Closed Bug 1022135 Opened 10 years ago Closed 10 years ago

Using DOM inspector addon crashes [@gfxContext::gfxContext][@nsRenderingContext::Init] in gtk3 build

Categories

(Core :: Widget: Gtk, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 1013552

People

(Reporter: glandium, Unassigned)

Details

STR:
- Install DOM Inspector addon: https://addons.mozilla.org/en-US/firefox/addon/dom-inspector-6622/?src=search
- Restart gtk3 firefox.
- Open web page.
- Open DOM Inspector (F10 to show the menubar, Tools > Web Developer > DOM Inspector (*not* Inspector)).
- Click the icon under the "File" menu. The one with the tooltip saying "Find a node to inspect by clicking on it"
- Click somewhere in the web page.
- Crash.

That works without that icon, simply by developing the DOM tree in the left pane and selecting visible elements.

Backtrace:
#0  gfxContext::gfxContext (this=0x7fffb4a21160, surface=0x0)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/gfx/thebes/gfxContext.cpp:88
No locals.
#1  0x00007fffe8a7c9a2 in nsRenderingContext::Init (this=this@entry=0x7fffbd3cba80, aContext=0x7fffc89fe860, aThebesSurface=0x0)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/gfx/src/nsRenderingContext.cpp:72
No locals.
#2  0x00007fffe95b9c7d in inFlasher::DrawElementOutline (this=0x7fffb4abc920, aElement=<optimized out>)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/layout/inspector/inFlasher.cpp:134
        rect = {<mozilla::gfx::BaseRect<int, nsRect, nsPoint, nsSize, nsMargin>> = {x = -20224, y = 32767, width = -386702873, 
            height = 32767}, <No data fields>}
        isLastFrame = <optimized out>
        offset = {<mozilla::gfx::BasePoint<int, nsPoint>> = {x = 36930, y = 12200}, <No data fields>}
        widget = 0x7ffff6c56830
        window = {<nsCOMPtr_base> = {mRawPtr = 0x7fffc9922820}, <No data fields>}
        presShell = {<nsCOMPtr_base> = {mRawPtr = 0x7fffc89a5800}, <No data fields>}
        frame = 0x7fffc8526c58
        isFirstFrame = true
#3  0x00007fffe8665b46 in NS_InvokeByIndex (that=<optimized out>, methodIndex=<optimized out>, paramCount=<optimized out>, 
    params=<optimized out>)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
        nr_stack = <optimized out>
        gpregs = {140736600685848, 140736555091760, 140736224822016, 140736600685824, 208432219914410296, 0}
        d0 = <optimized out>
        d5 = <optimized out>
        a1 = <optimized out>
        result = <optimized out>
        d1 = <optimized out>
        d6 = <optimized out>
        a2 = <optimized out>
        methodAddress = <optimized out>
        d2 = <optimized out>
        d7 = <optimized out>
        a3 = <optimized out>
        stack = 0x7fffffffb020
        fpregs = {6.9533558068464778e-310, 6.9533297541203157e-310, 6.9533362454949844e-310, 5.1567068557972845e+63, 
          2.0912018606438872e-296, 6.9533377637797612e-310, 1.4693719670179912e+206, 6.9533279363472722e-310}
        d3 = <optimized out>
        a4 = <optimized out>
        d4 = <optimized out>
        a0 = <optimized out>
        a5 = <optimized out>
#4  0x00007fffe8f4b630 in Invoke (this=0x7fffffffb1e8)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/js/xpconnect/src/XPCWrappedNative.cpp:2389
        argc = <optimized out>
#5  Call (this=0x7fffffffb1e8) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/xpconnect/src/XPCWrappedNative.cpp:1730
        foundDependentParam = <optimized out>
#6  XPCWrappedNative::CallMethod (ccx=..., mode=mode@entry=XPCWrappedNative::CALL_METHOD)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/js/xpconnect/src/XPCWrappedNative.cpp:1697
        rv = <optimized out>
#7  0x00007fffe8f50254 in XPC_WN_CallMethod (cx=0x7fffcb173d00, argc=1, vp=0x7fffde6021e8)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1273
        funobj = {<js::RootedBase<JSObject*>> = {<No data fields>}, stack = 0x7fffcb173d18, prev = 0x7fffffffbf90, 
          ptr = 0x7fffb4b08280}
        obj = {<js::RootedBase<JSObject*>> = {<No data fields>}, stack = 0x7fffcb173d18, prev = 0x7fffffffb398, ptr = 0x7fffb4c29e20}
        member = 0x7fffb4929558
        args = {<JS::detail::CallArgsBase<(JS::detail::UsedRval)0>> = {<JS::CallReceiver> = {<JS::detail::CallReceiverBase<(JS::detail::UsedRval)0>> = {<JS::detail::UsedRvalBase<(JS::detail::UsedRval)1>> = {<No data fields>}, 
                argv_ = 0x7fffde6021f8}, <No data fields>}, argc_ = 1}, <No data fields>}
        ccx = {<nsAXPCNativeCallContext> = {_vptr.nsAXPCNativeCallContext = 0x7fffeba152a0 <vtable for XPCCallContext+16>}, mAr = {
            mContext = 0x7fffcb173d00}, mState = XPCCallContext::READY_TO_CALL, mXPC = {mRawPtr = 0x7fffe5983290}, 
          mXPCContext = 0x7fffcb0e3f70, mJSContext = 0x7fffcb173d00, mCallerLanguage = XPCContext::LANG_JS, 
          mPrevCallerLanguage = XPCContext::LANG_UNKNOWN, mPrevCallContext = 0x0, mWrapper = 0x7fffb4ab4b80, 
          mTearOff = 0x7fffb4ab4bc0, mScriptableInfo = 0x0, mSet = 0x7fffb4abc8e0, mInterface = 0x7fffb4929500, 
          mMember = 0x7fffb4929558, mName = {<js::RootedBase<jsid>> = {<No data fields>}, stack = 0x7fffcb173d58, 
            prev = 0x7fffffffbff0, ptr = {asBits = 140736409004664}}, mStaticMemberIsLocal = false, mArgc = 1, 
          mArgv = 0x7fffde6021f8, mRetVal = 0x7fffde6021e8, mMethodIndex = 9}
        iface = 0x7fffb4929500
#8  0x00007fffe9df5308 in CallJSNative (args=..., native=0x7fffe8f50087 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, 
    cx=0x7fffcb173d00) at /tmp/buildd/firefox-32.0~a1+20140606030206/js/src/jscntxtinlines.h:239
        ok = <optimized out>
#9  js::Invoke (cx=0x7fffcb173d00, args=..., construct=<optimized out>)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/js/src/vm/Interpreter.cpp:455
        gcIfNeeded = {cx_ = 0x7fffcb173d00}
        state = {<js::RunState> = {_vptr.RunState = 0x0, kind_ = (unknown: 3029505280), 
            script_ = {<js::RootedBase<JSScript*>> = {<No data fields>}, stack = 0x7fffffffb698, prev = 0x7fffffffb748, 
              ptr = 0x7fffffffb8d0}}, args_ = @0x7fffe9d3a215, initial_ = (js::INITIAL_CONSTRUCT | unknown: 4294948176), 
          useNewType_ = 255}
        ok = <optimized out>
        initial = <optimized out>
#10 0x00007fffe9dea222 in Interpret (cx=0x7fffcb173d00, state=...)
    at /tmp/buildd/firefox-32.0~a1+20140606030206/js/src/vm/Interpreter.cpp:2561
        construct = false
(snip)
This crash is not really surprising. The NULL pointer that is passed down to gfxContext::gfxContext comes from widget->GetThebesSurface().

nsIWidget defines GetThebesSurface as
  virtual gfxASurface *GetThebesSurface() = 0;

nsBaseWidget, which derives from nsIWidget, defines it as:
  virtual gfxASurface*    GetThebesSurface();

and has an implementation that returns a null pointer.

gtk's nsWindow, which derives from nsBaseWidget, defines it as:
  gfxASurface       *GetThebesSurface(); for GTK2
and
  gfxASurface       *GetThebesSurface(cairo_t *cr); for GTK3

IOW, GTK3 doesn't have a proper implementation of GetThebesSurface.
GetThebesSurface is going away, see bug 991640.
It seems to me the definition of GetThebesSurface() should be removed from nsIWidget and nsBaseWidget. layout/inspector/inFlasher.cpp is the last place where it's used outside of widget code. And in fact, even in widget code, it seems to be dead code for windows and gonk.
Heh. Looks like my analysis matches bug 991640 :)
So, in practice, this is going to be fixed by the removal of nsIFlasher in bug 1018324.
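To make the mechanism behind this crash concrete, here is an added, self-contained C++ illustration (not Gecko code; the nsIWidget/nsBaseWidget/nsWindow names are stand-ins modelled on the declarations quoted above, and gfxASurface and cairo_t are constructed stubs). It shows why a GTK3-style GetThebesSurface(cairo_t*) hides rather than overrides the base method, so a caller holding only an nsIWidget* (as inFlasher::DrawElementOutline does) gets nsBaseWidget's null pointer, and what the missing null check in the caller looks like.

```cpp
#include <cstdio>

// Constructed stand-ins for the real types; only the shape matters here.
struct cairo_t {};
struct gfxASurface { int id; };

// nsIWidget: pure virtual declaration, as quoted in the bug.
struct nsIWidget {
    virtual ~nsIWidget() {}
    virtual gfxASurface* GetThebesSurface() = 0;
};

// nsBaseWidget: the default implementation returns a null pointer.
struct nsBaseWidget : nsIWidget {
    gfxASurface* GetThebesSurface() override { return nullptr; }
};

// GTK2-style nsWindow: identical signature, so it really overrides the base.
struct nsWindowGtk2 : nsBaseWidget {
    gfxASurface surface{2};
    gfxASurface* GetThebesSurface() override { return &surface; }
};

// GTK3-style nsWindow: different parameter list. This HIDES the base method
// instead of overriding it, so virtual dispatch through nsIWidget* still
// lands in nsBaseWidget's null-returning version. Spelling `override` on
// this declaration would be a compile error, which is the cheap check that
// catches this class of bug at build time.
struct nsWindowGtk3 : nsBaseWidget {
    gfxASurface surface{3};
    gfxASurface* GetThebesSurface(cairo_t* /*cr*/) { return &surface; }
};

// Mimics the inFlasher::DrawElementOutline call path: the caller only has an
// nsIWidget* and wants a surface to draw on. Returns the surface id, or -1
// where the unchecked original would have handed nullptr to gfxContext.
int SurfaceIdViaWidget(nsIWidget* widget) {
    gfxASurface* surface = widget->GetThebesSurface();
    if (!surface) {
        return -1;  // the null check the original path lacked
    }
    return surface->id;
}

int main() {
    nsWindowGtk2 gtk2;
    nsWindowGtk3 gtk3;
    std::printf("gtk2: %d\n", SurfaceIdViaWidget(&gtk2));  // 2
    std::printf("gtk3: %d\n", SurfaceIdViaWidget(&gtk3));  // -1 (would crash unchecked)
    return 0;
}
```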
Depends on: 1018324
A dup of bug 991272
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Blocks: 1034064
No longer blocks: 1034064