GNOME Bugzilla – Bug 737932
Browser plugin is crashy
Last modified: 2015-11-17 19:18:18 UTC
Moving this from WebKit Bugzilla... the gnome-shell browser plugin likes to crash WebKit on extensions.gnome.org, but it's not reproducible. It seems to be calling invokeDefault() with a NULL NPObject:

0 WebKit::NPN_InvokeDefault (npp=<optimized out>, npObject=0x0, arguments=0x7fff90c65a90, argumentCount=3, result=0x7fff90c65a70) at /usr/src/debug/webkitgtk-2.6.0/Source/WebKit2/WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp:686
        plugin = {m_ptr = 0x7f88605d3dc0}
        protector = {m_protector = {_M_t = {<std::_Tuple_impl<0ul, WebKit::PluginController::PluginDestructionProtector*, std::default_delete<WebKit::PluginController::PluginDestructionProtector> >> = {<std::_Tuple_impl<1ul, std::default_delete<WebKit::PluginController::PluginDestructionProtector> >> = {<std::_Tuple_impl<2ul>> = {<No data fields>}, <std::_Head_base<1ul, std::default_delete<WebKit::PluginController::PluginDestructionProtector>, true>> = {<std::default_delete<WebKit::PluginController::PluginDestructionProtector>> = {<No data fields>}, <No data fields>}, <No data fields>}, <std::_Head_base<0ul, WebKit::PluginController::PluginDestructionProtector*, false>> = {_M_head_impl = 0x2017990}, <No data fields>}, <No data fields>}}}
+ Trace 234178
It looks like you always disconnect the signal handler that calls on_shell_signal() when the NPObject is deallocated, so I wonder if there's a thread safety issue. Check the See Also field for crash stats and a full backtrace.
Created attachment 315032 [details] [review]
browser-plugin: link with -Wl,-z,nodelete

This is because the plugin uses glib types registered statically (which is the default).

(WebKitPluginProcess:383): GLib-GObject-WARNING **: cannot register existing type 'JsonGenerator'
(WebKitPluginProcess:383): GLib-GObject-WARNING **: cannot add private field to invalid (non-instantiatable) type '<invalid>'
(WebKitPluginProcess:383): GLib-CRITICAL **: g_once_init_leave: assertion 'result != 0' failed
(WebKitPluginProcess:383): GLib-GObject-CRITICAL **: g_object_new: assertion 'G_TYPE_IS_OBJECT (object_type)' failed

We need to ensure that the module is never unloaded.
Review of attachment 315032 [details] [review]: ::: browser-plugin/Makefile.am @@ +4,3 @@ mozillalib_LTLIBRARIES = libgnome-shell-browser-plugin.la +libgnome_shell_browser_plugin_la_LDFLAGS = -module -avoid-version -no-undefined -Wl,-z,nodelete I think if you don't leave a comment, some poor soul will stumble upon this in the future, say "why is that there," not check the git log, and delete it.
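Review bot: the new libgnome_shell_browser_plugin_la_LDFLAGS line in the Makefile.am hunk adds -Wl,-z,nodelete without a comment saying why the module must stay loaded; put one directly above it, e.g. `# Never unload: the plugin's statically registered GTypes cannot be re-registered after a reload`, so the flag is not mistaken for a leftover and removed. Worth noting in the same comment that -z nodelete is a GNU ld option, so the build now assumes a GNU-compatible linker.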
Comment on attachment 315032 [details] [review]
browser-plugin: link with -Wl,-z,nodelete

Pushed to git master and gnome-3-18 branches.
*** Bug 691686 has been marked as a duplicate of this bug. ***
Downstream reports indicate this crash still occurs with gnome-shell 3.18.2 :(
Created attachment 315747 [details] [review]
Do not create a new object every time NPPVpluginScriptableNPObject is requested

The problem is that we are creating a new scriptable object for the plugin instance every time NPPVpluginScriptableNPObject is requested. That confuses everything: the website uses only one of those to set the onchange listener, but all of them connect to the dbus signal, so it's very easy that the object handling the signal doesn't have the listener. That's why NPN_InvokeDefault is called with a null object. It's easier to simply create the scriptable object for the instance in its constructor, and always return that one when NPPVpluginScriptableNPObject is requested by the browser. This patch should fix the crashes, but it also fixes all the state inconsistencies I had noticed while trying it out in ephy.
btw, this patch applies on top of the patch attached to bug #757940
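The object-identity bug described for attachment 315747, as an added model that is not the gnome-shell plugin's or WebKit's code: NPAPI types are replaced by minimal stand-ins (ScriptableObject, PluginInstance, get_value_buggy and get_value_fixed are hypothetical names) so it runs stand-alone, and the "website" and "D-Bus signal handler" are two separate NPPVpluginScriptableNPObject requests against the same instance.

```c
/* Constructed model of the NPPVpluginScriptableNPObject lifetime bug; stand-ins, not NPAPI. */
#include <stdlib.h>
#include <stdbool.h>

typedef struct {
    int  refcount;
    bool has_onchange;   /* stands in for the JS onchange callback the website installs */
} ScriptableObject;

typedef struct {
    ScriptableObject *scriptable;   /* in the fixed version: created once per instance */
} PluginInstance;

static ScriptableObject *scriptable_new(void) {
    ScriptableObject *o = calloc(1, sizeof *o);
    o->refcount = 1;
    return o;
}
static ScriptableObject *scriptable_retain(ScriptableObject *o) { o->refcount++; return o; }
static void scriptable_release(ScriptableObject *o) { if (--o->refcount == 0) free(o); }

/* Buggy NPP_GetValue: a brand-new object on every request, so callers never share state. */
static ScriptableObject *get_value_buggy(PluginInstance *inst) { (void)inst; return scriptable_new(); }

/* Fixed NPP_GetValue: hand back the instance's single object, retained for the caller. */
static ScriptableObject *get_value_fixed(PluginInstance *inst) { return scriptable_retain(inst->scriptable); }

/* First request: the website installs onchange. Second request: the signal handler looks
 * for a listener to invoke. Returns true if it finds one, i.e. no NULL object would reach
 * NPN_InvokeDefault. */
static bool simulate(ScriptableObject *(*get_value)(PluginInstance *)) {
    PluginInstance inst = { .scriptable = scriptable_new() };   /* instance constructor */
    ScriptableObject *seen_by_site   = get_value(&inst);
    seen_by_site->has_onchange = true;
    ScriptableObject *seen_by_signal = get_value(&inst);
    bool listener_present = seen_by_signal->has_onchange;
    scriptable_release(seen_by_site);
    scriptable_release(seen_by_signal);
    scriptable_release(inst.scriptable);                         /* instance destructor */
    return listener_present;
}
```

simulate(get_value_buggy) returns false (the handler's object has no listener), simulate(get_value_fixed) returns true, and both paths free every object exactly once.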