Closed
Bug 1293832
Opened 8 years ago
Closed 7 years ago
Crash in libgdk-3.so.0.1800.9@0x3d6f0 < CallSetWindow < FlushPendingNotifications < AnswerNPN_Evaluate < NPP_New
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(firefox48 affected)
RESOLVED
INCOMPLETE
Tracking | Status | |
---|---|---|
firefox48 | --- | affected |
People
(Reporter: u279076, Unassigned)
Details
(Keywords: crash, Whiteboard: [gfx-noted])
Crash Data
This bug was filed from the Socorro interface and is report bp-88530417-2236-4e1d-a50b-5b7672160809.

Stack (source paths are relative to /build/firefox-6p7T67/firefox-48.0+build2/; frames 90-112 are not included in the pasted report):

```
Ø   0  libgdk-3.so.0.1800.9  libgdk-3.so.0.1800.9@0x3d6f0
    1  libxul.so  nsPluginNativeWindowGtk::CreateXEmbedWindow  dom/plugins/base/nsPluginNativeWindowGtk.cpp:184
    2  libxul.so  nsPluginNativeWindowGtk::CallSetWindow  dom/plugins/base/nsPluginNativeWindowGtk.cpp:105
    3  libxul.so  nsPluginFrame::CallSetWindow  layout/generic/nsPluginFrame.cpp:664
    4  libxul.so  nsPluginFrame::ReflowFinished  layout/generic/nsPluginFrame.cpp:547
    5  libxul.so  PresShell::HandlePostedReflowCallbacks  layout/base/nsPresShell.cpp:3904
    6  libxul.so  PresShell::DidDoReflow  layout/base/nsPresShell.cpp:9086
    7  libxul.so  PresShell::ProcessReflowCommands  layout/base/nsPresShell.cpp:9448
    8  libxul.so  PresShell::FlushPendingNotifications  layout/base/nsPresShell.cpp:4098
    9  libxul.so  PresShell::FlushPendingNotifications  layout/base/nsPresShell.cpp:3945
   10  libxul.so  nsDocument::FlushPendingNotifications  dom/base/nsDocument.cpp:8344
   11  libxul.so  mozilla::dom::Element::GetPrimaryFrame  dom/base/Element.cpp:2121
   12  libxul.so  mozilla::dom::Element::GetStyledFrame  dom/base/Element.cpp:579
   13  libxul.so  nsGenericHTMLElement::GetOffsetRect  dom/html/nsGenericHTMLElement.cpp:333
   14  libxul.so  mozilla::dom::HTMLElementBinding::get_offsetLeft  dom/html/nsGenericHTMLElement.h:286
   15  libxul.so  mozilla::dom::GenericBindingGetter  dom/bindings/BindingUtils.cpp:2715
   16  libxul.so  js::InternalCallOrConstruct  js/src/jscntxtinlines.h:240
   17  libxul.so  js::Call  js/src/vm/Interpreter.cpp:544
   18  libxul.so  js::CallGetter  js/src/vm/Interpreter.cpp:656
   19  libxul.so  CallGetter  js/src/vm/NativeObject.cpp:1735
   20  libxul.so  js::NativeGetProperty  js/src/vm/NativeObject.cpp:1783
   21  libxul.so  js::CrossCompartmentWrapper::get  js/src/vm/NativeObject.h:1475
   22  libxul.so  js::Proxy::get  js/src/proxy/Proxy.cpp:299
   23  libxul.so  js::GetProperty  js/src/vm/NativeObject.h:1474
   24  libxul.so  Interpret  js/src/vm/Interpreter.cpp:217
   25  libxul.so  js::RunScript  js/src/vm/Interpreter.cpp:426
   26  libxul.so  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:498
   27  libxul.so  js::jit::DoCallFallback  js/src/jit/BaselineIC.cpp:5964
   28  @0x7f5493e9d7cf
   29  @0x7f5447f493e7
   30  @0x7f5493e9484e
   31  libxul.so  EnterBaseline  js/src/jit/BaselineJIT.cpp:156
   32  libxul.so  js::jit::EnterBaselineAtBranch  js/src/jit/BaselineJIT.cpp:262
   33  libxul.so  Interpret  js/src/vm/Interpreter.cpp:1836
   34  libxul.so  js::RunScript  js/src/vm/Interpreter.cpp:426
   35  libxul.so  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:498
   36  libxul.so  js::jit::DoCallFallback  js/src/jit/BaselineIC.cpp:5964
   37  @0x7f5493e9d7cf
   38  @0x7f5447ef0687
   39  @0x7f5493e9484e
   40  libxul.so  EnterBaseline  js/src/jit/BaselineJIT.cpp:156
   41  libxul.so  js::jit::EnterBaselineMethod  js/src/jit/BaselineJIT.cpp:194
   42  libxul.so  js::RunScript  js/src/vm/Interpreter.cpp:416
   43  libxul.so  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:498
   44  libxul.so  js::jit::DoCallFallback  js/src/jit/BaselineIC.cpp:5964
   45  @0x7f5493e9d7cf
   46  @0x7f5447ea74af
   47  @0x7f5493e9484e
   48  libxul.so  EnterBaseline  js/src/jit/BaselineJIT.cpp:156
   49  libxul.so  js::jit::EnterBaselineMethod  js/src/jit/BaselineJIT.cpp:194
   50  libxul.so  js::RunScript  js/src/vm/Interpreter.cpp:416
   51  libxul.so  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:498
   52  libxul.so  js::Call  js/src/vm/Interpreter.cpp:544
   53  libxul.so  js::fun_call  js/src/jsfun.cpp:1179
   54  libxul.so  js::fun_apply  js/src/jsfun.cpp:1201
   55  libxul.so  js::InternalCallOrConstruct  js/src/jscntxtinlines.h:240
   56  libxul.so  js::jit::DoCallFallback  js/src/jit/BaselineIC.cpp:5964
   57  @0x7f5493e9d7cf
   58  @0x7f5442f5d76f
   59  @0x7f5493e9484e
   60  libxul.so  EnterBaseline  js/src/jit/BaselineJIT.cpp:156
   61  libxul.so  js::jit::EnterBaselineMethod  js/src/jit/BaselineJIT.cpp:194
   62  libxul.so  js::RunScript  js/src/vm/Interpreter.cpp:416
   63  libxul.so  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:498
   64  libxul.so  js::Call  js/src/vm/Interpreter.cpp:544
   65  libxul.so  js::DirectProxyHandler::call  js/src/proxy/DirectProxyHandler.cpp:82
   66  libxul.so  js::CrossCompartmentWrapper::call  js/src/proxy/CrossCompartmentWrapper.cpp:291
   67  libxul.so  js::proxy_Call  js/src/proxy/Proxy.cpp:390
   68  libxul.so  js::InternalCallOrConstruct  js/src/jscntxtinlines.h:240
   69  libxul.so  Interpret  js/src/vm/Interpreter.cpp:531
   70  libxul.so  js::RunScript  js/src/vm/Interpreter.cpp:426
   71  libxul.so  js::ExecuteKernel  js/src/vm/Interpreter.cpp:704
   72  libxul.so  js::Execute  js/src/vm/Interpreter.cpp:737
   73  libxul.so  Evaluate  js/src/jsapi.cpp:4487
   74  libxul.so  JS::Evaluate  js/src/jsapi.cpp:4513
   75  libxul.so  nsJSUtils::EvaluateString  dom/base/nsJSUtils.cpp:212
   76  libxul.so  nsJSUtils::EvaluateString  dom/base/nsJSUtils.cpp:140
   77  libxul.so  mozilla::plugins::parent::_evaluate  dom/plugins/base/nsNPAPIPlugin.cpp:1431
   78  libxul.so  mozilla::plugins::PluginScriptableObjectParent::AnswerNPN_Evaluate  dom/plugins/ipc/PluginScriptableObjectParent.cpp:1332
   79  libxul.so  mozilla::plugins::PPluginScriptableObjectParent::OnCallReceived  obj-x86_64-linux-gnu/ipc/ipdl/PPluginScriptableObjectParent.cpp:735
   80  libxul.so  mozilla::plugins::PPluginModuleParent::OnCallReceived  obj-x86_64-linux-gnu/ipc/ipdl/PPluginModuleParent.cpp:1389
   81  libxul.so  mozilla::ipc::MessageChannel::DispatchInterruptMessage  ipc/glue/MessageChannel.cpp:1724
   82  libxul.so  mozilla::ipc::MessageChannel::Call  ipc/glue/MessageChannel.cpp:1415
   83  libxul.so  mozilla::plugins::PPluginModuleParent::CallSyncNPP_New  obj-x86_64-linux-gnu/ipc/ipdl/PPluginModuleParent.cpp:347
   84  libxul.so  mozilla::plugins::PluginModuleParent::NPP_NewInternal  dom/plugins/ipc/PluginModuleParent.cpp:2745
   85  libxul.so  mozilla::plugins::PluginModuleParent::NPP_New  dom/plugins/ipc/PluginModuleParent.cpp:2634
   86  libxul.so  nsNPAPIPluginInstance::Start  dom/plugins/base/nsNPAPIPluginInstance.cpp:449
   87  libxul.so  nsNPAPIPluginInstance::Initialize  dom/plugins/base/nsNPAPIPluginInstance.cpp:234
   88  libxul.so  nsPluginHost::TrySetUpPluginInstance  dom/plugins/base/nsPluginHost.cpp:1005
   89  libxul.so  nsPluginHost::SetUpPluginInstance  dom/plugins/base/nsPluginHost.cpp:922
  113  firefox  main  browser/app/nsBrowserApp.cpp:360
Ø 114  libc-2.23.so  libc-2.23.so@0x2082f
  115  firefox  _init
  116  firefox  _GLOBAL__sub_I_TimeStamp.cpp  mozglue/misc/TimeStamp.cpp:47
  117  @0x7ffff1d6bc1f
Ø 118  ld-2.23.so  ld-2.23.so@0x105fa
  119  firefox  _GLOBAL__sub_I_TimeStamp.cpp  mozglue/misc/TimeStamp.cpp:47
  120  @0x7ffff1d6bc1f
  121  firefox  _start
  122  @0x7ffff1d6bc17
```

More reports: https://crash-stats.mozilla.com/signature/?product=Firefox&signature=libgdk-3.so.0.1800.9%400x3d6f0

I hit this crash today while reading an article on Variety: http://variety.com/2016/digital/news/hulu-free-streaming-end-yahoo-1201832578/

I've not reproduced it yet but there are 220 other reports over the last week, all with Firefox 47-49.
Updated•8 years ago
Whiteboard: [gfx-noted]
Comment 1•8 years ago
Crash volume for signature 'libgdk-3.so.0.1800.9@0x3d6f0':
- nightly (version 51): 0 crashes from 2016-08-01.
- aurora (version 50): 0 crashes from 2016-08-01.
- beta (version 49): 0 crashes from 2016-08-02.
- release (version 48): 658 crashes from 2016-07-25.
- esr (version 45): 0 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):

Channel | W. N-1 | W. N-2 | W. N-3
---|---|---|---
nightly | 0 | 0 | 0
aurora | 0 | 0 | 0
beta | 0 | 0 | 0
release | 274 | 196 | 48
esr | 0 | 0 | 0

Affected platform: Linux

Crash rank on the last 7 days:

Channel | Browser | Content | Plugin
---|---|---|---
nightly | | |
aurora | | |
beta | | |
release | #88 | |
esr | | |
status-firefox48:
--- → affected
Comment 2•7 years ago
The popular theme here is that the browser process is calling PPluginModuleParent::CallSyncNPP_New() and receiving a PluginScriptableObjectParent::AnswerNPN_Evaluate(). FlushPendingNotifications() is triggered, leading to nsPluginFrame::CallSetWindow() and nsPluginNativeWindowGtk::CreateXEmbedWindow().

I haven't found a crash from a Mozilla build. Every one I saw looked like an Ubuntu build. Making this assumption based on filenames such as /build/firefox-Pw7m59/firefox-50.1.0+build2/dom/plugins/base/nsPluginNativeWindowGtk.cpp:184 which do not link to hg.mozilla.org.

Crash address 0x30 suggests a null pointer deref.
Component: Graphics → Plug-ins
Summary: Crash in libgdk-3.so.0.1800.9@0x3d6f0 → Crash in libgdk-3.so.0.1800.9@0x3d6f0 < CallSetWindow < FlushPendingNotifications < AnswerNPN_Evaluate < NPP_New
Comment 3•7 years ago
https://hg.mozilla.org/releases/mozilla-release/annotate/aed42f9ce9f7/dom/plugins/base/nsPluginNativeWindowGtk.cpp#l184
Comment 4•7 years ago
(In reply to Karl Tomlinson (:karlt) from comment #3)
> https://hg.mozilla.org/releases/mozilla-release/annotate/aed42f9ce9f7/dom/plugins/base/nsPluginNativeWindowGtk.cpp#l184

It looks like in the GTK source code that not all versions of GTK have the GDK_IS_WINDOW check inside gdk_window_get_user_data. So the easiest fix here is probably just to add a check for a null paren_win before calling it?
Flags: needinfo?(karlt)
Comment 5•7 years ago
(In reply to Lee Salzman [:lsalzman] from comment #4)
> It looks like in the GTK source code that not all versions of GTK have the GDK_IS_WINDOW check inside gdk_window_get_user_data. So the easiest fix here is probably just to add a check for a null paren_win before calling it?

The bug has occurred before this point because paren_win should not be null. I suspect the nsPluginInstanceOwner doesn't have a widget. The widget is created after NPP_New completes.

If the plugin instance associated with NPP_New is the same as that for SetWindow, then SetWindow should not be called until NPP_New has completed. If they are different instances, then I guess it is possible that the widget has been destroyed, but that should not happen until after the plugin instance is destroyed.

If NPP_New hasn't completed, and I suspect that is the case, then the NPPVpluginNeedsXEmbed call should not have been made, so the check for a window should be further up the stack.

Looking at the base class implementation of nsPluginNativeWindow::CallSetWindow, it seems that nsPluginFrame::CallSetWindow() might be the best place to detect this situation. Similarly nsPluginNativeWindowWin::CallSetWindow() chains up to the base class.
http://searchfox.org/mozilla-central/rev/3f614bdf91a2379a3e2c822da84e524f5e742121/dom/plugins/base/nsPluginNativeWindow.h#61

The tricky thing might be that windowless plugin instances don't have a window and so that can't be used to determine whether NPP_New has returned. mRunning is RUNNING before NPP_New is called and so that can't be used to determine whether NPP_New has completed (without some changes), and so the check in nsNPAPIPluginInstance::SetWindow() would not return early, if that function were called.
http://searchfox.org/mozilla-central/rev/3f614bdf91a2379a3e2c822da84e524f5e742121/dom/plugins/base/nsNPAPIPluginInstance.cpp#447
Flags: needinfo?(karlt)
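A model of the re-entrancy that comments 2 and 5 describe, as an added example that is not Firefox code and not part of this bug's discussion. NPP_New is a synchronous call into the plugin process, but the plugin can send an interrupt message (NPN_Evaluate) while it is outstanding; the evaluated script reads offsetLeft, which flushes layout and reaches SetWindow before NPP_New has returned and before the widget exists. The names `PluginInstance`, `State`, `SetWindowResult` and the `hardened` flag are assumptions of this model, and `NullDeref` is a return value standing in for the GDK crash, not a real dereference. The naive variant marks the instance running before the call, which is what comment 5 says mRunning does, so its running check passes and it reaches the null-window path; the hardened variant keeps a separate Initializing state and gates on that, which also covers windowless instances (they never have a window, so window presence cannot be the test, as the comment notes). The null check proposed in comment 4 would sit at the very bottom of this path and only mask the symptom.

```cpp
#include <cstdint>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Lifecycle of a hypothetical browser-side plugin instance (model only).
enum class State { NotStarted, Initializing, Running };

// What a SetWindow attempt did. NullDeref stands in for the real outcome of
// handing a null parent window to GDK; nothing is actually dereferenced here.
enum class SetWindowResult { Skipped, Called, NullDeref };

struct NativeWindow { uintptr_t xid; };   // stands in for the GdkWindow / XEmbed socket

struct PluginInstance {
  State state = State::NotStarted;
  std::unique_ptr<NativeWindow> window;   // only created after NPP_New has returned
  bool hardened;                          // false: naive gating; true: separate Initializing state
  std::vector<std::string> events;        // constructed trace, for inspection

  explicit PluginInstance(bool hardenedGate) : hardened(hardenedGate) {}

  // Reached from a layout flush (nsPluginFrame::CallSetWindow in the real stack).
  SetWindowResult setWindow() {
    events.push_back("SetWindow");
    // The only gate is "is the instance running?". In the naive variant that
    // is already true while NPP_New is outstanding, so the check passes.
    if (state != State::Running) return SetWindowResult::Skipped;
    if (!window) return SetWindowResult::NullDeref;   // the crashing path
    return SetWindowResult::Called;
  }

  // Synchronous NPP_New. The plugin side may call back into the browser
  // (NPN_Evaluate) before this returns; that callback is passed in.
  SetWindowResult start(const std::function<SetWindowResult(PluginInstance&)>& pluginCallback) {
    state = hardened ? State::Initializing : State::Running;
    events.push_back("NPP_New begin");
    SetWindowResult reentrant = pluginCallback(*this);   // interrupt message handled here
    events.push_back("NPP_New end");
    window = std::make_unique<NativeWindow>(NativeWindow{0x3000001});  // widget created after NPP_New
    state = State::Running;
    return reentrant;
  }
};

// The plugin evaluates script that reads el.offsetLeft; the getter flushes
// layout, and the reflow callback calls SetWindow on this same instance.
SetWindowResult evaluateOffsetLeft(PluginInstance& inst) {
  inst.events.push_back("NPN_Evaluate(offsetLeft)");
  return inst.setWindow();
}

// Result of the re-entrant SetWindow issued while NPP_New is outstanding.
SetWindowResult reentrantSetWindow(bool hardened) {
  PluginInstance inst(hardened);
  return inst.start(evaluateOffsetLeft);
}

// A SetWindow after NPP_New has completed must still reach the window.
SetWindowResult laterSetWindow(bool hardened) {
  PluginInstance inst(hardened);
  inst.start(evaluateOffsetLeft);
  return inst.setWindow();
}

static const char* name(SetWindowResult r) {
  switch (r) {
    case SetWindowResult::Skipped: return "Skipped";
    case SetWindowResult::Called:  return "Called";
    default:                       return "NullDeref";
  }
}

int main() {
  std::cout << "naive, during NPP_New:    " << name(reentrantSetWindow(false)) << "\n"
            << "hardened, during NPP_New: " << name(reentrantSetWindow(true)) << "\n"
            << "naive, after NPP_New:     " << name(laterSetWindow(false)) << "\n"
            << "hardened, after NPP_New:  " << name(laterSetWindow(true)) << "\n";
  return 0;
}
```

The point of the model is where the gate lives: rejecting SetWindow while the instance is still initializing stops the re-entrant call at the frame level, independent of whether a native window will ever exist, which is what makes it usable for windowless instances too.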
Comment 6•7 years ago
We've removed support for all windowed-mode plugins on Linux, so this bug is almost certainly no longer relevant.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
Updated•2 years ago
Product: Core → Core Graveyard