538914 - OOPP: assertion "instance with invalid (NULL) class pointer" or crash during g_signal_handlers_destroy resizing windowed Flash plugin

Status: RESOLVED FIXED

(Core Graveyard :: Plug-ins, defect)

Description

[Karl Tomlinson (:karlt)]

STR:
1) Set dom.ipc.plugins.enabled (and restart).
2) Load data:text/html,<embed width="98%" height="98%" type="application/x-shockwave-flash" src="http://www.communitymx.com/content/source/E5141/wmode.swf">
3) resize the window.

Results:
nsPluginNativeWindowGtk2: call SetWindow with xid=0x320015e
[PluginModuleParent] NPP_SetWindow
[PluginInstanceChild] NPP_SetWindow(0x320015e, 8, 8, 556 x 403)
[PluginModuleChild] _getvalue

(<unknown>:20689): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(<unknown>:20689): GLib-GObject-CRITICAL **: g_signal_handlers_destroy: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(<unknown>:20689): GLib-GObject-WARNING **: instance with invalid (NULL) class pointer

(<unknown>:20689): GLib-GObject-CRITICAL **: g_signal_handlers_destroy: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(<unknown>:20689): Gdk-CRITICAL **: gdk_window_get_origin: assertion `GDK_IS_WINDOW (window)' failed
nsPluginNativeWindowGtk2: call SetWindow with xid=0x320015e
[PluginModuleParent] NPP_SetWindow
[PluginInstanceChild] NPP_SetWindow(0x320015e, 8, 8, 579 x 403)
[PluginModuleChild] _getvalue

(<unknown>:20689): GLib-GObject-WARNING **: instance of invalid non-instantiatable type `<invalid>'

(<unknown>:20689): GLib-GObject-CRITICAL **: g_signal_handlers_destroy: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(<unknown>:20689): GLib-GObject-WARNING **: instance of invalid non-instantiatable type `<invalid>'

(<unknown>:20689): GLib-GObject-CRITICAL **: g_signal_handlers_destroy: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed

(<unknown>:20689): Gdk-CRITICAL **: gdk_window_get_user_data: assertion `GDK_IS_WINDOW (window)' failed

(<unknown>:20689): Gdk-CRITICAL **: gdk_window_get_origin: assertion `GDK_IS_WINDOW (window)' failed

(<unknown>:20689): Gdk-CRITICAL **: gdk_window_new: assertion `parent == NULL || GDK_IS_WINDOW (parent)' failed

(<unknown>:20689): Gdk-CRITICAL **: gdk_drawable_get_display: assertion `GDK_IS_DRAWABLE (drawable)' failed

(<unknown>:20689): Gdk-CRITICAL **: gdk_x11_get_xatom_by_name_for_display: assertion `GDK_IS_DISPLAY (display)' failed

(<unknown>:20689): Gdk-WARNING **: gdkdrawable-x11.c:878 drawable is not a pixmap or window

(<unknown>:20689): Gdk-CRITICAL **: gdk_x11_display_get_xdisplay: assertion `GDK_IS_DISPLAY (display)' failed

Program /mnt/sda11/karl/moz/obj/dev/dist/bin/mozilla-runtime (pid = 20689) received signal 11.

20689 is the child process.  This is its stack at crash (but the original bug happened before the first GObject warning):

#3  <signal handler called>
#4  XChangeProperty (dpy=0x0, w=0, property=0, type=0, format=32, mode=0, 
    data=0x7f6fdd8649c0 "\001", nelements=2) at ChProp.c:48
#5  0x00007f6fe18691b6 in xembed_set_info (window=<value optimized out>, 
    flags=0) at gtkplug-x11.c:126
#6  0x00007f6fe1734194 in gtk_plug_realize (widget=0x18682e0) at gtkplug.c:637
#7  0x00007f6fe2a53e0f in IA__g_closure_invoke (closure=0x1771640, 
    return_value=0x0, n_param_values=1, param_values=0x1700f00, 
    invocation_hint=0x7f6fdd864c00) at gclosure.c:767
#8  0x00007f6fe2a68b88 in signal_emit_unlocked_R (node=0x1802d70, detail=0, 
    instance=0x18682e0, emission_return=0x0, instance_and_params=0x1700f00)
    at gsignal.c:3177
#9  0x00007f6fe2a6a96b in IA__g_signal_emit_valist (instance=0x18682e0, 
    signal_id=<value optimized out>, detail=0, var_args=0x7f6fdd864de0)
    at gsignal.c:2980
#10 0x00007f6fe2a6ae28 in IA__g_signal_emit (instance=0x0, signal_id=0, 
    detail=0) at gsignal.c:3037
#11 0x00007f6fe1805a0f in IA__gtk_widget_realize (widget=0x18682e0)
    at gtkwidget.c:3325
#12 0x00007f6fe1814d23 in gtk_window_show (widget=0x18682e0)
    at gtkwindow.c:4487
#13 0x00007f6fe2a53e0f in IA__g_closure_invoke (closure=0x17adab0, 
    return_value=0x0, n_param_values=1, param_values=0x186fb60, 
    invocation_hint=0x7f6fdd8650e0) at gclosure.c:767
#14 0x00007f6fe2a68b88 in signal_emit_unlocked_R (node=0x1802cb0, detail=0, 
    instance=0x18682e0, emission_return=0x0, instance_and_params=0x186fb60)
    at gsignal.c:3177
#15 0x00007f6fe2a6a96b in IA__g_signal_emit_valist (instance=0x18682e0, 
    signal_id=<value optimized out>, detail=0, var_args=0x7f6fdd8652c0)
    at gsignal.c:2980
#16 0x00007f6fe2a6ae28 in IA__g_signal_emit (instance=0x0, signal_id=0, 
    detail=0) at gsignal.c:3037
#17 0x00007f6fe1806876 in IA__gtk_widget_show (widget=0x18682e0)
    at gtkwidget.c:3009
#18 0x00007f6fcff62b13 in ?? ()
   from /home/karl/.mozilla/plugins/libflashplayer.so
#19 0x00007f6fcff59448 in ?? ()
   from /home/karl/.mozilla/plugins/libflashplayer.so
#20 0x00007f6fcff5d5b9 in ?? ()
   from /home/karl/.mozilla/plugins/libflashplayer.so
#21 0x00007f6fe7b20040 in mozilla::plugins::PluginInstanceChild::AnswerNPP_SetWindow (this=0x17a3130, aWindow=@0x7f6fdd865570, rv=0x7f6fdd86563c)
    at /home/karl/moz/dev/dom/plugins/PluginInstanceChild.cpp:446
#22 0x00007f6fe7b7e8a5 in mozilla::plugins::PPluginInstanceChild::OnCallReceived (this=0x17a3130, msg=@0x7f6fdd8659d0, reply=@0x7f6fdd865908)
    at PPluginInstanceChild.cpp:834
#23 0x00007f6fe7b7b1e4 in mozilla::plugins::PPluginModuleChild::OnCallReceived
    (this=0x1620ab8, msg=@0x7f6fdd8659d0, reply=@0x7f6fdd865908)
    at PPluginModuleChild.cpp:375
#24 0x00007f6fe7b3a002 in mozilla::ipc::RPCChannel::DispatchIncall (
    this=0x1620ac8, call=@0x7f6fdd8659d0)
    at /home/karl/moz/dev/ipc/glue/RPCChannel.cpp:347
#25 0x00007f6fe7b3a3c9 in mozilla::ipc::RPCChannel::Incall (this=0x1620ac8, 
    call=@0x7f6fdd8659d0, stackDepth=0)
    at /home/karl/moz/dev/ipc/glue/RPCChannel.cpp:332
#26 0x00007f6fe7b3a6c2 in mozilla::ipc::RPCChannel::OnMaybeDequeueOne (
    this=0x1620ac8) at /home/karl/moz/dev/ipc/glue/RPCChannel.cpp:267
#27 0x00007f6fe7b3bb48 in DispatchToMethod<mozilla::ipc::RPCChannel, void (mozilla::ipc::RPCChannel::*)()> (obj=0x1620ac8, 
    method=0x7f6fe7b3a56c <mozilla::ipc::RPCChannel::OnMaybeDequeueOne()>, 
    arg=@0x18728b0) at /home/karl/moz/dev/ipc/chromium/src/base/tuple.h:383
#28 0x00007f6fe7b3bb84 in RunnableMethod<mozilla::ipc::RPCChannel, void (mozilla::ipc::RPCChannel::*)(), Tuple0>::Run (this=0x1872880)
    at /home/karl/moz/dev/ipc/chromium/src/base/task.h:307
#29 0x00007f6fe7bc9308 in MessageLoop::RunTask (this=0x7f6fdd865ed0, 
    task=0x1872880)
    at /home/karl/moz/dev/ipc/chromium/src/base/message_loop.cc:326
#30 0x00007f6fe7bc9754 in MessageLoop::DeferOrRunPendingTask (
    this=0x7f6fdd865ed0, pending_task=@0x7f6fdd865b20)
    at /home/karl/moz/dev/ipc/chromium/src/base/message_loop.cc:334
#31 0x00007f6fe7bc9a55 in MessageLoop::DoWork (this=0x7f6fdd865ed0)
    at /home/karl/moz/dev/ipc/chromium/src/base/message_loop.cc:434
#32 0x00007f6fe7b39354 in mozilla::ipc::DoWorkRunnable::Run (this=0x16219b0)
    at /home/karl/moz/dev/ipc/glue/MessagePump.cpp:75
#33 0x00007f6fe7ca96a0 in nsThread::ProcessNextEvent (this=0x1625960, 
    mayWait=1, result=0x7f6fdd865c4c)
    at /home/karl/moz/dev/xpcom/threads/nsThread.cpp:527
#34 0x00007f6fe7c41246 in NS_ProcessNextEvent_P (thread=0x1625960, mayWait=1)
    at nsThreadUtils.cpp:250
#35 0x00007f6fe7b39010 in mozilla::ipc::MessagePump::Run (this=0x16226b0, 
    aDelegate=0x7f6fdd865ed0)
    at /home/karl/moz/dev/ipc/glue/MessagePump.cpp:142

Comment 1

[Karl Tomlinson (:karlt)]

First GObject warning (from a different run):
#0  IA__g_log (log_domain=0x7fdda27c299c "GLib-GObject", 
    log_level=G_LOG_LEVEL_WARNING, 
    format=0x7fdda27c7518 "instance of invalid non-instantiatable type `%s'")
    at gmessages.c:525
#1  0x00007fdda27b57e9 in IA__g_type_check_instance (
    type_instance=<value optimized out>) at gtype.c:3807
#2  0x00007fdda27b1789 in IA__g_signal_handlers_destroy (
    instance=0x7fdda27c299c) at gsignal.c:2422
#3  0x00007fdda279f74b in g_object_real_dispose (object=0x7fdda27c299c)
    at gobject.c:739
#4  0x00007fdda279f896 in IA__g_object_unref (_object=<value optimized out>)
    at gobject.c:2393
#5  0x00007fdd8fcacabd in ?? ()
   from /home/karl/.mozilla/plugins/libflashplayer.so
#6  0x00007fdd8fca3448 in ?? ()
   from /home/karl/.mozilla/plugins/libflashplayer.so
#7  0x00007fdd8fca75b9 in ?? ()
   from /home/karl/.mozilla/plugins/libflashplayer.so
#8  0x00007fdda786a040 in mozilla::plugins::PluginInstanceChild::AnswerNPP_SetWindow (this=0x970e90, aWindow=@0x7fdd9d5af570, rv=0x7fdd9d5af63c)
    at /home/karl/moz/dev/dom/plugins/PluginInstanceChild.cpp:446

Comment 2

[Karl Tomlinson (:karlt)]

The first assertion happens because the GtkPlug has been destroyed (and the plugin is still trying to use it).
The socket Window is still mapped.

Comment 3

[Karl Tomlinson (:karlt)]

What seems to be happening is that the Flash plugin is using g_object_unref
instead of gtk_widget_destroy (or gtk_object_destroy) to attempt to destroy
the GtkPlug.  (The plugin creates a new GtkPlug when resized.)

GtkPlug is a GtkWindow which is an unusual GObject because it holds a
reference to itself.  The initial reference from gtk_plug_new() belongs to the
GtkPlug, but the plugin is releasing this reference.

When a g_object_unref would cause the reference count to drop to zero, it runs
the object's dispose method.  A GtkPlug's (actually its parent class
GtkWindow's) dispose removes its reference to itself.  The object gets deleted
early in the destruction process and things go downhill.

Comment 4

[Karl Tomlinson (:karlt)]

The reason why the crash doesn't occur when the plugin is in-process is that
when gtk_plug_new() creates a GtkPlug with a GtkSocket in the same process, it
has an initial reference count of 2.  The unref from the plugin is not enough
to drop the count to 0.

The other reference is held by the GtkSocket.  However, the GtkSocket does not
expect a subsequent plug added before a previous is removed.  When this
happens the GtkSocket does not release its reference to the previous plugin,
but merely overwrites its pointer with the new GtkPlug.

The previous GtkPlug is never destroyed, its last reference is never released,
and it leaks.

Comment 5

[Karl Tomlinson (:karlt)]

Flash Player 10.1 d51 (Beta 2) still unrefs the GtkPlug (and doesn't destroy).

Comment 6

[Karl Tomlinson (:karlt)]

Attachment: undo incorrect unref of GtkPlug by plugin

This fixes the issue described in comment 3.
That fixes the GLib-GObject assertions.

But we still have "Gdk-CRITICAL **: gdk_window_get_user_data: assertion `GDK_IS_WINDOW (window)' failed" and subsequent assertions followed by the same crash.

Comment 7

[timeless]

karlt: someone should contact someone from adobe....

Comment 8

[Karl Tomlinson (:karlt)]

I filed bug 539897 on the next issue as that has a different cause
(leaving this bug for the issue described in comment 3).

Comment 9

[Karl Tomlinson (:karlt)]

If Adobe fix this by merely changing the g_object_unref to a gtk_widget_destroy, then I don't know whether or not bug 539897 start to cause problems (even) in-process.

My best suggestion for a fix on Adobe's side is to keep using the same GtkPlug unless the socket xid changes.

Comment 10

[Karl Tomlinson (:karlt)]

Comment on attachment 421763 [details] [diff] [review]
undo incorrect unref of GtkPlug by plugin

There doesn't seem much point rushing on this until we also have a workaround for bug 539897 (which will probably be similar but different), but it looks like we'll need to do this workaround anyway.  Requesting review of the GTK stuff from roc, and review from cjones on whether this is a suitable place for this code.

Comment 11

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 421763 [details] [diff] [review]
undo incorrect unref of GtkPlug by plugin

+    // of gtk_widget_destroy.  The reference that Flash Flasher is removing

Flash Flasher?

Comment 12

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

Pushed http://hg.mozilla.org/projects/electrolysis/rev/736458a62836

Comment 13

[Benjamin Smedberg]

http://hg.mozilla.org/mozilla-central/rev/37854f31e2b2

Comment 14

[Karl Tomlinson (:karlt)]

Litmus test coverage in https://litmus.mozilla.org/show_test.cgi?id=11593