>,std::allocator<std::pair<int (__stdcall*const)(void),BrowserHook::HookItem *> >,0> >::insert<std::pair<int (__stdcall*)(void),BrowserHook::HookItem *> >(std::pair<int (__stdcall*)(void),BrowserHook::HookItem *> && _Val=(0x768348e3, 0x0af98640 {hModule=0x72b40000 szImportModule=0x0af98690 "Kernel32.dll" szFunc=0x0af986e0 "LoadLibraryExA" ...}))  行 756 + 0x24 字节    
                        npfireie32.dll!BrowserHook::HookMgr::InstallHookForOneModule(HINSTANCE__ * hModule=0x72b40000, const char * szImportModule=0x14b21758, const char * szFunc=0x14b21724, int (void)* pHookFunc=0x145a74df)  行 47 + 0x26 字节   
                        npfireie32.dll!BrowserHook::AtlDepHook::InstallHooksForNewModule(HINSTANCE__ * hModule=0x72b40000)  行 304  
                        npfireie32.dll!BrowserHook::AtlDepHook::Install()  行 284   
                        npfireie32.dll!BrowserHook::CoGetClassObject_hook(const _GUID & rclsid={...}, unsigned long dwClsContext=1, void * pvReserved=0x00000000, const _GUID & riid={...}, void * * ppv=0x00309438)  行 106    
                        urlmon.dll!764fdfe7()    
                        [下面的框架可能不正确和/或缺失，没有为 urlmon.dll 加载符号]    
                        urlmon.dll!7650d2a6()    
                        urlmon.dll!7650d280()    
                        urlmon.dll!7650ba5a()    
                        urlmon.dll!7651212e()    
                        urlmon.dll!76509bca()    
                        urlmon.dll!764f65f5()    
                        ieframe.dll!635bad5b()   
                        ieframe.dll!636183c9()   
                        user32.dll!763f6d91()    
                        user32.dll!76400d27()    
                        user32.dll!76400d4d()    
                        npfireie32.dll!CWnd::DefWindowProcW(unsigned int nMsg=17, unsigned int wParam=14549300, long lParam=14549300)  行 1089 + 0x20 字节    
                        npfireie32.dll!CWnd::Default()  行 291  
                        00000007()   
                        00000047()

yxl commented 12 years ago

我突然想起来stl里的那些容器都不是线程安全的。。我都没加锁……

patwonder commented 12 years ago

恢复的所有标签页： All Tabs

patwonder commented 12 years ago

@yxl 但以前都没什么问题二分查找到这个commit才出问题的

yxl commented 12 years ago

@patwonder 再测一下，呵呵。

yxl commented 12 years ago

659b636 使扩展的一些操作由以前的单线程变多线程了，让一些线程安全方面的问题暴露出来了。我猜可能是这样的。。。

patwonder commented 12 years ago

@yxl 依然崩溃我发个profile你测试一下？

patwonder commented 12 years ago

确认和IE设置了PAC有关

    ntdll.dll!_ZwRaiseException@12()  + 0x12 字节 
    ntdll.dll!_ZwRaiseException@12()  + 0x12 字节 
    jscript.dll!ArrayObj::EnsureNameList()  + 0x16 字节   
    jscript.dll!ArrayObj::EnsureNameList()  + 0x16 字节   
    msvcrt.dll!_malloc()  + 0x57 字节 
    jscript.dll!ArrayObj::Create()  + 0x55 字节   
    jscript.dll!CScriptRuntime::Run()  + 0x29e80 字节 
    jscript.dll!ScrFncObj::CallWithFrameOnStack()  + 0xf3 字节    
    jscript.dll!ScrFncObj::Call()  + 0x84 字节    
    jscript.dll!CSession::Execute()  + 0x144 字节 
    jscript.dll!COleScript::ExecutePendingScripts()  + 0x29d 字节 
    jscript.dll!COleScript::SetScriptState()  - 0x90e2 字节   
    jsproxy.dll!CScriptSite::Init()  + 0x245 字节 
    jsproxy.dll!_CreateScriptSite()  + 0x43 字节  
    jsproxy.dll!_InternetInitializeAutoProxyDllEx@24()  + 0x56 字节   
    wininet.dll!AUTO_PROXY_LIST_ENTRY::ProxyDllInit()  + 0x48 字节    
    wininet.dll!AutoProxyResolver::DownloadProxyInfo()  + 0x3d6 字节  
    wininet.dll!AutoProxyResolver::DoNestedProxyInfoDownload()  + 0x52 字节   
    wininet.dll!AutoProxyResolver::DetectAndDownloadProxyScript()  + 0x1f9 字节   
    wininet.dll!AutoProxyResolver::ProcessRefresh()  + 0xa3 字节  
    wininet.dll!AutoProxyResolver::OnRefresh()  + 0x24 字节   
    wininet.dll!AutoProxyResolver::ProcessMessages()  + 0x111d 字节   
    wininet.dll!AutoProxyResolver::AutoProxyThread()  + 0xf2 字节 
    wininet.dll!AutoProxyResolver::AutoProxyThreadStart()  + 0xd 字节 
    kernel32.dll!@BaseThreadInitThunk@12()  + 0x12 字节   
    ntdll.dll!___RtlUserThreadStart@8()  + 0x27 字节  
    ntdll.dll!__RtlUserThreadStart@8()  + 0x1b 字节

patwonder commented 12 years ago

刚刚firefox又崩了一次。。也是jscript.dll出的问题。。

yxl commented 12 years ago

把Stop、Refresh、Back、Forward等操作改回同步方式吧。。。。

patwonder commented 12 years ago

使用MiniHook后暂未发生过此问题，close之。。

yxl / Fire-IE

[plugin]启动时崩溃 #44