Closed Bug 435764 Opened 16 years ago Closed 16 years ago

crash [@ cairo_draw_with_xlib] painting windowless plugins when MIME type is obtained from data/src

Categories

(Core Graveyard :: Plug-ins, defect, P1)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Linux
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.1a1

People

(Reporter: sylvain.bertrand, Assigned: karlt)

References

(
URL
)

Details

(Keywords: crash, fixed1.9.0.2, fixed1.9.1)

Crash Data

Attachments

(3 files, 3 obsolete files)

gdb bt full with a debug build of firefox 3.0 RC1
16.83 KB, text/plain
Details
move ws_info set up from nsObjectFrame::CallSetWindow() v4.1.1
29.11 KB, patch
samuel.sidler+old
: approval1.9.0.2+
Details | Diff | Splinter Review
include gdk/gdkscreen.h in system-headers
404 bytes, patch
roc
: review+
samuel.sidler+old
: approval1.9.0.2+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9) Gecko/2008052615 (Gentoo) Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9) Gecko/2008052615 (Gentoo) Firefox/3.0

As of today (26052008), with the swfdec(git) plugin enabled or disabled, if you try to view/scroll to the bottom of the provided page, firefox 3.0 RC1 crashed (trying to display a plugin managed area).

Reproducible: Always
Component: General → GFX: Thebes
Keywords: crash
Product: Firefox → Core
QA Contact: general → thebes
Summary: crash viewing http://www.leparisien.fr with swfdec(git) plugin enabled or disabled → crash viewing http://www.leparisien.fr with swfdec(git) plugin enabled or disabled [@ cairo_draw_with_xlib]
Version: unspecified → Trunk
Assignee: nobody → mozbugz
Crash with same BT:
http://www.universfreebox.com/article5360.html
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: mozbugz → nobody
Component: GFX: Thebes → Plug-ins
Flags: blocking1.9.1?
QA Contact: thebes → plugins
Assignee: nobody → mozbugz
Made a full debug build of firefox 3 RC2 with today git swfdec:
 - http://www.leparisien.fr seems not to crash anymore.
 - http://www.universfreebox.com/article5360.html hangs the whole firefox process.

I'm keen to try out swfdec, but I haven't found a revision of
git://swfdec.freedesktop.org/git/swfdec/swfdec in the last few days that compiles.

Can someone recommend a revision/tag that I should use, please?

BTW, the current issue is:
cc1: warnings being treated as errors
swfdec_init.c: In function 'swfdec_init':
swfdec_init.c:68: warning: implicit declaration of function 'strtoul'
swfdec_init.c:68: warning: nested extern declaration of 'strtoul'

Uh yeah, you're in a kind of peculiar situation here as you need to run a development version, and those set -Werror (and no, I'm not going into a discussion of why this is the best thing people should do). In theory, git master should work (and definitely compile) fine, as there's enough developers running it every day. If there's issues, poke me on IRC and I'll fix them immediately.

That said, if you still want the easy path, export CFLAGS=-Wno-error when building swfdec and swfdec-mozilla. That gets rid of the "warnings being treated as errors" thing.
Thanks to Benjamin, I now have swfdec-mozilla compiled (and producing some
nice effects when Mozilla doesn't crash).

The crash is happening because sometimes ws_info is not set up (in
nsObjectFrame::CallSetWindow()) and so it contains zeros when used in
nsPluginInstanceOwner::Paint().

The crash happens for plugins that are instantiated through
nsObjectFrame::Instantiate(nsIChannel* aChannel, nsIStreamListener** aStreamListener)
rather than
nsObjectFrame::Instantiate(const char* aMimeType, nsIURI* aURI)
as only the later does CallSetWindow() (and I don't know why that is).

With attachment 324576 [details] [diff] [review], gfxXlibNativeRenderer::Draw almost never uses its dpy
argument and so the crash reduces to

###!!! ASSERTION: Visual changed: colormap may not match: 'ws_info->visual == visual', file /home/karl/moz/mozilla/layout/generic/nsObjectFrame.cpp, line 4207

but still no useful info is available in ws_info for the plugin.

I can reproduce the assertion when scrolling to the first windowless plugin on 
http://www.universfreebox.com/article5360.html, or on http://movies.yahoo.com/.

This is one way to solve the problem.
Perhaps another is to set up in nsObjectFrame::FixupWindow, or perhaps both
nsObjectFrame::Instantiate methods (or neither) should do CallSetWindow();

The build here has this patch and attachment 324576 [details] [diff] [review], for those who would like something that works:

https://build.mozilla.org/tryserver-builds/2008-06-11_23:42-ktomlinson@mozilla.com-lines-null-wsinfo/

(I'll see if I can work out why the Instantiate methods differ.)
Is this a common way to view flash on linux? Or are people just using the official macromedia one?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
(In reply to comment #9)

The bug is being hit because newer versions of swfdec have windowless support.

https://bugs.launchpad.net/ubuntu/+source/firefox-3.0/+bug/239182

The macromedia plugin will hit the same bug when it has wmode support.

(I don't know how many users use use swfdec or gnash or the macromedia plugin [with nspluginwrapper for 64-bit].)
Similar problem seen in Adobe Flash Player. Most notable with http://movies.yahoo.com/ . Tracked by Adobe internal issue 228012.
This will happen with any windowless plugin when the mime type is determined from using the URL in the data attribute rather than from the
type attribute, which now happens for object elements (bug 95549).
I guess there would be the same problem if the type attribute were not included in an embed element.
Status: NEW → ASSIGNED
Summary: crash viewing http://www.leparisien.fr with swfdec(git) plugin enabled or disabled [@ cairo_draw_with_xlib] → crash [@ cairo_draw_with_xlib] painting windowless plugins when MIME type is obtained from src
nsPluginInstanceOwner::CreateWidget() is a good place to set up the display because that is where the plugin "becomes" windowless, and the display should not change.

The right place to set up the Colormap is in nsPluginInstanceOwner::Renderer::NativeDraw() where the Visual is known.

To avoid the need to hunt for the Visual on the Display to find the
Screen for selecting a Colormap, this changes the Display* argument of gfxXlibNativeRenderer::NativeDraw to a Screen*.

This also makes the treatment of CAIRO_XLIB_DRAWING_SUPPORTS_NONDEFAULT_VISUAL in _create_temp_xlib_surface consistent with that in _draw_with_xlib_direct.
i.e. when not set the visual must be the default visual of the screen used,
but need not be the default visual of the fallback dpy specified.
Attachment #324752 - Attachment is obsolete: true
Attachment #327742 - Flags: review?(roc)
Reported by Adobe Flash Player users:
http://nvidia.com/
http://www.bbc.co.uk/
I reproduced these crashes by loading the pages and then maximizing the browser frame. The crash appears to come from libxul.so.
I'm seeing an almost identical crash with latest Adobe Flash Player on my own personal blog, which is fixed by Karl's test build. I can reproduce 100% on latest nightly by scrolling down the page.
http://crash-stats.mozilla.com/report/index/ec6a48d1-4a4b-11dd-b681-001cc45a2ce4 and http://crash-stats.mozilla.com/report/index/d95b1702-4a4c-11dd-a703-001cc45a2ce4 are two of my crashes from a nightly.

I think my bug #442115 is a duplicate of this with some additional information as to what is causing this.
Flags: wanted1.9.0.x?
Summary: crash [@ cairo_draw_with_xlib] painting windowless plugins when MIME type is obtained from src → crash [@ cairo_draw_with_xlib] painting windowless plugins when MIME type is obtained from data/src
FindColormapForVisual and the other colormap-getting machinery should move into gfxNativeRenderer as discussed. Otherwise looks great. (X suuuuucks!)
(In reply to comment #19)
> FindColormapForVisual and the other colormap-getting machinery should move into
> gfxNativeRenderer as discussed.

Done.
Attachment #327742 - Attachment is obsolete: true
Attachment #328287 - Flags: review?(roc)
Attachment #327742 - Flags: review?(roc)
Requesting blocking 1.9.0.2 because both swfdec and Adobe now have
windowless-capable Flash plugins available (though Adobe's at least is still in
beta), and moonlight also has a windowless plugin.

The number of affected sites is hard to estimate as there is a race condition between reflow and plugin instantiation, but definitely high enough that we can expect plenty of users to hit this when they upgrade their plugin versions.
Flags: blocking1.9.0.2?
Confirmed the latest patch fixes this issue with the moonlight plugin and our testcases.

@karlt, The patch doesn't appear to apply cleanly with any version of patch tho, dunno whats going on with that.
Correct patch line counts.  (Same code.)

(In reply to comment #22)
> The patch doesn't appear to apply cleanly with any version of patch
> tho, dunno whats going on with that.

Thanks for testing, Geoff.  Sorry about the patch.  Emacs diff-mode sometimes (but I don't know exactly when) doesn't update line counts and I forgot to check that.
Attachment #328287 - Attachment is obsolete: true
for:

/tools/gcc/bin/g++  -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wcast-align -Wno-long-long -pedantic -gstabs+ -fno-strict-aliasing -fshort-wchar -pthread -pipe  -DNDEBUG -DTRIMMED -Os -freorder-blocks -fno-reorder-functions -finline-limit=50 -fPIC -shared -Wl,-z,defs -Wl,-h,libxul.so -o libxul.so  nsStaticXULComponents.o nsUnicharUtils.o nsCompressedCharMap.o nsBidiUtils.o nsRDFResource.o     -lpthread   -Wl,-rpath-link,../../dist/bin  -Wl,--whole-archive ../../embedding/browser/gtk/src/libgtkembedmoz.a ../../toolkit/xre/libxulapp_s.a  ../../staticlib/components/libxpconnect.a ../../staticlib/components/libnecko.a ../../staticlib/components/libuconv.a ../../staticlib/components/libi18n.a ../../staticlib/components/libchardet.a ../../staticlib/components/libjar50.a ../../staticlib/components/libpref.a ../../staticlib/components/libcaps.a ../../staticlib/components/libhtmlpars.a ../../staticlib/components/libimglib2.a ../../staticlib/components/libgklayout.a ../../staticlib/components/libdocshell.a ../../staticlib/components/libembedcomponents.a ../../staticlib/components/libwebbrwsr.a ../../staticlib/components/libnsappshell.a ../../staticlib/components/libtxmgr.a ../../staticlib/components/libchrome.a ../../staticlib/components/libcommandlines.a ../../staticlib/components/libtoolkitcomps.a ../../staticlib/components/libpipboot.a ../../staticlib/components/libpipnss.a ../../staticlib/components/libgkplugin.a ../../staticlib/components/libmozfind.a ../../staticlib/components/libappcomps.a ../../staticlib/components/libunixproxy.a ../../staticlib/components/libxpinstall.a ../../staticlib/components/libjsd.a ../../staticlib/components/libautoconfig.a ../../staticlib/components/libauth.a ../../staticlib/components/libcookie.a ../../staticlib/components/libpermissions.a ../../staticlib/components/libuniversalchardet.a ../../staticlib/components/libcomposer.a ../../staticlib/components/librdf.a ../../staticlib/components/libwindowds.a ../../staticlib/components/libintlapp.a ../../staticlib/components/libfileview.a ../../staticlib/components/libstoragecomps.a ../../staticlib/components/libplaces.a ../../staticlib/components/libtkautocomplete.a ../../staticlib/components/libsatchel.a ../../staticlib/components/libpippki.a ../../staticlib/components/libucvmath.a ../../staticlib/components/libwidget_gtk2.a ../../staticlib/components/libsystem-pref.a ../../staticlib/components/libgkgfxthebes.a ../../staticlib/components/libaccessibility.a ../../staticlib/components/libremoteservice.a ../../staticlib/components/libspellchecker.a ../../staticlib/components/libzipwriter.a ../../staticlib/libxpcom_core.a ../../staticlib/libucvutil_s.a ../../staticlib/libgkgfx.a ../../staticlib/libgfxshared_s.a ../../staticlib/libmozreg_s.a ../../staticlib/libmorkreader_s.a ../../staticlib/libgtkxtbin.a ../../staticlib/libgfxpsshar.a ../../staticlib/libthebes.a  -Wl,--no-whole-archive -L../../dist/lib -lsqlite3 -L../../dist/bin -L../../dist/lib  -L../../dist/bin -L../../dist/lib -L../../jpeg -lmozjpeg -L../../modules/libimg/png -lmozpng -L../../dist/bin -lmozlcms -L../../dist/bin -lmozjs -L../../dist/bin -L../../dist/lib -lcrmf -lsmime3 -lssl3 -lnss3 -lnssutil3 -lsoftokn3  -L../../modules/zlib/src -lmozz -L/lib64 -lpangocairo-1.0 -lcairo -lpangoft2-1.0 -lpango-1.0 -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0   ../../gfx/cairo/cairo/src/libmozcairo.a ../../gfx/cairo/libpixman/src/libmozlibpixman.a   -L/usr/lib64 -lXrender -lfreetype -lfontconfig -L../../dist/lib -lplds4 -lplc4 -lnspr4 -lpthread -ldl -L/usr/lib64 -lX11  -lXft -lXrender -lfontconfig -lfreetype -lX11   -L/lib64 -lgtk-x11-2.0 -latk-1.0 -lgdk-x11-2.0 -lgdk_pixbuf-2.0 -lm -lpangocairo-1.0 -lpango-1.0 -lcairo -lgmodule-2.0 -ldl -lgobject-2.0 -lglib-2.0   -lXt -lgthread-2.0 -lfreetype -ldl -lm     
/usr/bin/ld: ../../staticlib/libthebes.a(gfxXlibNativeRenderer.o): relocation R_X86_64_PC32 against `gdk_display_get_screen' can not be used when making a shared object; recompile with -fPIC
Attachment #328437 - Flags: review?(roc)
Another consistent crasher: http://skoda-auto.cz/
Please use the build here:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008-07-08-02-mozilla-central/

It includes the fix for this bug
(and resolves the crash on http://skoda-auto.cz/).
Awesome. Works great with all of the problem URLs. Thanks.
Blocks: 384845
Can we get a test for this before landing in 1.9.0?
Flags: in-testsuite?
(In reply to comment #31)
Automated testing depends on having a windowless plugin in our source tree
(bug 386144).

I've manually tested this patch with Swfdec on the problem sites reported
here, Geoff Norton has tested the Moonlight plugin (comment #22) on their
testcases (including attachment attachment 326988 [details]), and Mike Melanson has
tested the Adobe plugin (comment #28).
Comment on attachment 328388 [details] [diff] [review]
move ws_info set up from nsObjectFrame::CallSetWindow() v4.1.1

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #328388 - Flags: approval1.9.0.2? → approval1.9.0.2+
Comment on attachment 328437 [details] [diff] [review]
include gdk/gdkscreen.h in system-headers

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #328437 - Flags: approval1.9.0.2? → approval1.9.0.2+
No blocking, but wanted (and the patches are already approved).
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.2?
Flags: blocking1.9.0.2-
Target Milestone: --- → mozilla1.9.1a1
Keywords: fixed1.9.0.2
Crash Signature: [@ cairo_draw_with_xlib]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: