Note: There are a few cases of duplicates in user autocompletion which are being worked on.

crash [@ cairo_draw_with_xlib] painting windowless plugins when MIME type is obtained from data/src

RESOLVED FIXED in mozilla1.9.1a1

Status

()

Core
Plug-ins
P1
critical
RESOLVED FIXED
9 years ago
6 years ago

People

(Reporter: Sylvain BERTRAND, Assigned: karlt)

Tracking

({crash, fixed1.9.0.2, fixed1.9.1})

Trunk
mozilla1.9.1a1
x86
Linux
crash, fixed1.9.0.2, fixed1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.2 -
wanted1.9.0.x +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(3 attachments, 3 obsolete attachments)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9) Gecko/2008052615 (Gentoo) Firefox/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; fr; rv:1.9) Gecko/2008052615 (Gentoo) Firefox/3.0

As of today (26052008), with the swfdec(git) plugin enabled or disabled, if you try to view/scroll to the bottom of the provided page, firefox 3.0 RC1 crashed (trying to display a plugin managed area).

Reproducible: Always
(Reporter)

Comment 1

9 years ago
Created attachment 322523 [details]
gdb bt full with a debug build of firefox 3.0 RC1

Updated

9 years ago
Duplicate of this bug: 435838

Updated

9 years ago
Component: General → GFX: Thebes
Keywords: crash
Product: Firefox → Core
QA Contact: general → thebes
Summary: crash viewing http://www.leparisien.fr with swfdec(git) plugin enabled or disabled → crash viewing http://www.leparisien.fr with swfdec(git) plugin enabled or disabled [@ cairo_draw_with_xlib]
Version: unspecified → Trunk
(Assignee)

Updated

9 years ago
Assignee: nobody → mozbugz
(Reporter)

Comment 3

9 years ago
Crash with same BT:
http://www.universfreebox.com/article5360.html
(Assignee)

Updated

9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Updated

9 years ago
Assignee: mozbugz → nobody
Component: GFX: Thebes → Plug-ins
Flags: blocking1.9.1?
QA Contact: thebes → plugins
(Assignee)

Updated

9 years ago
Assignee: nobody → mozbugz
(Reporter)

Comment 4

9 years ago
Made a full debug build of firefox 3 RC2 with today git swfdec:
 - http://www.leparisien.fr seems not to crash anymore.
 - http://www.universfreebox.com/article5360.html hangs the whole firefox process.
(Assignee)

Comment 5

9 years ago
I'm keen to try out swfdec, but I haven't found a revision of
git://swfdec.freedesktop.org/git/swfdec/swfdec in the last few days that compiles.

Can someone recommend a revision/tag that I should use, please?

BTW, the current issue is:
cc1: warnings being treated as errors
swfdec_init.c: In function 'swfdec_init':
swfdec_init.c:68: warning: implicit declaration of function 'strtoul'
swfdec_init.c:68: warning: nested extern declaration of 'strtoul'

Comment 6

9 years ago
Uh yeah, you're in a kind of peculiar situation here as you need to run a development version, and those set -Werror (and no, I'm not going into a discussion of why this is the best thing people should do). In theory, git master should work (and definitely compile) fine, as there's enough developers running it every day. If there's issues, poke me on IRC and I'll fix them immediately.

That said, if you still want the easy path, export CFLAGS=-Wno-error when building swfdec and swfdec-mozilla. That gets rid of the "warnings being treated as errors" thing.
(Assignee)

Comment 7

9 years ago
Thanks to Benjamin, I now have swfdec-mozilla compiled (and producing some
nice effects when Mozilla doesn't crash).

The crash is happening because sometimes ws_info is not set up (in
nsObjectFrame::CallSetWindow()) and so it contains zeros when used in
nsPluginInstanceOwner::Paint().

The crash happens for plugins that are instantiated through
nsObjectFrame::Instantiate(nsIChannel* aChannel, nsIStreamListener** aStreamListener)
rather than
nsObjectFrame::Instantiate(const char* aMimeType, nsIURI* aURI)
as only the later does CallSetWindow() (and I don't know why that is).

With attachment 324576 [details] [diff] [review], gfxXlibNativeRenderer::Draw almost never uses its dpy
argument and so the crash reduces to

###!!! ASSERTION: Visual changed: colormap may not match: 'ws_info->visual == visual', file /home/karl/moz/mozilla/layout/generic/nsObjectFrame.cpp, line 4207

but still no useful info is available in ws_info for the plugin.

I can reproduce the assertion when scrolling to the first windowless plugin on 
http://www.universfreebox.com/article5360.html, or on http://movies.yahoo.com/.
(Assignee)

Comment 8

9 years ago
Created attachment 324752 [details] [diff] [review]
move ws_info set up from nsObjectFrame::CallSetWindow() to nsPluginInstanceOwner::CreateWidget()

This is one way to solve the problem.
Perhaps another is to set up in nsObjectFrame::FixupWindow, or perhaps both
nsObjectFrame::Instantiate methods (or neither) should do CallSetWindow();

The build here has this patch and attachment 324576 [details] [diff] [review], for those who would like something that works:

https://build.mozilla.org/tryserver-builds/2008-06-11_23:42-ktomlinson@mozilla.com-lines-null-wsinfo/

(I'll see if I can work out why the Instantiate methods differ.)
Is this a common way to view flash on linux? Or are people just using the official macromedia one?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
(Assignee)

Comment 10

9 years ago
(In reply to comment #9)

The bug is being hit because newer versions of swfdec have windowless support.

https://bugs.launchpad.net/ubuntu/+source/firefox-3.0/+bug/239182

The macromedia plugin will hit the same bug when it has wmode support.

(I don't know how many users use use swfdec or gnash or the macromedia plugin [with nspluginwrapper for 64-bit].)
(Assignee)

Comment 11

9 years ago
(In reply to comment #8)
A better build with attachment 324914 [details] [diff] [review] (which fixes the plugin height) and attachment 324752 [details] [diff] [review]:

https://build.mozilla.org/tryserver-builds/2008-06-12_19:53-ktomlinson@mozilla.com-lines-null-wsinfo-2/

Comment 12

9 years ago
Similar problem seen in Adobe Flash Player. Most notable with http://movies.yahoo.com/ . Tracked by Adobe internal issue 228012.
(Assignee)

Comment 13

9 years ago
This will happen with any windowless plugin when the mime type is determined from using the URL in the data attribute rather than from the
type attribute, which now happens for object elements (bug 95549).
I guess there would be the same problem if the type attribute were not included in an embed element.
Status: NEW → ASSIGNED
Summary: crash viewing http://www.leparisien.fr with swfdec(git) plugin enabled or disabled [@ cairo_draw_with_xlib] → crash [@ cairo_draw_with_xlib] painting windowless plugins when MIME type is obtained from src
(Assignee)

Comment 14

9 years ago
Created attachment 327742 [details] [diff] [review]
move ws_info set up from nsObjectFrame::CallSetWindow()

nsPluginInstanceOwner::CreateWidget() is a good place to set up the display because that is where the plugin "becomes" windowless, and the display should not change.

The right place to set up the Colormap is in nsPluginInstanceOwner::Renderer::NativeDraw() where the Visual is known.

To avoid the need to hunt for the Visual on the Display to find the
Screen for selecting a Colormap, this changes the Display* argument of gfxXlibNativeRenderer::NativeDraw to a Screen*.

This also makes the treatment of CAIRO_XLIB_DRAWING_SUPPORTS_NONDEFAULT_VISUAL in _create_temp_xlib_surface consistent with that in _draw_with_xlib_direct.
i.e. when not set the visual must be the default visual of the screen used,
but need not be the default visual of the fallback dpy specified.
Attachment #324752 - Attachment is obsolete: true
Attachment #327742 - Flags: review?(roc)

Comment 15

9 years ago
Reported by Adobe Flash Player users:
http://nvidia.com/
http://www.bbc.co.uk/
I reproduced these crashes by loading the pages and then maximizing the browser frame. The crash appears to come from libxul.so.
I'm seeing an almost identical crash with latest Adobe Flash Player on my own personal blog, which is fixed by Karl's test build. I can reproduce 100% on latest nightly by scrolling down the page.
http://crash-stats.mozilla.com/report/index/ec6a48d1-4a4b-11dd-b681-001cc45a2ce4 and http://crash-stats.mozilla.com/report/index/d95b1702-4a4c-11dd-a703-001cc45a2ce4 are two of my crashes from a nightly.

Comment 17

9 years ago
I think my bug #442115 is a duplicate of this with some additional information as to what is causing this.  
(Assignee)

Updated

9 years ago
Duplicate of this bug: 442115
(Assignee)

Updated

9 years ago
Flags: wanted1.9.0.x?
Summary: crash [@ cairo_draw_with_xlib] painting windowless plugins when MIME type is obtained from src → crash [@ cairo_draw_with_xlib] painting windowless plugins when MIME type is obtained from data/src
FindColormapForVisual and the other colormap-getting machinery should move into gfxNativeRenderer as discussed. Otherwise looks great. (X suuuuucks!)
(Assignee)

Comment 20

9 years ago
Created attachment 328287 [details] [diff] [review]
move ws_info set up from nsObjectFrame::CallSetWindow() v4.1

(In reply to comment #19)
> FindColormapForVisual and the other colormap-getting machinery should move into
> gfxNativeRenderer as discussed.

Done.
Attachment #327742 - Attachment is obsolete: true
Attachment #328287 - Flags: review?(roc)
Attachment #327742 - Flags: review?(roc)
Attachment #328287 - Flags: superreview+
Attachment #328287 - Flags: review?(roc)
Attachment #328287 - Flags: review+
(Assignee)

Comment 21

9 years ago
Requesting blocking 1.9.0.2 because both swfdec and Adobe now have
windowless-capable Flash plugins available (though Adobe's at least is still in
beta), and moonlight also has a windowless plugin.

The number of affected sites is hard to estimate as there is a race condition between reflow and plugin instantiation, but definitely high enough that we can expect plenty of users to hit this when they upgrade their plugin versions.
Flags: blocking1.9.0.2?

Comment 22

9 years ago
Confirmed the latest patch fixes this issue with the moonlight plugin and our testcases.

@karlt, The patch doesn't appear to apply cleanly with any version of patch tho, dunno whats going on with that.
(Assignee)

Comment 23

9 years ago
Created attachment 328388 [details] [diff] [review]
move ws_info set up from nsObjectFrame::CallSetWindow() v4.1.1

Correct patch line counts.  (Same code.)

(In reply to comment #22)
> The patch doesn't appear to apply cleanly with any version of patch
> tho, dunno whats going on with that.

Thanks for testing, Geoff.  Sorry about the patch.  Emacs diff-mode sometimes (but I don't know exactly when) doesn't update line counts and I forgot to check that.
Attachment #328287 - Attachment is obsolete: true
(Assignee)

Comment 24

9 years ago
Created attachment 328437 [details] [diff] [review]
include gdk/gdkscreen.h in system-headers

for:

/tools/gcc/bin/g++  -fno-rtti -fno-exceptions -Wall -Wconversion -Wpointer-arith -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wcast-align -Wno-long-long -pedantic -gstabs+ -fno-strict-aliasing -fshort-wchar -pthread -pipe  -DNDEBUG -DTRIMMED -Os -freorder-blocks -fno-reorder-functions -finline-limit=50 -fPIC -shared -Wl,-z,defs -Wl,-h,libxul.so -o libxul.so  nsStaticXULComponents.o nsUnicharUtils.o nsCompressedCharMap.o nsBidiUtils.o nsRDFResource.o     -lpthread   -Wl,-rpath-link,../../dist/bin  -Wl,--whole-archive ../../embedding/browser/gtk/src/libgtkembedmoz.a ../../toolkit/xre/libxulapp_s.a  ../../staticlib/components/libxpconnect.a ../../staticlib/components/libnecko.a ../../staticlib/components/libuconv.a ../../staticlib/components/libi18n.a ../../staticlib/components/libchardet.a ../../staticlib/components/libjar50.a ../../staticlib/components/libpref.a ../../staticlib/components/libcaps.a ../../staticlib/components/libhtmlpars.a ../../staticlib/components/libimglib2.a ../../staticlib/components/libgklayout.a ../../staticlib/components/libdocshell.a ../../staticlib/components/libembedcomponents.a ../../staticlib/components/libwebbrwsr.a ../../staticlib/components/libnsappshell.a ../../staticlib/components/libtxmgr.a ../../staticlib/components/libchrome.a ../../staticlib/components/libcommandlines.a ../../staticlib/components/libtoolkitcomps.a ../../staticlib/components/libpipboot.a ../../staticlib/components/libpipnss.a ../../staticlib/components/libgkplugin.a ../../staticlib/components/libmozfind.a ../../staticlib/components/libappcomps.a ../../staticlib/components/libunixproxy.a ../../staticlib/components/libxpinstall.a ../../staticlib/components/libjsd.a ../../staticlib/components/libautoconfig.a ../../staticlib/components/libauth.a ../../staticlib/components/libcookie.a ../../staticlib/components/libpermissions.a ../../staticlib/components/libuniversalchardet.a ../../staticlib/components/libcomposer.a ../../staticlib/components/librdf.a ../../staticlib/components/libwindowds.a ../../staticlib/components/libintlapp.a ../../staticlib/components/libfileview.a ../../staticlib/components/libstoragecomps.a ../../staticlib/components/libplaces.a ../../staticlib/components/libtkautocomplete.a ../../staticlib/components/libsatchel.a ../../staticlib/components/libpippki.a ../../staticlib/components/libucvmath.a ../../staticlib/components/libwidget_gtk2.a ../../staticlib/components/libsystem-pref.a ../../staticlib/components/libgkgfxthebes.a ../../staticlib/components/libaccessibility.a ../../staticlib/components/libremoteservice.a ../../staticlib/components/libspellchecker.a ../../staticlib/components/libzipwriter.a ../../staticlib/libxpcom_core.a ../../staticlib/libucvutil_s.a ../../staticlib/libgkgfx.a ../../staticlib/libgfxshared_s.a ../../staticlib/libmozreg_s.a ../../staticlib/libmorkreader_s.a ../../staticlib/libgtkxtbin.a ../../staticlib/libgfxpsshar.a ../../staticlib/libthebes.a  -Wl,--no-whole-archive -L../../dist/lib -lsqlite3 -L../../dist/bin -L../../dist/lib  -L../../dist/bin -L../../dist/lib -L../../jpeg -lmozjpeg -L../../modules/libimg/png -lmozpng -L../../dist/bin -lmozlcms -L../../dist/bin -lmozjs -L../../dist/bin -L../../dist/lib -lcrmf -lsmime3 -lssl3 -lnss3 -lnssutil3 -lsoftokn3  -L../../modules/zlib/src -lmozz -L/lib64 -lpangocairo-1.0 -lcairo -lpangoft2-1.0 -lpango-1.0 -lgobject-2.0 -lgmodule-2.0 -ldl -lglib-2.0   ../../gfx/cairo/cairo/src/libmozcairo.a ../../gfx/cairo/libpixman/src/libmozlibpixman.a   -L/usr/lib64 -lXrender -lfreetype -lfontconfig -L../../dist/lib -lplds4 -lplc4 -lnspr4 -lpthread -ldl -L/usr/lib64 -lX11  -lXft -lXrender -lfontconfig -lfreetype -lX11   -L/lib64 -lgtk-x11-2.0 -latk-1.0 -lgdk-x11-2.0 -lgdk_pixbuf-2.0 -lm -lpangocairo-1.0 -lpango-1.0 -lcairo -lgmodule-2.0 -ldl -lgobject-2.0 -lglib-2.0   -lXt -lgthread-2.0 -lfreetype -ldl -lm     
/usr/bin/ld: ../../staticlib/libthebes.a(gfxXlibNativeRenderer.o): relocation R_X86_64_PC32 against `gdk_display_get_screen' can not be used when making a shared object; recompile with -fPIC
Attachment #328437 - Flags: review?(roc)
Attachment #328437 - Flags: review?(roc) → review+
(Assignee)

Comment 25

9 years ago
pushed:
http://hg.mozilla.org/index.cgi/mozilla-central/rev/9bbea3b66376
http://hg.mozilla.org/index.cgi/mozilla-central/rev/e30f2c0b5c1f
http://hg.mozilla.org/index.cgi/mozilla-central/rev/6c0971153949
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 26

9 years ago
Another consistent crasher: http://skoda-auto.cz/
(Assignee)

Comment 27

9 years ago
Please use the build here:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008-07-08-02-mozilla-central/

It includes the fix for this bug
(and resolves the crash on http://skoda-auto.cz/).

Comment 28

9 years ago
Awesome. Works great with all of the problem URLs. Thanks.
(Assignee)

Updated

9 years ago
Blocks: 384845
Attachment #328388 - Flags: approval1.9.0.2?
Attachment #328437 - Flags: approval1.9.0.2?

Updated

9 years ago
Duplicate of this bug: 445043
(Assignee)

Updated

9 years ago
Duplicate of this bug: 445202
Can we get a test for this before landing in 1.9.0?
Flags: in-testsuite?
(Assignee)

Comment 32

9 years ago
(In reply to comment #31)
Automated testing depends on having a windowless plugin in our source tree
(bug 386144).

I've manually tested this patch with Swfdec on the problem sites reported
here, Geoff Norton has tested the Moonlight plugin (comment #22) on their
testcases (including attachment attachment 326988 [details]), and Mike Melanson has
tested the Adobe plugin (comment #28).
Comment on attachment 328388 [details] [diff] [review]
move ws_info set up from nsObjectFrame::CallSetWindow() v4.1.1

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #328388 - Flags: approval1.9.0.2? → approval1.9.0.2+
Comment on attachment 328437 [details] [diff] [review]
include gdk/gdkscreen.h in system-headers

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #328437 - Flags: approval1.9.0.2? → approval1.9.0.2+
No blocking, but wanted (and the patches are already approved).
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.2?
Flags: blocking1.9.0.2-
(Assignee)

Comment 36

9 years ago
Comment on attachment 328388 [details] [diff] [review]
move ws_info set up from nsObjectFrame::CallSetWindow() v4.1.1

checked into cvs with attachment 328437 [details] [diff] [review]:

http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1216938963&maxdate=1216939084&who=karlt%2B%25karlt.net
(Assignee)

Updated

9 years ago
Target Milestone: --- → mozilla1.9.1a1
(Assignee)

Updated

9 years ago
Keywords: fixed1.9.0.2
Keywords: fixed1.9.1

Updated

7 years ago

Updated

7 years ago

Updated

7 years ago
Crash Signature: [@ cairo_draw_with_xlib]
You need to log in before you can comment on or make changes to this bug.