Closed Bug 79601 Opened 24 years ago Closed 23 years ago

crash when javascript controls flash embedding

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: rohan.hart, Assigned: srgchrpv)

References

(
URL
)

Details

Attachments

(3 files)

Crashes Mozilla 0.9.2 + Flash 5.0r522 on Solaris 8
115 bytes, text/html
Details
http://www.itpapers.com/ case reduced
247 bytes, text/html
Details
http://www.itpapers.com/ case (somehow) reduced
73.55 KB, text/html
Details
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; IRIX 6.5 IP32; en-US; rv:0.9+) Gecko/20010507 BuildID: 2001050721 Mozilla crashes after the page is disaplyed, apparently when the onLoad triggers. Under Netscape 4.6 the center of the page is replaced by several objects depending on the mouse's location, at least one of which is a shockwave movie. The shockwave plug-in is not installed. Turning off javascript stops Mozilla from crashing. Reproducible: Always Steps to Reproduce: 1.Go to http://www.itpapers.com/ Actual Results: Page is displayed and then promptly crashes Expected Results: Page is displayed The last messages on the console before the crash are: Document http://www.itpapers.com/ loaded successfully Gtk-WARNING **: invalid cast from (NULL) pointer to `GtkXtBin' Gtk+ is 1.2.10 The stack trace is: #0 0x44c187c in ns4xPluginInstance::SetWindow () #1 0x62b2c04 in nsObjectFrame::DidReflow () #2 0x62aaa50 in nsLineLayout::ReflowFrame () #3 0x62a3e1c in nsInlineFrame::ReflowInlineFrame () #4 0x62a3a10 in nsInlineFrame::ReflowFrames () #5 0x62a3658 in nsInlineFrame::Reflow () #6 0x62aa43c in nsLineLayout::ReflowFrame () #7 0x6266f40 in nsBlockFrame::ReflowInlineFrame () #8 0x626680c in nsBlockFrame::DoReflowInlineFrames () #9 0x6266b8c in nsBlockFrame::DoReflowInlineFramesAuto () #10 0x6266620 in nsBlockFrame::ReflowInlineFrames () #11 0x62650d8 in nsBlockFrame::ReflowLine () #12 0x62646a4 in nsBlockFrame::ReflowDirtyLines () #13 0x6261888 in nsBlockFrame::Reflow () #14 0x6259e00 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame () #15 0x6259a38 in nsAbsoluteContainingBlock::IncrementalReflow () #16 0x6261304 in nsBlockFrame::Reflow () #17 0x62736d0 in nsContainerFrame::ReflowChild () #18 0x628daa4 in CanvasFrame::Reflow () #19 0x628daa4 in CanvasFrame::Reflow () #20 0x628daa4 in CanvasFrame::Reflow () ...
There is a flash movie embedded on this page. This crashes on my linux build from today all the time (0508). Works ok on windows and mac trunk. chaiging polatform to PC/Linux.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: IRIX → Linux
Hardware: SGI → PC
cc: peter
Summary: crash when javascript controls plug-in display → crashes while loading page with flash
stack : Call Stack: (Signature = ns4xPluginInstance::SetWindow() 956c6f9e) ns4xPluginInstance::SetWindow() nsObjectFrame::DidReflow() nsLineLayout::ReflowFrame() nsInlineFrame::ReflowInlineFrame() nsInlineFrame::ReflowFrames() nsInlineFrame::Reflow() nsLineLayout::ReflowFrame() nsBlockFrame::ReflowInlineFrame() nsBlockFrame::DoReflowInlineFrames() nsBlockFrame::DoReflowInlineFramesAuto() nsBlockFrame::ReflowInlineFrames() nsBlockFrame::ReflowLine() nsBlockFrame::ReflowDirtyLines() nsBlockFrame::Reflow() nsAbsoluteContainingBlock::ReflowAbsoluteFrame() nsAbsoluteContainingBlock::IncrementalReflow() nsBlockFrame::Reflow() nsContainerFrame::ReflowChild() CanvasFrame::Reflow() nsBoxToBlockAdaptor::Reflow() nsBoxToBlockAdaptor::DoLayout() nsBox::Layout() nsScrollBoxFrame::DoLayout() nsBox::Layout() nsContainerBox::LayoutChildAt() nsGfxScrollFrameInner::LayoutBox() nsGfxScrollFrameInner::Layout() nsGfxScrollFrame::DoLayout() nsBox::Layout() nsBoxFrame::Reflow() nsGfxScrollFrame::Reflow() nsContainerFrame::ReflowChild() ViewportFrame::Reflow() nsHTMLReflowCommand::Dispatch() PresShell::ProcessReflowCommand() PresShell::ProcessReflowCommands() PresShell::FlushPendingNotifications() nsEventStateManager::FlushPendingEvents() nsEventStateManager::GenerateDragGesture() nsEventStateManager::PreHandleEvent() PresShell::HandleEventInternal() PresShell::HandleEvent() nsView::HandleEvent() nsView::HandleEvent() nsView::HandleEvent() nsViewManager::DispatchEvent() HandleEvent() nsWidget::DispatchEvent() nsWidget::DispatchWindowEvent() nsWidget::DispatchMouseEvent() nsWidget::OnMotionNotifySignal() nsWindow::HandleGDKEvent() dispatch_superwin_event() handle_gdk_event() libgdk-1.2.so.0 + 0x1700b (0x4070400b) libglib-1.2.so.0 + 0xfbe6 (0x4072ebe6) libglib-1.2.so.0 + 0x101a1 (0x4072f1a1) libglib-1.2.so.0 + 0x10341 (0x4072f341) libgtk-1.2.so.0 + 0x8c209 (0x40659209) nsAppShell::Run() nsAppShellService::Run() main1() main() libc.so.6 + 0x181eb (0x401ef1eb) Registers: EAX: 00000000 EBX: 40fa64f8 ECX: 00000000 ED
cc:ing Serge, weren't you looking at something like this?
I don't get a crash when accessing a simple page with embedded flash - this only occurs when the embedded flash is swapped in and out by the javascript.
Summary: crashes while loading page with flash → crash when javascript controls flash embedding
No, I haven't seen something like this before. Gtk-WARNING **: invalid cast from (NULL) pointer to `GtkXtBin' comes from here http://lxr.mozilla.org/seamonkey/source/modules/plugin/nglsrc/ns4xPluginInstance.cpp#601 because window->window == 0 we do not call mXtBin = gtk_xtbin_new(win, 0); and than crahs at: 610 window->window = (nsPluginPort *)GTK_XTBIN(mXtBin)->xtwindow; because mXtBin == 0 so my first proposal to fix this is a simple bulletproofing: ===================================================== RCS file: /cvsroot/mozilla/modules/plugin/nglsrc/ns4xPluginInstance.cpp,v retrieving revision 1.49 diff -u -r1.49 ns4xPluginInstance.cpp --- ns4xPluginInstance.cpp 2001/04/28 02:24:29 1.49 +++ ns4xPluginInstance.cpp 2001/05/09 23:14:57 @@ -554,7 +554,8 @@ ws = (NPSetWindowCallbackStruct *)window->ws_info; GdkWindow *win = gdk_window_lookup((XID)window->window); - if (win) + if (!win) + goto L_NO_WINDOW; { #ifdef NS_DEBUG printf("About to create new xtbin of %i X %i from %p...\n", @@ -608,6 +609,8 @@ // And now point the NPWindow structures window // to the actual X window window->window = (nsPluginPort *)GTK_XTBIN(mXtBin)->xtwindow; + +L_NO_WINDOW: #endif // MOZ_WIDGET_GTK -------------------- it'll fix the crash , but problem, which probably hides in javascript document.write('<OBJECT ... <EMBED </EMBED> </OBJECT>'); still remains.
Sorry, I thought it was similar to the default plugin one you fixed. You have my r= to check-in at least this patch to band-aid this until more cycles can be devoted to fixing Linux plugin bugs. I don't like the goto, but looking at the code in context, it doesn't seem like a bad choice. Thanks!
add cc:
I want to stress this is not a Linux only bug. Mozilla 0.9.2 + Shockwave Flash 5.0 r52 crash on Solaris 8 when accessing http://www.macromedia.com/software/flash/ Turning off javascript indeed stops Mozilla from crashing. The difference here is that I get X errrors: X Error of failed request: BadMatch (invalid parameter attributes) Major opcode of failed request: 131 (MIT-SHM) Minor opcode of failed request: 3 (X_ShmPutImage) Serial number of failed request: 64 Current serial number in output stream: 64 Note that I have a 24-bit capable display but the default display is 8-bit - as usual on Solaris and Irix machines. I can't provide a stack trace, sorry. The -g and -d options don't work on Solaris. User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:0.9.2) Gecko/20010630 BuildID: 2001063019
I don't think this has anything to do with javascript. This is just a flash embedding problem. I have reduced http://www.macromedia.com/software/flash/ to attachment http://bugzilla.mozilla.org/showattachment.cgi?attach_id=43349 that contains <EMBED TYPE="application/x-shockwave-flash"></EMBED> This crashes Mozilla the same way: X Error of failed request: BadMatch (invalid parameter attributes) Major opcode of failed request: 131 (MIT-SHM) Minor opcode of failed request: 3 (X_ShmPutImage) Serial number of failed request: 64 Current serial number in output stream: 64
Definitely not a javascript issue. I've also reduced http://www.itpapers.com/ and now have it crash even with javascript turned off by changing document.write('<OBJECT c... to <OBJECT c...
Note that when reducing http://www.itpapers.com/ to http://bugzilla.mozilla.org/showattachment.cgi?attach_id=43352 the error messages on the console change from Gtk-WARNING **: invalid cast from (NULL) pointer to `GtkXtBin' Segmentation Fault to X Error of failed request: BadMatch (invalid parameter attributes) Major opcode of failed request: 131 (MIT-SHM) Minor opcode of failed request: 3 (X_ShmPutImage) Serial number of failed request: 64 Current serial number in output stream: 64 I'm still not sure what this means...
Aaaaargh! I am very sorry, but I am afraid I was wrong. The intial error invalid cast from (NULL) pointer to `GtkXtBin' from http://www.itpapers.com/ is different from the X error I keep getting when using Mozilla + Flash on Solaris. I am trying again to reduce http://www.itpapers.com/ to something smaller but removing even a single of comments from this page will result in Mozilla not crashing. Actually this could be related to the cache. Clear the cache on disk before running mozilla and it won't crash on the attached file. Rerun mozilla on the same file and it will crash! Like this: $ rm -rf /home/papadopo/.mozilla/papadopo/0u4z2wg5.slt/NewCache/* $ /usr/local/mozilla/mozilla file:///home/papadopo/index.html > /dev/null $ /usr/local/mozilla/mozilla file:///home/papadopo/index.html > /dev/null Gtk-WARNING **: invalid cast from (NULL) pointer to `GtkXtBin' Segmentation Fault $
cc:ing Serge, perhaps he knows more about this.
I don't think Flash 5 works with 8 bit display on Solaris. Dimitri, could you try setting your default display to 24, if you have not already done so? This may resolve the problem of "X Error of failed request: BadMatch (invalid parameter attributes)". See also bug: 85958
The first two attachments don't cause a crash on IRIX using build 2001071722 while the third and the original problem URL do. Note that I don't have any flash plugin installed because there isn't, as far as I'm aware, one available which works with Mozilla on IRIX.
I see this bug too with version 0.9.4. The browser dies with Gtk-WARNING **: invalid cast from (NULL) pointer to `GtkXtBin' Segmentation fault when I visit http://www.unibanco.com.br I'm using Flash 5.0 r47.
WFM on Solaris 2.8 MOZILLA_0_9_5_BRANCH and on Linux Redhat 7.1 MOZILLA_0_9_4_BRANCH (in both cases I used jre 1.3.1). Reporter, can you still reproduce this bug ?
itpapers seems to have changed slightly - I get a crash under 0.9.4 on the third attachment only. Using build 2001111122 there's no crash for any of the test cases, but neither is there a request for a shockwave plugin (which I don't have installed) - has the suggested patch to stop the crash (but not the underlying problem) gone in recently?
Rohan, I couldn't reproduce bug on third attachment. Actually I didn't completely understand your question about patch: as I understand you ask about patch that fixes the bug ?
I was refering to the bulletproofing patch proposed by Serge in comment #6. This is on IRIX - do Linux show a flash movie in the third attachment? To summarise: the crash has gone but so has the movie. Should I raise a seperate bug to fix that?
The bulletproofing I've proposed has been checked in for bug 85701, I'm going to play with this one soon, to figure out what actually going on here.
Linux doesn't show movie on third attachment
The same thing appears to happen on www.oracle.com/start where there's javascript inside the embedded flash <object> bit writing directly to the page. This is on mozilla 0.9.6 under RedHat 7.2 with Shockwave Flash 5.0 r47
--- Mass reassigning Unix bugs to serge ---
Assignee: av → serge
WFM with 20020130 linux gebug build rh 7.2, flash 5.0 r47 I'm going ro resolve this as WFM if there are no objections.
resolved as WFM
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: