242809 - intermittent crash in EmbedPrivate::GetPIDOMWindow

Status: RESOLVED DUPLICATE of bug 243419

(Core Graveyard :: Embedding: GTK Widget, defect)

Description

[Tommi Komulainen]

We're getting few bug reports where gtkmozembed seems to be crashing inside
EmbedPrivate::GetPIDOMWindow.  http://bugzilla.gnome.org/show_bug.cgi?id=140778
is one example.

We don't have reproducable testcase, but I'm wondering if the following could be
the culprit:

840   // get the private DOM window
841   nsCOMPtr<nsPIDOMWindow> domWindowPrivate = do_QueryInterface(domWindow);
842   // and the root window for that DOM window
843   *aPIWin = domWindowPrivate->GetPrivateRoot();

It looks to me the only place where it could possibly be crashing is line 843 if
domWindowPrivate manages to be NULL.  Some parts inside mozilla have guards
against that possibility, but not all.

Comment 1

[Tommi Komulainen]

Received more information:

line 809 is 
mWindow->GetWebBrowser(getter_AddRefs(webBrowser));

#0  0x4fbe5167 in EmbedPrivate::GetPIDOMWindow(nsPIDOMWindow**) (
    this=0x949b578, aPIWin=0xbfffdea4) at EmbedPrivate.cpp:809
        webBrowser = {mRawPtr = 0x0}
        domWindow = {mRawPtr = 0xbfffdea4}
        domWindowPrivate = {mRawPtr = 0x910130c}
        rootWindow = {mRawPtr = 0x429e7d40}
        chromeHandler = {mRawPtr = 0xbfffde14}
        piWin = {mRawPtr = 0x8257740}
#1  0x4fbe4a77 in EmbedPrivate::TopLevelFocusIn() (this=0x949b578)
    at EmbedPrivate.cpp:653
        piWin = {mRawPtr = 0x0}
        focusController = {mRawPtr = 0x91011f8}
#2  0x4fbe197f in handle_toplevel_focus_in (aWidget=0x8336cb0, 
    aEvent=0x830d7e8, aPrivate=0xbfffde24) at gtkmozembed2.cpp:779
No locals.
#3  0x4f68ed69 in _gtk_marshal_BOOLEAN__BOXED ()
   from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#4  0x41d7a267 in g_signal_type_cclosure_new ()
   from /usr/lib/libgobject-2.0.so.0
No symbol table info available.
#5  0xbfffdf8c in ?? ()
No symbol table info available.

(gdb) print *this
$3 = {mOwningWidget = 0x829f248, mWindow = 0x1, 
  mWindowGuard = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, 
  mProgress = 0x220720, mProgressGuard = {<nsCOMPtr_base> = {
      mRawPtr = 0x3e00}, <No data fields>}, mContentListener = 0x0, 
  mContentListenerGuard = {<nsCOMPtr_base> = {
      mRawPtr = 0x86b1290}, <No data fields>}, mEventListener = 0x0, 
  mEventListenerGuard = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}, 
  mStream = 0xffffffff, mStreamGuard = {<nsCOMPtr_base> = {
      mRawPtr = 0xffffffff}, <No data fields>}, mNavigation = {mRawPtr = 0x1}, 
  mSessionHistory = {mRawPtr = 0x1}, mEventReceiver = {mRawPtr = 0x0}, 
  mURI = {<nsSubstring> = {<nsAString> = {mVTable = 0x9904cd8, mData = 0x0, 
        mLength = 0, 
        mFlags = 161144728}, <No data fields>}, <No data fields>}, 
  static sWidgetCount = 20, static sCompPath = 0x81bfa08 "/usr/lib/mozilla", 
  static sAppComps = 0x4fc02080, static sNumAppComps = 1, 
  static sAppShell = 0x8237740, static sWindowList = 0x8a67af8, 
  static sProfileDir = 0x81bf6a0 "/home/mikaelh/.galeon/mozilla", 
  static sProfileName = 0x81c0e68 "galeon", 
  static sProfileDirServiceProvider = 0x8258340, static sPrefs = 0x8236ab0, 
  static sAppFileLocProvider = 0x0, mChromeMask = 0, mIsChrome = 2, 
  mChromeLoaded = 0, mMozWindowWidget = 0x3f000000, mIsDestroyed = 0, 
  mListenersAttached = 0, static sOffscreenWindow = 0x8d852f0, 
  static sOffscreenFixed = 0x8d856d8}

Comment 2

[Tommi Komulainen]

Adding prints here and there shows that the destructor is run before the fatal
GetPIDOMWindow call.

Comment 3

[Tommi Komulainen]

gtk_moz_embed_unrealize() and _destroy() are being called, and after those the
same object still receives a 'toplevel-focus-out' causing the crash.

I'm fairly certain the patch in bug 243419 will fix this one.

*** This bug has been marked as a duplicate of 243419 ***