Updates:
Cc: [email protected] [email protected]
Labels: -Area-BrowserUI Area-Plugins
Comment #3 on issue 18957 by [email protected]: Crash - gfx::Canvas::DrawStringInt(std::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, gfx::Font const&, unsigned int const&, int, int, int, int, int)
http://code.google.com/p/chromium/issues/detail?id=18957
I took a look at this briefly, and the crashes don't always happen in g_object_unref(layout). Actually, more of them seem to happen in pango_layout_get_size(layout, &width, &height). The actual crash happens deep within glib.

I think it's interesting to note that for a large fraction of the crashes (1/3 or 1/2 of them), you see something like:
Thread 3
0xb7335fa6 [libc-2.9.so + 0x00070fa6]
0xb73365b5 [libc-2.9.so + 0x000715b5]
0xb8046407 [ld-2.9.so + 0x00013407]
0xb8046936 [ld-2.9.so + 0x00013936]
0xb7a95c83 [libdl-2.9.so + 0x00000c83]
0xb8041035 [ld-2.9.so + 0x0000e035]
0xb7a9601b [libdl-2.9.so + 0x0000101b]
0xb7a95cb9 [libdl-2.9.so + 0x00000cb9]
0x09149dfc [chrome - native_library_linux.cc:28] base::UnloadNativeLibrary(void*)
0x08a1af61 [chrome - plugin_lib_linux.cc:84] NPAPI::PluginLib::ReadWebPluginInfo(FilePath const&, WebPluginInfo*)
0x089ae444 [chrome - plugin_list.cc:77] NPAPI::PluginList::ReadPluginInfo(FilePath const&, WebPluginInfo*, NPAPI::PluginEntryPoints const**)
0x089b03b2 [chrome - plugin_list.cc:185] NPAPI::PluginList::LoadPlugin(FilePath const&)
0x089b15fa [chrome - plugin_list_linux.cc:55] NPAPI::PluginList::LoadPluginsFromDir(FilePath const&)
0x089b0bb1 [chrome - plugin_list.cc:168] NPAPI::PluginList::LoadPlugins(bool)
0x089b0da3 [chrome - plugin_list.cc:30] NPAPI::PluginList::Singleton()
0x08168311 [chrome - plugin_service.cc:209] PluginService::HavePluginFor(std::string const&, bool)
0x0819e668 [chrome - resource_dispatcher_host.cc:1273] ResourceDispatcherHost::ShouldDownload(std::string const&, std::string const&)
0x0835e91f [chrome - buffered_resource_handler.cc:248] BufferedResourceHandler::CompleteResponseStarted(int, bool)
0x0835f499 [chrome - buffered_resource_handler.cc:125] BufferedResourceHandler::OnReadCompleted(int, int*)
0x081a0a29 [chrome - resource_dispatcher_host.cc:1378] ResourceDispatcherHost::CompleteRead(URLRequest*, int*)
0x081a0b18 [chrome - resource_dispatcher_host.cc:1332] ResourceDispatcherHost::OnReadCompleted(URLRequest*, int)
0x081a1a32 [chrome - resource_dispatcher_host.cc:1029] ResourceDispatcherHost::OnResponseStarted(URLRequest*)
0x08713f76 [chrome - url_request.cc:352] URLRequest::ResponseStarted()
0x0871c565 [chrome - url_request_job.cc:417] URLRequestJob::NotifyHeadersComplete()
0x0876dd50 [chrome - url_request_http_job.cc:556] URLRequestHttpJob::NotifyHeadersComplete()
0x0876df58 [chrome - url_request_http_job.cc:454] URLRequestHttpJob::OnStartCompleted(int)
0x086cab23 [chrome - task.h:543] net::HttpCache::Transaction::DoCallback(int)
0x086ce0e8 [chrome - http_cache.cc:701] net::HttpCache::Transaction::HandleResult(int)
0x086cfa59 [chrome - http_cache.cc:1308] net::HttpCache::Transaction::OnNetworkInfoAvailable(int)
0x086d92c3 [chrome - task.h:543] net::HttpNetworkTransaction::DoCallback(int)
0x0870da73 [chrome - task.h:543] net::TCPClientSocketLibevent::DoReadCallback(int)
0x0870dbdb [chrome - tcp_client_socket_libevent.cc:342] net::TCPClientSocketLibevent::DidCompleteRead()
0x08619fa5 [chrome - event.c:385] event_base_loop
0x084cfb33 [chrome - message_pump_libevent.cc:253] base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
0x084cd964 [chrome - message_loop.cc:199] MessageLoop::RunInternal()
0x084cdac5 [chrome - message_loop.cc:155] MessageLoop::Run()
0x084f3b0f [chrome - thread.cc:156] base::Thread::ThreadMain()
0x084da150 [chrome - platform_thread_posix.cc:26] ThreadFunc(void*)
0xb76f24fe [libpthread-2.9.so + 0x000064fe]
0xb73a949d [libc-2.9.so + 0x000e449d]
Note that this is not the crashing thread. However, when you look at what plugin is getting loaded, it's usually a totem plugin or something. My suspicion is that we are running into glib/gobject/gdk/gtk/pango thread safety issues while initializing the totem plugin. We probably need to fix 17863 in order to stop this.

If you look at http://crash/search?query=product:Chrome_Linux+version:3.0.198.1+ReadWebPluginInfo, you'll see all sorts of crashes where we're loading a plugin that touches gtk/gdk/glib and crashes in another thread that is mucking around with gtk/gdk/glib.

Someone can probably verify this theory by triggering the mime type check for downloads over and over again until the race condition occurs.
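Editor's note: the thread-affinity problem this comment describes (a plugin loaded on the IO thread calling into a toolkit that only the UI thread may touch, while the UI thread is drawing text through it) can be caught before it turns into a crash deep in glib. The C++ below is an added example and is not part of this comment or of Chromium's own code: ToolkitAffinityChecker is a hypothetical stand-in for a UI-thread-only DCHECK, UiTaskRunner is a minimal stand-in for the UI MessageLoop, and DrawString / PluginInit stand in for gfx::Canvas::DrawStringInt and a plugin's initialization. The unsafe pattern counts the off-thread toolkit call as a violation; the fixed pattern posts the same work to the owning thread, where it runs cleanly.

```cpp
#include <cstdio>
#include <deque>
#include <functional>
#include <mutex>
#include <thread>
#include <utility>

// Hypothetical affinity checker standing in for a UI-thread DCHECK on a
// non-thread-safe toolkit (the gtk/gdk/glib/pango calls in the report).
// The first thread that touches the toolkit becomes its owner; later calls
// from any other thread are counted as violations instead of corrupting
// library state and crashing on some unrelated thread.
class ToolkitAffinityChecker {
 public:
  // Returns true when called on the owning thread; records a violation otherwise.
  bool CalledOnValidThread() {
    std::lock_guard<std::mutex> lock(mu_);
    if (!owner_set_) {
      owner_ = std::this_thread::get_id();
      owner_set_ = true;
    }
    ++calls_;
    bool ok = (std::this_thread::get_id() == owner_);
    if (!ok) ++violations_;
    return ok;
  }
  int violations() { std::lock_guard<std::mutex> lock(mu_); return violations_; }
  int calls() { std::lock_guard<std::mutex> lock(mu_); return calls_; }

 private:
  std::mutex mu_;
  std::thread::id owner_;
  bool owner_set_ = false;
  int calls_ = 0;
  int violations_ = 0;
};

// Minimal single-consumer task queue standing in for the UI thread's
// MessageLoop: other threads PostTask(), the owner drains it with RunPending().
class UiTaskRunner {
 public:
  void PostTask(std::function<void()> task) {
    std::lock_guard<std::mutex> lock(mu_);
    queue_.push_back(std::move(task));
  }
  void RunPending() {
    for (;;) {
      std::function<void()> task;
      {
        std::lock_guard<std::mutex> lock(mu_);
        if (queue_.empty()) return;
        task = std::move(queue_.front());
        queue_.pop_front();
      }
      task();
    }
  }

 private:
  std::mutex mu_;
  std::deque<std::function<void()>> queue_;
};

// Stand-in for gfx::Canvas::DrawStringInt using pango on the UI thread.
static void DrawString(ToolkitAffinityChecker* toolkit) { toolkit->CalledOnValidThread(); }

// Stand-in for a plugin's initialization routine that calls into gtk/glib.
static void PluginInit(ToolkitAffinityChecker* toolkit) { toolkit->CalledOnValidThread(); }

// Buggy pattern: the IO thread loads the plugin and it touches the toolkit
// directly. Returns the number of off-thread violations detected (expected 1).
int RunUnsafePattern() {
  ToolkitAffinityChecker toolkit;
  DrawString(&toolkit);                                   // UI (this) thread becomes owner
  std::thread io_thread([&] { PluginInit(&toolkit); });   // toolkit used off the UI thread
  io_thread.join();
  return toolkit.calls() == 2 ? toolkit.violations() : -1;
}

// Fixed pattern: the IO thread posts the toolkit-touching work to the UI
// runner, and the owning thread executes it. Returns violations (expected 0).
int RunSafePattern() {
  ToolkitAffinityChecker toolkit;
  UiTaskRunner ui;
  DrawString(&toolkit);
  std::thread io_thread([&] { ui.PostTask([&] { PluginInit(&toolkit); }); });
  io_thread.join();
  ui.RunPending();  // PluginInit now runs on the owning (UI) thread
  return toolkit.calls() == 2 ? toolkit.violations() : -1;
}

int main() {
  std::printf("unsafe pattern violations: %d\n", RunUnsafePattern());
  std::printf("safe pattern violations:   %d\n", RunSafePattern());
  return 0;
}
```

In a real build the checker would live behind the toolkit entry points and abort (or log with a stack) on the first violation, which turns a rare, nondeterministic crash in libc or glib into a deterministic failure at the offending call site, and the posted-task form is the shape a fix for the cross-thread plugin load would take.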