Closed
Bug 540795
Opened 15 years ago
Closed 15 years ago
NotifyPluginEventObservers crashes
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(blocking1.9.2 .1+, status1.9.2 .1-fixed, fennec1.0+)
RESOLVED
FIXED
People
(Reporter: dougt, Assigned: dougt)
References
Details
Attachments
(2 files, 1 obsolete file)
|
2.89 KB,
patch
|
stechz
:
review+
mfinkle
:
review+
|
Details | Diff | Splinter Review |
|
3.04 KB,
patch
|
jst
:
review+
|
Details | Diff | Splinter Review |
#0 0x4003f96c in raise () from /lib/libpthread.so.0
#1 0x40afffd0 in nsProfileLock::FatalSignalHandler (signo=11) at nsProfileLock.cpp:212
#2 <signal handler called>
#3 nsCSSFrameConstructor::FindFrameWithContent (this=0x4653fa00, aFrameManager=0x43c960fc, aParentFrame=0x46be5780, aParentContent=0x46bb8fe0,
aContent=0x46ab9520, aHint=0x0) at ../../dist/include/nsINode.h:898
#4 0x40cd7ba8 in nsCSSFrameConstructor::FindPrimaryFrameFor (this=0x4653fa00, aFrameManager=0x43c960fc, aContent=0x46ab9520, aFrame=0xbeb53ea8,
aHint=0x0) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsCSSFrameConstructor.cpp:8850
#5 0x40d01f3c in nsFrameManager::GetPrimaryFrameFor (this=0x43c960fc, aContent=0x46ab9520, aIndexHint=1186729744)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsFrameManager.cpp:404
#6 0x40d15130 in PresShell::GetPrimaryFrameFor (this=<value optimized out>, aContent=0x46be5780)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsPresShell.cpp:5226
#7 0x410849f8 in GetBindingURL (aContent=0x46ab9520, aDocument=<value optimized out>, aResult=0xbeb53efc)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/dom/base/nsDOMClassInfo.cpp:7676
#8 0x410875d8 in nsElementSH::PreCreate (this=<value optimized out>, nativeObj=0x46ab9520, cx=<value optimized out>, globalObj=<value optimized out>,
parentObj=0xbeb53f6c) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/dom/base/nsDOMClassInfo.cpp:7731
#9 0x41087684 in nsHTMLPluginObjElementSH::PreCreate (this=0xbeb53e40, nativeObj=0x46be5780, cx=0x46bc10c0, globalObj=0xf0dea7ff, parentObj=0xbeb53f6c)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/dom/base/nsDOMClassInfo.cpp:9607
#10 0x40b346dc in ConstructSlimWrapper (ccx=..., p=<value optimized out>, cache=0x46ab9524, xpcScope=0x4560e740, rval=0xbeb54004)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/js/src/xpconnect/src/xpcwrappednative.cpp:3799
#11 0x40b19d78 in XPCConvert::NativeInterface2JSObject (lccx=..., d=0xbeb542d8, dest=0x0, src=0x46ab95a8, iid=0xbeb54288, Interface=0x0,
cache=0x46ab9524, scope=0x45b45400, allowNativeWrapper=1, isGlobal=0, pErr=0x0)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/js/src/xpconnect/src/xpcconvert.cpp:1152
#12 0x40b1a7f8 in XPCConvert::NativeData2JS (lccx=..., d=0xbeb542d8, s=0xbeb54350, type=..., iid=0xbeb54288, scope=0x45b45400, pErr=0x0)
---Type <return> to continue, or q <return> to quit---
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/js/src/xpconnect/src/xpcconvert.cpp:469
#13 0x40b2e3b0 in nsXPCWrappedJSClass::CallMethod (this=0x43cf6130, wrapper=<value optimized out>, methodIndex=3, info=0x43c15fd0,
nativeParams=0xbeb54350) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/js/src/xpconnect/src/xpcprivate.h:2974
#14 0x40b28128 in nsXPCWrappedJS::CallMethod (this=0x46be5780, methodIndex=3, info=0x43c15fd0, params=0xbeb54350)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/js/src/xpconnect/src/xpcwrappedjs.cpp:570
#15 0x416239bc in PrepareAndDispatch (self=0x465e9e90, methodIndex=<value optimized out>, args=0xbeb54414)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:132
#16 0x4162306c in SharedStub () from /home/user/fennec/xulrunner/libxul.so
#17 0x415e1eec in nsObserverList::NotifyObservers (this=<value optimized out>, aSubject=0x46ab95a8, aTopic=0x417f9524 "plugin-changed-event",
someData=0xbeb5449c) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/xpcom/ds/nsObserverList.cpp:130
#18 0x415e2470 in nsObserverService::NotifyObservers (this=<value optimized out>, aSubject=0x46ab95a8, aTopic=0x417f9524 "plugin-changed-event",
someData=0xbeb5449c) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/xpcom/ds/nsObserverService.cpp:182
#19 0x40d6d83c in nsObjectFrame::NotifyPluginEventObservers (this=<value optimized out>, eventType=0xbeb5449c)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/generic/nsObjectFrame.cpp:1318
#20 0x40d728cc in nsObjectFrame::Destroy (this=0x46cd8638) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/generic/nsObjectFrame.cpp:702
#21 0x40d6683c in nsLineBox::DeleteLineList (aPresContext=0x465a1000, aLines=...)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/generic/nsLineBox.cpp:341
#22 0x40d2e740 in nsBlockFrame::Destroy (this=0x46be5780) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/generic/nsBlockFrame.cpp:300
#23 0x40d4b12c in nsFrameList::DestroyFrame (this=<value optimized out>, aFrame=0x46be5780, aPrevSiblingHint=<value optimized out>)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/generic/nsFrameList.cpp:129
#24 0x40d28c90 in nsAbsoluteContainingBlock::RemoveFrame (this=0x46bd4a48, aDelegatingFrame=<value optimized out>, aListName=<value optimized out>,
aOldFrame=0x46be5780) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/generic/nsAbsoluteContainingBlock.cpp:122
#25 0x40d300a4 in nsBlockFrame::RemoveFrame (this=0x46bd49f8, aListName=0x40d300a4, aOldFrame=0x46be5780)
---Type <return> to continue, or q <return> to quit---
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/generic/nsBlockFrame.cpp:5169
#26 0x40d01c08 in nsFrameManager::RemoveFrame (this=0x43c960fc, aParentFrame=0x46bd49f8, aListName=0x405b2a6c, aOldFrame=0x46be5780)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsFrameManager.cpp:735
#27 0x40ce2670 in nsCSSFrameConstructor::ContentRemoved (this=0x4653fa00, aContainer=0x46bb8f40, aChild=<value optimized out>, aIndexInContainer=5,
aFlags=nsCSSFrameConstructor::REMOVE_FOR_RECONSTRUCTION, aDidReconstruct=0xbeb546b8)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsCSSFrameConstructor.cpp:7416
#28 0x40ce2988 in nsCSSFrameConstructor::RecreateFramesForContent (this=0x4653fa00, aContent=0x46bb8fe0, aAsyncInsert=0)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsCSSFrameConstructor.cpp:9218
#29 0x40ce35a8 in nsCSSFrameConstructor::ProcessRestyledFrames (this=0x4653fa00, aChangeList=...)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsCSSFrameConstructor.cpp:7885
#30 0x40ce3834 in nsCSSFrameConstructor::RestyleElement (this=0x4653fa00, aContent=<value optimized out>, aPrimaryFrame=0x46be5780, aMinHint=0)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsCSSFrameConstructor.cpp:7969
#31 0x40ce39fc in nsCSSFrameConstructor::ProcessOneRestyle (this=0x4653fa00, aContent=0x46bb8fe0, aRestyleHint=eReStyle_Self, aChangeHint=0)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsCSSFrameConstructor.cpp:11657
#32 0x40ce3b64 in nsCSSFrameConstructor::ProcessPendingRestyles (this=0x4653fa00)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsCSSFrameConstructor.cpp:11766
#33 0x40d1d854 in PresShell::FlushPendingNotifications (this=0x43c960e0, aType=Flush_Style)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsPresShell.cpp:4875
#34 0x40cd304c in nsCSSFrameConstructor::RestyleEvent::Run (this=<value optimized out>)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/layout/base/nsCSSFrameConstructor.cpp:11852
#35 0x41612e2c in nsThread::ProcessNextEvent (this=0x405a4060, mayWait=1, result=0xbeb54f54)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/xpcom/threads/nsThread.cpp:527
#36 0x415d3ff4 in NS_ProcessNextEvent_P (thread=0xbeb53e40, mayWait=1) at nsThreadUtils.cpp:250
---Type <return> to continue, or q <return> to quit---
#37 0x41512cb8 in nsBaseAppShell::Run (this=0x43b2a830) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/widget/src/xpwidgets/nsBaseAppShell.cpp:170
#38 0x41398cb0 in nsAppStartup::Run (this=0x43ce8820) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/toolkit/components/startup/src/nsAppStartup.cpp:182
#39 0x40af8bac in XRE_main (argc=<value optimized out>, argv=<value optimized out>, aAppData=<value optimized out>)
at /home/romaxaxz/microbcomponent/mozilla-1.9.2/toolkit/xre/nsAppRunner.cpp:3506
#40 0x00009b84 in main (argc=0, argv=0xbeb5a744) at /home/romaxaxz/microbcomponent/mozilla-1.9.2/xulrunner/stub/nsXULStub.cpp:583
We do not need the init or the delete notifications. We also do not need to be passed the dom element associated with the change.
|
Assignee | |
Comment 1•15 years ago
|
||
Assignee: nobody → mozbugz
Attachment #422501 -
Flags: review?(jst)
|
|
Assignee | |
Comment 2•15 years ago
|
||
Attachment #422502 -
Flags: review?(webapps)
|
|
Assignee | |
Updated•15 years ago
|
blocking1.9.2: --- → ?
tracking-fennec: --- → ?
|
||
Updated•15 years ago
|
tracking-fennec: ? → 1.0+
|
||
Comment 3•15 years ago
|
||
Comment on attachment 422502 [details] [diff] [review]
fennec patch
>- self.updateEmbedRegions(plugins, self.getCriticalRect());
>+ let plugins = doc.querySelectorAll("embed,object");
>+
>+ self.updateEmbedRegions(plugins, self.getCriticalRect());
the blank line is not needed and indent needs 2 more spaces
Attachment #422502 -
Flags: review+
|
||
Comment 4•15 years ago
|
||
Comment on attachment 422502 [details] [diff] [review]
fennec patch
>- gObserverService.addObserver(this, "plugin-changed-event", false);
>+ gObserverService.addObserver(this, "plugin-reflow-event", false);
You missed this change in stop().
>- self.updateEmbedRegions(plugins, self.getCriticalRect());
>+ let plugins = doc.querySelectorAll("embed,object");
>+
>+ self.updateEmbedRegions(plugins, self.getCriticalRect());
Indent this properly.
r+ with nits.
Attachment #422502 -
Flags: review?(webapps) → review+
|
||
Comment 5•15 years ago
|
||
Sorry, but this all look very scary to me, at least as a first glance.
(just say if I'm reading the code wrong)
Though the scariness comes from the notifications which were there
already before this bug.
The notification happens in the middle of a reflow, right? And the
notification observer runs some script? It is guaranteed that the script
doesn't cause a reflow?
Would it be enough to fire the notification using a script runner?
That would be much safer.
|
||
Updated•15 years ago
|
blocking1.9.2: ? → .1+
|
|
||
Comment 6•15 years ago
|
||
Frontend patch pushed to mobile browser trunk http://hg.mozilla.org/mobile-browser/rev/6117e4cef960
I just realized: I may have been too hasty since the reflow event isn't in platform yet?
|
|
Assignee | |
Comment 7•15 years ago
|
||
i have confidence that we can get a platform fix before the nightly gets spun.
|
||
Comment 8•15 years ago
|
||
Attachment #422501 -
Attachment is obsolete: true
Attachment #422668 -
Flags: review?
Attachment #422501 -
Flags: review?(jst)
|
|
||
Updated•15 years ago
|
Attachment #422668 -
Flags: review? → review?(jst)
|
||
Updated•15 years ago
|
Attachment #422668 -
Flags: review?(jst) → review+
|
|
||
Comment 9•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/4d906fab5a87
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/bfec812ca05c
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Comment 10•15 years ago
|
||
Is there a testcase for this patch?
|
|
Assignee | |
Comment 11•15 years ago
|
||
it was one of the causes of a crash when leaving a site with plugins.
|
|
||
Updated•15 years ago
|
status1.9.2:
--- → .1-fixed
|
||
Updated•3 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•