Closed Bug 359870 Opened 18 years ago Closed 11 years ago

[@ gtk_style_realize] crash on style reset after closing tab with xembed plugins with NPPVpluginKeepLibraryInMemory

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: chpe, Assigned: asac)

References

(
URL
)

Details

(Keywords: crash, helpwanted)

Crash Data

Attachments

(1 file, 1 obsolete file)

backtrace with gtk 2.12.11 and xulrunner 1.9.0.1
81.85 KB, text/plain
Details 
(Filing here since nsPluginNativeWindowGtk2 seems to be responsible; but it also might be a widget:gtk2 or gtk+ bug.)

Steps to reproduce (taken from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210151 ):
0) Install totem plugin, start firefox
1) Go to a site with movie links, for example http://digital-desert.com/mpg-videos/
2) Open a non-movie link in a new tab, close the new tab [not sure this step is necessary]
3) Open a movie link in a new tab; wait for it to load in the totem plugin; close the tab
4) Right-click the movie link, Save Target As

Result:
Shortly after the gtk native filepicker shows, the application crashes.

Analysis:
There seems to be a problem with xembed plugins: when you close the tab that showed the plugin, the nsPluginNativeWindowGtk2 that wraps the GtkSocket is not destroyed yet (it is destroyed sometime later; I haven't yet noticed a pattern; at the very least it's destroyed on shutdown.) (Bug 241535 is caused by the same problem.)

Now, when the native gtk filepicker opens, it causes a style reset (#12 in trace). This is recursively propagated down the widget hierarchy, until it comes to the GtkSocket of the plugin window. That socket's widget->window at this point has a NULL colourmap, causing gtk_style_realize to segfault (NULL dereference).

Trace:
#0  0xb7bfac24 in gtk_style_realize (style=0x8bc43d0, colormap=0x0) at gtkstyle.c:839
#1  0xb7bfe1f0 in IA__gtk_style_attach (style=0x8bc3e00, window=0x88b1320) at gtkstyle.c:752
#2  0xb7ca4fe2 in gtk_widget_set_style_internal (widget=0x8d39c78, style=0x8bc3e00, initial_emission=0) at gtkwidget.c:5138
#3  0xb7ca513a in reset_rc_styles_recurse (widget=0x8d39c78, data=0x0) at gtkwidget.c:5348
#4  0xb67e49a3 in moz_container_forall (container=0x8277528, include_internals=1, callback=0xb7ca50d0 <reset_rc_styles_recurse>, callback_data=0x0)
    at mozcontainer.c:401
#5  0xb7af65fb in IA__gtk_container_forall (container=0x8277528, callback=0xb7ca50d0 <reset_rc_styles_recurse>, callback_data=0x0) at gtkcontainer.c:1261
#6  0xb7ca5129 in reset_rc_styles_recurse (widget=0x8277528, data=0x0) at gtkwidget.c:5351
#7  0xb7ab749f in gtk_bin_forall (container=0x8140738, include_internals=1, callback=0, callback_data=0x0) at gtkbin.c:133
#8  0xb7af65fb in IA__gtk_container_forall (container=0x8140738, callback=0xb7ca50d0 <reset_rc_styles_recurse>, callback_data=0x0) at gtkcontainer.c:1261
#9  0xb7ca5129 in reset_rc_styles_recurse (widget=0x8140738, data=0x0) at gtkwidget.c:5351
#10 0xb7ca518d in IA__gtk_widget_reset_rc_styles (widget=0x8140738) at gtkwidget.c:5361
#11 0xb7bcde40 in gtk_rc_reset_widgets (settings=0x8065080) at gtkrc.c:1606
#12 0xb7b54bb1 in reset_styles_idle (user_data=0x8ddda48) at gtkicontheme.c:602
#13 0xb759caa1 in g_idle_dispatch (source=0x8cbbf90, callback=0, user_data=0x8ddda48) at gmain.c:3926
#14 0xb759e802 in IA__g_main_context_dispatch (context=0x8081bc0) at gmain.c:2045
#15 0xb75a17df in g_main_context_iterate (context=0x8081bc0, block=1, dispatch=1, self=0x8123360) at gmain.c:2677
#16 0xb75a1b89 in IA__g_main_loop_run (loop=0x8e61630) at gmain.c:2881
#17 0xb7b07dfb in IA__gtk_dialog_run (dialog=0x8e80000) at gtkdialog.c:996
#18 0xb67f91bd in nsFilePicker::Show (this=0x8dee8b8, aReturn=0xbfb9f5cc) at nsFilePicker.cpp:583
[...]

Downstream bug reports: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210151 (firefox) and http://bugzilla.gnome.org/show_bug.cgi?id=353503 (epiphany, many duplicates).
Debian testing
totem-mozilla 2.16.2-2

Crash when closing Firefox (with [X]):

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Talkback ID: TB25758224X.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20061106 Minefield/3.0a1
Talkback ID: TB25757932W.
Just curious, but have you tested to see if it crashes with a build with your patch from bug 241535 in it?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Those talkbacks match bug 241535, and are fixed by the patch there.
This bug isn't fixed by the patch there.
This bug still causes many duplicate crash reports for both Epiphany and Galeon.
reinout@gmail.com: that's nice. are you volunteering to work on it?
Keywords: helpwanted
Aleksej, can you still reproduce this with both branch and trunk builds?
totem-mozilla 2.16.5-2, latest Firefox (2007030104)
1.8: TB29817710W
Trunk: TB29817976K
I'll give it a try. stay tuned.
Status: NEW → ASSIGNED
Assignee: nobody → asac
Status: ASSIGNED → NEW
Status: NEW → ASSIGNED
Attached patch maybe this (1.8 branch) (obsolete) — Splinter Review 
As mentioned by reporter, destructor is not called when nsPluginNativeWindowGtk2 gets removed. In consequence window/widget does not get properly removed from gtk widget hierachy.

This patch removed widget properly from hierachy.

I did not change destructor code (which does basically the same, but is not called), but instead set mGtkSocket = 0 in this patch ... so should be safe.

Should be the same on trunk.

Someone can please verify that this fixes 1.8 + trunk build so i can ask for review?
Comment on attachment 257133 [details] [diff] [review]
maybe this (1.8 branch)

this patch breaks other plugins.
Attachment #257133 - Attachment is obsolete: true
ok the bug is due to broken implementation of NPPVpluginKeepLibraryInMemory ... fix is not simple, so we worked around this by dropping that option from totem:

The workaround patch for totem is here:

http://bugzilla.gnome.org/show_bug.cgi?id=415389

However NPPVpluginKeepLibraryInMemory should be fixed or completely disabled at some point. So this bugs should be kept open.
Summary: crash on style reset after closing tab with xembed plugin → crash on style reset after closing tab with xembed plugins with NPPVpluginKeepLibraryInMemory
Bug 371387 comment 19 and 20 indicate that this crash also happens for plugins which don't use NPPVpluginKeepLibraryInMemory.
(In reply to comment #12)
> Bug 371387 comment 19 and 20 indicate that this crash also happens for plugins
> which don't use NPPVpluginKeepLibraryInMemory.

Yes, it happens with latest totem too. It just needs a modified testcase:

(From: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/91334)

Steps to reproduce:
1. Visit
http://www.apple.com/getamac/ads/
2. Wait for "Hello I'm a Mac" then click on the "Tech Support" video at the bottom left. A video should start to play.
3. Repeat step 2 until video area no longer starts playing the video.
4. Start
gnome-theme-manager .
5. Change the theme from Human to Mist.



This is also happening with Komodo and the Scintilla plugin, which does not use NPPVpluginKeepLibraryInMemory.

Way to reproduce this bug within Komodo:
1) After closing an opened file (plugin is removed) and then opening the native file open dialog.
2) After closing an opened file (plugin is removed) and then changing the theme.

The gdb stacktrace for Komodo is the same as posted in the main part of the bug above.

Reference: http://bugs.activestate.com/show_bug.cgi?id=64037

Is this still a problem on trunk with all the fixes that have landed in the plugins code?
I *cannot* reproduce this exact problem using a "Komodo on Mozilla trunk" build, but I am getting some nasty looking GTK errors when shutting down the application:

(gecko:10908): Gdk-CRITICAL **: gdk_screen_get_display: assertion `GDK_IS_SCREEN (screen)' failed
(gecko:10908): GLib-GObject-WARNING **: invalid (NULL) pointer instance
(gecko:10908): GLib-GObject-CRITICAL **: g_signal_handlers_disconnect_matched: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
(gecko:10908): GLib-GObject-CRITICAL **: g_object_ref: assertion `G_IS_OBJECT (object)' failed
(gecko:10908): Gdk-CRITICAL **: gdk_screen_get_display: assertion `GDK_IS_SCREEN (screen)' failed
(gecko:10908): GLib-GObject-CRITICAL **: g_object_get_data: assertion `G_IS_OBJECT (object)' failed
(gecko:10908): Gdk-CRITICAL **: gdk_screen_get_display: assertion `GDK_IS_SCREEN (screen)' failed
(gecko:10908): GLib-GObject-CRITICAL **: g_object_get_data: assertion `G_IS_OBJECT (object)' failed

.... (same errors repeat numerous times)

verified that the testcase in https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/91334 doesn't crash firefox beta 3.

Closing bug.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME
asac: Have you also verified that it doesn't crash anymore with the steps from comment 14 ?
BTW, I think http://bugzilla.gnome.org/show_bug.cgi?id=467698 sheds some light on what's really going on here that's caused/causing the crash.
I've hit this a few times recently with xulrunner 1.9. Various beta versions and most recently with rc2.
A trace can be found at http://bugzilla.gnome.org/show_bug.cgi?id=538522. How can I re-open the bug?
Reopening bug as requested.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
reclosing. reinout@gmail.com: don't reopen bugs without getting people to specify versions.

sam@robots.org.uk: don't complain about xulrunner 1.9 beta 5 when the current release of gecko is 1.9 <final>.

sam@robots.org.uk: this bug is a bug in gtk not a bug in gecko, and you haven't specified the version of gtk you were using. you have otoh managed to make a hash out of this bug system.
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → INVALID
Summary: crash on style reset after closing tab with xembed plugins with NPPVpluginKeepLibraryInMemory → [@ gtk_style_realize] crash on style reset after closing tab with xembed plugins with NPPVpluginKeepLibraryInMemory
@timeless: 
- Comment 20 mentions that it also occurred on rc2, which is about code-identical to final.
- On what grounds do you claim that this is a gtk bug? In comment 19 I linked to a gnome bug report that indicates that gecko's use of gtk_widget_set_parent_window might be responsible for this problem.
sorry, i was looking at http://bugzilla.gnome.org/show_bug.cgi?id=467698#c48

if you have some evidence that a bug is still valid, you're welcome to reopen it. however i do not want qa to reopen bugs based on requests which point to old versions of products and do not specify versions of relevant libraries (the fix there is for gtk2.12, so knowing the gtk version is important).
Well am using gtk 2.12.9.
And I ran into this again with GTK+ 2.12.11. Please can someone re-open this bug?
Oh, and xulrunner 1.9.0.1 this time.
Sam, can you indicate which steps to reproduce cause a crash for you, please?
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Unfortunately I am unable to reproduce the crash to a recipe. All I know is that Epiphany will sometimes crash with this stack trace when I close it. :(

I'll attach the exact backtrace that I got yesterday, hopefully it will help.
Hi, I don't think this issue is caused by bug #469538.

However, I looked briefly at XEMBED (through GtkPlug / GtkSocket) while debugging a problem for nspluginwrapper. It turns out Firefox never destroys the plugin window cleanly, and its not really its fault. First, Firefox never propagates NPP_SetWindow(NPP, (NPWindow){ .window = NULL }); down to the plugin. Then, DoStopPlugin() will generally delay destroy of the page window, not the plugin window. That window is destroyed at the Gdk level (through a simple g_object_unref() IIRC). However, in the best cases, that "toplevel" window destruction will trigger the destruction of the GtkSocket, but not the underlying X window.

Something important to note: GtkPlug / GtkSocket work differently depending on whether the other GtkPlug is in-process or out of process. In out-of-process case, destroying a window will destroy all subsequent windows in the hierarchy, including the plugins X windows and windows in the other process. However, in the in-process case, the X window (exposed to the plugin) is never destroyed. Nada, no call to XDestroyWindow() with that XID.

AFAIK, this is a problem for Flash that doesn't expect someone else destroying its plugin window from behind its back. It currently works in Firefox because the plugin XID is never destroyed for the lifetime of the program. However, when run through nspluginwrapper, and since I tried to respect the NPAPI specs and destroying the windows around NPP_Destroy(), it fails.

I will probably open another bug entry for this specific issue, though this is not really Firefox's fault (rather Gtk2). However, Firefox could have been cool and send NPP_SetWindow() with a NULL NPWindow::window, as mentioned in the specs. Though, Flash (even version 10) doesn't handle that case either anyway. So, we are left with a possible Gtk2 bug.

Note: I workarounded the issue at the nspluginwrapper level by forbidding propagation of WM_DELETE_EVENT (that the GtkSocket sends) + other tricks.

I am not sure I was clear enough as I was typing this away from the actual Firefox sources, but rather dumped what I had in memory. ;-)
(In reply to comment #33)
> I will probably open another bug entry for this specific issue, though this is
> not really Firefox's fault (rather Gtk2). However, Firefox could have been cool
> and send NPP_SetWindow() with a NULL NPWindow::window, as mentioned in the
> specs. Though, Flash (even version 10) doesn't handle that case either anyway.
> So, we are left with a possible Gtk2 bug.

This bug is not only about flashplugin; we saw this crash mostly with totem and other plugins; so while flash currently might not handle it, it might still be worthwhile to consider this anyway.

BTW, which "specs" are you referring to exactly?

> 
> Note: I workarounded the issue at the nspluginwrapper level by forbidding
> propagation of WM_DELETE_EVENT (that the GtkSocket sends) + other tricks.
> 
> I am not sure I was clear enough as I was typing this away from the actual
> Firefox sources, but rather dumped what I had in memory. ;-)

It made a bit sense at least :) ... thanks for your ideas on this!
yes, @nokia we learned about flash ignoring setwindow null. i had suggested it as a fix for something (in fact, quite possibly a crash w/ this signature) and then an engineer mentioned that the flash side ignored it. i was heartbroken.
See Also: → https://launchpad.net/bugs/72018
See Also: → https://launchpad.net/bugs/91334
Crash Signature: [@ gtk_style_realize]
gtk_style_realize is not found in crash-stats. 
Do you stilll see this problem?

https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/91334 last status is WONTFIX
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/72018 is also WONTFIX
Piero Mazzini added the following comment to Launchpad bug report 72018:

No, thank you.
The problem is solved.

Regards,

Piero Mazzini

Il giorno 25/mag/2013, alle ore 23.40, Vseerror ha scritto:

> gtk_style_realize is not found in crash-stats. 
> Do you stilll see this problem?
> 
> https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/91334 last status is WONTFIX
> https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/72018 is also WONTFIX
> 
> -- 
> You received this bug notification because you are subscribed to a
> duplicate bug report (86619).
> https://bugs.launchpad.net/bugs/72018
> 
> Title:
>  MASTER Firefox Crash [@gtk_style_realize] [@nsFilePicker::Show]
> 
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/firefox/+bug/72018/+subscriptions



-- 
http://launchpad.net/bugs/72018
Closing here, please comment if there are still configurations where this is relevant.
Status: REOPENED → RESOLVED
Closed: 16 years ago11 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: