Bug 737932 - Browser plugin is crashy
Status: RESOLVED FIXED
Product: gnome-shell
Classification: Core
Component: extensions
Version: 3.13.x
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: gnome-shell-maint
QA Contact: gnome-shell-maint
Duplicates: 691686
Depends on:
Blocks:
Reported: 2014-10-05 15:40 UTC by Michael Catanzaro
Modified: 2015-11-17 19:18 UTC
See Also:
GNOME target: ---
GNOME version: ---
Attachments
browser-plugin: link with -Wl,-z,nodelete (1.06 KB, patch) - 2015-11-07 09:03 UTC, Carlos Garcia Campos - committed
Do not create a new object every time NPPVpluginScriptableNPObject is requested (10.50 KB, patch) - 2015-11-17 13:53 UTC, Carlos Garcia Campos - committed

Description Michael Catanzaro 2014-10-05 15:40:59 UTC
Moving this from WebKit Bugzilla... the gnome-shell browser plugin likes to crash WebKit on extensions.gnome.org, but it's not reproducible. It seems to be calling invokeDefault() with a NULL NPObject:

#0  WebKit::NPN_InvokeDefault (npp=<optimized out>, npObject=0x0, arguments=0x7fff90c65a90, argumentCount=3, result=0x7fff90c65a70) at /usr/src/debug/webkitgtk-2.6.0/Source/WebKit2/WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp:686
        plugin = {m_ptr = 0x7f88605d3dc0}
        protector = {m_protector = {_M_t = {<std::_Tuple_impl<0ul, WebKit::PluginController::PluginDestructionProtector*, std::default_delete<WebKit::PluginController::PluginDestructionProtector> >> = {<std::_Tuple_impl<1ul, std::default_delete<WebKit::PluginController::PluginDestructionProtector> >> = {<std::_Tuple_impl<2ul>> = {<No data fields>}, <std::_Head_base<1ul, std::default_delete<WebKit::PluginController::PluginDestructionProtector>, true>> = {<std::default_delete<WebKit::PluginController::PluginDestructionProtector>> = {<No data fields>}, <No data fields>}, <No data fields>}, <std::_Head_base<0ul, WebKit::PluginController::PluginDestructionProtector*, false>> = {_M_head_impl = 0x2017990}, <No data fields>}, <No data fields>}}}
#1  on_shell_signal at browser-plugin.c line 298

It looks like you always disconnect the signal handler that calls on_shell_signal() when the NPObject is deallocated, so I wonder if there's a thread safety issue.

Check the See Also field for crash stats and a full backtrace.
Comment 1 Carlos Garcia Campos 2015-11-07 09:03:11 UTC
Created attachment 315032 [details] [review]
browser-plugin: link with -Wl,-z,nodelete

This is because the plugin uses glib types registered statically (which is the default).

(WebKitPluginProcess:383): GLib-GObject-WARNING **: cannot register existing type 'JsonGenerator'

(WebKitPluginProcess:383): GLib-GObject-WARNING **: cannot add private field to invalid (non-instantiatable) type '<invalid>'

(WebKitPluginProcess:383): GLib-CRITICAL **: g_once_init_leave: assertion 'result != 0' failed

(WebKitPluginProcess:383): GLib-GObject-CRITICAL **: g_object_new: assertion 'G_TYPE_IS_OBJECT (object_type)' failed

We need to ensure that the module is never unloaded.
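The failure mode behind those GLib warnings, reproduced as an added example (this is not gnome-shell or WebKit code). A tiny host keeps a process-wide type registry, the way libgobject does inside WebKitPluginProcess; a plugin registers a "type" guarded by a static flag, the pattern that G_DEFINE_TYPE expands to; the host loads the plugin, calls its init, dlclose()s it and loads it again. The script assumes a working `cc` on Linux with a glibc-style dlclose() that really unmaps a library whose reference count drops to zero; the file names, the `host_register_type`/`plugin_init` functions and the "JsonGenerator" string are constructed for the demo.

```shell
#!/bin/sh
# Added demo: shows why a plugin with statically registered types must be
# linked with -Wl,-z,nodelete. Without it the DSO is unmapped on dlclose(),
# its static "already registered" flag comes back as 0 on reload, and the
# second registration collides with the entry the host process still holds.
set -eu

command -v cc >/dev/null 2>&1 || { echo "no C compiler available, skipping demo"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

write_sources() {
cat > "$WORK/host.c" <<'EOF'
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Process-wide registry: it outlives every plugin load/unload cycle,
 * like the GType table in libgobject, which WebKit never unloads. */
static char registry[16][64];
static int nregistered;

/* Stand-in for g_type_register_static(): a name may be registered once. */
int host_register_type(const char *name)
{
    for (int i = 0; i < nregistered; i++)
        if (strcmp(registry[i], name) == 0) {
            fprintf(stderr, "host: cannot register existing type '%s'\n", name);
            return 0;
        }
    snprintf(registry[nregistered++], sizeof registry[0], "%s", name);
    return 1;
}

int main(int argc, char **argv)
{
    int failures = 0;
    if (argc != 2) return 2;
    for (int round = 1; round <= 2; round++) {
        void *h = dlopen(argv[1], RTLD_NOW);
        if (!h) { fprintf(stderr, "%s\n", dlerror()); return 2; }
        int (*init)(void);
        *(void **)&init = dlsym(h, "plugin_init");
        if (!init) return 2;
        if (!init()) failures++;
        dlclose(h);              /* the browser unloading the plugin module */
    }
    printf("%d\n", failures);    /* rounds whose init failed */
    return 0;
}
EOF
cat > "$WORK/plugin.c" <<'EOF'
int host_register_type(const char *name);

/* Like the static GType cache behind every *_get_type(): it lives in the
 * DSO's data segment, so it is reset to 0 whenever the DSO is reloaded. */
static int type_registered;

int plugin_init(void)
{
    if (!type_registered) {
        if (!host_register_type("JsonGenerator"))   /* constructed type name */
            return 0;
        type_registered = 1;
    }
    return 1;
}
EOF
}

build_demo() {
    write_sources
    cc -rdynamic -o "$WORK/host" "$WORK/host.c" -ldl
    cc -shared -fPIC -o "$WORK/plugin_plain.so" "$WORK/plugin.c"
    cc -shared -fPIC -Wl,-z,nodelete -o "$WORK/plugin_nodelete.so" "$WORK/plugin.c"
}

# Prints how many of the two load/init/unload rounds failed for one build.
run_demo() {   # $1 = plain | nodelete
    "$WORK/host" "$WORK/plugin_$1.so"
}

build_demo
echo "plain:    $(run_demo plain) failed init(s)"      # 1 on glibc, where dlclose() really unmaps
echo "nodelete: $(run_demo nodelete) failed init(s)"   # 0: the DSO stays mapped, the flag survives
```

On glibc the plain build reports one failed round and prints the "cannot register existing type" line on the second load, while the nodelete build reports none; on musl, whose dlclose() never unmaps, both report none. The host could achieve the same with dlopen(RTLD_NODELETE), but a plugin does not control how the browser opens it, which is why the link flag on the plugin itself is the right place for the fix.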
Comment 2 Michael Catanzaro 2015-11-07 14:17:27 UTC
Review of attachment 315032 [details] [review]:

::: browser-plugin/Makefile.am
@@ +4,3 @@
 mozillalib_LTLIBRARIES = libgnome-shell-browser-plugin.la
 
+libgnome_shell_browser_plugin_la_LDFLAGS = -module -avoid-version -no-undefined -Wl,-z,nodelete
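Review bot: the new `-Wl,-z,nodelete` on the LDFLAGS line carries no comment saying why it is there, so a later cleanup that normalises the libtool flags could drop it and silently bring the crash back; the reason only exists in comment 1 of this bug. Suggest a comment directly above the line, e.g. `# -Wl,-z,nodelete: the plugin registers static GTypes, which cannot be re-registered if the browser unloads and reloads the module (bug 737932)`.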

I think if you don't leave a comment, some poor soul will stumble upon this in the future, say "why is that there," not check the git log, and delete it.
Comment 3 Carlos Garcia Campos 2015-11-10 14:26:38 UTC
Comment on attachment 315032 [details] [review]
browser-plugin: link with -Wl,-z,nodelete

Pushed to git master and gnome-3-18 branches.
Comment 4 Carlos Garcia Campos 2015-11-11 09:48:34 UTC
*** Bug 691686 has been marked as a duplicate of this bug. ***
Comment 5 Michael Catanzaro 2015-11-16 16:54:50 UTC
Downstream reports indicate this crash still occurs with gnome-shell 3.18.2 :(
Comment 6 Carlos Garcia Campos 2015-11-17 13:53:03 UTC
Created attachment 315747 [details] [review]
Do not create a new object every time NPPVpluginScriptableNPObject is requested

The problem is that we are creating a new scriptable object for the plugin instance every time NPPVpluginScriptableNPObject is requested. That confuses everything: the website uses only one of those to set the onchange listener, but all of them connect to the dbus signal, so it's very easy that the object handling the signal doesn't have the listener. That's why NPN_InvokeDefault is called with a null object. It's easier to simply create the scriptable object for the instance in its constructor, and always return that one when NPPVpluginScriptableNPObject is requested by the browser. This patch should fix the crashes, but it also fixes all the state inconsistencies I had noticed while trying it out in ephy.
Comment 7 Carlos Garcia Campos 2015-11-17 13:56:37 UTC
btw, this patch applies on top of the patch attached to bug #757940