485125 - Crash on close [@ libflashplayer.so@0x4110d ]

Status: RESOLVED FIXED

Description

[Kevin Brosnan]

Linux number 1 crasher over a 4 week period.

Steps to reproduce are not clean however this is something that I hit on a semi-daily basis.

Browse some websites with flash.
Close Firefox.
Crash reporter appears.

Crash Reports in libflashplayer.so@0x4110d http://bit.ly/IvViW

0  	libflashplayer.so  	libflashplayer.so@0x4110d  	
1 	libflashplayer.so 	libflashplayer.so@0x3b0bf 	
2 	libflashplayer.so 	libflashplayer.so@0x33060 	
3 	libflashplayer.so 	libflashplayer.so@0x37cf3 	
4 	libxul.so 	nsNPAPIPluginInstance::Stop() 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:883
5 	libxul.so 	DoStopPlugin(nsPluginInstanceOwner*, int) 	layout/generic/nsObjectFrame.cpp:1960
6 	libxul.so 	nsStopPluginRunnable::Run() 	layout/generic/nsObjectFrame.cpp:2023
7 	libxul.so 	nsThread::ProcessNextEvent(int, int*) 	xpcom/threads/nsThread.cpp:510
8 	libxul.so 	NS_ProcessNextEvent_P(nsIThread*, int) 	nsThreadUtils.cpp:227
9 	libxul.so 	nsBaseAppShell::Run() 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
10 	libxul.so 	nsAppStartup::Run() 	toolkit/components/startup/src/nsAppStartup.cpp:192
11 	libxul.so 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3279
12 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
13 	libc-2.8.90.so 	libc-2.8.90.so@0x16684

Comment 1

[Mike Beltzner [:beltzner, not reading bugmail]]

Hey Mike, are you on this? Got any ideas?

Comment 2

[Aakash Desai [:aakashd]]

I'm able to verify this close to half the time, but it's still rather intermittent. When running this instance via the terminal, every one of these crashes has outputted "(firefox-bin:14812): GLib-GObject-WARNING **: invalid uninstantiatable type `(null)' in cast to `GdkDrawable'" during a crash. I'm going to add a steps to reproduce once I get to a defined steps to reproduce.

Comment 3

[Aakash Desai [:aakashd]]

I got the steps to reproduce and here are the crash reports:
http://crash-stats.mozilla.com/report/index/00d853d7-7bfe-4fa4-9887-5ba372090330
http://crash-stats.mozilla.com/report/index/dee38e13-a367-4e34-9f43-fc79b2090330
Build Id: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3) Gecko/20090305 Firefox/3.1b3

I've gotten this to reproduce on two different Ubuntu PC's (one VM and the other a desktop comp) with the release build.

Steps to Reproduce:
1. Add in "user_pref("browser.startup.page",3); to your prefs.js file.
2. Start up firefox 3.1b3 via the terminal with the profile that has the changed prefs.js file.
3. On the first tab, go to http://www.espn.com/
4. Open a second tab and go to http://www.nbc.com/
5. Open a third tab and go to http://www.gmail.com/, then login. Remember to click the "x" button on the pop-down save passed bar.
6. Click, Hold and drag the 2nd tab to its content area to open it in a new window.
7. Re-size that new window so that it's completely within the content area of the original window.
8. Quit out of Firefox via the new window (created in step 6).
9. If it doesn't work on the first time through, repeat steps 2-8 2 more times. It always works on the 3rd time through.

Comment 4

[Blake Kaplan (:mrbkap)]

Created attachment 370111 [details]
stacks

I crash pretty reliably using ctl+q to quit (instead of ctl+w to close the last tab/window).

Comment 5

[Johnny Stenback (:jst)]

Karl says he can look into this. Reassigning.

Karl, if this turns out to point to code like the delayed plugin destruction code or what not doing something unexpected, please let me know, I could probably help if it's unrelated to gtk etc.

Comment 6

[Matthew Cline]

I got this with 38 copies of "(pkix_CacheCert_Add: PKIX_PL_HashTable_Add for Certs skipped: entry existed" on the terminal, but no Glib or GdkDrawable warnings/errors.

bp-4161b7ff-97f0-4ed8-ab12-1a1bb2090409

Comment 7

[Matthew Cline]

For the two Flash apps which I know can cause this problem, and for which I know the URLs, I get these three lines (with the xid hex codes varying):

    nsPluginNativeWindowGtk2: NPPVpluginNeedsXEmbed=1
    nsPluginNativeWindowGtk2: call SetWindow with xid=0xa0204c
    nsPluginNativeWindowGtk2: call SetWindow with xid=0xa0204c

This isn't outputed for all Flash apps, so maybe this has something to with it.

The two URLs are:

* http://prince-residence.com/
* http://www.pogo.com/marketing/landing/lp-scrabble-mt.jsp?sourceid=cam052_ValueClickLandingPageLoad_FreePogo_FullPagePopUp_ScrabbleMT&princerox=

Comment 8

[Tony Chung [:tchung]]

relnote worthy?  affects flash sites on linux

Comment 9

[Karl Tomlinson (:karlt)]

(In reply to comment #8)
> relnote worthy?  affects flash sites on linux

This is not new to 1.9.1, so I don't think 1.9.1 needs a relnote. (The same problem exists on 1.9.0.)  The problem occurs with the Flash plugin in window mode (not wmode=transparent nor wmode=opaque).

Comment 10

[Johnny Stenback (:jst)]

Karl, any update here? Let me know if you need help from someone here?

Comment 11

[Karl Tomlinson (:karlt)]

We can fix this be reparenting windows similar to what we do on MS Windows.
This is going to be much easier if we move the GtkWidget code in nsPluginNativeWindowGtk2 to nsWindow.cpp, which is probably where it should be anyway.  I'm working on it.  I don't think I'll need any help, thanks.

Comment 12

[Karl Tomlinson (:karlt)]

Created attachment 377567 [details] [diff] [review]
nsIWidget::SetParent(nsnull) for gtk

This reparents an nsIWidget to no nsIWidget for gtk, so we can do the same plugin widget reparenting that we do on MS Windows.

I ended up not moving the GtkWidget code in nsPluginNativeWindowGtk2 to nsWindow.cpp, as it wasn't going to simplify all the issues and didn't look like it was going to reduce the size of changes.

This undoes some of the changes from bug 451341 and fixes it in a different way.
Moving the weak refs from one container to another didn't look appealing.
And the whole list of weak refs on the container was a bit unfortunate given that the list of GdkWindows is available in the GdkWindow hierarchy anyway.

Comment 13

[Karl Tomlinson (:karlt)]

Created attachment 377571 [details] [diff] [review]
reparent widgets for delayed destruction

Same as MS Windows but without the audio/x-pn-realaudio-plugin quirk in nsObjectFrame::StopPlugin.

Does the comment "If the native window will be destroyed" make sense for Mac?

Comment 14

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 377567 [details] [diff] [review]
nsIWidget::SetParent(nsnull) for gtk

+// Change or NULL the GtkWidget on a hierarchy of GtkWindows and any child
+// GtkWidgets.

This comment could be better.

Comment 15

[Johnny Stenback (:jst)]

Comment on attachment 377571 [details] [diff] [review]
reparent widgets for delayed destruction

 DoDelayedStop(nsPluginInstanceOwner *aInstanceOwner, PRBool aDelayedStop)
 {
-  // Don't delay stopping QuickTime (bug 425157), Flip4Mac (bug 426524),
-  // XStandard (bug 430219), CMISS Zinc (bug 429604). ARM Flash (454756)
+  // If the native window will be destroyed, don't delay stopping QuickTime
+  // (bug 425157), Flip4Mac (bug 426524), XStandard (bug 430219), CMISS Zinc
+  // (bug 429604).

Whether the native window part of that makes sense is a good question. The cases where we do not delay stopping of a plugin is not exactly well defined, it's special cased for various plugins here, and also in nsObjectFrame::StopPlugin(). So I think I'd just leave the comment vague as it was :)

r+sr=jst

Comment 16

[Karl Tomlinson (:karlt)]

http://hg.mozilla.org/mozilla-central/rev/e49fa251d45e
http://hg.mozilla.org/mozilla-central/rev/53728d1ce5eb

Comment 17

[Karl Tomlinson (:karlt)]

Created attachment 377659 [details] [diff] [review]
testplugin changes

This modifies the test plugin to rely on the same kinds of things that other plugins are relying on.  Without the fix here, layout/generic/test/test_plugin_clipping.xhtml would crash with these test plugin changes.

Comment 18

[Timothy Nikkel (:tnikkel)]

I'm getting a crash when closing a tab containing an (empty) flash plugin.

#0  0xb7fec430 in __kernel_vsyscall ()
#1  0xb71cdf36 in nanosleep () from /lib/tls/i686/cmov/libc.so.6
#2  0xb71cdd4e in sleep () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7f82a0a in ah_crap_handler (signum=11)
    at /src/toolkit/xre/nsSigHandlers.cpp:149
#4  0xb7f82f21 in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:216
#5  <signal handler called>
#6  0xb4fe458e in SetWidgetForHierarchy (aWindow=0xac9734c0, 
    aOldWidget=0xb39f5290, aNewWidget=0xacc3f4c0)
    at /src/widget/src/gtk2/nsWindow.cpp:715
#7  0xb4fe45a1 in SetWidgetForHierarchy (aWindow=0xac973460, 
    aOldWidget=0xb39f5290, aNewWidget=0xacc3f4c0)
    at /src/widget/src/gtk2/nsWindow.cpp:715
#8  0xb4fe7065 in nsWindow::SetParent (this=0xaccb6690, aNewParent=0x0)
    at /src/widget/src/gtk2/nsWindow.cpp:914
#9  0xb31eed61 in nsPluginInstanceOwner::PrepareToStop (this=0xad0f0680, 
    aDelayedStop=1)
    at /src/layout/generic/nsObjectFrame.cpp:4290
#10 0xb31f4294 in nsObjectFrame::StopPluginInternal (this=0xaf3c18d4, 
    aDelayedStop=1)
    at /src/layout/generic/nsObjectFrame.cpp:2053
#11 0xb31f59c6 in nsObjectFrame::Destroy (this=0xaf3c18d4)
    at /src/layout/generic/nsObjectFrame.cpp:615
#12 0xb31c7daa in nsFrameList::DestroyFrames (this=0xad17f1ec)
    at /src/layout/generic/nsFrameList.cpp:67
#13 0xb3223b9c in ViewportFrame::Destroy (this=0xad17f1b0)
    at /src/layout/generic/nsViewportFrame.cpp:67
#14 0xb3162d5c in nsFrameManager::Destroy (this=0xac90f01c)
    at /src/layout/base/nsFrameManager.cpp:290
#15 0xb3185b16 in PresShell::Destroy (this=0xac90f000)
    at /src/layout/base/nsPresShell.cpp:1881
#16 0xb3150782 in DocumentViewerImpl::DestroyPresShell (this=0xacf0c450)
    at /src/layout/base/nsDocumentViewer.cpp:4255
#17 0xb31508fd in DocumentViewerImpl::Hide (this=0xacf0c450)
    at /src/layout/base/nsDocumentViewer.cpp:1963
#18 0xb2f441e6 in nsDocShell::SetVisibility (this=0xac944190, aVisibility=0)
    at /src/docshell/base/nsDocShell.cpp:4528
#19 0xb31c52b0 in nsSubDocumentFrame::HideViewer (this=0xad2629ec)
    at /src/layout/generic/nsFrameFrame.cpp:795
#20 0xb31c5d4a in nsSubDocumentFrame::Destroy (this=0xad2629ec)
    at /src/layout/generic/nsFrameFrame.cpp:760
#21 0xb31e8e8d in nsLineBox::DeleteLineList (aPresContext=0xac90a000, 
    aLines=@0xad26273c)
    at /src/layout/generic/nsLineBox.cpp:338
#22 0xb31a5eb1 in nsBlockFrame::Destroy (this=0xad2626f8)
    at /src/layout/generic/nsBlockFrame.cpp:298
#23 0xb31e8e8d in nsLineBox::DeleteLineList (aPresContext=0xac90a000, 
    aLines=@0xad262514)
    at /src/layout/generic/nsLineBox.cpp:338
#24 0xb31a5eb1 in nsBlockFrame::Destroy (this=0xad2624d0)
    at /src/layout/generic/nsBlockFrame.cpp:298
#25 0xb31c7daa in nsFrameList::DestroyFrames (this=0xacc712cc)
    at /src/layout/generic/nsFrameList.cpp:67
#26 0xb31b1fb0 in nsContainerFrame::Destroy (this=0xacc71294)
    at /src/layout/generic/nsContainerFrame.cpp:266
#27 0xb31d8be7 in CanvasFrame::Destroy (this=0xacc71294)
    at /src/layout/generic/nsHTMLFrame.cpp:228
#28 0xb31c7daa in nsFrameList::DestroyFrames (this=0xacc7144c)
    at /src/layout/generic/nsFrameList.cpp:67
#29 0xb31b1fb0 in nsContainerFrame::Destroy (this=0xacc71414)
    at /src/layout/generic/nsContainerFrame.cpp:266
#30 0xb31c7daa in nsFrameList::DestroyFrames (this=0xacc711e8)
    at /src/layout/generic/nsFrameList.cpp:67
#31 0xb31b1fb0 in nsContainerFrame::Destroy (this=0xacc711b0)
    at /src/layout/generic/nsContainerFrame.cpp:266
#32 0xb3162d5c in nsFrameManager::Destroy (this=0xac90b41c)
    at /src/layout/base/nsFrameManager.cpp:290
#33 0xb3185b16 in PresShell::Destroy (this=0xac90b400)
    at /src/layout/base/nsPresShell.cpp:1881
#34 0xb3150782 in DocumentViewerImpl::DestroyPresShell (this=0xacc95110)
    at /src/layout/base/nsDocumentViewer.cpp:4255
#35 0xb31508fd in DocumentViewerImpl::Hide (this=0xacc95110)
    at /src/layout/base/nsDocumentViewer.cpp:1963
#36 0xb2f441e6 in nsDocShell::SetVisibility (this=0xb15b8f90, aVisibility=0)
    at /src/docshell/base/nsDocShell.cpp:4528
#37 0xb31c52b0 in nsSubDocumentFrame::HideViewer (this=0xaf16e898)
    at /src/layout/generic/nsFrameFrame.cpp:795
#38 0xb31c5d4a in nsSubDocumentFrame::Destroy (this=0xaf16e898)
    at /src/layout/generic/nsFrameFrame.cpp:760
#39 0xb31c7daa in nsFrameList::DestroyFrames (this=0xaf16e4ac)
    at /src/layout/generic/nsFrameList.cpp:67
#40 0xb31b1fb0 in nsContainerFrame::Destroy (this=0xaf16e474)
    at /src/layout/generic/nsContainerFrame.cpp:266
#41 0xb31c7daa in nsFrameList::DestroyFrames (this=0xaf16e518)
    at /src/layout/generic/nsFrameList.cpp:67
#42 0xb31b1fb0 in nsContainerFrame::Destroy (this=0xaf16e4e0)
    at /src/layout/generic/nsContainerFrame.cpp:266
#43 0xb32edc10 in nsBoxFrame::RemoveFrame (this=0xb1f13da8, aListName=0x0, 
    aOldFrame=0xaf16e4e0)
    at /src/layout/xul/base/src/nsBoxFrame.cpp:1027
#44 0xb3162c80 in nsFrameManager::RemoveFrame (this=0xb2b8201c, 
    aParentFrame=0xb1f13da8, aListName=0x0, aOldFrame=0xaf16e4e0)
    at /src/layout/base/nsFrameManager.cpp:717
#45 0xb313035b in nsCSSFrameConstructor::ContentRemoved (this=0xb2bad110, 
    aContainer=0xb1f26910, aChild=0xaf17ed30, aIndexInContainer=18, 
    aDidReconstruct=0xbf8e9a74)
    at /src/layout/base/nsCSSFrameConstructor.cpp:7120
#46 0xb317f96c in PresShell::ContentRemoved (this=0xb2b82000, 
    aDocument=0xb2db2000, aContainer=0xb1f26910, aChild=0xaf17ed30, 
    aIndexInContainer=18)
    at /src/layout/base/nsPresShell.cpp:4993
#47 0xb339fc46 in nsNodeUtils::ContentRemoved (aContainer=0xb2db2000, 
    aChild=0xaf17ed30, aIndexInContainer=18)
    at /src/content/base/src/nsNodeUtils.cpp:167
#48 0xb338ed3c in nsGenericElement::doRemoveChildAt (aIndex=18, aNotify=1, 
    aKid=0xaf17ed30, aParent=0xb1f26910, aDocument=0xb2db2000, 
    aChildArray=@0xb1f2692c)
    at /src/content/base/src/nsGenericElement.cpp:3395
#49 0xb338ee5d in nsGenericElement::RemoveChildAt (this=0xb1f26910, aIndex=18, 
    aNotify=1)
    at /src/content/base/src/nsGenericElement.cpp:3325
#50 0xb36840e3 in nsXULElement::RemoveChildAt (this=0xb1f26910, aIndex=18, 
    aNotify=1)
    at /src/content/xul/content/src/nsXULElement.cpp:961
#51 0xb338714b in nsGenericElement::doRemoveChild (aOldChild=0xaf17ed50, 
    aParent=0xb1f26910, aDocument=0xb2db2000, aReturn=0xbf8e9d34)
    at /src/content/base/src/nsGenericElement.cpp:4002
#52 0xb33871db in nsGenericElement::RemoveChild (this=0xb1f26910, 
    aOldChild=0xaf17ed50, aReturn=0xbf8e9d34)
    at /src/content/base/src/nsGenericElement.cpp:3560
#53 0xb62767f6 in nsIDOMNode_RemoveChild (cx=0xb39d5400, argc=1, vp=0xac95e178)
    at dom_quickstubs.cpp:4183
#54 0xb7e68f87 in js_Interpret (cx=0xb39d5400)
    at /src/js/src/jsinterp.cpp:5139
#55 0xb7e7d0c6 in js_Invoke (cx=0xb39d5400, argc=1, vp=0xac95e024, flags=0)
    at /src/js/src/jsinterp.cpp:1394
#56 0xb7e7d5fd in js_InternalInvoke (cx=0xb39d5400, obj=0xaf182560, 
    fval=-1296180128, flags=0, argc=1, argv=0xac95e020, rval=0xbf8ea39c)
    at /src/js/src/jsinterp.cpp:1447
#57 0xb7e19cc7 in JS_CallFunctionValue (cx=0xb39d5400, obj=0xaf182560, 
    fval=-1296180128, argc=1, argv=0xac95e020, rval=0xbf8ea39c)
    at /src/js/src/jsapi.cpp:5191
#58 0xb354e972 in nsJSContext::CallEventHandler (this=0xb39f3820, 
    aTarget=0xaf17eac0, aScope=0xb39efd60, aHandler=0xb2bddc60, 
    aargv=0xac977d00, arv=0xbf8ea544)
    at /src/dom/base/nsJSEnvironment.cpp:2026
#59 0xb35a3cc9 in nsJSEventListener::HandleEvent (this=0xacc12550, 
    aEvent=0xacc3c9ac)
    at /src/dom/src/events/nsJSEventListener.cpp:247
#60 0xb3510697 in nsXBLPrototypeHandler::ExecuteHandler (this=0xb1fad700, 
    aTarget=0xaf17eac0, aEvent=0xacc3c9ac)
    at /src/content/xbl/src/nsXBLPrototypeHandler.cpp:341
#61 0xb350bbe1 in nsXBLEventHandler::HandleEvent (this=0xb1f09d60, 
    aEvent=0xacc3c9ac)
    at /src/content/xbl/src/nsXBLEventHandler.cpp:88
#62 0xb33e4a82 in nsEventListenerManager::HandleEventSubType (this=0xaf1803a0, 
    aListenerStruct=0xaf173328, aListener=0xb1f09d60, aDOMEvent=0xacc3c9ac, 
    aCurrentTarget=0xaf17eac0, aPhaseFlags=6)
    at /src/content/events/src/nsEventListenerManager.cpp:1087
#63 0xb33e4f91 in nsEventListenerManager::HandleEvent (this=0xaf1803a0, 
    aPresContext=0xb2b81c00, aEvent=0xbf8eabc4, aDOMEvent=0xbf8eaa38, 
    aCurrentTarget=0xaf17eac0, aFlags=6, aEventStatus=0xbf8eaa3c)
    at /src/content/events/src/nsEventListenerManager.cpp:1187
#64 0xb340ab15 in nsEventTargetChainItem::HandleEvent (this=0xacc0b020, 
    aVisitor=@0xbf8eaa30, aFlags=6, aMayHaveNewListenerManagers=1)
    at /src/content/events/src/nsEventDispatcher.cpp:227
#65 0xb340ad57 in nsEventTargetChainItem::HandleEventTargetChain (
    this=0xacc0b220, aVisitor=@0xbf8eaa30, aFlags=6, aCallback=0xbf8eaab0, 
    aMayHaveNewListenerManagers=1)
    at /src/content/events/src/nsEventDispatcher.cpp:291
#66 0xb340b2f2 in nsEventDispatcher::Dispatch (aTarget=0xaf17eac0, 
    aPresContext=0xb2b81c00, aEvent=0xbf8eabc4, aDOMEvent=0x0, 
    aEventStatus=0xbf8eb008, aCallback=0xbf8eaab0)
    at /src/content/events/src/nsEventDispatcher.cpp:508
#67 0xb317cd7c in PresShell::HandleEventInternal (this=0xb2b82000, 
    aEvent=0xbf8eabc4, aView=0x0, aStatus=0xbf8eb008)
    at /src/layout/base/nsPresShell.cpp:6238
#68 0xb317d34c in PresShell::HandleEventWithTarget (this=0xb2b82000, 
    aEvent=0xbf8eabc4, aFrame=0xb6cb0c9c, aContent=0xaf17eac0, 
    aStatus=0xbf8eb008)
    at /src/layout/base/nsPresShell.cpp:6137
#69 0xb33ec05d in nsEventStateManager::CheckForAndDispatchClick (
    this=0xb2b7b760, aPresContext=0xb2b81c00, aEvent=0xbf8eb1e0, 
    aStatus=0xbf8eb008)
    at /src/content/events/src/nsEventStateManager.cpp:4234
#70 0xb33f5f84 in nsEventStateManager::PostHandleEvent (this=0xb2b7b760, 
    aPresContext=0xb2b81c00, aEvent=0xbf8eb1e0, aTargetFrame=0xb6cb0c9c, 
    aStatus=0xbf8eb008, aView=0xb2ba3460)
    at /src/content/events/src/nsEventStateManager.cpp:3198
#71 0xb317cdda in PresShell::HandleEventInternal (this=0xb2b82000, 
    aEvent=0xbf8eb1e0, aView=0xb2ba3460, aStatus=0xbf8eb008)
    at /src/layout/base/nsPresShell.cpp:6259
#72 0xb317d47c in PresShell::HandlePositionedEvent (this=0xb2b82000, 
    aView=0xb2ba3460, aTargetFrame=0xb6cb0c9c, aEvent=0xbf8eb1e0, 
    aEventStatus=0xbf8eb008)
    at /src/layout/base/nsPresShell.cpp:6120
#73 0xb317d972 in PresShell::HandleEvent (this=0xb2b82000, aView=0xb2ba3460, 
    aEvent=0xbf8eb1e0, aEventStatus=0xbf8eb008)
    at /src/layout/base/nsPresShell.cpp:5980
#74 0xb353e75b in nsViewManager::HandleEvent (this=0xb2ba3400, 
    aView=0xb2ba3460, aPoint={x = -1081167712, y = -1081167392}, 
    aEvent=0xbf8eb1e0, aCaptured=0)
    at /src/view/src/nsViewManager.cpp:1346
#75 0xb3541997 in nsViewManager::DispatchEvent (this=0xb2ba3400, 
    aEvent=0xbf8eb1e0, aStatus=0xbf8eb11c)
    at /src/view/src/nsViewManager.cpp:1325
#76 0xb353b2cd in HandleEvent (aEvent=0xbf8eb1e0)
    at /src/view/src/nsView.cpp:168
#77 0xb4fe7294 in nsWindow::DispatchEvent (this=0xb2ba8040, aEvent=0xbf8eb1e0, 
    aStatus=@0xbf8eb244)
    at /src/widget/src/gtk2/nsWindow.cpp:581
#78 0xb4fe3b66 in nsWindow::OnButtonReleaseEvent (this=0xb2ba8040, 
    aWidget=0xb39f5290, aEvent=0xacc3f2e0)
    at /src/widget/src/gtk2/nsWindow.cpp:2894
#79 0xb4fe3bc8 in button_release_event_cb (widget=0xb39f5290, event=0xacc3f2e0)
    at /src/widget/src/gtk2/nsWindow.cpp:5504
#80 0xb7a73036 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#81 0xb7644c4b in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#82 0xb765b095 in ?? () from /usr/lib/libgobject-2.0.so.0
#83 0xb765c62b in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#84 0xb765cc26 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#85 0xb7b8833e in ?? () from /usr/lib/libgtk-x11-2.0.so.0
#86 0xb7a6bb4c in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#87 0xb7a6cef7 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#88 0xb780550a in ?? () from /usr/lib/libgdk-x11-2.0.so.0
#89 0xb75b6718 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#90 0xb75b9dc3 in ?? () from /usr/lib/libglib-2.0.so.0
#91 0xb75b9f81 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#92 0xb4fed3a8 in nsAppShell::ProcessNextNativeEvent (this=0xb6a444c0, 
    mayWait=1) at /src/widget/src/gtk2/nsAppShell.cpp:144
#93 0xb500c9a4 in nsBaseAppShell::DoProcessNextNativeEvent (this=0xb6a444c0, 
    mayWait=1)
    at /src/widget/src/xpwidgets/nsBaseAppShell.cpp:151
#94 0xb500cd67 in nsBaseAppShell::OnProcessNextEvent (this=0xb6a444c0, 
    thr=0xb6b79740, mayWait=1, recursionDepth=0)
    at /src/widget/src/xpwidgets/nsBaseAppShell.cpp:296
#95 0xb7dba134 in nsThread::ProcessNextEvent (this=0xb6b79740, mayWait=1, 
    result=0xbf8eb830) at /src/xpcom/threads/nsThread.cpp:497
#96 0xb7d62ece in NS_ProcessNextEvent_P (thread=0x2, mayWait=1)
    at nsThreadUtils.cpp:230
#97 0xb500cebc in nsBaseAppShell::Run (this=0xb6a444c0)
    at /src/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#98 0xb4e661c4 in nsAppStartup::Run (this=0xb6a9fee0)
    at /src/toolkit/components/startup/src/nsAppStartup.cpp:193
#99 0xb7f763de in XRE_main (argc=1, argv=0xbf8ebdf4, aAppData=0xb6b06540)
    at /src/toolkit/xre/nsAppRunner.cpp:3339
#100 0x080498cc in main (argc=1, argv=0xbf8ebdf4)
    at /src/browser/app/nsBrowserApp.cpp:156

On a subsequent run I put a breakpoint at nsWindow.cpp:715, skipped over the first call to SetWidgetForHierarchy to get to the crash in the second call. The first time through the loop:
(gdb) p list
$12 = (GList *) 0xaf4753e0
(gdb) p list->data
$13 = (gpointer) 0xaf471280

The second time:
(gdb) p list
$14 = (GList *) 0x5a5a5a5a
and that is a special indicating allocated but unused memory I think.

Comment 19

[Matthew Cline]

I'm getting a crash with a slightly different stack trace:

0 SetWidgetForHierarchy  	 widget/src/gtk2/nsWindow.cpp:692
1 SetWidgetForHierarchy 	widget/src/gtk2/nsWindow.cpp:715
2 SetWidgetForHierarchy 	widget/src/gtk2/nsWindow.cpp:715
3 nsWindow::Destroy 	widget/src/gtk2/nsWindow.cpp:818
4 nsPluginInstanceOwner::Destroy 	layout/generic/nsObjectFrame.cpp:4264
5 DoStopPlugin  	 layout/generic/nsObjectFrame.cpp:1952

However, it's saying everthing is in libxul.so, so the crash stat server might be messed up (see bp-81f29a2c-f973-47b6-8b67-633ef2090516)

I also get this warning right before the crash:

GLib-GObject-WARNING **: invalid uninstantiatable type `<invalid>' in cast to `GdkWindow'

Comment 20

[Karl Tomlinson (:karlt)]

The crashes in comment 18 and 19 have been fixed in bug 493362.
http://hg.mozilla.org/mozilla-central/rev/a4db3244cebb

When the changes here land on 1.9.1, that correction will need to be included.

No crashes in libflashplayer.so@0x4110d have been reported for Firefox:3.6a1pre since build id 2009051400 (comment 16).

Comment 21

[Karl Tomlinson (:karlt)]

Created attachment 377957 [details]
testplugin changes (without tabs)

Comment 22

[Karl Tomlinson (:karlt)]

Comment on attachment 377957 [details]
testplugin changes (without tabs)

http://hg.mozilla.org/mozilla-central/rev/f210fcece4f3

Comment 23

[Karl Tomlinson (:karlt)]

Fixed on 1.9.1 (with the correction for bug 493362):
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/2e54a9362669
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/53f838c7c18b

I haven't landed the testplugin changes on 1.9.1 because we don't have a gtk testplugin on 1.9.1.