Ubuntu

Comment 0 for bug 72018

(Filing here since nsPluginNativeWindowGtk2 seems to be responsible; but it also might be a widget:gtk2 or gtk+ bug.)

Steps to reproduce (taken from https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210151):
0) Install totem plugin, start firefox
1) Go to a site with movie links, for example http://digital-desert.com/mpg-videos/
2) Open a non-movie link in a new tab, close the new tab [not sure this step is necessary]
3) Open a movie link in a new tab; wait for it to load in the totem plugin; close the tab
4) Right-click the movie link, Save Target As

Result:
Shortly after the gtk native filepicker shows, the application crashes.

Analysis:
There seems to be a problem with xembed plugins: when you close the tab that showed the plugin, the nsPluginNativeWindowGtk2 that wraps the GtkSocket is not destroyed yet (it is destroyed sometime later; I haven't yet noticed a pattern; at the very least it's destroyed on shutdown.) (Bug 241535 is caused by the same problem.)

Now, when the native gtk filepicker opens, it causes a style reset (#12 in trace). This is recursively propagated down the widget hierarchy, until it comes to the GtkSocket of the plugin window. That socket's widget->window at this point has a NULL colourmap, causing gtk_style_realize to segfault (NULL dereference).

Trace:
#0 0xb7bfac24 in gtk_style_realize (style=0x8bc43d0, colormap=0x0) at gtkstyle.c:839
#1 0xb7bfe1f0 in IA__gtk_style_attach (style=0x8bc3e00, window=0x88b1320) at gtkstyle.c:752
#2 0xb7ca4fe2 in gtk_widget_set_style_internal (widget=0x8d39c78, style=0x8bc3e00, initial_emission=0) at gtkwidget.c:5138
#3 0xb7ca513a in reset_rc_styles_recurse (widget=0x8d39c78, data=0x0) at gtkwidget.c:5348
#4 0xb67e49a3 in moz_container_forall (container=0x8277528, include_internals=1, callback=0xb7ca50d0 <reset_rc_styles_recurse>, callback_data=0x0) at mozcontainer.c:401
#5 0xb7af65fb in IA__gtk_container_forall (container=0x8277528, callback=0xb7ca50d0 <reset_rc_styles_recurse>, callback_data=0x0) at gtkcontainer.c:1261
#6 0xb7ca5129 in reset_rc_styles_recurse (widget=0x8277528, data=0x0) at gtkwidget.c:5351
#7 0xb7ab749f in gtk_bin_forall (container=0x8140738, include_internals=1, callback=0, callback_data=0x0) at gtkbin.c:133
#8 0xb7af65fb in IA__gtk_container_forall (container=0x8140738, callback=0xb7ca50d0 <reset_rc_styles_recurse>, callback_data=0x0) at gtkcontainer.c:1261
#9 0xb7ca5129 in reset_rc_styles_recurse (widget=0x8140738, data=0x0) at gtkwidget.c:5351
#10 0xb7ca518d in IA__gtk_widget_reset_rc_styles (widget=0x8140738) at gtkwidget.c:5361
#11 0xb7bcde40 in gtk_rc_reset_widgets (settings=0x8065080) at gtkrc.c:1606
#12 0xb7b54bb1 in reset_styles_idle (user_data=0x8ddda48) at gtkicontheme.c:602
#13 0xb759caa1 in g_idle_dispatch (source=0x8cbbf90, callback=0, user_data=0x8ddda48) at gmain.c:3926
#14 0xb759e802 in IA__g_main_context_dispatch (context=0x8081bc0) at gmain.c:2045
#15 0xb75a17df in g_main_context_iterate (context=0x8081bc0, block=1, dispatch=1, self=0x8123360) at gmain.c:2677
#16 0xb75a1b89 in IA__g_main_loop_run (loop=0x8e61630) at gmain.c:2881
#17 0xb7b07dfb in IA__gtk_dialog_run (dialog=0x8e80000) at gtkdialog.c:996
#18 0xb67f91bd in nsFilePicker::Show (this=0x8dee8b8, aReturn=0xbfb9f5cc) at nsFilePicker.cpp:583
[...]

Downstream bug reports: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210151 (firefox) and http://bugzilla.gnome.org/show_bug.cgi?id=353503 (epiphany, many duplicates).