Closed Bug 1293832 Opened 8 years ago Closed 7 years ago

Crash in libgdk-3.so.0.1800.9@0x3d6f0 < CallSetWindow < FlushPendingNotifications < AnswerNPN_Evaluate < NPP_New

Categories

(Core Graveyard :: Plug-ins, defect)

Unspecified
Linux
defect
Not set
critical

Tracking

(firefox48 affected)

RESOLVED INCOMPLETE
Tracking Status
firefox48 --- affected

People

(Reporter: u279076, Unassigned)

Details

(Keywords: crash, Whiteboard: [gfx-noted])

Crash Data

This bug was filed from the Socorro interface and is report bp-88530417-2236-4e1d-a50b-5b7672160809.
=============================================================
Ø 0 	libgdk-3.so.0.1800.9 	libgdk-3.so.0.1800.9@0x3d6f0 	
1 	libxul.so 	nsPluginNativeWindowGtk::CreateXEmbedWindow 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/base/nsPluginNativeWindowGtk.cpp:184
2 	libxul.so 	nsPluginNativeWindowGtk::CallSetWindow 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/base/nsPluginNativeWindowGtk.cpp:105
3 	libxul.so 	nsPluginFrame::CallSetWindow 	/build/firefox-6p7T67/firefox-48.0+build2/layout/generic/nsPluginFrame.cpp:664
4 	libxul.so 	nsPluginFrame::ReflowFinished 	/build/firefox-6p7T67/firefox-48.0+build2/layout/generic/nsPluginFrame.cpp:547
5 	libxul.so 	PresShell::HandlePostedReflowCallbacks 	/build/firefox-6p7T67/firefox-48.0+build2/layout/base/nsPresShell.cpp:3904
6 	libxul.so 	PresShell::DidDoReflow 	/build/firefox-6p7T67/firefox-48.0+build2/layout/base/nsPresShell.cpp:9086
7 	libxul.so 	PresShell::ProcessReflowCommands 	/build/firefox-6p7T67/firefox-48.0+build2/layout/base/nsPresShell.cpp:9448
8 	libxul.so 	PresShell::FlushPendingNotifications 	/build/firefox-6p7T67/firefox-48.0+build2/layout/base/nsPresShell.cpp:4098
9 	libxul.so 	PresShell::FlushPendingNotifications 	/build/firefox-6p7T67/firefox-48.0+build2/layout/base/nsPresShell.cpp:3945
10 	libxul.so 	nsDocument::FlushPendingNotifications 	/build/firefox-6p7T67/firefox-48.0+build2/dom/base/nsDocument.cpp:8344
11 	libxul.so 	mozilla::dom::Element::GetPrimaryFrame 	/build/firefox-6p7T67/firefox-48.0+build2/dom/base/Element.cpp:2121
12 	libxul.so 	mozilla::dom::Element::GetStyledFrame 	/build/firefox-6p7T67/firefox-48.0+build2/dom/base/Element.cpp:579
13 	libxul.so 	nsGenericHTMLElement::GetOffsetRect 	/build/firefox-6p7T67/firefox-48.0+build2/dom/html/nsGenericHTMLElement.cpp:333
14 	libxul.so 	mozilla::dom::HTMLElementBinding::get_offsetLeft 	/build/firefox-6p7T67/firefox-48.0+build2/dom/html/nsGenericHTMLElement.h:286
15 	libxul.so 	mozilla::dom::GenericBindingGetter 	/build/firefox-6p7T67/firefox-48.0+build2/dom/bindings/BindingUtils.cpp:2715
16 	libxul.so 	js::InternalCallOrConstruct 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jscntxtinlines.h:240
17 	libxul.so 	js::Call 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:544
18 	libxul.so 	js::CallGetter 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:656
19 	libxul.so 	CallGetter 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/NativeObject.cpp:1735
20 	libxul.so 	js::NativeGetProperty 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/NativeObject.cpp:1783
21 	libxul.so 	js::CrossCompartmentWrapper::get 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/NativeObject.h:1475
22 	libxul.so 	js::Proxy::get 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/proxy/Proxy.cpp:299
23 	libxul.so 	js::GetProperty 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/NativeObject.h:1474
24 	libxul.so 	Interpret 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:217
25 	libxul.so 	js::RunScript 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:426
26 	libxul.so 	js::InternalCallOrConstruct 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:498
27 	libxul.so 	js::jit::DoCallFallback 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineIC.cpp:5964
28 		@0x7f5493e9d7cf 	
29 		@0x7f5447f493e7 	
30 		@0x7f5493e9484e 	
31 	libxul.so 	EnterBaseline 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineJIT.cpp:156
32 	libxul.so 	js::jit::EnterBaselineAtBranch 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineJIT.cpp:262
33 	libxul.so 	Interpret 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:1836
34 	libxul.so 	js::RunScript 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:426
35 	libxul.so 	js::InternalCallOrConstruct 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:498
36 	libxul.so 	js::jit::DoCallFallback 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineIC.cpp:5964
37 		@0x7f5493e9d7cf 	
38 		@0x7f5447ef0687 	
39 		@0x7f5493e9484e 	
40 	libxul.so 	EnterBaseline 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineJIT.cpp:156
41 	libxul.so 	js::jit::EnterBaselineMethod 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineJIT.cpp:194
42 	libxul.so 	js::RunScript 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:416
43 	libxul.so 	js::InternalCallOrConstruct 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:498
44 	libxul.so 	js::jit::DoCallFallback 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineIC.cpp:5964
45 		@0x7f5493e9d7cf 	
46 		@0x7f5447ea74af 	
47 		@0x7f5493e9484e 	
48 	libxul.so 	EnterBaseline 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineJIT.cpp:156
49 	libxul.so 	js::jit::EnterBaselineMethod 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineJIT.cpp:194
50 	libxul.so 	js::RunScript 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:416
51 	libxul.so 	js::InternalCallOrConstruct 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:498
52 	libxul.so 	js::Call 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:544
53 	libxul.so 	js::fun_call 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jsfun.cpp:1179
54 	libxul.so 	js::fun_apply 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jsfun.cpp:1201
55 	libxul.so 	js::InternalCallOrConstruct 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jscntxtinlines.h:240
56 	libxul.so 	js::jit::DoCallFallback 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineIC.cpp:5964
57 		@0x7f5493e9d7cf 	
58 		@0x7f5442f5d76f 	
59 		@0x7f5493e9484e 	
60 	libxul.so 	EnterBaseline 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineJIT.cpp:156
61 	libxul.so 	js::jit::EnterBaselineMethod 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jit/BaselineJIT.cpp:194
62 	libxul.so 	js::RunScript 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:416
63 	libxul.so 	js::InternalCallOrConstruct 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:498
64 	libxul.so 	js::Call 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:544
65 	libxul.so 	js::DirectProxyHandler::call 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/proxy/DirectProxyHandler.cpp:82
66 	libxul.so 	js::CrossCompartmentWrapper::call 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/proxy/CrossCompartmentWrapper.cpp:291
67 	libxul.so 	js::proxy_Call 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/proxy/Proxy.cpp:390
68 	libxul.so 	js::InternalCallOrConstruct 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jscntxtinlines.h:240
69 	libxul.so 	Interpret 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:531
70 	libxul.so 	js::RunScript 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:426
71 	libxul.so 	js::ExecuteKernel 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:704
72 	libxul.so 	js::Execute 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/vm/Interpreter.cpp:737
73 	libxul.so 	Evaluate 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jsapi.cpp:4487
74 	libxul.so 	JS::Evaluate 	/build/firefox-6p7T67/firefox-48.0+build2/js/src/jsapi.cpp:4513
75 	libxul.so 	nsJSUtils::EvaluateString 	/build/firefox-6p7T67/firefox-48.0+build2/dom/base/nsJSUtils.cpp:212
76 	libxul.so 	nsJSUtils::EvaluateString 	/build/firefox-6p7T67/firefox-48.0+build2/dom/base/nsJSUtils.cpp:140
77 	libxul.so 	mozilla::plugins::parent::_evaluate 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/base/nsNPAPIPlugin.cpp:1431
78 	libxul.so 	mozilla::plugins::PluginScriptableObjectParent::AnswerNPN_Evaluate 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/ipc/PluginScriptableObjectParent.cpp:1332
79 	libxul.so 	mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived 	/build/firefox-6p7T67/firefox-48.0+build2/obj-x86_64-linux-gnu/ipc/ipdl/PPluginScriptableObjectParent.cpp:735
80 	libxul.so 	mozilla::plugins::PPluginModuleParent::OnCallReceived 	/build/firefox-6p7T67/firefox-48.0+build2/obj-x86_64-linux-gnu/ipc/ipdl/PPluginModuleParent.cpp:1389
81 	libxul.so 	mozilla::ipc::MessageChannel::DispatchInterruptMessage 	/build/firefox-6p7T67/firefox-48.0+build2/ipc/glue/MessageChannel.cpp:1724
82 	libxul.so 	mozilla::ipc::MessageChannel::Call 	/build/firefox-6p7T67/firefox-48.0+build2/ipc/glue/MessageChannel.cpp:1415
83 	libxul.so 	mozilla::plugins::PPluginModuleParent::CallSyncNPP_New 	/build/firefox-6p7T67/firefox-48.0+build2/obj-x86_64-linux-gnu/ipc/ipdl/PPluginModuleParent.cpp:347
84 	libxul.so 	mozilla::plugins::PluginModuleParent::NPP_NewInternal 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/ipc/PluginModuleParent.cpp:2745
85 	libxul.so 	mozilla::plugins::PluginModuleParent::NPP_New 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/ipc/PluginModuleParent.cpp:2634
86 	libxul.so 	nsNPAPIPluginInstance::Start 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/base/nsNPAPIPluginInstance.cpp:449
87 	libxul.so 	nsNPAPIPluginInstance::Initialize 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/base/nsNPAPIPluginInstance.cpp:234
88 	libxul.so 	nsPluginHost::TrySetUpPluginInstance 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/base/nsPluginHost.cpp:1005
89 	libxul.so 	nsPluginHost::SetUpPluginInstance 	/build/firefox-6p7T67/firefox-48.0+build2/dom/plugins/base/nsPluginHost.cpp:922
113 	firefox 	main 	/build/firefox-6p7T67/firefox-48.0+build2/browser/app/nsBrowserApp.cpp:360
Ø 114 	libc-2.23.so 	libc-2.23.so@0x2082f 	
115 	firefox 	_init 	
116 	firefox 	_GLOBAL__sub_I_TimeStamp.cpp 	/build/firefox-6p7T67/firefox-48.0+build2/mozglue/misc/TimeStamp.cpp:47
117 		@0x7ffff1d6bc1f 	
Ø 118 	ld-2.23.so 	ld-2.23.so@0x105fa 	
119 	firefox 	_GLOBAL__sub_I_TimeStamp.cpp 	/build/firefox-6p7T67/firefox-48.0+build2/mozglue/misc/TimeStamp.cpp:47
120 		@0x7ffff1d6bc1f 	
121 	firefox 	_start 	
122 		@0x7ffff1d6bc17 	
=============================================================
More reports: https://crash-stats.mozilla.com/signature/?product=Firefox&signature=libgdk-3.so.0.1800.9%400x3d6f0

I hit this crash today while reading an article on Variety:
http://variety.com/2016/digital/news/hulu-free-streaming-end-yahoo-1201832578/

I've not reproduced it yet but there are 220 other reports over the last week, all with Firefox 47-49.
Whiteboard: [gfx-noted]
Crash volume for signature 'libgdk-3.so.0.1800.9@0x3d6f0':
 - nightly (version 51): 0 crashes from 2016-08-01.
 - aurora  (version 50): 0 crashes from 2016-08-01.
 - beta    (version 49): 0 crashes from 2016-08-02.
 - release (version 48): 658 crashes from 2016-07-25.
 - esr     (version 45): 0 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       0       0       0
 - aurora        0       0       0
 - beta          0       0       0
 - release     274     196      48
 - esr           0       0       0

Affected platform: Linux

Crash rank on the last 7 days:
           Browser     Content   Plugin
 - nightly
 - aurora
 - beta
 - release #88
 - esr
The popular theme here is that the browser process is calling
PPluginModuleParent::CallSyncNPP_New() and receiving a
PluginScriptableObjectParent::AnswerNPN_Evaluate().
FlushPendingNotifications() is triggered, leading to
nsPluginFrame::CallSetWindow() and
nsPluginNativeWindowGtk::CreateXEmbedWindow().

I haven't found a crash from a Mozilla build.
Every one I saw looked like an Ubuntu build.
Making this assumption based on filenames such as
/build/firefox-Pw7m59/firefox-50.1.0+build2/dom/plugins/base/nsPluginNativeWindowGtk.cpp:184
which do not link to hg.mozilla.org.

Crash address 0x30 suggests a null pointer deref.
Component: Graphics → Plug-ins
Summary: Crash in libgdk-3.so.0.1800.9@0x3d6f0 → Crash in libgdk-3.so.0.1800.9@0x3d6f0 < CallSetWindow < FlushPendingNotifications < AnswerNPN_Evaluate < NPP_New
(In reply to Karl Tomlinson (:karlt) from comment #3)
> https://hg.mozilla.org/releases/mozilla-release/annotate/aed42f9ce9f7/dom/plugins/base/nsPluginNativeWindowGtk.cpp#l184

It looks like in the GTK source code that not all versions of GTK have the GDK_IS_WINDOW check inside gdk_window_get_user_data. So the easiest fix here is probably just to add a check for a null paren_win before calling it?
Flags: needinfo?(karlt)
(In reply to Lee Salzman [:lsalzman] from comment #4)
> It looks like in the GTK source code that not all versions of GTK have the
> GDK_IS_WINDOW check inside gdk_window_get_user_data. So the easiest fix here
> is probably just to add a check for a null paren_win before calling it?

The bug has occurred before this point because paren_win should not be null.

I suspect the nsPluginInstanceOwner doesn't have a widget.  The widget is
created after NPP_New completes.

If the plugin instance associated with NPP_New is the same as that for
SetWindow, then SetWindow should not be called until NPP_New has completed.

If they are different instances, then I guess it is possible that the widget
has been destroyed, but that should not happen until after the plugin instance
is destroyed.

If NPP_New hasn't completed, and I suspect that is the case, then the
NPPVpluginNeedsXEmbed call should not have been made, so the check for a
window should be further up the stack.

Looking at the base class implementation of
nsPluginNativeWindow::CallSetWindow, it seems that
nsPluginFrame::CallSetWindow() might be the best place to detect this
situation.  Similarly nsPluginNativeWindowWin::CallSetWindow() chains up to
the base class.

http://searchfox.org/mozilla-central/rev/3f614bdf91a2379a3e2c822da84e524f5e742121/dom/plugins/base/nsPluginNativeWindow.h#61

The tricky thing might be that windowless plugin instances don't have a window
and so that can't be used to determine whether NPP_New has returned.

mRunning is RUNNING before NPP_New is called and so that can't be used to determine whether NPP_New has completed (without some changes), and so the
check in nsNPAPIPluginInstance::SetWindow() would not return early, if that
function were called.

http://searchfox.org/mozilla-central/rev/3f614bdf91a2379a3e2c822da84e524f5e742121/dom/plugins/base/nsNPAPIPluginInstance.cpp#447
Flags: needinfo?(karlt)
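The analysis in comments 4 and 5 above is a lifecycle ordering problem: the plugin calls back into the browser (AnswerNPN_Evaluate → FlushPendingNotifications → CallSetWindow) before NPP_New has returned, and at that point no widget exists yet, while the instance already reports RUNNING, so the early-return check in SetWindow cannot catch it. The following is an added illustration written for this page, not Firefox code: the class, the extra INITIALIZING state, the Widget type and the result codes are all hypothetical. It models both a null check at the call site (comment 4) and a state that distinguishes "NPP_New in progress" from "NPP_New complete" (comment 5), and shows why only the latter stops the reentrant SetWindow before it reaches the null parent window.

```cpp
#include <functional>

// Hypothetical lifecycle states. Firefox's mRunning is already RUNNING before
// NPP_New is called (per comment 5), so it cannot express INITIALIZING.
enum class State { NOT_STARTED, INITIALIZING, RUNNING, DESTROYED };

struct Widget { int id; };   // stands in for the native (XEmbed) window

class PluginInstance {
public:
  // guardDuringInit=false models the page's description: the instance is
  // RUNNING before NPP_New is called. guardDuringInit=true adds the extra state.
  explicit PluginInstance(bool guardDuringInit) : mGuard(guardDuringInit) {}

  // Models NPP_New. The plugin may call back into the browser before NPP_New
  // returns; the widget is only created after NPP_New completes.
  void NppNew(const std::function<void(PluginInstance&)>& reentrantCallback) {
    mState = mGuard ? State::INITIALIZING : State::RUNNING;
    reentrantCallback(*this);   // re-entry from the plugin process happens here
    mWidget = &mOwnedWidget;    // widget exists only after NPP_New completes
    mState = State::RUNNING;
  }

  // Models the early-return check in SetWindow.
  // Returns 1 if the window was set, 0 if SetWindow returned early, and -1 if
  // the code would have reached gdk_window_get_user_data with a null parent
  // window (the null deref the report shows). A call-site null check can only
  // turn -1 into 0 here; it cannot fix the ordering that produced it.
  int SetWindow() {
    if (mState != State::RUNNING) return 0;
    if (mWidget == nullptr) return -1;
    mLastWindowId = mWidget->id;
    return 1;
  }

  int lastWindowId() const { return mLastWindowId; }

private:
  bool mGuard;
  State mState = State::NOT_STARTED;
  Widget mOwnedWidget{42};        // constructed sample widget
  Widget* mWidget = nullptr;
  int mLastWindowId = -1;
};

// Drives the scenario from the crash stack: SetWindow reached from inside
// NPP_New via a reentrant callback. Returns the SetWindow result code.
int reentrantSetWindowResult(bool guardDuringInit) {
  PluginInstance inst(guardDuringInit);
  int result = 99;
  inst.NppNew([&](PluginInstance& self) { result = self.SetWindow(); });
  return result;
}

// The normal case: SetWindow after NPP_New completes succeeds either way.
int postInitSetWindowResult(bool guardDuringInit) {
  PluginInstance inst(guardDuringInit);
  inst.NppNew([](PluginInstance&) {});
  return inst.SetWindow();
}

int main() {
  // Without the extra state the reentrant SetWindow reaches the null widget (-1);
  // with it, SetWindow returns early (0) and the post-init call still works (1).
  return (reentrantSetWindowResult(false) == -1 &&
          reentrantSetWindowResult(true) == 0 &&
          postInitSetWindowResult(false) == 1 &&
          postInitSetWindowResult(true) == 1) ? 0 : 1;
}
```

The design point is the one comment 5 makes: the state the check consults has to be set after NPP_New returns, not before it is called, otherwise every check below that point (in SetWindow, in CallSetWindow, or in the GTK code) is testing a condition that is already true during the reentrant call.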
We've removed support for all windowed-mode plugins on Linux, so this bug is almost certainly no longer relevant.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard