Closed Bug 445043 Opened 16 years ago Closed 16 years ago

Flash 10 beta 2 (build d525) plug-in causes crash at Doc Searls Weblog.

Categories: Core Graveyard :: Plug-ins, defect
Platform: x86 Linux
Priority: Not set
Severity: normal
Tracking: Not tracked
Resolution: VERIFIED DUPLICATE of bug 435764
Reporter: stephen.moehle
Assignee: Unassigned
References: none

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.15) Gecko/20080706 Fedora/1.1.10-1.fc9 SeaMonkey/1.1.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2pre) Gecko/2008071210 Firefox/3.0.2pre

Flash 10 beta 2 (build d525) plug-in causes crash at above URL.

Using a self-built debug version of Firefox 3 trunk, I get a crash in _create_temp_xlib_surface because the dpy parameter is NULL and it gets dereferenced in DefaultScreen.

In nsPluginInstanceOwner::Paint(), window is:

$1 = {window = 0x0, x = 74, y = 1443, width = 400, height = 320, clipRect = {
    top = 0, left = 0, bottom = 320, right = 400}, ws_info = 0xaf0ef5e0, 
  type = nsPluginWindowType_Drawable}

and ws_info is:

$2 = {type = 0, display = 0x0, visual = 0x0, colormap = 0, depth = 0}

When using Flash 9, this code path is never invoked and there is no crash.

The back trace:

#0  0x011a1c76 in _create_temp_xlib_surface (cr=0xaf086400, dpy=0x0, 
    width=400, height=320, capabilities=27) at cairo-xlib-utils.c:328
#1  0x011a2316 in cairo_draw_with_xlib (cr=0xaf086400, 
    callback=0x11bfed0 <NativeRendering>, closure=0xbfe80b64, dpy=0x0, 
    width=400, height=320, is_opaque=CAIRO_XLIB_DRAWING_TRANSPARENT, 
    capabilities=27, result=0x0) at cairo-xlib-utils.c:541
#2  0x011c0079 in gfxXlibNativeRenderer::Draw (this=0xbfe80bf0, dpy=0x0, 
    ctx=0xab630da0, width=400, height=320, flags=54, output=0x0)
    at gfxXlibNativeRenderer.cpp:101
#3  0xb7046221 in nsPluginInstanceOwner::Paint (this=0xaf0f0880, 
    aRenderingContext=@0xab631b80, aDirtyRect=@0xbfe80c98)
    at nsObjectFrame.cpp:4076
#4  0xb70462d3 in nsObjectFrame::PaintPlugin (this=0xaf0de2a8, 
    aRenderingContext=@0xab631b80, aDirtyRect=@0xbfe80c98)
    at nsObjectFrame.cpp:1400
#5  0xb704649c in PaintPlugin (aFrame=0xaf0de2a8, aCtx=0xab631b80, 
    aDirtyRect=@0xbfe80d54, aPt={x = -1075311396, y = 1200})
    at nsObjectFrame.cpp:1096
#6  0xb7009bf0 in nsDisplayGeneric::Paint (this=0xaf00793c, 
    aBuilder=0xbfe80dcc, aCtx=0xab631b80, aDirtyRect=@0xbfe80d54)
    at ./../../../../../base/nsDisplayList.h:862
#7  0xb6f71ac1 in nsDisplayList::Paint (this=0xaf007bb4, aBuilder=0xbfe80dcc, 
    aCtx=0xab631b80, aDirtyRect=@0xbfe80d54) at nsDisplayList.cpp:296
#8  0xb6f71b05 in nsDisplayWrapList::Paint (this=0xaf007ba8, 
    aBuilder=0xbfe80dcc, aCtx=0xab631b80, aDirtyRect=@0xbfe80d54)
    at nsDisplayList.cpp:693
#9  0xb6f71b94 in nsDisplayClip::Paint (this=0xaf007ba8, aBuilder=0xbfe80dcc, 
    aCtx=0xab631b80, aDirtyRect=@0xbfe8112c) at nsDisplayList.cpp:887
#10 0xb6f71ac1 in nsDisplayList::Paint (this=0xbfe81058, aBuilder=0xbfe80dcc, 
    aCtx=0xab631b80, aDirtyRect=@0xbfe8112c) at nsDisplayList.cpp:296
#11 0xb6f9cdef in nsLayoutUtils::PaintFrame (aRenderingContext=0xab631b80, 
    aFrame=0xaf509388, aDirtyRegion=@0xbfe8110c, aBackground=4294967295)
    at nsLayoutUtils.cpp:988
#12 0xb6faedff in PresShell::Paint (this=0xb0173800, aView=0xb011e880, 
    aRenderingContext=0xab631b80, aDirtyRegion=@0xbfe8110c)
    at nsPresShell.cpp:5413
#13 0xb747d300 in nsViewManager::RenderViews (this=0xb011e820, 
    aView=0xaf544eb0, aRC=@0xab631b80, aRegion=@0xbfe811c0)
    at nsViewManager.cpp:614
#14 0xb747e0e2 in nsViewManager::Refresh (this=0xb011e820, aView=0xaf544eb0, 
    aContext=0xab631b80, aRegion=0xab631640, aUpdateFlags=1)
    at nsViewManager.cpp:502
#15 0xb747e745 in nsViewManager::DispatchEvent (this=0xb011e820, 
    aEvent=0xbfe81470, aStatus=0xbfe81390) at nsViewManager.cpp:1134
#16 0xb74746dd in HandleEvent (aEvent=0xbfe81470) at nsView.cpp:168
#17 0x0548e215 in nsCommonWidget::DispatchEvent (this=0xaf5cc800, 
    aEvent=0xbfe81470, aStatus=@0xbfe814bc) at nsCommonWidget.cpp:158
#18 0x05480b27 in nsWindow::OnExposeEvent (this=0xaf5cc800, 
    aWidget=0xb7e72420, aEvent=0xbfe81b54) at nsWindow.cpp:1763
#19 0x05481021 in expose_event_cb (widget=0xb7e72420, event=0xbfe81b54)
    at nsWindow.cpp:4529


Reproducible: Always
Version: unspecified → Trunk
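The dump above shows why the crash is unavoidable once the paint path reaches cairo: ws_info->display is 0x0, and Xlib's DefaultScreen(dpy) macro expands to ((_XPrivDisplay)(dpy))->default_screen, so the NULL is dereferenced the moment _create_temp_xlib_surface asks for the screen. The check therefore has to happen before the window is handed to the native renderer. The following is an added example, not Mozilla's code and not the fix applied in bug 435764; the struct and function names (ws_info_t, plugin_window_t, check_native_render, the PW_* encoding of the window type) are hypothetical stand-ins for the NPAPI structures printed by gdb, and the sample values are constructed from the report.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-ins for the two structures in the gdb dump above.
 * Field names follow the dump; the real NPAPI headers (NPWindow and
 * NPSetWindowCallbackStruct) differ in detail. */
typedef struct {
    int           type;
    void         *display;   /* Display* in Xlib; 0x0 in the crashing case */
    void         *visual;
    unsigned long colormap;
    int           depth;
} ws_info_t;

enum { PW_WINDOW = 0, PW_DRAWABLE = 1 };   /* assumed encoding of window->type */

typedef struct {
    void         *window;
    int           x, y;
    unsigned int  width, height;
    ws_info_t    *ws_info;
    int           type;
} plugin_window_t;

typedef enum {
    RENDER_OK = 0,
    RENDER_NULL_WINDOW,
    RENDER_NOT_DRAWABLE,
    RENDER_EMPTY_RECT,
    RENDER_NO_WS_INFO,
    RENDER_NO_DISPLAY
} render_check_t;

/* Validate a plugin window before the Xlib native renderer touches it.
 * DefaultScreen(dpy) expands to ((_XPrivDisplay)(dpy))->default_screen,
 * so a NULL display has to be rejected here, not discovered inside cairo. */
render_check_t check_native_render(const plugin_window_t *w)
{
    if (w == NULL)                       return RENDER_NULL_WINDOW;
    if (w->type != PW_DRAWABLE)          return RENDER_NOT_DRAWABLE; /* windowed plugins paint their own X window */
    if (w->width == 0 || w->height == 0) return RENDER_EMPTY_RECT;
    if (w->ws_info == NULL)              return RENDER_NO_WS_INFO;
    if (w->ws_info->display == NULL)     return RENDER_NO_DISPLAY;   /* the case in this report */
    return RENDER_OK;
}

/* Human-readable reason, useful in a debug log when a frame is skipped. */
const char *render_check_name(render_check_t r)
{
    static const char *names[] = {
        "ok", "null window", "not a drawable", "empty rect",
        "no ws_info", "ws_info->display is NULL"
    };
    return ((unsigned)r <= RENDER_NO_DISPLAY) ? names[r] : "?";
}

/* Constructed sample: the exact values printed by gdb in the report. */
static ws_info_t       broken_ws  = { 0, NULL, NULL, 0, 0 };
static plugin_window_t broken_win = { NULL, 74, 1443, 400, 320, &broken_ws, PW_DRAWABLE };

/* Constructed sample of a well-formed drawable window; display is a dummy
 * non-NULL pointer, no X server is opened here. */
static int             dummy_display;
static ws_info_t       good_ws    = { 0, &dummy_display, NULL, 0, 24 };
static plugin_window_t good_win   = { NULL, 74, 1443, 400, 320, &good_ws, PW_DRAWABLE };

int main(void)
{
    printf("report's window: %s\n", render_check_name(check_native_render(&broken_win)));
    printf("good window:     %s\n", render_check_name(check_native_render(&good_win)));
    return 0;
}
```

With the report's values the check returns RENDER_NO_DISPLAY and the frame is skipped instead of reaching cairo_draw_with_xlib with dpy=0x0; a plugin that never supplies a display (as Flash 9 apparently did not on this path) simply does not get a native-rendered frame rather than taking the browser down.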
This is a duplicate of bug 435764. Sorry about that.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Verified duplicate, based on the stack.
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard