Closed
Bug 493362
Opened 16 years ago
Closed 16 years ago
crashes @SetWidgetForHierarchy
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: karlt, Assigned: karlt)
References
Details
(Keywords: crash)
Attachments
(1 file)
|
865 bytes,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
Reported in bug 485125 comment 18 by Timothy Nikkel:
#5 <signal handler called>
#6 0xb4fe458e in SetWidgetForHierarchy (aWindow=0xac9734c0,
aOldWidget=0xb39f5290, aNewWidget=0xacc3f4c0)
at /src/widget/src/gtk2/nsWindow.cpp:715
#7 0xb4fe45a1 in SetWidgetForHierarchy (aWindow=0xac973460,
aOldWidget=0xb39f5290, aNewWidget=0xacc3f4c0)
at /src/widget/src/gtk2/nsWindow.cpp:715
#8 0xb4fe7065 in nsWindow::SetParent (this=0xaccb6690, aNewParent=0x0)
at /src/widget/src/gtk2/nsWindow.cpp:914
#9 0xb31eed61 in nsPluginInstanceOwner::PrepareToStop (this=0xad0f0680,
aDelayedStop=1)
at /src/layout/generic/nsObjectFrame.cpp:4290
#10 0xb31f4294 in nsObjectFrame::StopPluginInternal (this=0xaf3c18d4,
aDelayedStop=1)
at /src/layout/generic/nsObjectFrame.cpp:2053
#11 0xb31f59c6 in nsObjectFrame::Destroy (this=0xaf3c18d4)
at /src/layout/generic/nsObjectFrame.cpp:615
#12 0xb31c7daa in nsFrameList::DestroyFrames (this=0xad17f1ec)
at /src/layout/generic/nsFrameList.cpp:67
#13 0xb3223b9c in ViewportFrame::Destroy (this=0xad17f1b0)
at /src/layout/generic/nsViewportFrame.cpp:67
#14 0xb3162d5c in nsFrameManager::Destroy (this=0xac90f01c)
at /src/layout/base/nsFrameManager.cpp:290
#15 0xb3185b16 in PresShell::Destroy (this=0xac90f000)
at /src/layout/base/nsPresShell.cpp:1881
On a subsequent run I put a breakpoint at nsWindow.cpp:715, skipped over the
first call to SetWidgetForHierarchy to get to the crash in the second call. The
first time through the loop:
(gdb) p list
$12 = (GList *) 0xaf4753e0
(gdb) p list->data
$13 = (gpointer) 0xaf471280
The second time:
(gdb) p list
$14 = (GList *) 0x5a5a5a5a
and that is a special indicating allocated but unused memory I think.
|
Assignee | |
Comment 1•16 years ago
|
||
And in in bug 485125 comment 19 by Matthew Cline:
I'm getting a crash with a slightly different stack trace:
0 SetWidgetForHierarchy widget/src/gtk2/nsWindow.cpp:692
1 SetWidgetForHierarchy widget/src/gtk2/nsWindow.cpp:715
2 SetWidgetForHierarchy widget/src/gtk2/nsWindow.cpp:715
3 nsWindow::Destroy widget/src/gtk2/nsWindow.cpp:818
4 nsPluginInstanceOwner::Destroy layout/generic/nsObjectFrame.cpp:4264
5 DoStopPlugin layout/generic/nsObjectFrame.cpp:1952
However, it's saying everthing is in libxul.so, so the crash stat server might
be messed up (see bp-81f29a2c-f973-47b6-8b67-633ef2090516)
I also get this warning right before the crash:
GLib-GObject-WARNING **: invalid uninstantiatable type `<invalid>' in cast to
`GdkWindow'
|
|
Assignee | |
Comment 2•16 years ago
|
||
Are there some reliable steps to reproduce?
In reply to bug 485125 comment 18:
> I'm getting a crash when closing a tab containing an (empty) flash plugin.
Timothy, what do you mean by "empty"?
|
|
Assignee | |
Comment 3•16 years ago
|
||
Some debugging with tn on irc:
p ((GList*(*)())gdk_window_peek_children)(aWindow)
(_GList *) 0xac347820
p *((GList*(*)())gdk_window_peek_children)(aWindow)
{data = 0xaf9bc460, next = 0x0, prev = 0x0}
p list
(GList *) 0x5a5a5a5a
It looks like a previous iteration has removed a link from the list.
gtk_widget_reparent or gtk_widget_destroy would do this.
|
|
Assignee | |
Comment 4•16 years ago
|
||
Attachment #377839 -
Flags: review?(roc)
Attachment #377839 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 5•16 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 6•16 years ago
|
||
Unfortunately this wasn't quite fixed in time for the 2009-05-16 nightly build, but the fix will be in tomorrow's build.
|
||
Updated•3 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•