Closed Bug 512142 Opened 15 years ago Closed 3 years ago

Layout synchronously fires image loads, causing problems if a necko listener isn't well-behaved

Categories: Core :: Layout, defect
Hardware: Other, OS: Linux
Type: defect
Priority: Not set
Severity: critical


RESOLVED WORKSFORME

People

(Reporter: romaxa, Unassigned)


Details

(Keywords: sec-want, Whiteboard: [sg:want P4])

We have a bunch of crashes in our embedding environment with this stack:
#2  <signal handler called>
#3  0x00000000 in ?? ()
#4  0xb2696ec4 in nsPresContext::AllocateFromShell (this=0x90d1390, aSize=84)
    at layout/tables/../base/nsPresContext.h:283
#5  0xb26dfd60 in nsStyleBackground::operator new (sz=84, aContext=0x90d1390)
    at layout/style/nsStyleStruct.h:230
#6  0xb26db0ad in nsRuleNode::ComputeBackgroundData (this=0x90d15d8, aStartStruct=0x0, aData=@0xbffe0e1c, aContext=0x90d12d0, aHighestNode=0x90d15d8, 
    aRuleDetail=nsRuleNode::eRulePartialReset, aCanStoreInRuleTree=1) at layout/style/nsRuleNode.cpp:4152
#7  0xb26dd1a2 in nsRuleNode::WalkRuleTree (this=0x90d15d8, aSID=eStyleStruct_Background, aContext=0x90d12d0, aRuleData=0xbffe0dd4, aSpecificData=0xbffe0e1c)
    at layout/style/nsStyleStructList.h:79
#8  0xb26deb83 in nsRuleNode::GetBackgroundData (this=0x90d15d8, aContext=0x90d12d0)
    at layout/style/nsRuleNode.cpp:1526
#9  0xb26dec75 in nsRuleNode::GetStyleBackground (this=0x90d15d8, aContext=0x90d12d0, aComputeData=1)
    at layout/style/nsStyleStructList.h:79
#10 0xb26e4485 in nsStyleContext::GetStyleBackground (this=0x90d12d0) at layout/style/nsStyleStructList.h:79
#11 0xb254816c in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x90d0658, aState=@0xbffe1088, aIter=@0xbffe0f64, aParentFrame=0x90d14b8, 
    aFrameItems=@0xbffe1020) at layout/base/nsCSSFrameConstructor.cpp:5510
#12 0xb254bda8 in nsCSSFrameConstructor::ConstructFrame (this=0x90d0658, aState=@0xbffe1088, aContent=0x9178258, aParentFrame=0x90d14b8, 
    aFrameItems=@0xbffe1020) at layout/base/nsCSSFrameConstructor.cpp:5126
#13 0xb254c0dd in nsCSSFrameConstructor::CreateAnonymousFrames (this=0x90d0658, aState=@0xbffe1088, aParent=0x90b94a8, aParentFrame=0x90d14b8, 
    aChildItems=@0xbffe1020) at layout/base/nsCSSFrameConstructor.cpp:4025
#14 0xb254c1ef in nsCSSFrameConstructor::BeginBuildingScrollFrame (this=0x90d0658, aState=@0xbffe1088, aContent=0x90b94a8, aContentStyle=0x90d1050, 
    aParentFrame=0x90d0ee4, aScrolledPseudo=0x8d52830, aIsRoot=1, aNewFrame=@0xbffe10e8)
    at layout/base/nsCSSFrameConstructor.cpp:4373
#15 0xb254ca5d in nsCSSFrameConstructor::SetUpDocElementContainingBlock (this=0x90d0658, aDocElement=0x90b94a8)
    at layout/base/nsCSSFrameConstructor.cpp:2904
#16 0xb254ccd6 in nsCSSFrameConstructor::ConstructDocElementFrame (this=0x90d0658, aDocElement=0x90b94a8, aFrameState=0x0, aNewFrame=0xbffe1368)
    at layout/base/nsCSSFrameConstructor.cpp:2444
#17 0xb254d70f in nsCSSFrameConstructor::ContentInserted (this=0x90d0658, aContainer=0x0, aChild=0x90b94a8, aIndexInContainer=0, aFrameState=0x0)
    at layout/base/nsCSSFrameConstructor.cpp:6553
#18 0xb25a5df1 in PresShell::InitialReflow (this=0x90cf2f0, aWidth=48000, aHeight=20160)
    at layout/base/nsPresShell.cpp:2720

This is just because we are destroying layout during InitialReflow.
I cannot understand why the PresShell gets destroyed, because we have
nsCOMPtr<nsIPresShell> kungFuDeathGrip(this); at the beginning of PresShell::InitialReflow
http://mxr.mozilla.org/mozilla-central/source/layout/base/nsPresShell.cpp#2544

But even if the PresShell refcount is increased, we still get destroyed from DocumentViewerImpl::DestroyPresShell with the following stack.

I have made a synthetic call of GtkMozEmbed destroy and tested it on the mozilla-1.9.2 release...
And it also crashes... and the PresShell::Destroy backtrace is as follows:


#0  ~PresShell (this=0x99dc670) at layout/base/nsPresShell.cpp:1757
#1  0xb258de90 in PresShell::Release (this=0x99dc670) at layout/base/nsPresShell.cpp:1752
#2  0xb731f7f4 in nsCOMPtr_base::assign_with_AddRef () from obj-i386/dist/bin/libxpcom_core.so
#3  0xb2573728 in nsCOMPtr<nsIPresShell>::operator= (this=0x9982f2c, rhs=0x0) at ../../dist/include/nsCOMPtr.h:640
#4  0xb2566c06 in DocumentViewerImpl::DestroyPresShell (this=0x9982ef8)
    at layout/base/nsDocumentViewer.cpp:4333
#5  0xb256d476 in DocumentViewerImpl::Destroy (this=0x9982ef8) at layout/base/nsDocumentViewer.cpp:1573
#6  0xb256895f in DocumentViewerImpl::Hide (this=0x99ee420) at layout/base/nsDocumentViewer.cpp:1987
#7  0xb4bff026 in nsDocShell::SetVisibility () from obj-i386/dist/bin/components/libdocshell.so
#8  0xb4c44e47 in nsWebBrowser::SetVisibility () from obj-i386/dist/bin/components/libwebbrwsr.so
#9  0xb70e3932 in EmbedPrivate::Hide (this=0x96ac998) at embedding/browser/gtk/src/EmbedPrivate.cpp:361
#10 0xb70e1402 in gtk_moz_embed_unmap (widget=0x96732d0) at embedding/browser/gtk/src/gtkmozembed2.cpp:593
#11 0xb77e241d in IA__g_cclosure_marshal_VOID__VOID (closure=0x96713a0, return_value=0x0, n_param_values=1, param_values=0x987a6c8, 
    invocation_hint=0xbf9d486c, marshal_data=0xb70e12fa) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gmarshal.c:77
#12 0xb77d3dc8 in g_type_class_meta_marshal (closure=0x96713a0, return_value=0x0, n_param_values=1, param_values=0x987a6c8, invocation_hint=0xbf9d486c, 
    marshal_data=0x70) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gclosure.c:878
#13 0xb77d54ec in IA__g_closure_invoke (closure=0x96713a0, return_value=0x0, n_param_values=1, param_values=0x987a6c8, invocation_hint=0xbf9d486c)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gclosure.c:767
#14 0xb77e951f in signal_emit_unlocked_R (node=0x9671240, detail=0, instance=0x96732d0, emission_return=0x0, instance_and_params=0x987a6c8)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:3177
#15 0xb77eb5ca in IA__g_signal_emit_valist (instance=0x96732d0, signal_id=12, detail=0, var_args=0xbf9d4a7c "\211´Ë·¨\203ß·\001")
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:2980
#16 0xb77eb90e in IA__g_signal_emit (instance=0x96732d0, signal_id=12, detail=0)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:3037
#17 0xb7cbb4ce in IA__gtk_widget_unmap (widget=0x96732d0) at gtkwidget.c:3447
#18 0xb7cc0c67 in IA__gtk_widget_unparent (widget=0x96732d0) at gtkwidget.c:3124
#19 0xb7b03752 in gtk_box_remove (container=0x96730a0, widget=0xb259db4a) at gtkbox.c:747
#20 0xb77e1a22 in IA__g_cclosure_marshal_VOID__OBJECT (closure=0x9666e28, return_value=0x0, n_param_values=2, param_values=0x987f228, 
    invocation_hint=0xbf9d4d8c, marshal_data=0xb7b03700) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gmarshal.c:636
#21 0xb77d3dc8 in g_type_class_meta_marshal (closure=0x9666e28, return_value=0x0, n_param_values=2, param_values=0x987f228, invocation_hint=0xbf9d4d8c, 
    marshal_data=0x170) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gclosure.c:878
#22 0xb77d55cb in IA__g_closure_invoke (closure=0x9666e28, return_value=0x0, n_param_values=2, param_values=0x987f228, invocation_hint=0xbf9d4d8c)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gclosure.c:767
#23 0xb77e951f in signal_emit_unlocked_R (node=0x968f200, detail=0, instance=0x96730a0, emission_return=0x0, instance_and_params=0x987f228)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:3177
#24 0xb77eb5ca in IA__g_signal_emit_valist (instance=0x96730a0, signal_id=82, detail=0, var_args=0xbf9d4fa0 "Ô2g\t\001")
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:2980
#25 0xb77eb90e in IA__g_signal_emit (instance=0x96730a0, signal_id=82, detail=0)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:3037
#26 0xb7b31467 in IA__gtk_container_remove (container=0x96730a0, widget=0x96732d0) at gtkcontainer.c:1227
#27 0xb7cb7d20 in IA__gtk_widget_reparent (widget=0x96732d0, new_parent=0x98554c0) at gtkwidget.c:5167
#28 0xb70e46ab in EmbedPrivate::Unrealize (this=0x96ac998) at embedding/browser/gtk/src/EmbedPrivate.cpp:337
#29 0xb70e1758 in gtk_moz_embed_unrealize (widget=0x96732d0) at embedding/browser/gtk/src/gtkmozembed2.cpp:527
#30 0xb77e241d in IA__g_cclosure_marshal_VOID__VOID (closure=0x9671490, return_value=0x0, n_param_values=1, param_values=0x987f8c8, 
    invocation_hint=0xbf9d52bc, marshal_data=0xb70e1678) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gmarshal.c:77
#31 0xb77d3dc8 in g_type_class_meta_marshal (closure=0x9671490, return_value=0x0, n_param_values=1, param_values=0x987f8c8, invocation_hint=0xbf9d52bc, 
    marshal_data=0x78) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gclosure.c:878
#32 0xb77d54ec in IA__g_closure_invoke (closure=0x9671490, return_value=0x0, n_param_values=1, param_values=0x987f8c8, invocation_hint=0xbf9d52bc)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gclosure.c:767
#33 0xb77e9db9 in signal_emit_unlocked_R (node=0x96714b8, detail=0, instance=0x96732d0, emission_return=0x0, instance_and_params=0x987f8c8)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:3285
#34 0xb77eb5ca in IA__g_signal_emit_valist (instance=0x96732d0, signal_id=14, detail=0, var_args=0xbf9d54cc "¹¬Ë·¨\203ß· \003")
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:2980
#35 0xb77eb90e in IA__g_signal_emit (instance=0x96732d0, signal_id=14, detail=0)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:3037
#36 0xb7cbad40 in IA__gtk_widget_unrealize (widget=0x96732d0) at gtkwidget.c:3598
#37 0xb7cc0e2f in IA__gtk_widget_unparent (widget=0x96732d0) at gtkwidget.c:3126
#38 0xb7b03752 in gtk_box_remove (container=0x96730a0, widget=0xb259db4a) at gtkbox.c:747
#39 0xb77e1a22 in IA__g_cclosure_marshal_VOID__OBJECT (closure=0x9666e28, return_value=0x0, n_param_values=2, param_values=0x98801b8, 
    invocation_hint=0xbf9d57dc, marshal_data=0xb7b03700) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gmarshal.c:636
#40 0xb77d3dc8 in g_type_class_meta_marshal (closure=0x9666e28, return_value=0x0, n_param_values=2, param_values=0x98801b8, invocation_hint=0xbf9d57dc, 
    marshal_data=0x170) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gclosure.c:878
#41 0xb77d54ec in IA__g_closure_invoke (closure=0x9666e28, return_value=0x0, n_param_values=2, param_values=0x98801b8, invocation_hint=0xbf9d57dc)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gclosure.c:767
#42 0xb77e951f in signal_emit_unlocked_R (node=0x968f200, detail=0, instance=0x96730a0, emission_return=0x0, instance_and_params=0x98801b8)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:3177
#43 0xb77eb5ca in IA__g_signal_emit_valist (instance=0x96730a0, signal_id=82, detail=0, var_args=0xbf9d59f0 "")
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:2980
#44 0xb77eb90e in IA__g_signal_emit (instance=0x96730a0, signal_id=82, detail=0)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gsignal.c:3037
#45 0xb7b31467 in IA__gtk_container_remove (container=0x96730a0, widget=0x96732d0) at gtkcontainer.c:1227
#46 0xb7cbbc15 in gtk_widget_dispose (object=0x96732d0) at gtkwidget.c:8111
#47 0xb77d79cd in IA__g_object_run_dispose (object=0x96732d0) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/gobject/gobject.c:789
#48 0xb7bd1b0f in IA__gtk_object_destroy (object=0x96732d0) at gtkobject.c:406
#49 0xb7cbbf19 in IA__gtk_widget_destroy (widget=0x96732d0) at gtkwidget.c:3177
#50 0xb70e8f0f in EmbedProgress::OnStateChange (this=0x96c6ce8, aWebProgress=0x9862b9c, aRequest=0xb2208528, aStateFlags=65537, aStatus=0)
    at embedding/browser/gtk/src/EmbedProgress.cpp:75
#51 0xb4c1b4d4 in nsDocLoader::FireOnStateChange () from obj-i386/dist/bin/components/libdocshell.so
#52 0xb4c1c3a0 in nsDocLoader::OnStartRequest () from obj-i386/dist/bin/components/libdocshell.so
#53 0xb5d9fab1 in nsLoadGroup::AddRequest () from obj-i386/dist/bin/components/libnecko.so
#54 0xb4a832ad in imgRequestProxy::AddToLoadGroup () from obj-i386/dist/bin/components/libimglib2.so
#55 0xb4a7f80e in imgLoader::LoadImage () from obj-i386/dist/bin/components/libimglib2.so
#56 0xb27631dd in nsContentUtils::LoadImage () from obj-i386/dist/bin/components/libgklayout.so
#57 0xb26a8e19 in Image (this=0x9af35c8, aURI=0x99b0df0, aString=0x99b0d90, aReferrer=0x9994e40, aOriginPrincipal=0x9756958, aDocument=0x99edac8)
    at layout/style/nsCSSValue.cpp:514
#58 0xb26a9944 in nsCSSValue::StartImageLoad (this=0x99b0f40, aDocument=0x99edac8)
    at layout/style/nsCSSValue.cpp:415
#59 0xb2661210 in nsCSSCompressedDataBlock::MapRuleInfoInto (this=0x99b0f90, aRuleData=0xbf9d5f24)
    at layout/style/nsCSSDataBlock.cpp:282
#60 0xb26a07ec in nsCSSDeclaration::MapRuleInfoInto (this=0x99b0af8, aRuleData=0xbf9d5f24)
    at layout/style/nsCSSDeclaration.h:95
#61 0xb269c97a in CSSStyleRuleImpl::MapRuleInfoInto (this=0x99b1000, aRuleData=0xbf9d5f24)
    at layout/style/nsCSSStyleRule.cpp:1455
#62 0xb26d1ef2 in nsRuleNode::WalkRuleTree (this=0x9a3a2f0, aSID=eStyleStruct_Background, aContext=0x9a39fe8, aRuleData=0xbf9d5f24, aSpecificData=0xbf9d5f6c)
    at layout/style/nsRuleNode.cpp:1810
#63 0xb26d3b83 in nsRuleNode::GetBackgroundData (this=0x9a3a2f0, aContext=0x9a39fe8)
    at layout/style/nsRuleNode.cpp:1526
#64 0xb26d3c75 in nsRuleNode::GetStyleBackground (this=0x9a3a2f0, aContext=0x9a39fe8, aComputeData=1)
    at layout/style/nsStyleStructList.h:79
#65 0xb26d9485 in nsStyleContext::GetStyleBackground (this=0x9a39fe8) at layout/style/nsStyleStructList.h:79
#66 0xb253d16c in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x9a39370, aState=@0xbf9d61d8, aIter=@0xbf9d60b4, aParentFrame=0x9a3a1d0, 
    aFrameItems=@0xbf9d6170) at layout/base/nsCSSFrameConstructor.cpp:5510
#67 0xb2540da8 in nsCSSFrameConstructor::ConstructFrame (this=0x9a39370, aState=@0xbf9d61d8, aContent=0x9ae7998, aParentFrame=0x9a3a1d0, 
    aFrameItems=@0xbf9d6170) at layout/base/nsCSSFrameConstructor.cpp:5126
#68 0xb25410dd in nsCSSFrameConstructor::CreateAnonymousFrames (this=0x9a39370, aState=@0xbf9d61d8, aParent=0x9a22190, aParentFrame=0x9a3a1d0, 
    aChildItems=@0xbf9d6170) at layout/base/nsCSSFrameConstructor.cpp:4025
#69 0xb25411ef in nsCSSFrameConstructor::BeginBuildingScrollFrame (this=0x9a39370, aState=@0xbf9d61d8, aContent=0x9a22190, aContentStyle=0x9a39d68, 
    aParentFrame=0x9a39bfc, aScrolledPseudo=0x96ba830, aIsRoot=1, aNewFrame=@0xbf9d6238)
    at layout/base/nsCSSFrameConstructor.cpp:4373
#70 0xb2541a5d in nsCSSFrameConstructor::SetUpDocElementContainingBlock (this=0x9a39370, aDocElement=0x9a22190)
    at layout/base/nsCSSFrameConstructor.cpp:2904
#71 0xb2541cd6 in nsCSSFrameConstructor::ConstructDocElementFrame (this=0x9a39370, aDocElement=0x9a22190, aFrameState=0x0, aNewFrame=0xbf9d64b8)
    at layout/base/nsCSSFrameConstructor.cpp:2444
#72 0xb254270f in nsCSSFrameConstructor::ContentInserted (this=0x9a39370, aContainer=0x0, aChild=0x9a22190, aIndexInContainer=0, aFrameState=0x0)
    at layout/base/nsCSSFrameConstructor.cpp:6553
#73 0xb259adf1 in PresShell::InitialReflow (this=0x9a38008, aWidth=48000, aHeight=20160)
    at layout/base/nsPresShell.cpp:2720
#74 0xb2760302 in nsContentSink::StartLayout () from obj-i386/dist/bin/components/libgklayout.so
#75 0xb27607fd in nsContentSink::StyleSheetLoaded () from obj-i386/dist/bin/components/libgklayout.so
#76 0xb2666ef7 in CSSLoaderImpl::SheetComplete (this=0x99ee130, aLoadData=0x9a7bb18, aStatus=0)
    at layout/style/nsCSSLoader.cpp:1599
#77 0xb2667810 in CSSLoaderImpl::ParseSheet (this=0x99ee130, aStream=0x984eab8, aLoadData=0x9a7bb18, aCompleted=@0xbf9d6848)
    at layout/style/nsCSSLoader.cpp:1560
#78 0xb2668b4a in SheetLoadData::OnStreamComplete (this=0x9a7bb18, aLoader=0x9a7bf40, aContext=0x0, aStatus=0, aDataStream=0x984eab8)
    at layout/style/nsCSSLoader.cpp:861
#79 0xb5db2dd3 in nsUnicharStreamLoader::OnStopRequest () from obj-i386/dist/bin/components/libnecko.so
#80 0xb5dc2bc1 in nsHTTPCompressConv::OnStopRequest () from obj-i386/dist/bin/components/libnecko.so
#81 0xb5db22ed in nsStreamListenerTee::OnStopRequest () from obj-i386/dist/bin/components/libnecko.so
#82 0xb5e09770 in nsHttpChannel::OnStopRequest () from obj-i386/dist/bin/components/libnecko.so
#83 0xb5d9b5d7 in nsInputStreamPump::OnStateStop () from obj-i386/dist/bin/components/libnecko.so
#84 0xb5d9b8c2 in nsInputStreamPump::OnInputStreamReady () from obj-i386/dist/bin/components/libnecko.so
#85 0xb73426ab in nsInputStreamReadyEvent::Run () from obj-i386/dist/bin/libxpcom_core.so
#86 0xb7357c5f in nsThread::ProcessNextEvent () from obj-i386/dist/bin/libxpcom_core.so
#87 0xb73249ac in NS_ProcessPendingEvents_P () from obj-i386/dist/bin/libxpcom_core.so
#88 0xb4bd751d in nsBaseAppShell::NativeEventCallback () from obj-i386/dist/bin/components/libwidget_gtk2.so
#89 0xb4bc2fa3 in nsAppShell::EventProcessorCallback () from obj-i386/dist/bin/components/libwidget_gtk2.so
#90 0xb77626c7 in g_io_unix_dispatch (source=0x985cbf8, callback=0xb4bc2f76 <nsAppShell::EventProcessorCallback(_GIOChannel*, GIOCondition, void*)>, 
    user_data=0x985cab0) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/glib/giounix.c:162
#91 0xb772de3c in IA__g_main_context_dispatch (context=0x9676198) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/glib/gmain.c:1836
#92 0xb77313c5 in g_main_context_iterate (context=0x9676198, block=1, dispatch=1, self=0x9688758)
    at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/glib/gmain.c:2467
#93 0xb77316b8 in IA__g_main_loop_run (loop=0x99ed658) at /home/bifh4/fremantle-i386-prereleased.cs2007q3/work/glib2.0-2.20.3/glib/gmain.c:2675
#94 0xb7babb49 in IA__gtk_main () at gtkmain.c:1200
#95 0x0804c4c9 in main (argc=2, argv=0xbf9d7e54) at embedding/browser/gtk/tests/TestGtkEmbed.cpp:267

Usually the destroy happens in these cases:

PresShell::FlushPendingNotifications
nsCSSFrameConstructor::ProcessPendingRestyles
 - DESTROY from outside and Crash

PresShell::InitialReflow
nsCSSFrameConstructor::ContentInserted
 - DESTROY from outside and Crash

PresShell::ContentAppended
nsCSSFrameConstructor::ContentAppended
 - DESTROY from outside and Crash

Steps to reproduce this crash:
Open URL
Count 14 OnStateChange notifications
Destroy browser window

Result - Crash
The chain of calls is as follows:
Page started loading
entering into PresShell::InitialReflow
entering into nsCSSFrameConstructor::ContentInserted
    CSS background image parsed, and OnStateChange progress notification fired
In OnStateChange, the nsWebBrowser->DocShell->PresShell destroy happens
After returning to nsCSSFrameConstructor/PresShell, all of them have been deleted.
Group: core-security
So why does OnStateChange cause the deletion?
Something under EmbedProgress::OnStateChange does something it shouldn't be doing?
(In reply to comment #4)
> So why does OnStateChange cause the deletion?
This is just an example, and a 100% way to reproduce this problem.

> Something under EmbedProgress::OnStateChange does something it shouldn't be
> doing?

In our implementation we send the EmbedProgress notification to the UI and wait until the UI answers... during that time we receive another notification from the UI about closing the browser window....

I don't know exactly. If it is strictly forbidden to destroy the browser window inside progress notifications then OK..... we can just fix it outside (in the embedding) if the PresShell doesn't want to protect itself during reflow...
(In reply to comment #5)
> This is just an example, and 100% way to reproduce this problem.
So what do you mean by "just an example"? Are all the cases similar, where
OnStateChange does something unexpected?

> In our implementation we send the EmbedProgress notification to the UI and wait
> until the UI answers... during that time we receive another notification from the UI
> about closing the browser window....
This sounds very evil to me.
In general, OnStateChange listeners can be implemented in JS and can do weird stuff.  They shouldn't be trusted.  The fact that we synchronously start those image loads is a (known, last I checked) issue; while we're doing that all necko listeners must behave well to avoid crashes.  "behave well" means no spinning the event loop, no destroying any objects, no reentering the DOM, etc.
Summary: PresShell allow to destroy itself during reflow. → Layout synchronously fires image loads, causing problems if a necko listener isn't well-behaved
Group: core-security
Whiteboard: [sg:want P4]
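The "behave well" rule from comment #7, as an added example that is not Mozilla's code: a small C++ model of PresShell::InitialReflow firing a synchronous progress notification, showing that the kungFuDeathGrip keeps the shell's memory alive but not its pres context (Destroy() still runs), so reflow must also check a destroying flag after any reentrant call; the second listener shows the embedder-side fix of deferring the destroy to the event loop. Shell, Context, Outcome and the two Run* functions are illustrative names.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for nsPresContext: the object AllocateFromShell dereferences.
struct Context { std::vector<std::string> allocations; };

struct Shell : std::enable_shared_from_this<Shell> {
    std::unique_ptr<Context> ctx = std::make_unique<Context>();
    bool destroying = false;
    // Listener fired synchronously from the middle of reflow (in the bug:
    // nsCSSValue::StartImageLoad -> ... -> nsDocLoader::OnStateChange).
    std::function<void(Shell&)> onStateChange;

    // Equivalent of DocumentViewerImpl::DestroyPresShell: tears down the context.
    void Destroy() { destroying = true; ctx.reset(); }

    // Returns the number of style structs allocated, or -1 when reflow bailed
    // out because a listener destroyed the shell underneath it.
    int InitialReflow() {
        // The death grip keeps this object's memory alive across the callback,
        // but Destroy() still runs and frees ctx, so the grip alone is not enough.
        std::shared_ptr<Shell> kungFuDeathGrip = shared_from_this();
        (void)kungFuDeathGrip;
        ctx->allocations.push_back("nsStyleBackground(root)");
        if (onStateChange) onStateChange(*this);   // reentrant point
        if (destroying) return -1;                 // guard before touching ctx again
        ctx->allocations.push_back("nsStyleBackground(body)");
        return static_cast<int>(ctx->allocations.size());
    }
};

// Stand-in for the GTK/XPCOM event loop (constructed for this example).
static std::deque<std::function<void()>> gEvents;
static void RunPendingEvents() {
    while (!gEvents.empty()) {
        std::function<void()> e = gEvents.front();
        gEvents.pop_front();
        e();
    }
}

struct Outcome { int reflowResult; bool destroyedAfterwards; };

// Misbehaving embedder: destroys the browser from inside the notification.
Outcome RunWithBadListener() {
    auto shell = std::make_shared<Shell>();
    shell->onStateChange = [](Shell& s) { s.Destroy(); };
    int r = shell->InitialReflow();            // -1: the guard caught it
    return Outcome{r, shell->destroying};
}

// Well-behaved embedder: queues the destroy so it runs after reflow unwinds.
Outcome RunWithDeferredDestroy() {
    auto shell = std::make_shared<Shell>();
    shell->onStateChange = [](Shell& s) {
        std::shared_ptr<Shell> keep = s.shared_from_this();
        gEvents.push_back([keep] { keep->Destroy(); });
    };
    int r = shell->InitialReflow();            // 2: reflow completed untouched
    RunPendingEvents();                        // now the destroy happens
    return Outcome{r, shell->destroying};
}
```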

Marking this as Resolved > Worksforme since there are no crashes with this signature reported in the last 6 months.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME