Closed Bug 540114 Opened 10 years ago Closed 10 years ago

OOPP: Plugin process crashes with BadWindow X error loading youtube.com

Categories

(Core :: Plug-ins, defect)

x86_64
Linux
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla1.9.3a2
Tracking Status
status1.9.2 --- .4-fixed

People

(Reporter: jst, Assigned: karlt)

References

Details

(Keywords: topcrash, Whiteboard: [fixed-lorentz])

Attachments

(2 files)

Running with a recent build from mozilla-central (built locally), mozilla-runtime crashes when loading youtube.com. Here's the stack:

#0  0x00007f33a449d1e1 in nanosleep () from /lib64/libc.so.6

#1  0x00007f33a449d030 in sleep () from /lib64/libc.so.6

#2  0x00007f33a5d0ecab in ah_crap_handler (signum=6)

    at ../../../mozilla/toolkit/xre/nsSigHandlers.cpp:155

#3  <signal handler called>

#4  0x00007f33a442c275 in raise () from /lib64/libc.so.6

#5  0x00007f33a442da55 in abort () from /lib64/libc.so.6

#6  0x00007f33a1e1cb27 in IA__g_logv (log_domain=<value optimized out>, 

    log_level=<value optimized out>, format=<value optimized out>, 

    args1=0x7f339d2675e0) at gmessages.c:506

#7  0x00007f33a1e1cbb3 in IA__g_log (

    log_domain=0x269d <Address 0x269d out of bounds>, log_level=9886, 

    format=0x6 <Address 0x6 out of bounds>) at gmessages.c:526

#8  0x00007f33a0505456 in gdk_x_error (display=<value optimized out>, 

    error=<value optimized out>) at gdkmain-x11.c:641

#9  0x00007f33a1ae80b4 in _XError (dpy=0x7f339808fd90, rep=0x7f3398279990)

    at XlibInt.c:2924

#10 0x00007f33a1aee3fc in process_responses (dpy=0x7f339808fd90, 

    wait_for_first_event=<value optimized out>, 

    current_error=<value optimized out>, current_request=0) at xcb_io.c:207

#11 0x00007f33a1aeedb7 in _XEventsQueued (dpy=0x7f339808fd90, 

    mode=<value optimized out>) at xcb_io.c:256

#12 0x00007f33a1ad7bfd in XPending (dpy=0x7f339808fd90) at Pending.c:56

#13 0x00007f33a04fb459 in _gdk_events_queue (display=0x7f3398214100)

    at gdkevents-x11.c:2278

#14 0x00007f33a04fb9de in gdk_event_dispatch (source=<value optimized out>, 

    callback=0x269e, user_data=0x6) at gdkevents-x11.c:2361

#15 0x00007f33a1e1290e in g_main_dispatch (context=<value optimized out>)

    at gmain.c:1824

#16 IA__g_main_context_dispatch (context=<value optimized out>) at gmain.c:2377

#17 0x00007f33a1e160e8 in g_main_context_iterate (context=0x7f33981174d0, 

    block=<value optimized out>, dispatch=<value optimized out>, 

    self=<value optimized out>) at gmain.c:2455

#18 0x00007f33a1e1620a in IA__g_main_context_iteration (

    context=0x7f33981174d0, may_block=0) at gmain.c:2518

#19 0x00007f33a68387ed in nsBaseAppShell::DoProcessNextNativeEvent (

    this=0x269d, mayWait=9886)

---Type <return> to continue, or q <return> to quit---

    at ../../../../mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:155

#20 0x00007f33a6838b88 in nsBaseAppShell::OnProcessNextEvent (

    this=0x7f3398276fa0, thr=0x7f3398003b10, mayWait=0, 

    recursionDepth=<value optimized out>)

    at ../../../../mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:293

#21 0x00007f33a6a013c0 in nsThread::ProcessNextEvent (this=0x7f3398003b10, 

    mayWait=0, result=0x7f339d267c3c)

    at ../../../mozilla/xpcom/threads/nsThread.cpp:508

#22 0x00007f33a69be0d7 in NS_ProcessNextEvent_P (thread=0x269d, mayWait=0)

    at nsThreadUtils.cpp:250

#23 0x00007f33a690f2a5 in mozilla::ipc::MessagePump::Run (this=0x7f33980008c0, 

    aDelegate=0x7f339d267e10) at ../../../mozilla/ipc/glue/MessagePump.cpp:118

#24 0x00007f33a6970b40 in MessageLoop::RunInternal (this=0x7f339d267e10)

    at ../../../mozilla/ipc/chromium/src/base/message_loop.cc:211

#25 0x00007f33a6970ba3 in MessageLoop::Run (this=0x7f339d267e10)

    at ../../../mozilla/ipc/chromium/src/base/message_loop.cc:168

#26 0x00007f33a6838c5e in nsBaseAppShell::Run (this=0x7f3398276fa0)

    at ../../../../mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:174

#27 0x00007f33a5d0edf8 in XRE_RunAppShell ()

    at ../../../mozilla/toolkit/xre/nsEmbedFunctions.cpp:463

#28 0x00007f33a690f44e in mozilla::ipc::MessagePumpForChildProcess::Run (

    this=0x7f33980008c0, aDelegate=0x7f339d267e10)

    at ../../../mozilla/ipc/glue/MessagePump.cpp:218

#29 0x00007f33a6970b40 in MessageLoop::RunInternal (this=0x7f339d267e10)

    at ../../../mozilla/ipc/chromium/src/base/message_loop.cc:211

#30 0x00007f33a6970ba3 in MessageLoop::Run (this=0x7f339d267e10)

    at ../../../mozilla/ipc/chromium/src/base/message_loop.cc:168

#31 0x00007f33a6986ff4 in base::Thread::ThreadMain (this=0xf6cfe0)

    at ../../../mozilla/ipc/chromium/src/base/thread.cc:165

#32 0x00007f33a69a5c1e in ThreadFunc (closure=0x269d)

    at ../../../mozilla/ipc/chromium/src/base/platform_thread_posix.cc:26

#33 0x00007f33a780185a in start_thread () from /lib64/libpthread.so.0

#34 0x00007f33a44d722d in clone () from /lib64/libc.so.6

#35 0x0000000000000000 in ?? ()

Oddly enough I see this in one profile, but not in another one (both have OOPP enabled), so I'm not sure if this is as critical as it looks at first glance. This happens in a build built with --enable-debug --enable-optimize (which results in the child process sleeping when crashing, which leads to Firefox hanging waiting for the child to die).

Anyways, filing this just to have it on file.
Here's some output of this happening

For application/x-shockwave-flash found plugin libflashplayer.so
LoadPlugin() /usr/lib64/mozilla/plugins/libflashplayer.so returned 7f61d3f85370
WARNING: NS_ENSURE_TRUE(compMgr) failed: file nsComponentManagerUtils.cpp, line 90
WARNING: NS_ENSURE_TRUE(compMgr) failed: file nsComponentManagerUtils.cpp, line 90
WARNING: NS_ENSURE_TRUE(compMgr) failed: file nsComponentManagerUtils.cpp, line 90
!!! XPConnect won't warn about Shadowed Members of...
   Window, HTMLDocument, HTMLCollection, Event, ChromeWindow
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "Component returned failure code: 0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE) [nsIJSCID.getService]"  nsresult: "0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE)"  location: "JS frame :: file:///home/jst/work/tip/fb-rel/dist/bin/components/fuelApplication.js :: extApp_initToolkitHelpers :: line 1306"  data: no]
************************************************************
WARNING: Cannot create startup observer : service,@mozilla.org/fuel/application;1: file ../../../../../mozilla/embedding/components/appstartup/src/nsAppStartupNotifier.cpp, line 113
LoadPlugin() /usr/lib64/mozilla/plugins/libflashplayer.so returned 7ff22c26efc0
nsPluginNativeWindowGtk2: NPPVpluginNeedsXEmbed=1
nsPluginNativeWindowGtk2: call SetWindow with xid=0x4800630

(<unknown>:12100): Gdk-CRITICAL **: gdk_window_get_origin: assertion `GDK_IS_WINDOW (window)' failed
nsPluginNativeWindowGtk2: call SetWindow with xid=0x4800630
nsHTMLDocument name cache miss for name 'document'
nsHTMLDocument name cache miss for name 'createEvent'
nsHTMLDocument name cache miss for name 'dispatchEvent'
nsHTMLDocument name cache miss for name 'Components'
WARNING: Components.lookupMethod deprecated, use Components.utils.lookupMethod: file ../../../../../mozilla/js/src/xpconnect/src/xpccomponents.cpp, line 4103
nsHTMLDocument name cache miss for name 'window'
nsHTMLDocument name cache miss for name 'parseInt'
nsHTMLDocument name cache miss for name 'Math'
###!!! ASSERTION: LoadObject was reentered?: '!mInstantiating', file ../../../../mozilla/content/base/src/nsObjectLoadingContent.cpp, line 979
###!!! ASSERTION: LoadObject was reentered?: '!mInstantiating', file ../../../../mozilla/content/base/src/nsObjectLoadingContent.cpp, line 1065
For application/x-shockwave-flash found plugin libflashplayer.so

(<unknown>:12100): Gdk-WARNING **: GdkWindow 0x4a00003 unexpectedly destroyed
nsPluginNativeWindowGtk2: NPPVpluginNeedsXEmbed=1

Gdk-ERROR **: The program '<unknown>' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadWindow (invalid Window parameter)'.
  (Details: serial 211 error_code 3 request_code 18 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)
aborting...
nsPluginNativeWindowGtk2: call SetWindow with xid=0x4800631
jst: please use --sync ;-)
(In reply to comment #2)
> ###!!! ASSERTION: LoadObject was reentered?: '!mInstantiating', file
> ../../../../mozilla/content/base/src/nsObjectLoadingContent.cpp, line 979

Is this bad?

> (<unknown>:12100): Gdk-WARNING **: GdkWindow 0x4a00003 unexpectedly destroyed

That looks bad.  A break point in g_log can provide a stack for this (if the behavior is not affected by the change in timing).
(First continue for the gdk_window_get_origin assertion.)

> The error was 'BadWindow (invalid Window parameter)'.
>   (Details: serial 211 error_code 3 request_code 18 minor_code 0)

Request code 18 is XChangeProperty.

>   (Note to programmers: normally, X errors are reported asynchronously;
>    that is, you will receive the error a while after causing it.
>    To debug your program, run it with the --sync command line
>    option to change this behavior. You can then get a meaningful
>    backtrace from your debugger if you break on the gdk_x_error() function.)

Printing *error from a break point in gdk_x_error might be helpful (together
with the other XIDs in the console output.  (Running with --sync only the
command line will only affect the parent process and may or may not change the
timing and avoid the bug.)
ooh, we probably need a way to enable --sync for the oopp host.
Summary: OOPP: Plugin process crashes with X error loading youtube.com → OOPP: Plugin process crashes with BadWindow X error loading youtube.com
Duplicate of this bug: 543355
This is easily reproducible on http://tv.repubblica.it/copertina/ciancimino-attacco-a-forza-italia/42318?video .  I'll try to follow up after I finish with bug 545186, if it's not a dup of this.
Blocks: 545819
Evidence in bug 545819 suggests this is the cause of the most reported Linux crash on trunk.
Blocks: LorentzBeta1
Keywords: topcrash
Blocks: 544153
The BadWindow in XChangeProperty is the X Window associated with the "unexpectedly destroyed" GdkWindow, which is that of the GtkPlug.

The child process has received PluginInstanceDestroyed and the ancestor socket window (from the browser process) has been destroyed.
The X Error happens while GTK tries to destroy the GtkPlug in response to an unexpected GDK_DESTROY message.

XSynchronize(display,TRUE) in the child doesn't help.

Need to work out why the plug wasn't destroyed during PluginInstanceDestroyed.
Assignee: nobody → karlt
The browser process is destroying the socket window while the plug window is still a child.

Apparently Flash Player does not destroy the plug itself but relies on the browser ending the protocol (and I think GtkPlug responds by destroying itself). 
The embedder (browser) can end the XEmbed protocol by unmapping the plug window and reparenting it to the root window.
This usually works because the browser processes a CreateNotify event from the creation of the plugin's plug window as a child of the socket, and takes note that there is a foreign child that must be reparented.

However, things go wrong here when the socket is destroyed before the CreateNotify event is processed.  The socket window does not yet know that it has a child window and so doesn't bother to reparent it.
Duplicate of this bug: 544153
Duplicate of this bug: 545819
Comment on attachment 427010 [details] [diff] [review]
reparent foreign children of the socket window before it gets destroyed

Patch wfm.

>+static void
>+socket_unrealize_cb(GtkWidget *widget, gpointer data)
>+{
>+  // Ensure to unmap and reparent any child windows that GDK does not yet know

Nit: s/Ensure to//
Attachment #427010 - Flags: review?(jones.chris.g) → review+
> Patch wfm.
Does it also WFY for the Flashblock case in Bug 544153?
http://hg.mozilla.org/projects/electrolysis/rev/448ac1b0a391
(including s/Ensure to//.)

(In reply to comment #15)
Solves the Flashblock issues I was seeing.
Whiteboard: [land m-c]
Forgot this.
Attachment #427437 - Flags: review?(jones.chris.g)
Works wonders for me as well (before the last attachment, even).
Attachment #427437 - Flags: review?(jones.chris.g) → review+
http://hg.mozilla.org/mozilla-central/rev/8e1227edb170
http://hg.mozilla.org/mozilla-central/rev/01bd51527d0f
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: [land m-c]
Target Milestone: --- → mozilla1.9.3a2
Duplicate of this bug: 530711
Flags: in-testsuite?
Depends on: 550983
Blanket approval for Lorentz merge to mozilla-1.9.2
a=beltzner for 1.9.2.4 - please make sure to mark status1.9.2:.4-fixed
crashtest:
http://hg.mozilla.org/mozilla-central/rev/64d8811a32ec
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.