GNOME Bugzilla – Bug 634934
Crash under NP_GetMIMEDescription () from /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
Last modified: 2010-11-16 13:00:20 UTC
See https://bugzilla.mozilla.org/show_bug.cgi?id=611954 -- while enumerating plugin information for libtotem-cone-plugin.so we hit a segfault (observed on x64 Ubuntu).

STR:
1. Create a debug Firefox build. ( https://developer.mozilla.org/En/Simple_Firefox_build )
2. Have libtotem-cone-plugin.so as a plugin.
3. Run, from the top-level directory, "make -C objdir-ff-debug xpcshell-tests" -- I see 31 failures, as given by the gzipped log file in the Mozilla bug.
4. Isolate any given test with "TEST_PATH=$PATH_SUFFIX make -C objdir-ff-debug xpcshell-tests", where $PATH_SUFFIX is given by the part of the path following /_tests/, for example: xpcshell/modules/plugin/test/unit/test_bug471245.js
Thanks for taking the time to report this bug. Without a stack trace from the crash it's very hard to determine what caused it. Can you get us a stack trace? Please see http://live.gnome.org/GettingTraces for more information on how to do so. Thanks in advance!
The backtrace in the linked bug is missing debug symbols for totem and glib/gio. Please install them, and get a new backtrace, and also paste any console output created before the crash. (For future reference, please always copy all the relevant info from other bug trackers, instead of just linking.)
(In reply to comment #2) Will get those to you soon. (Not sure that this is really sev:critical, since I've only seen the crash during our debug tests.)
Created attachment 174575: backtrace

Got one more frame for you!
700 G_LOCK (gio_xdgmime);

Looks unlikely to crash... unless... is xpcshell initialising gthread and gobject (i.e. calling g_type_init() somewhere)?
Created attachment 174579: IA__g_content_type_get_description state at point of signal

Looks like it's calling an uninitialized local (at [rbp+8]).
(In reply to comment #6)
> Looks like it's calling an uninitialized local (at [rbp+8]).

(Er sorry, first function arg.)
(In reply to comment #5)
> Looks unlikely to crash... unless... is xpcshell initialising gthread and
> gobject (i.e. calling g_type_init() somewhere)?

Uh oh, when I set a breakpoint on g_type_init the segfault disappears!
(In reply to comment #8)
> Uh oh, when I set a breakpoint on g_type_init the segfault disappears!

Never mind, that was an artifact of the test. If I break on main, then on g_type_init, it never hits. I'll build a debug version of the plugin later to see if it repros there.
Right, so gobject is not initialised, and thus calling gio functions is not allowed. However, totem's NP_Initialize() implementation does call g_type_init() already. So how come Gecko calls NP_GetMIMEDescription() without first initialising the module through NP_Initialize()?
Oh, and NP_GetMIMEDescription() *also* calls g_type_init(). So I really don't see how you cannot hit g_type_init()... Actually I now see it was only added recently (bug 621771), so you just need to upgrade. *** This bug has been marked as a duplicate of bug 621771 ***
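The failure mode discussed in the thread (an exported plugin entry point relying on initialisation that a different entry point performs), as an added example that is not totem's or GLib's code. The g_type_init()/g_content_type_get_description() calls are constructed stand-ins with the same contract, and the two NP_GetMIMEDescription_* variants are hypothetical shapes of the entry point before and after bug 621771; the real GIO call segfaults under G_LOCK when uninitialised, which the stand-in models as a NULL return so it can be observed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for GLib/GIO (not the real library): a type system
 * that must be initialised before any content-type lookup is legal. */
static int type_system_ready = 0;

static void stand_in_g_type_init(void) { type_system_ready = 1; } /* idempotent */
static void reset_type_system(void) { type_system_ready = 0; }    /* "fresh process" */

static const char *stand_in_g_content_type_get_description(const char *mime) {
    if (!type_system_ready)
        return NULL;               /* real GIO: crash inside G_LOCK (gio_xdgmime) */
    if (strcmp(mime, "video/mpeg") == 0)
        return "MPEG video";
    return "unknown";
}

static char description_buf[128];

/* Builds the "mime:extension:description" string a plugin hands back. */
static const char *build_mime_description(void) {
    const char *desc = stand_in_g_content_type_get_description("video/mpeg");
    if (desc == NULL)
        return NULL;
    snprintf(description_buf, sizeof description_buf, "video/mpeg:mpg:%s", desc);
    return description_buf;
}

/* Pre-fix shape (hypothetical): assumes NP_Initialize() already ran g_type_init(). */
const char *NP_GetMIMEDescription_old(void) {
    return build_mime_description();
}

/* Fixed shape: the entry point initialises the type system itself, because the
 * browser may enumerate MIME types before it ever calls NP_Initialize(). */
const char *NP_GetMIMEDescription_fixed(void) {
    stand_in_g_type_init();
    return build_mime_description();
}

int main(void) {
    reset_type_system();
    const char *old = NP_GetMIMEDescription_old();
    printf("old, before NP_Initialize: %s\n", old ? old : "NULL (crash in real GIO)");
    reset_type_system();
    printf("fixed, before NP_Initialize: %s\n", NP_GetMIMEDescription_fixed());
    return 0;
}
```

Calling the old variant after a simulated NP_Initialize() (i.e. after stand_in_g_type_init()) succeeds, which is why the crash only shows up on the plugin-enumeration path.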