[Webkit-unassigned] [Bug 31086] New: Carbon WebKit plugins wreak havoc in Firefox

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 3 14:28:33 PST 2009 

https://bugs.webkit.org/show_bug.cgi?id=31086

           Summary: Carbon WebKit plugins wreak havoc in Firefox
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: smichaud at pobox.com


For some time crashes at IdleTimerVector have been close to the top of
the Mozilla topcrasher list on OS X.  For example see
http://crash-stats.mozilla.com/query/query?version=ALL%3AALL&platform=mac&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=exact&query=&do_query=1.

IdleTimerVector (in the HIToolbox framework) is what's called by the
OS as a result of using InstallEventLoopIdleTimer()
(http://developer.apple.com/legacy/mac/library/documentation/Carbon/Reference/Carbon_Event_Manager_Ref/Reference/reference.html#//apple_ref/doc/uid/TP30000135-CH1g-CJBJCEJJ)
to install an "idle timer".

The Mozilla tree doesn't contain any calls to
InstallEventLoopIdleTimer().  But this *is* called by
DivXBrowserPlugin (http://www.divx.com/).  And 100% of the
IdleTimerVector crashes are associated with this module.

DivXBrowserPlugin is a Carbon app that uses WebKit.  There aren't too
many of these (DivXBrowserPlugin is the only one I can find).
Moreover it doesn't call InstallEventLoopIdleTimer() directly --
instead it calls WebInitForCarbon() (in the WebKit) and it's the
latter that calls InstallEventLoopIdleTimer().  The WebKit framework
is also 100% associated with the IdleTimerVector crashes.

(For information on the correlation of FF crashes with particular
modules, see the following links:
http://people.mozilla.org/~dbaron/crash-stats/20090929-interesting-modules
http://people.mozilla.com/crash_analysis/)

It turns out these crashes are caused by what happens in WebKit's
PoolCleaner() function -- the target of the "idle timer" installed by
WebInitForCarbon().  They should happen in any Cocoa browser that
loads a Carbon WebKit plugin, unless the browser takes certain
precautions (i.e. unless it does something to "disable"
PoolCleaner()).

The IdleTimerVector crashes don't happen on OS X 10.6 and above --
where PoolCleaner() is already disabled by changes to the Foundation
framework's NSPushAutoreleasePool() and NSPopAutoreleasePool()
functions.

This is discussed in much more detail at
https://bugzilla.mozilla.org/show_bug.cgi?id=509130.

I've proposed a patch there that works around the bug in Firefox.  And
Safari already works around the problem in a different way (see
https://bugzilla.mozilla.org/show_bug.cgi?id=509130#c42).

But it'd be nice to get this problem fixed at the source, in WebKit
code.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list