Closed Bug 1022135 Opened 11 years ago Closed 11 years ago

Using DOM inspector addon crashes [@gfxContext::gfxContext][@nsRenderingContext::Init] in gtk3 build

Categories

(Core :: Widget: Gtk, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1013552

People

(Reporter: glandium, Unassigned)

STR:
- Install DOM Inspector addon: https://addons.mozilla.org/en-US/firefox/addon/dom-inspector-6622/?src=search
- Restart gtk3 firefox.
- Open web page.
- Open DOM Inspector (F10 to show the menubar, Tools > Web Developer > DOM Inspector (*not* Inspector))
- Click the icon under the "File" menu. The one with the tooltip saying "Find a node to inspect by clicking on it"
- Click somewhere in the web page.
- Crash.

That works without that icon, simply by developing the DOM tree in the left pane and selecting visible elements.

Backtrace:
#0 gfxContext::gfxContext (this=0x7fffb4a21160, surface=0x0) at /tmp/buildd/firefox-32.0~a1+20140606030206/gfx/thebes/gfxContext.cpp:88
        No locals.
#1 0x00007fffe8a7c9a2 in nsRenderingContext::Init (this=this@entry=0x7fffbd3cba80, aContext=0x7fffc89fe860, aThebesSurface=0x0) at /tmp/buildd/firefox-32.0~a1+20140606030206/gfx/src/nsRenderingContext.cpp:72
        No locals.
#2 0x00007fffe95b9c7d in inFlasher::DrawElementOutline (this=0x7fffb4abc920, aElement=<optimized out>) at /tmp/buildd/firefox-32.0~a1+20140606030206/layout/inspector/inFlasher.cpp:134
        rect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = -20224, y = 32767, width = -386702873, height = 32767}, <No data fields>}
        isLastFrame = <optimized out>
        offset = {<mozilla::gfx::BasePoint<int, nsPoint>> = {x = 36930, y = 12200}, <No data fields>}
        widget = 0x7ffff6c56830
        window = {<nsCOMPtr_base> = {mRawPtr = 0x7fffc9922820}, <No data fields>}
        presShell = {<nsCOMPtr_base> = {mRawPtr = 0x7fffc89a5800}, <No data fields>}
        frame = 0x7fffc8526c58
        isFirstFrame = true
#3 0x00007fffe8665b46 in NS_InvokeByIndex (that=<optimized out>, methodIndex=<optimized out>, paramCount=<optimized out>, params=<optimized out>) at /tmp/buildd/firefox-32.0~a1+20140606030206/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
        nr_stack = <optimized out>
        gpregs = {140736600685848, 140736555091760, 140736224822016, 140736600685824, 208432219914410296, 0}
        d0 = <optimized out>
        d5 = <optimized out>
        a1 = <optimized out>
        result = <optimized out>
        d1 = <optimized out>
        d6 = <optimized out>
        a2 = <optimized out>
        methodAddress = <optimized out>
        d2 = <optimized out>
        d7 = <optimized out>
        a3 = <optimized out>
        stack = 0x7fffffffb020
        fpregs = {6.9533558068464778e-310, 6.9533297541203157e-310, 6.9533362454949844e-310, 5.1567068557972845e+63, 2.0912018606438872e-296, 6.9533377637797612e-310, 1.4693719670179912e+206, 6.9533279363472722e-310}
        d3 = <optimized out>
        a4 = <optimized out>
        d4 = <optimized out>
        a0 = <optimized out>
        a5 = <optimized out>
#4 0x00007fffe8f4b630 in Invoke (this=0x7fffffffb1e8) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/xpconnect/src/XPCWrappedNative.cpp:2389
        argc = <optimized out>
#5 Call (this=0x7fffffffb1e8) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/xpconnect/src/XPCWrappedNative.cpp:1730
        foundDependentParam = <optimized out>
#6 XPCWrappedNative::CallMethod (ccx=..., mode=mode@entry=XPCWrappedNative::CALL_METHOD) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/xpconnect/src/XPCWrappedNative.cpp:1697
        rv = <optimized out>
#7 0x00007fffe8f50254 in XPC_WN_CallMethod (cx=0x7fffcb173d00, argc=1, vp=0x7fffde6021e8) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1273
        funobj = {<js::RootedBase<JSObject*>> = {<No data fields>}, stack = 0x7fffcb173d18, prev = 0x7fffffffbf90, ptr = 0x7fffb4b08280}
        obj = {<js::RootedBase<JSObject*>> = {<No data fields>}, stack = 0x7fffcb173d18, prev = 0x7fffffffb398, ptr = 0x7fffb4c29e20}
        member = 0x7fffb4929558
        args = {<JS::detail::CallArgsBase<(JS::detail::UsedRval)0>> = {<JS::CallReceiver> = {<JS::detail::CallReceiverBase<(JS::detail::UsedRval)0>> = {<JS::detail::UsedRvalBase<(JS::detail::UsedRval)1>> = {<No data fields>}, argv_ = 0x7fffde6021f8}, <No data fields>}, argc_ = 1}, <No data fields>}
        ccx = {<nsAXPCNativeCallContext> = {_vptr.nsAXPCNativeCallContext = 0x7fffeba152a0 <vtable for XPCCallContext+16>}, mAr = { mContext = 0x7fffcb173d00}, mState = XPCCallContext::READY_TO_CALL, mXPC = {mRawPtr = 0x7fffe5983290}, mXPCContext = 0x7fffcb0e3f70, mJSContext = 0x7fffcb173d00, mCallerLanguage = XPCContext::LANG_JS, mPrevCallerLanguage = XPCContext::LANG_UNKNOWN, mPrevCallContext = 0x0, mWrapper = 0x7fffb4ab4b80, mTearOff = 0x7fffb4ab4bc0, mScriptableInfo = 0x0, mSet = 0x7fffb4abc8e0, mInterface = 0x7fffb4929500, mMember = 0x7fffb4929558, mName = {<js::RootedBase<jsid>> = {<No data fields>}, stack = 0x7fffcb173d58, prev = 0x7fffffffbff0, ptr = {asBits = 140736409004664}}, mStaticMemberIsLocal = false, mArgc = 1, mArgv = 0x7fffde6021f8, mRetVal = 0x7fffde6021e8, mMethodIndex = 9}
        iface = 0x7fffb4929500
#8 0x00007fffe9df5308 in CallJSNative (args=..., native=0x7fffe8f50087 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, cx=0x7fffcb173d00) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/src/jscntxtinlines.h:239
        ok = <optimized out>
#9 js::Invoke (cx=0x7fffcb173d00, args=..., construct=<optimized out>) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/src/vm/Interpreter.cpp:455
        gcIfNeeded = {cx_ = 0x7fffcb173d00}
        state = {<js::RunState> = {_vptr.RunState = 0x0, kind_ = (unknown: 3029505280), script_ = {<js::RootedBase<JSScript*>> = {<No data fields>}, stack = 0x7fffffffb698, prev = 0x7fffffffb748, ptr = 0x7fffffffb8d0}}, args_ = @0x7fffe9d3a215, initial_ = (js::INITIAL_CONSTRUCT | unknown: 4294948176), useNewType_ = 255}
        ok = <optimized out>
        initial = <optimized out>
#10 0x00007fffe9dea222 in Interpret (cx=0x7fffcb173d00, state=...) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/src/vm/Interpreter.cpp:2561
        construct = false
(snip)
This crash is not really surprising. The NULL pointer that is passed down to gfxContext::gfxContext comes from widget->GetThebesSurface().

nsIWidget defines GetThebesSurface as
    virtual gfxASurface *GetThebesSurface() = 0;
nsBaseWidget, which derives from nsIWidget, defines it as:
    virtual gfxASurface* GetThebesSurface();
and has an implementation that returns a null pointer.
gtk's nsWindow, which derives from nsBaseWidget, defines it as:
    gfxASurface *GetThebesSurface();
for GTK2 and
    gfxASurface *GetThebesSurface(cairo_t *cr);
for GTK3.

IOW, GTK3 doesn't have a proper implementation of GetThebesSurface.
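A reduced C++ model of the situation described in the comment above, added here as an illustration and not Mozilla code: a subclass method with a different parameter list hides the base virtual instead of overriding it, so a call through the interface still reaches the null-returning default. All type and function names are simplified stand-ins, and the null check in the caller is an assumed defensive measure, not the fix this bug adopted.

```cpp
#include <cstdio>

// Simplified stand-ins (assumptions), not the real Gecko types.
struct Surface  { int width; };   // plays gfxASurface
struct CairoCtx {};               // plays cairo_t

struct Widget {                   // plays nsIWidget
    virtual ~Widget() = default;
    virtual Surface* GetSurface() = 0;
};

struct BaseWidget : Widget {      // plays nsBaseWidget
    Surface* GetSurface() override { return nullptr; }  // default: no surface
};

struct Gtk2Window : BaseWidget {
    Surface* GetSurface() override { return &mSurface; }
    Surface mSurface{640};
};

struct Gtk3Window : BaseWidget {
    // Different parameter list: a new overload that hides the virtual rather
    // than overriding it. Marking it `override` would fail to compile, and
    // -Woverloaded-virtual reports the hiding.
    Surface* GetSurface(CairoCtx*) { return &mSurface; }
    Surface mSurface{640};
};

enum class DrawResult { Drawn, NoSurface };

// Caller that only knows the interface, as the crashing frame did.
DrawResult DrawOutline(Widget& w) {
    Surface* s = w.GetSurface();            // virtual dispatch
    if (!s) return DrawResult::NoSurface;   // without this, s->width faults
    std::printf("outline on %dpx surface\n", s->width);
    return DrawResult::Drawn;
}

int main() {
    Gtk2Window gtk2;
    Gtk3Window gtk3;
    CairoCtx cr;
    std::printf("gtk2 drawn: %d\n", DrawOutline(gtk2) == DrawResult::Drawn);
    std::printf("gtk3 drawn: %d\n", DrawOutline(gtk3) == DrawResult::Drawn);
    std::printf("gtk3 overload non-null: %d\n", gtk3.GetSurface(&cr) != nullptr);
    return 0;
}
```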
GetThebesSurface is going away, see bug 991640.
It seems to me the definition of GetThebesSurface() should be removed from nsIWidget and nsBaseWidget. layout/inspector/inFlasher.cpp is the last place where it's used outside of widget code. And in fact, even in widget code, it seems to be dead code for windows and gonk.
Heh. Looks like my analysis matches bug 991640 :)
So, in practice, this is going to be fixed by the removal of nsIFlasher in bug 1018324.
Depends on: 1018324
A dup of bug 991272
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Blocks: 1034064
No longer blocks: 1034064