Bug 21240 - segmentation fault while closing a page with flash object
Status: RESOLVED DUPLICATE of bug 21390
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Reported: 2008-09-30 05:33 PDT by Riccardo Magliocchetti
Modified: 2008-10-11 13:42 PDT
Description Riccardo Magliocchetti 2008-09-30 05:33:02 PDT
WebKit version r37056 (+ patch from bug 20779)

How to reproduce:
- get and install swfdec 0.8 and swfdec-mozilla
- point GtkLauncher to http://www.youtube.com
- play the YouTube thumbnailer "Videos being watched right now..."
- close GtkLauncher

(GtkLauncher:27763): Gtk-CRITICAL **: gtk_widget_queue_draw_area: assertion `GTK_IS_WIDGET (widget)' failed

(GtkLauncher:27763): Gtk-CRITICAL **: gtk_widget_queue_draw_area: assertion `GTK_IS_WIDGET (widget)' failed

(GtkLauncher:27763): Gtk-CRITICAL **: gtk_widget_queue_draw_area: assertion `GTK_IS_WIDGET (widget)' failed
Loading stream: http://i2.ytimg.com/vi/AJz4GmxXcrs/default.jpg
Loading stream: http://i2.ytimg.com/vi/AJz4GmxXcrs/default.jpg
Loading stream: http://i3.ytimg.com/vi/vmxz-khEvuU/default.jpg
Loading stream: http://i3.ytimg.com/vi/vmxz-khEvuU/default.jpg
Loading stream: http://i3.ytimg.com/vi/NKcHftQoQp4/default.jpg
Loading stream: http://i3.ytimg.com/vi/NKcHftQoQp4/default.jpg
Loading stream: http://i3.ytimg.com/vi/FBivlhYeFcg/default.jpg
Loading stream: http://i3.ytimg.com/vi/FBivlhYeFcg/default.jpg
Loading stream: http://i2.ytimg.com/vi/u_dVzR-L6Uc/default.jpg
Loading stream: http://i2.ytimg.com/vi/u_dVzR-L6Uc/default.jpg
SWFDEC: WARN : swfdec_as_interpret.c(875): swfdec_action_call_method: no function named "gotoAndPlay" on object unknown

(GtkLauncher:27763): Gtk-CRITICAL **: gtk_widget_queue_draw_area: assertion `GTK_IS_WIDGET (widget)' failed

(GtkLauncher:27763): Gtk-CRITICAL **: gtk_widget_queue_draw_area: assertion `GTK_IS_WIDGET (widget)' failed

(GtkLauncher:27763): GLib-GObject-WARNING **: invalid unclassed pointer in cast to `GtkWidget'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb5766720 (LWP 27763)]
0xb7390197 in gtk_range_size_allocate (widget=0x8b454c8, allocation=0xbfefe8bc) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkrange.c:1228
1228	/build/buildd/gtk+2.0-2.12.11/gtk/gtkrange.c: No such file or directory.
	in /build/buildd/gtk+2.0-2.12.11/gtk/gtkrange.c
(gdb) bt full
#0  0xb7390197 in gtk_range_size_allocate (widget=0x8b454c8, allocation=0xbfefe8bc) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkrange.c:1228
No locals.
#1  0xb70410da in IA__g_cclosure_marshal_VOID__BOXED (closure=0x8b0afd8, return_value=0x0, n_param_values=2, param_values=0x9027f90, invocation_hint=0xbfefe6fc, 
    marshal_data=0xb7390160) at /tmp/buildd/glib2.0-2.17.7/gobject/gmarshal.c:566
	data1 = (gpointer) 0x8b454c8
	data2 = (gpointer) 0x8b073e0
	__PRETTY_FUNCTION__ = "IA__g_cclosure_marshal_VOID__BOXED"
#2  0xb70312d9 in g_type_class_meta_marshal (closure=0x8b0afd8, return_value=0x0, n_param_values=2, param_values=0x9027f90, invocation_hint=0xbfefe6fc, marshal_data=0x80)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gclosure.c:878
	callback = <value optimized out>
#3  0xb7032b63 in IA__g_closure_invoke (closure=0x8b0afd8, return_value=0x0, n_param_values=2, param_values=0x9027f90, invocation_hint=0xbfefe6fc)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gclosure.c:767
	marshal = (GClosureMarshal) 0xb7031290 <g_type_class_meta_marshal>
	marshal_data = (gpointer) 0x80
	__PRETTY_FUNCTION__ = "IA__g_closure_invoke"
#4  0xb7049bde in signal_emit_unlocked_R (node=0x8b0b148, detail=0, instance=0x8b454c8, emission_return=0x0, instance_and_params=0x9027f90)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:3174
	accumulator = (SignalAccumulator *) 0x0
	emission = {next = 0x0, instance = 0x8b454c8, ihint = {signal_id = 15, detail = 0, run_type = G_SIGNAL_RUN_FIRST}, state = EMISSION_RUN, chain_type = 145968872}
	class_closure = (GClosure *) 0x8b0afd8
	handler_list = (Handler *) 0x0
	return_accu = (GValue *) 0x0
	accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, 
      v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
	signal_id = 15
	max_sequential_handler_number = 299
	return_value_altered = 0
#5  0xb704bac6 in IA__g_signal_emit_valist (instance=0x8b454c8, signal_id=15, detail=0, var_args=0xbfefe8a0 "&#65533;&#65533;&#65533;&#65533;\001") at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:2977
	signal_return_type = 4
	param_values = (GValue *) 0x9027fa4
	node = (SignalNode *) 0x8b0b148
	i = 1
	n_params = 1
	__PRETTY_FUNCTION__ = "IA__g_signal_emit_valist"
#6  0xb704bf56 in IA__g_signal_emit (instance=0x8b454c8, signal_id=15, detail=0) at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:3034
No locals.
#7  0xb747c994 in IA__gtk_widget_size_allocate (widget=0x8b454c8, allocation=0xbfefe918) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkwidget.c:3818
	aux_info = <value optimized out>
	real_allocation = {x = 198, y = 0, width = 15, height = 1}
	old_allocation = {x = 423, y = 103, width = 1, height = 1}
	size_changed = 1
	position_changed = 1
	__PRETTY_FUNCTION__ = "IA__gtk_widget_size_allocate"
#8  0xb7b686a8 in WebCore::ScrollbarGtk::frameRectsChanged () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#9  0xb7b686f1 in WebCore::ScrollbarGtk::setFrameRect () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#10 0xb7b679a2 in WebCore::ScrollView::updateScrollbars () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#11 0xb791a6ce in WebCore::ScrollView::setScrollbarModes () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#12 0xb78dce2b in WebCore::FrameView::resetScrollbars () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#13 0xb78df523 in WebCore::FrameView::~FrameView () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#14 0xb79c7235 in WebCore::RenderPart::~RenderPart () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#15 0xb79c75bd in WebCore::RenderPartObject::~RenderPartObject () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#16 0xb79c1ecf in WebCore::RenderObject::arenaDelete () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#17 0xb79ed80b in WebCore::RenderWidget::deref () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#18 0xb79ee4f1 in WebCore::RenderWidget::destroy () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#19 0xb775e729 in WebCore::Node::detach () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#20 0xb772a81e in WebCore::ContainerNode::detach () from /usr/local/lib/libwebkit-1.0.so.1
---Type <return> to continue, or q <return> to quit---
No locals.
#21 0xb774f3e3 in WebCore::Element::detach () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#22 0xb772a80b in WebCore::ContainerNode::detach () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#23 0xb774f3e3 in WebCore::Element::detach () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#24 0xb772a80b in WebCore::ContainerNode::detach () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#25 0xb774f3e3 in WebCore::Element::detach () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#26 0xb772a80b in WebCore::ContainerNode::detach () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#27 0xb7732bd7 in WebCore::Document::detach () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#28 0xb78d3d4e in WebCore::Frame::setView () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#29 0xb78fa01a in WebCore::Page::~Page () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#30 0xb766fde3 in webkit_web_view_finalize () from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#31 0xb7034e23 in IA__g_object_unref (_object=0x8b48010) at /tmp/buildd/glib2.0-2.17.7/gobject/gobject.c:2411
	object = (GObject *) 0x8b48010
	__PRETTY_FUNCTION__ = "IA__g_object_unref"
#32 0xb736f6ee in IA__gtk_object_destroy (object=0x8b48010) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkobject.c:403
	__PRETTY_FUNCTION__ = "IA__gtk_object_destroy"
#33 0xb7262fff in gtk_bin_forall (container=0x8b03928, include_internals=0, callback=0xbfefe8bc, callback_data=0x0) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkbin.c:133
	__PRETTY_FUNCTION__ = "gtk_bin_forall"
#34 0xb73ae145 in gtk_scrolled_window_forall (container=0x8b03928, include_internals=0, callback=0xb747f3b0 <IA__gtk_widget_destroy>, callback_data=0x0)
    at /build/buildd/gtk+2.0-2.12.11/gtk/gtkscrolledwindow.c:1021
	__PRETTY_FUNCTION__ = "gtk_scrolled_window_forall"
#35 0xb72aa7f6 in IA__gtk_container_foreach (container=0x8b03928, callback=0xb747f3b0 <IA__gtk_widget_destroy>, callback_data=0x0)
    at /build/buildd/gtk+2.0-2.12.11/gtk/gtkcontainer.c:1480
	__PRETTY_FUNCTION__ = "IA__gtk_container_foreach"
#36 0xb72ab0c0 in gtk_container_destroy (object=0x8b03928) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkcontainer.c:1020
No locals.
#37 0xb73affa0 in gtk_scrolled_window_destroy (object=0x8b03928) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkscrolledwindow.c:799
	__PRETTY_FUNCTION__ = "gtk_scrolled_window_destroy"
#38 0xb7040a34 in IA__g_cclosure_marshal_VOID__VOID (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x929b3b0, invocation_hint=0xbfeff07c, 
    marshal_data=0xb73aff00) at /tmp/buildd/glib2.0-2.17.7/gobject/gmarshal.c:77
	data1 = (gpointer) 0x8b03928
	data2 = (gpointer) 0x0
	__PRETTY_FUNCTION__ = "IA__g_cclosure_marshal_VOID__VOID"
#39 0xb70312d9 in g_type_class_meta_marshal (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x929b3b0, invocation_hint=0xbfeff07c, marshal_data=0x4c)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gclosure.c:878
	callback = <value optimized out>
#40 0xb7032a90 in IA__g_closure_invoke (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x929b3b0, invocation_hint=0xbfeff07c)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gclosure.c:767
	marshal = (GClosureMarshal) 0xb7031290 <g_type_class_meta_marshal>
	marshal_data = (gpointer) 0x4c
	__PRETTY_FUNCTION__ = "IA__g_closure_invoke"
#41 0xb704a7a8 in signal_emit_unlocked_R (node=0x8b07970, detail=0, instance=0x8b03928, emission_return=0x0, instance_and_params=0x929b3b0)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:3360
	need_unset = 0
	accumulator = (SignalAccumulator *) 0x0
	emission = {next = 0xbfeff4a4, instance = 0x8b03928, ihint = {signal_id = 7, detail = 0, run_type = G_SIGNAL_RUN_CLEANUP}, state = EMISSION_STOP, chain_type = 146008160}
	class_closure = (GClosure *) 0x8b07928
	handler_list = (Handler *) 0x0
	return_accu = (GValue *) 0x0
	accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, 
      v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
	signal_id = 7
	max_sequential_handler_number = 291
	return_value_altered = 0
#42 0xb704bac6 in IA__g_signal_emit_valist (instance=0x8b03928, signal_id=7, detail=0, 
    var_args=0xbfeff21c "&#65533;\034X&#65533;&#65533;\034X&#65533;(9&#65533;\bH&#65533;&#65533;&#65533;1&#65533;G&#65533;(9&#65533;\b(9&#65533;\bh&#65533;&#65533;&#65533;\200V\006&#65533;\200V\006&#65533;(9&#65533;\bh&#65533;&#65533;&#65533;oR\003&#65533;(9&#65533;\bP") at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:2977
	signal_return_type = 4
	param_values = (GValue *) 0x929b3c4
---Type <return> to continue, or q <return> to quit---
	node = (SignalNode *) 0x8b07970
	i = 145669096
	n_params = 0
	__PRETTY_FUNCTION__ = "IA__g_signal_emit_valist"
#43 0xb704bf56 in IA__g_signal_emit (instance=0x8b03928, signal_id=7, detail=0) at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:3034
No locals.
#44 0xb736fa01 in gtk_object_dispose (gobject=0x8b03928) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkobject.c:418
No locals.
#45 0xb747f131 in gtk_widget_dispose (object=0x8b03928) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkwidget.c:7854
No locals.
#46 0xb703526f in IA__g_object_run_dispose (object=0x8b03928) at /tmp/buildd/glib2.0-2.17.7/gobject/gobject.c:785
	__PRETTY_FUNCTION__ = "IA__g_object_run_dispose"
#47 0xb736f6ee in IA__gtk_object_destroy (object=0x8b03928) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkobject.c:403
	__PRETTY_FUNCTION__ = "IA__gtk_object_destroy"
#48 0xb7267240 in gtk_box_forall (container=0x8b02960, include_internals=0, callback=0xb747f3b0 <IA__gtk_widget_destroy>, callback_data=0x0)
    at /build/buildd/gtk+2.0-2.12.11/gtk/gtkbox.c:799
	child = <value optimized out>
	children = (GList *) 0x8b50020
	__PRETTY_FUNCTION__ = "gtk_box_forall"
#49 0xb72aa7f6 in IA__gtk_container_foreach (container=0x8b02960, callback=0xb747f3b0 <IA__gtk_widget_destroy>, callback_data=0x0)
    at /build/buildd/gtk+2.0-2.12.11/gtk/gtkcontainer.c:1480
	__PRETTY_FUNCTION__ = "IA__gtk_container_foreach"
#50 0xb72ab0c0 in gtk_container_destroy (object=0x8b02960) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkcontainer.c:1020
No locals.
#51 0xb7040a34 in IA__g_cclosure_marshal_VOID__VOID (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x929b4c0, invocation_hint=0xbfeff4ac, 
    marshal_data=0xb72ab080) at /tmp/buildd/glib2.0-2.17.7/gobject/gmarshal.c:77
	data1 = (gpointer) 0x8b02960
	data2 = (gpointer) 0x0
	__PRETTY_FUNCTION__ = "IA__g_cclosure_marshal_VOID__VOID"
#52 0xb70312d9 in g_type_class_meta_marshal (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x929b4c0, invocation_hint=0xbfeff4ac, marshal_data=0x4c)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gclosure.c:878
	callback = <value optimized out>
#53 0xb7032a90 in IA__g_closure_invoke (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x929b4c0, invocation_hint=0xbfeff4ac)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gclosure.c:767
	marshal = (GClosureMarshal) 0xb7031290 <g_type_class_meta_marshal>
	marshal_data = (gpointer) 0x4c
	__PRETTY_FUNCTION__ = "IA__g_closure_invoke"
#54 0xb704a7a8 in signal_emit_unlocked_R (node=0x8b07970, detail=0, instance=0x8b02960, emission_return=0x0, instance_and_params=0x929b4c0)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:3360
	need_unset = 0
	accumulator = (SignalAccumulator *) 0x0
	emission = {next = 0xbfeff8f4, instance = 0x8b02960, ihint = {signal_id = 7, detail = 0, run_type = G_SIGNAL_RUN_CLEANUP}, state = EMISSION_STOP, chain_type = 145782576}
	class_closure = (GClosure *) 0x8b07928
	handler_list = (Handler *) 0x0
	return_accu = (GValue *) 0x0
	accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, 
      v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
	signal_id = 7
	max_sequential_handler_number = 291
	return_value_altered = 0
#55 0xb704bac6 in IA__g_signal_emit_valist (instance=0x8b02960, signal_id=7, detail=0, 
    var_args=0xbfeff64c "&#65533;\034X&#65533;&#65533;\034X&#65533;`)&#65533;\bx&#65533;&#65533;&#65533;1&#65533;G&#65533;`)&#65533;\b`)&#65533;\b\210&#65533;&#65533;&#65533;\200V\006&#65533;\200V\006&#65533;`)&#65533;\b\230&#65533;&#65533;&#65533;oR\003&#65533;`)&#65533;\bP") at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:2977
	signal_return_type = 4
	param_values = (GValue *) 0x929b4d4
	node = (SignalNode *) 0x8b07970
	i = 145669096
	n_params = 0
	__PRETTY_FUNCTION__ = "IA__g_signal_emit_valist"
#56 0xb704bf56 in IA__g_signal_emit (instance=0x8b02960, signal_id=7, detail=0) at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:3034
No locals.
#57 0xb736fa01 in gtk_object_dispose (gobject=0x8b02960) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkobject.c:418
No locals.
#58 0xb747f131 in gtk_widget_dispose (object=0x8b02960) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkwidget.c:7854
No locals.
#59 0xb703526f in IA__g_object_run_dispose (object=0x8b02960) at /tmp/buildd/glib2.0-2.17.7/gobject/gobject.c:785
	__PRETTY_FUNCTION__ = "IA__g_object_run_dispose"
#60 0xb736f6ee in IA__gtk_object_destroy (object=0x8b02960) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkobject.c:403
	__PRETTY_FUNCTION__ = "IA__gtk_object_destroy"
---Type <return> to continue, or q <return> to quit---
#61 0xb7262fff in gtk_bin_forall (container=0x8b29250, include_internals=0, callback=0xbfefe8bc, callback_data=0x0) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkbin.c:133
	__PRETTY_FUNCTION__ = "gtk_bin_forall"
#62 0xb72aa7f6 in IA__gtk_container_foreach (container=0x8b29250, callback=0xb747f3b0 <IA__gtk_widget_destroy>, callback_data=0x0)
    at /build/buildd/gtk+2.0-2.12.11/gtk/gtkcontainer.c:1480
	__PRETTY_FUNCTION__ = "IA__gtk_container_foreach"
#63 0xb72ab0c0 in gtk_container_destroy (object=0x8b29250) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkcontainer.c:1020
No locals.
#64 0xb748fe73 in gtk_window_destroy (object=0x8b29250) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkwindow.c:4190
No locals.
#65 0xb7040a34 in IA__g_cclosure_marshal_VOID__VOID (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x9298390, invocation_hint=0xbfeff8fc, 
    marshal_data=0xb748fdf0) at /tmp/buildd/glib2.0-2.17.7/gobject/gmarshal.c:77
	data1 = (gpointer) 0x8b29250
	data2 = (gpointer) 0x0
	__PRETTY_FUNCTION__ = "IA__g_cclosure_marshal_VOID__VOID"
#66 0xb70312d9 in g_type_class_meta_marshal (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x9298390, invocation_hint=0xbfeff8fc, marshal_data=0x4c)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gclosure.c:878
	callback = <value optimized out>
#67 0xb7032b63 in IA__g_closure_invoke (closure=0x8b07928, return_value=0x0, n_param_values=1, param_values=0x9298390, invocation_hint=0xbfeff8fc)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gclosure.c:767
	marshal = (GClosureMarshal) 0xb7031290 <g_type_class_meta_marshal>
	marshal_data = (gpointer) 0x4c
	__PRETTY_FUNCTION__ = "IA__g_closure_invoke"
#68 0xb704a7a8 in signal_emit_unlocked_R (node=0x8b07970, detail=0, instance=0x8b29250, emission_return=0x0, instance_and_params=0x9298390)
    at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:3360
	need_unset = 0
	accumulator = (SignalAccumulator *) 0x0
	emission = {next = 0x0, instance = 0x8b29250, ihint = {signal_id = 7, detail = 0, run_type = G_SIGNAL_RUN_CLEANUP}, state = EMISSION_STOP, chain_type = 145850432}
	class_closure = (GClosure *) 0x8b07928
	handler_list = (Handler *) 0x8b29c40
	return_accu = (GValue *) 0x0
	accu = {g_type = 0, data = {{v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}, {v_int = 0, 
      v_uint = 0, v_long = 0, v_ulong = 0, v_int64 = 0, v_uint64 = 0, v_float = 0, v_double = 0, v_pointer = 0x0}}}
	signal_id = 7
	max_sequential_handler_number = 291
	return_value_altered = 1
#69 0xb704bac6 in IA__g_signal_emit_valist (instance=0x8b29250, signal_id=7, detail=0, var_args=0xbfeffa9c "&#65533;&#65533;G&#65533;&#65533;\034X&#65533;P\222&#65533;\b&#65533;&#65533;&#65533;&#65533;1&#65533;G&#65533;P\222&#65533;\b")
    at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:2977
	signal_return_type = 4
	param_values = (GValue *) 0x92983a4
	node = (SignalNode *) 0x8b07970
	i = 1
	n_params = 0
	__PRETTY_FUNCTION__ = "IA__g_signal_emit_valist"
#70 0xb704bf56 in IA__g_signal_emit (instance=0x8b29250, signal_id=7, detail=0) at /tmp/buildd/glib2.0-2.17.7/gobject/gsignal.c:3034
No locals.
#71 0xb736fa01 in gtk_object_dispose (gobject=0x8b29250) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkobject.c:418
No locals.
#72 0xb747f131 in gtk_widget_dispose (object=0x8b29250) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkwidget.c:7854
No locals.
#73 0xb748c926 in gtk_window_dispose (object=0x8b29250) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkwindow.c:1969
No locals.
#74 0xb703526f in IA__g_object_run_dispose (object=0x8b29250) at /tmp/buildd/glib2.0-2.17.7/gobject/gobject.c:785
	__PRETTY_FUNCTION__ = "IA__g_object_run_dispose"
#75 0xb736f6ee in IA__gtk_object_destroy (object=0x8b29250) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkobject.c:403
	__PRETTY_FUNCTION__ = "IA__gtk_object_destroy"
#76 0xb7347a24 in IA__gtk_main_do_event (event=0x91795f8) at /build/buildd/gtk+2.0-2.12.11/gtk/gtkmain.c:1492
	event_widget = (GtkWidget *) 0x8b29250
	grab_widget = (GtkWidget *) 0x8b29250
	window_group = (GtkWindowGroup *) 0x8b7c720
	rewritten_event = (GdkEvent *) 0x0
	tmp_list = <value optimized out>
	__PRETTY_FUNCTION__ = "IA__gtk_main_do_event"
#77 0xb71b87ea in gdk_event_dispatch (source=0x8b061c0, callback=0, user_data=0x0) at /build/buildd/gtk+2.0-2.12.11/gdk/x11/gdkevents-x11.c:2351
	display = <value optimized out>
	event = <value optimized out>
#78 0xb6fa64b1 in IA__g_main_context_dispatch (context=0x8b06208) at /tmp/buildd/glib2.0-2.17.7/glib/gmain.c:2073
No locals.
#79 0xb6fa9b43 in g_main_context_iterate (context=0x8b06208, block=1, dispatch=1, self=0x8b1c880) at /tmp/buildd/glib2.0-2.17.7/glib/gmain.c:2706
---Type <return> to continue, or q <return> to quit---
	max_priority = 2147483647
	timeout = 15
	some_ready = 1
	nfds = 3
	allocated_nfds = <value optimized out>
	fds = (GPollFD *) 0x8b739f0
	__PRETTY_FUNCTION__ = "g_main_context_iterate"
#80 0xb6faa062 in IA__g_main_loop_run (loop=0x8deeeb8) at /tmp/buildd/glib2.0-2.17.7/glib/gmain.c:2929
	self = (GThread *) 0x8b1c880
	__PRETTY_FUNCTION__ = "IA__g_main_loop_run"
#81 0xb7347c99 in IA__gtk_main () at /build/buildd/gtk+2.0-2.12.11/gtk/gtkmain.c:1163
	tmp_list = (GList *) 0x8b073e0
	functions = (GList *) 0x0
	init = (GtkInitFunction *) 0x8b03928
	loop = (GMainLoop *) 0x8deeeb8
#82 0x08049b18 in main ()
Comment 1 Jeff Cook 2008-10-04 00:19:44 PDT
This actually doesn't segfault for me with svn r32784. Instead, I get what appears from a very quick Google search may be a compiler bug. Upon close of a page with a swf element, I get:

pure virtual method called
terminate called without an active exception
Aborted

The options I added to the compilation were -march=x86_64 -mtune=core2 -funit-at-a-time -pipe -O2 . I suspect it may be caused by -O2 or -funit-at-a-time, though the latter only affects asm blocks afaict from the man page.

Anyway, will try to recompile and see if I can reproduce the segfault. I don't experience it in Epiphany (with svn r37092) either and my patch from https://bugs.webkit.org/show_bug.cgi?id=20779 .
Comment 2 Jeff Cook 2008-10-04 01:04:33 PDT
Neglected to mention that I'm using GCC 4.3.2, glibc 2.8, and ArchLinux 2.6.26.
Comment 3 Riccardo Magliocchetti 2008-10-05 09:46:00 PDT
(In reply to comment #1)
> This actually doesn't segfault for me with svn r32784. 

You mean r37284, right? I'm building a newer snapshot right now.

My platform is gcc 4.3.2 and glibc is 2.7 from Debian sid.
Comment 4 Riccardo Magliocchetti 2008-10-05 11:12:57 PDT
It still crashes, with a different warning though:

(GtkLauncher:16370): GLib-GObject-WARNING **: invalid uninstantiatable type `(null)' in cast to `GtkWidget'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb5793720 (LWP 16370)]
0xb7b9268c in WebCore::ScrollView::platformRemoveChild ()
   from /usr/local/lib/libwebkit-1.0.so.1
Current language:  auto; currently asm
(gdb) bt full
#0  0xb7b9268c in WebCore::ScrollView::platformRemoveChild ()
   from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#1  0xb7949f95 in WebCore::ScrollView::removeChild ()
   from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#2  0xb794a333 in WebCore::ScrollView::setHasVerticalScrollbar ()
   from /usr/local/lib/libwebkit-1.0.so.1
No locals.
#3  0xb7920f4f in WebCore::FrameView::~FrameView ()
   from /usr/local/lib/libwebkit-1.0.so.1
Comment 5 Jan Alonzo 2008-10-11 13:42:01 PDT

*** This bug has been marked as a duplicate of 21390 ***