Bug 537456 - plugin crashes in webkit browsers
Status: RESOLVED FIXED
Product: totem
Classification: Core
Component: Browser plugin (obsolete)
Version: unspecified
OS: Other Linux
Priority/Severity: Urgent critical
Target Milestone: ---
Assigned To: totem-browser-maint
QA Contact: totem-browser-maint
Depends on:
Blocks:
Reported: 2008-06-09 18:42 UTC by Christian Persch
Modified: 2009-09-15 00:27 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
possible fix (untested) (13.33 KB, patch)
2009-09-12 21:08 UTC, Christian Persch
committed

Description Christian Persch 2008-06-09 18:42:22 UTC
Steps to repro:
0) Use totem plugin svn trunk in webkit GtkLauncher
1) Browse through apple.com/trailers

Sooner or later, it'll 'crash'. More precisely, dbus calls _exit behind our back:

(gdb) where
#0  _exit from /lib/tls/i686/cmov/libc.so.6
#1  _dbus_exit at dbus-sysdeps-unix.c line 2480
#2  _dbus_connection_update_dispatch_status_and_unlock at dbus-connection.c line 4032
#3  _dbus_connection_send_and_unlock at dbus-connection.c line 2015
#4  dbus_connection_send at dbus-connection.c line 3086
#5  send_no_return_values at dbus-bus.c line 1372
#6  dbus_bus_remove_match at dbus-bus.c line 1530
#7  dbus_g_proxy_manager_unregister at dbus-gproxy.c line 1055
#8  dbus_g_proxy_dispose at dbus-gproxy.c line 1453
#9  g_object_run_dispose at gobject.c line 573
#10 dbus_g_proxy_destroy at dbus-gproxy.c line 1486
#11 dbus_g_proxy_manager_filter at dbus-gproxy.c line 1148
#12 dbus_connection_dispatch at dbus-connection.c line 4379
#13 message_queue_dispatch at dbus-gmain.c line 101
#14 g_main_dispatch at gmain.c line 2063
#15 g_main_context_dispatch at gmain.c line 2615
#16 g_main_context_iterate at gmain.c line 2696
#17 g_main_loop_run at gmain.c line 2919
#18 gtk_main at gtkmain.c line 1160
#19 main at ../WebKitTools/GtkLauncher/main.c line 200

Comment 1 Bastien Nocera 2008-06-09 18:54:51 UTC
Try calling dbus_connection_set_exit_on_disconnect() with FALSE in totemPlugin::Init(). Should avoid exiting when a (shared?) connection goes away.
Comment 2 Christian Persch 2008-06-09 19:33:20 UTC
That seems to 'fix' it. However I'm not sure it's the right thing:
a) we share the connection with the host browser, which may not expect a disappearing dbus connection
b) there's got to be a cause for the dbus disconnects just when the plugin viewer starts up...
Comment 3 Bastien Nocera 2008-08-18 16:36:11 UTC
Is this still a problem?
Comment 4 Christian Persch 2008-08-26 18:13:43 UTC
Yes, this still happens with webkit trunk, using totem + gtk+ trunk, libdbus 1.1.20, dbus-glib 0.76. Trace as in comment 0.
Comment 5 Christian Persch 2008-11-27 14:19:43 UTC
Ok, I figured out what's happening here. I annotated all dbus calls in the plugin to validate strings, and it turns out we're trying to pass invalid UTF-8 over dbus. When that happens, we get disconnected from the bus of course.

Example:
** Message: totemNarrowSpacePlayer [0xa0069a8]
** Message: Base URI is 'http://www.apple.com/trailers/fox/australia/small2.htmlIQ\xf2\u0006'
[...]
CRITICAL **: ATTN! [Line 1058] Trying to pass non-UTF8 string over DBUS! [http://www.apple.com/trailers/fox/australia/small2.htmlIQ\362\006][len=59 pos=57]

from totemPlugin.cpp:
    mViewerPendingCall =
	dbus_g_proxy_begin_call (mViewerProxy,
				 "OpenStream",
				 ViewerOpenStreamCallback,
				 reinterpret_cast<void*>(this),
				 NULL,
				 G_TYPE_STRING, DO_VALIDATE_UTF8 (requestURI),
1058				 G_TYPE_STRING, DO_VALIDATE_UTF8 (baseURI),
				 G_TYPE_INVALID);

This is however NOT reproducible at will with always the same trailer, you have to browse around a bit. It seems this is memory corruption going on in webkit...

It's the baseURI, which is obtained through NPAPI calls into webkit.
Comment 6 Christian Persch 2008-11-27 14:24:34 UTC
Another possibility, besides memory corruption, is that the assumption used in totemPlugin that strings passed over NPAPI are always 0-terminated is wrong.
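An added example (not code from this bug's attachment or from Totem) of the guard comments 5 and 6 call for: treat the NPAPI buffer as length-delimited rather than NUL-terminated, and keep only the prefix that is valid UTF-8 before it is handed to dbus_g_proxy_begin_call, so libdbus never sees a string it would disconnect over. Function names are hypothetical; the sample inputs in the comments are constructed from the log lines above.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Byte length of the well-formed UTF-8 sequence starting at s (n bytes
 * available), or 0 if no valid sequence starts there. Rejects overlongs,
 * UTF-16 surrogates and code points above U+10FFFF, as libdbus does. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    unsigned char lo = 0x80, hi = 0xBF;   /* allowed range of the 2nd byte */
    size_t len;
    if (n == 0)      return 0;
    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xC2 && s[0] <= 0xDF)      len = 2;
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) { len = 3;
        if (s[0] == 0xE0) lo = 0xA0; else if (s[0] == 0xED) hi = 0x9F; }
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) { len = 4;
        if (s[0] == 0xF0) lo = 0x90; else if (s[0] == 0xF4) hi = 0x8F; }
    else             return 0;            /* stray continuation, C0/C1, F5+ */
    if (n < len || s[1] < lo || s[1] > hi) return 0;
    for (size_t i = 2; i < len; i++)
        if ((s[i] & 0xC0) != 0x80) return 0;
    return len;
}

/* Length of the longest prefix of a length-delimited buffer (NPAPI hands the
 * plugin UTF8Characters/UTF8Length pairs, not NUL-terminated strings) that is
 * valid UTF-8 and free of embedded NULs: the only part safe to pass to D-Bus.
 * For the 59-byte base URI in comment 5 ("...small2.htmlIQ\xF2\x06") this
 * stops at 57, the position libdbus complained about. */
size_t dbus_safe_prefix_len(const char *src, size_t len)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t good = 0;
    while (good < len && s[good] != 0) {
        size_t l = utf8_seq_len(s + good, len - good);
        if (l == 0) break;       /* invalid or cut-off sequence: truncate here */
        good += l;
    }
    return good;
}

/* NUL-terminated, heap-allocated copy of that safe prefix (caller frees). */
char *dbus_safe_string(const char *src, size_t len)
{
    size_t good = dbus_safe_prefix_len(src, len);
    char *out = malloc(good + 1);
    if (out) { memcpy(out, src, good); out[good] = '\0'; }
    return out;
}
```

Truncating silently is enough to keep the bus connection alive; the plugin should still log the event (as the DO_VALIDATE_UTF8 annotation did) because a truncated base URI is itself a symptom of the upstream bug.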
Comment 7 Christian Persch 2009-09-12 17:46:58 UTC
Now that 2.28 will ship with webkit-based epiphany, I think this is more critical. I'll try to have a stab at fixing it.
Comment 8 Christian Persch 2009-09-12 21:08:58 UTC
Created attachment 143083
possible fix (untested)
Comment 9 Christian Persch 2009-09-14 19:00:17 UTC
Comment on attachment 143083
possible fix (untested)

Committed after approval from Bastien on IRC.
Comment 10 Philip Withnall 2009-09-14 22:41:54 UTC
Fixed?
Comment 11 Bastien Nocera 2009-09-15 00:27:34 UTC
I still see things like this:
** (epiphany:16700): DEBUG: 0x2784990: "Base URI is 'http://www.apple.com/trailers/fox/australia/small2.html;1'"

Missing a few cases where we need to truncate? I've fixed that one. Let's reopen if we find more...