Bug 187869 - leak in plugin loading code
Summary: leak in plugin loading code
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 127537 171491
 
Reported: 2006-04-04 06:40 UTC by Thomas Fitzsimmons
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-29 21:41:22 UTC
Type: ---
Embargoed:


Attachments
Test Firefox GtkSocket support (1.41 KB, application/x-gzip)
2006-04-04 06:40 UTC, Thomas Fitzsimmons

Description Thomas Fitzsimmons 2006-04-04 06:40:22 UTC
Created attachment 127272
Test Firefox GtkSocket support

Comment 1 Thomas Fitzsimmons 2006-04-04 06:40:22 UTC
$ rpm -q firefox
firefox-1.5.0.1-9

The attached minimal XEmbed plugin demonstrates a crash in Mozilla's plugin
code.  To reproduce:

tar xzvf plugin-test.tar.gz
cd plugin-test
make && make install
firefox plugin-page.html

Nothing will show in the GtkSocket window.  Now browse to non-plugin-page.html
in the same directory.  Then go back and forth between the pages a few times. 
Then open System->Preferences->Theme.  Now switch to another theme.  You should
see some GDK assertion failures in the console.  Then switch back to the
original theme.  The browser will crash.

I investigated a little: the problem seems to be that the GtkSockets are never
destroyed.  Breaking at nsPluginNativeWindowGtk2.cpp:148 and
nsPluginNativeWindowGtk2.cpp:91 confirms this.  Every time plugin-page.html is
loaded, gtk_socket_new is called.  But gtk_widget_destroy is never called on any
socket.

Here is the backtrace from gdk_colormap_get_screen just before the assertion
failures:

#0  0x05e02095 in IA__gdk_colormap_get_screen (cmap=0x0) at gdkcolor-x11.c:1532
#1  0x0604a2d9 in IA__gtk_style_attach (style=0x9b82630, window=0x9b70018) at gtkstyle.c:769
#2  0x060e58f2 in gtk_widget_set_style_internal (widget=0x99b2130, style=0x9b82630, initial_emission=0) at gtkwidget.c:4948
#3  0x060e5aba in reset_rc_styles_recurse (widget=0x99b2130, data=0x0) at gtkwidget.c:5113
#4  0x0073d4ca in moz_container_forall (container=0x95b1370, include_internals=1, callback=0x60e5a50 <reset_rc_styles_recurse>, callback_data=0x0) at mozcontainer.c:401
#5  0x05f6225b in IA__gtk_container_forall (container=0x95b1370, callback=0x60e5a50 <reset_rc_styles_recurse>, callback_data=0x0) at gtkcontainer.c:1265
#6  0x060e5aa9 in reset_rc_styles_recurse (widget=0x95b1370, data=0x0) at gtkwidget.c:5116
#7  0x05f23a6f in gtk_bin_forall (container=0x962e020, include_internals=1, callback=0x60e5a50 <reset_rc_styles_recurse>, callback_data=0x0) at gtkbin.c:166
#8  0x05f6225b in IA__gtk_container_forall (container=0x962e020, callback=0x60e5a50 <reset_rc_styles_recurse>, callback_data=0x0) at gtkcontainer.c:1265
#9  0x060e5aa9 in reset_rc_styles_recurse (widget=0x962e020, data=0x0) at gtkwidget.c:5116
#10 0x060e5b0d in IA__gtk_widget_reset_rc_styles (widget=0x962e020) at gtkwidget.c:5126
#11 0x0602b0d0 in gtk_rc_reset_widgets (settings=0x9489420) at gtkrc.c:1336
#12 0x0602ea9d in IA__gtk_rc_reparse_all_for_settings (settings=0x9489420, force_load=1) at gtkrc.c:1543
#13 0x0602ec19 in gtk_rc_settings_changed (settings=0x9489420, pspec=0x9589a70, context=0x9591048) at gtkrc.c:551
#14 0x003fb8e9 in g_cclosure_marshal_VOID__PARAM () from /usr/lib/libgobject-2.0.so.0
#15 0x003eef6d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#16 0x003ffa3d in g_signal_override_class_closure () from /usr/lib/libgobject-2.0.so.0
#17 0x00400f47 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#18 0x00401109 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#19 0x003f3431 in g_object_class_override_property () from /usr/lib/libgobject-2.0.so.0
#20 0x003efd4f in g_enum_register_static () from /usr/lib/libgobject-2.0.so.0
#21 0x003f4f52 in g_object_notify () from /usr/lib/libgobject-2.0.so.0
#22 0x0603b4f6 in _gtk_settings_handle_event (event=0x974c1b0) at gtksettings.c:1303
#23 0x05ff0078 in IA__gtk_main_do_event (event=0x974c1b0) at gtkmain.c:1270
#24 0x05e1293a in gdk_event_dispatch (source=0x94a27e0, callback=0, user_data=0x0) at gdkevents-x11.c:2291
#25 0x0027009d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#26 0x0027332f in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#27 0x002736d9 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#28 0x05ff0594 in IA__gtk_main () at gtkmain.c:1001
#29 0x00746046 in nsAppShell::Run (this=0x95b2b38) at nsAppShell.cpp:139
#30 0x009e61c0 in nsAppStartup::Run (this=0x95b2af8) at nsAppStartup.cpp:150
#31 0x0804f21a in XRE_main (argc=4, argv=0xbfbdb9b4, aAppData=0x8063080) at nsAppRunner.cpp:2313
#32 0x0804af75 in main (argc=4, argv=0xbfbdb9b4) at nsBrowserApp.cpp:61
#33 0x006167e4 in __libc_start_main () from /lib/libc.so.6
#34 0x0804aed1 in _start ()

Up a few frames in moz_container_forall you can examine tmp_list, the list of
GtkWidgets in the MozContainer.  The length of this list is the number of times
the plugin page has been visited.  All GtkWidgets in this list are GtkSockets
and all but the last entry have colormap == 0.

Here is the backtrace from the actual crash:

#0  gtk_gc_key_hash (key=0x0) at gtkgc.c:206
#1  0x00264527 in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#2  0x0025a2be in g_cache_remove () from /usr/lib/libglib-2.0.so.0
#3  0x05fb1e26 in IA__gtk_gc_release (gc=0x0) at gtkgc.c:98
#4  0x060525b7 in gtk_style_real_unrealize (style=0x9599c00) at gtkstyle.c:1859
#5  0x0680da31 in clearlooks_style_unrealize (style=0x9599c00) at ./src/clearlooks_style.c:1343
#6  0x003fc1c9 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
#7  0x003ed7a9 in g_value_set_static_boxed () from /usr/lib/libgobject-2.0.so.0
#8  0x003eef6d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#9  0x003ffeca in g_signal_override_class_closure () from /usr/lib/libgobject-2.0.so.0
#10 0x00400f47 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#11 0x00401109 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#12 0x06049fea in IA__gtk_style_detach (style=0x9599c00) at gtkstyle.c:802
#13 0x060ea981 in gtk_widget_real_unrealize (widget=0x99b22b0) at gtkwidget.c:6808
#14 0x0603feb3 in gtk_socket_unrealize (widget=0x99b22b0) at gtksocket.c:424
#15 0x003fc1c9 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
#16 0x003ed7a9 in g_value_set_static_boxed () from /usr/lib/libgobject-2.0.so.0
#17 0x003ef05c in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#18 0x00400083 in g_signal_override_class_closure () from /usr/lib/libgobject-2.0.so.0
#19 0x00400f47 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#20 0x00401109 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#21 0x060e6cc2 in IA__gtk_widget_unrealize (widget=0x99b22b0) at gtkwidget.c:2367
#22 0x0073d4ca in moz_container_forall (container=0x95b1370, include_internals=1, callback=0x60e6c20 <IA__gtk_widget_unrealize>, callback_data=0x0) at mozcontainer.c:401
#23 0x05f6225b in IA__gtk_container_forall (container=0x95b1370, callback=0x60e6c20 <IA__gtk_widget_unrealize>, callback_data=0x0) at gtkcontainer.c:1265
#24 0x060ea9da in gtk_widget_real_unrealize (widget=0x95b1370) at gtkwidget.c:6804
#25 0x003fc1c9 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
#26 0x003ed7a9 in g_value_set_static_boxed () from /usr/lib/libgobject-2.0.so.0
#27 0x003ef05c in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#28 0x00400083 in g_signal_override_class_closure () from /usr/lib/libgobject-2.0.so.0
#29 0x00400f47 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#30 0x00401109 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#31 0x060e6cc2 in IA__gtk_widget_unrealize (widget=0x95b1370) at gtkwidget.c:2367
#32 0x05f23a6f in gtk_bin_forall (container=0x962e020, include_internals=1, callback=0x60e6c20 <IA__gtk_widget_unrealize>, callback_data=0x0) at gtkbin.c:166
#33 0x05f6225b in IA__gtk_container_forall (container=0x962e020, callback=0x60e6c20 <IA__gtk_widget_unrealize>, callback_data=0x0) at gtkcontainer.c:1265
#34 0x060ea9da in gtk_widget_real_unrealize (widget=0x962e020) at gtkwidget.c:6804
#35 0x060f5263 in gtk_window_unrealize (widget=0x962e020) at gtkwindow.c:4271
#36 0x003fc1c9 in g_cclosure_marshal_VOID__VOID () from /usr/lib/libgobject-2.0.so.0
#37 0x003ed7a9 in g_value_set_static_boxed () from /usr/lib/libgobject-2.0.so.0
#38 0x003eef6d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#39 0x00400083 in g_signal_override_class_closure () from /usr/lib/libgobject-2.0.so.0
#40 0x00400f47 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#41 0x00401109 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#42 0x060e6cc2 in IA__gtk_widget_unrealize (widget=0x962e020) at gtkwidget.c:2367
#43 0x060e7625 in gtk_widget_dispose (object=0x962e020) at gtkwidget.c:6651
#44 0x060f2b26 in gtk_window_dispose (object=0x962e020) at gtkwindow.c:1762
#45 0x003f15f0 in g_object_run_dispose () from /usr/lib/libgobject-2.0.so.0
#46 0x0601147e in IA__gtk_object_destroy (object=0x962e020) at gtkobject.c:404
#47 0x060e7815 in IA__gtk_widget_destroy (widget=0x962e020) at gtkwidget.c:1995
#48 0x0074218f in nsWindow::Destroy (this=0x976ff30) at nsWindow.cpp:421
#49 0x0074229f in ~nsWindow (this=0x976ff30) at nsWindow.cpp:320
#50 0x0075077d in nsBaseWidget::Release (this=0x976ff30) at nsBaseWidget.cpp:64
#51 0x0073fd69 in nsWindow::Release (this=0x976ff30) at nsWindow.cpp:334
#52 0x00747218 in nsCommonWidget::DispatchEvent (this=0x976ff30, aEvent=0xbfbdae5c, aStatus=@0xbfbdae8c) at nsCommonWidget.cpp:225
#53 0x007406c0 in nsWindow::OnDeleteEvent (this=0x976ff30, aWidget=0x962e020, aEvent=0x974c160) at nsWindow.cpp:1421
#54 0x007406e8 in delete_event_cb (widget=0x962e020, event=0x974c160) at nsWindow.cpp:3658
#55 0x05ff54de in _gtk_marshal_BOOLEAN__BOXED (closure=0x9775b28, return_value=0xbfbdb008, n_param_values=2, param_values=0xbfbdb0e4, invocation_hint=0xbfbdaff4, marshal_data=0x7406ca) at gtkmarshalers.c:83
#56 0x003eef6d in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#57 0x003ffa3d in g_signal_override_class_closure () from /usr/lib/libgobject-2.0.so.0
#58 0x00400d0f in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#59 0x00401109 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#60 0x060e0028 in gtk_widget_event_internal (widget=0x962e020, event=0x974c160) at gtkwidget.c:3732
#61 0x05ff02e6 in IA__gtk_main_do_event (event=0x974c160) at gtkmain.c:1356
#62 0x05e1293a in gdk_event_dispatch (source=0x94a27e0, callback=0, user_data=0x0) at gdkevents-x11.c:2291
#63 0x0027009d in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#64 0x0027332f in g_main_context_check () from /usr/lib/libglib-2.0.so.0
#65 0x002736d9 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#66 0x05ff0594 in IA__gtk_main () at gtkmain.c:1001
#67 0x00746046 in nsAppShell::Run (this=0x95b2b38) at nsAppShell.cpp:139
#68 0x009e61c0 in nsAppStartup::Run (this=0x95b2af8) at nsAppStartup.cpp:150
#69 0x0804f21a in XRE_main (argc=4, argv=0xbfbdb9b4, aAppData=0x8063080) at nsAppRunner.cpp:2313
#70 0x0804af75 in main (argc=4, argv=0xbfbdb9b4) at nsBrowserApp.cpp:61
#71 0x006167e4 in __libc_start_main () from /lib/libc.so.6
#72 0x0804aed1 in _start ()

Comment 2 Thomas Fitzsimmons 2006-04-10 16:29:19 UTC
This crash is caused by a leak in Firefox's generic plugin loading code -- the
nsPluginInstanceOwner destructor isn't being called which means that the
associated nsPluginNativeWindowGtk2's destructor isn't being called.  So
unmapped GtkSockets are never destroyed and thus never removed from the
MozContainer.  Changing the theme triggers the crash because it attempts to
access the colormaps of the unmapped GtkSockets.

I tested CVS HEAD Firefox and the issue is resolved, and the
nsPluginNativeWindowGtk2 is created when a plugin page is loaded and destroyed
when the plugin page is unloaded.

Some digging in bugzilla.mozilla.org revealed that this was likely fixed by
Christian Biesinger's rewrite of the plugin loading/unloading code:

https://bugzilla.mozilla.org/show_bug.cgi?id=309706

I'd like to leave this report open until Christian's patches land in Rawhide.
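A constructed C model of the failure chain in Comment 2 (added here; this is not Mozilla, GTK or the reporter's code). The Socket and Container structs are stand-ins for GtkSocket and the MozContainer child list, and simulate() compares the Firefox 1.5 behaviour (plugin owner destructor never runs, so sockets pile up in the container with colormap == 0) against the fixed behaviour (socket destroyed when the plugin page is unloaded):

```c
#include <stdlib.h>
/* Constructed stand-in for a GtkSocket: only the field the theme walk touches. */
typedef struct Socket { void *colormap; struct Socket *next; } Socket;
/* Constructed stand-in for MozContainer's child list (tmp_list in Comment 1). */
typedef struct { Socket *children; } Container;
/* gtk_socket_new: a realized socket with a colormap, linked into the container. */
static Socket *socket_new(Container *c) {
    Socket *s = calloc(1, sizeof *s);
    s->colormap = malloc(1);
    s->next = c->children;
    c->children = s;
    return s;
}
/* Navigating away unrealizes the socket: colormap gone, widget still a child. */
static void socket_unrealize(Socket *s) { free(s->colormap); s->colormap = NULL; }
/* gtk_widget_destroy: unlink from the container and free. */
static void socket_destroy(Container *c, Socket *s) {
    Socket **p = &c->children;
    while (*p && *p != s) p = &(*p)->next;
    if (*p) { *p = s->next; free(s->colormap); free(s); }
}
static size_t container_len(const Container *c) {
    size_t n = 0;
    for (const Socket *s = c->children; s; s = s->next) n++;
    return n;
}
/* Theme change: reset_rc_styles visits every child and asks for its colormap.
 * Each NULL colormap is one gdk_colormap_get_screen(cmap=0x0) assertion. */
static size_t theme_reset_null_colormaps(const Container *c) {
    size_t n = 0;
    for (const Socket *s = c->children; s; s = s->next) if (!s->colormap) n++;
    return n;
}
/* Visit the plugin page `visits` times, leaving via the non-plugin page between
 * visits. owner_dtor_runs=0 models Firefox 1.5 (nsPluginInstanceOwner never
 * destructed, socket never destroyed); 1 models the fixed behaviour. Returns the
 * child count after the last visit; *assertions receives the NULL-colormap count. */
static size_t simulate(int visits, int owner_dtor_runs, size_t *assertions) {
    Container c = { NULL };
    Socket *cur = NULL;
    for (int i = 0; i < visits; i++) {
        if (cur) {
            socket_unrealize(cur);
            if (owner_dtor_runs) socket_destroy(&c, cur);
        }
        cur = socket_new(&c);
    }
    *assertions = theme_reset_null_colormaps(&c);
    size_t len = container_len(&c);
    while (c.children) socket_destroy(&c, c.children);
    return len;
}
```

With the leak, the child count equals the number of visits and every socket but the current one has a NULL colormap, exactly what the reporter saw in tmp_list; with the fix only the current socket remains.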


Comment 3 Thomas Fitzsimmons 2006-04-10 17:55:31 UTC
caillon tells me that Firefox 2.0 will contain Christian's patches and it is
scheduled to be released before Fedora Core 6.


Comment 4 Thomas Fitzsimmons 2007-10-29 21:41:22 UTC
This is fixed in Rawhide.

