27769 2009-07-28 09:46:10 -0700 Chromium crashes in the V8 bindings code when the page is being torn down 2014-04-24 16:45:03 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) PC All RESOLVED FIXED P2 Normal --- 0 ananta webkit-unassigned abarth dglazkov fishd levin oldest_to_newest 135248 0 ananta 2009-07-28 09:46:10 -0700 This is a chromium specific issue. The Chromium bug is http://code.google.com/p/chromium/issues/detail?id=17710 Callstack as below:- The crash happens because the WebCore::V8Proxy::createNewContext function dereferences the activeDocumentLoader pointer in the FrameLoader object as below:- m_frame->loader()->activeDocumentLoader()->url().protocol(), This is set to NULL in the WebCore::FrameLoader::detachFromParent function by a call to setDocumentLoader(0). The fix should be to add a NULL check for the activeDocumentLoader pointer in the WebCore::V8Proxy::createNewContext function. I will upload a patch for this. chrome_23a0000!WebCore::ResourceRequestBase::url+0x2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\network\resourcerequestbase.cpp @ 106] chrome_23a0000!WebCore::V8Proxy::createNewContext+0xd8 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 896] chrome_23a0000!WebCore::V8Proxy::initContextIfNeeded+0x77 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 995] chrome_23a0000!WebCore::V8Proxy::context+0x3e [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 1114] chrome_23a0000!WebCore::toV8Context+0x17 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8helpers.cpp @ 49] chrome_23a0000!NPN_GetProperty+0x38 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\npv8object.cpp @ 283] chrome_23a0000!NPObjectStub::OnGetProperty+0x68 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\npobject_stub.cc @ 196] chrome_23a0000!IPC::MessageWithReply<Tuple1<NPIdentifier_Param>,Tuple2<NPVariant_Param &,bool &> >::Dispatch<NPObjectStub,void (__thiscall NPObjectStub::*)(NPIdentifier_Param const &,NPVariant_Param *,bool *)>+0x91 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_message_utils.h @ 1136] chrome_23a0000!NPObjectStub::OnMessageReceived+0x126 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\npobject_stub.cc @ 67] chrome_23a0000!MessageRouter::RouteMessage+0x34 [c:\b\slave\chromium-rel-xp\build\src\chrome\common\message_router.cc @ 41] chrome_23a0000!PluginChannelBase::OnMessageReceived+0x48 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\plugin_channel_base.cc @ 112] chrome_23a0000!IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages+0x12c [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 107] chrome_23a0000!IPC::SyncChannel::WaitForReply+0x79 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 415] chrome_23a0000!IPC::SyncChannel::SendWithTimeout+0x162 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 398] chrome_23a0000!IPC::SyncChannel::Send+0x10 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 362] chrome_23a0000!PluginChannelBase::Send+0x68 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\plugin_channel_base.cc @ 95] chrome_23a0000!WebPluginDelegateProxy::Send+0x37 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\webplugin_delegate_proxy.cc @ 294] chrome_23a0000!WebPluginDelegateProxy::PluginDestroyed+0x78 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\webplugin_delegate_proxy.cc @ 211] chrome_23a0000!WebPluginImpl::TearDownPluginInstance+0x3f [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webplugin_impl.cc @ 1385] chrome_23a0000!WebPluginContainer::~WebPluginContainer+0x1d [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webplugin_impl.cc @ 177] chrome_23a0000!WebPluginContainer::`scalar deleting destructor'+0xb chrome_23a0000!WebCore::RenderWidget::clearWidget+0x2b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderwidget.cpp @ 279] chrome_23a0000!WebCore::RenderPart::~RenderPart+0x15 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderpart.cpp @ 42] chrome_23a0000!WebCore::RenderPartObject::`scalar deleting destructor'+0x27 chrome_23a0000!WebCore::RenderObject::arenaDelete+0x80 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderobject.cpp @ 1882] chrome_23a0000!WebCore::RenderWidget::destroy+0x117 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderwidget.cpp @ 97] chrome_23a0000!WebCore::Node::detach+0x19 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\node.cpp @ 1169] chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587] chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587] chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587] chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587] chrome_23a0000!WebCore::Document::detach+0xc0 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\document.cpp @ 1359] chrome_23a0000!WebCore::Frame::setView+0x31 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\page\frame.cpp @ 232] chrome_23a0000!WebCore::FrameLoader::detachFromParent+0x12c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\frameloader.cpp @ 3524] chrome_23a0000!WebViewImpl::close+0x1f [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webview_impl.cc @ 943] chrome_23a0000!RenderWidget::Close+0x10 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_widget.cc @ 651] chrome_23a0000!MessageLoop::RunTask+0x7e [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 314] chrome_23a0000!MessageLoop::DoWork+0x1ea [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 436] chrome_23a0000!base::MessagePumpDefault::Run+0x111 [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_default.cc @ 50] chrome_23a0000!MessageLoop::RunInternal+0xb7 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 198] chrome_23a0000!MessageLoop::RunHandler+0xa0 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 182] chrome_23a0000!MessageLoop::Run+0x3d [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 156] chrome_23a0000!RendererMain+0x40f [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\renderer_main.cc @ 151] chrome_23a0000!ChromeMain+0x608 [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_dll_main.cc @ 486] chrome!wWinMain+0x2fd [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_exe_main.cc @ 102] chrome!__tmainCRTStartup+0x176 [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 324] WARNING: Stack unwind information not available. Following frames may be wrong. kernel32!RegisterWaitForInputIdle+0x49 135285 1 abarth 2009-07-28 11:10:13 -0700 That line of code is very wrong, but that's an issue for another bug. 135311 2 33657 ananta 2009-07-28 12:00:25 -0700 Created attachment 33657 Patch containing the proposed fix in V8Proxy.cpp 135323 3 33660 ananta 2009-07-28 12:30:52 -0700 Created attachment 33660 Updated V8 bindings patch 135324 4 33660 dglazkov 2009-07-28 12:32:03 -0700 Comment on attachment 33660 Updated V8 bindings patch ok. 135325 5 dglazkov 2009-07-28 12:33:31 -0700 Landed as http://trac.webkit.org/changeset/46496. 135327 6 abarth 2009-07-28 12:43:01 -0700 Where is the test case? 135332 7 fishd 2009-07-28 13:02:05 -0700 (In reply to comment #6) > Where is the test case? Hmm... it may be possible to extend the layout test plugin to have a mode where it attempts to read a property from the containing window during destruction. 135362 8 ananta 2009-07-28 13:49:50 -0700 Based on what I know about the plugin shutdown code in webkit, the window script objects are destroyed before the plugin shutdown function is called. Calls to NPN functions on the window script object would probably fail in this context. We need a different NPObject which remains valid during plugin shutdown on which the plugin can invoke. 1003844 9 darin 2014-04-24 16:45:03 -0700 Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue. 33657 2009-07-28 12:00:25 -0700 2009-07-28 12:30:52 -0700 Patch containing the proposed fix in V8Proxy.cpp V8ProxyFix.txt text/plain 1488 ananta SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0NjQ5MikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTggQEAKKzIwMDktMDctMjggIEFuYW50YW5hcmF5YW5hbiBJeWVuZ2FyICA8YW5h bnRhQGNocm9taXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Mjc3NjkK KyAgICAgICAgVGhlIFY4IGJpbmRpbmdzIGZ1bmN0aW9uIFY4UHJveHk6OmNyZWF0ZU5ld0NvbnRl eHQgY2FuIGJlIAorICAgICAgICBjYWxsZWQgZHVyaW5nIGZyYW1lIHNodXRkb3duIHdoZXJlIHRo ZSBhY3RpdmVEb2N1bWVudExvYWRlcgorICAgICAgICBmdW5jdGlvbiBpbiBGcmFtZUxvYWRlciBj YW4gcmV0dXJuIE5VTEwuIEFkZGVkIGEgY2hlY2sgZm9yIHRoZQorICAgICAgICBzYW1lLgorCisg ICAgICAgIE5vIG5ldyB0ZXN0cy4gKE9PUFMhKQorCisgICAgICAgICogYmluZGluZ3MvdjgvVjhQ cm94eS5jcHA6CisgICAgICAgIChXZWJDb3JlOjpWOFByb3h5OjpjcmVhdGVOZXdDb250ZXh0KToK KwogMjAwOS0wNy0yOCAgWGFuIExvcGV6ICA8eGxvcGV6QGlnYWxpYS5jb20+CiAKICAgICAgICAg UmV2aWV3ZWQgYnkgR3VzdGF2byBOb3JvbmhhLgpJbmRleDogV2ViQ29yZS9iaW5kaW5ncy92OC9W OFByb3h5LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09Ci0tLSBXZWJDb3JlL2JpbmRpbmdzL3Y4L1Y4UHJveHkuY3Bw CShyZXZpc2lvbiA0NjQ0NSkKKysrIFdlYkNvcmUvYmluZGluZ3MvdjgvVjhQcm94eS5jcHAJKHdv cmtpbmcgY29weSkKQEAgLTg2Myw2ICs4NjMsMTAgQEAgdjg6OlBlcnNpc3RlbnQ8djg6OkNvbnRl eHQ+IFY4UHJveHk6OmNyZQogewogICAgIHY4OjpQZXJzaXN0ZW50PHY4OjpDb250ZXh0PiByZXN1 bHQ7CiAKKyAgICAvLyBUaGUgYWN0aXZlRG9jdW1lbnRMb2FkZXIgcG9pbnRlciBjb3VsZCBiZSBO VUxMIGR1cmluZyBmcmFtZSBzaHV0ZG93bi4KKyAgICBpZiAoIW1fZnJhbWUtPmxvYWRlcigpLT5h Y3RpdmVEb2N1bWVudExvYWRlcigpKQorICAgICAgICByZXR1cm4gcmVzdWx0OworCiAgICAgLy8g Q3JlYXRlIGEgbmV3IGVudmlyb25tZW50IHVzaW5nIGFuIGVtcHR5IHRlbXBsYXRlIGZvciB0aGUg c2hhZG93CiAgICAgLy8gb2JqZWN0LiBSZXVzZSB0aGUgZ2xvYmFsIG9iamVjdCBpZiBvbmUgaGFz IGJlZW4gY3JlYXRlZCBlYXJsaWVyLgogICAgIHY4OjpQZXJzaXN0ZW50PHY4OjpPYmplY3RUZW1w bGF0ZT4gZ2xvYmFsVGVtcGxhdGUgPSBWOERPTVdpbmRvdzo6R2V0U2hhZG93T2JqZWN0VGVtcGxh dGUoKTsK 33660 2009-07-28 12:30:52 -0700 2009-07-28 12:32:03 -0700 Updated V8 bindings patch V8ProxyFix.txt text/plain 1664 ananta SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0NjQ5MikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjAgQEAKKzIwMDktMDctMjggIEFuYW50YW5hcmF5YW5hbiBJeWVuZ2FyICA8YW5h bnRhQGNocm9taXVtLm9yZz4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9Mjc3NjkK KyAgICAgICAgVGhlIFY4IGJpbmRpbmdzIGZ1bmN0aW9uIFY4UHJveHk6OmNyZWF0ZU5ld0NvbnRl eHQgY2FuIGJlIAorICAgICAgICBjYWxsZWQgZHVyaW5nIGZyYW1lIHNodXRkb3duIHdoZXJlIHRo ZSBhY3RpdmVEb2N1bWVudExvYWRlcgorICAgICAgICBmdW5jdGlvbiBpbiBGcmFtZUxvYWRlciBj YW4gcmV0dXJuIE5VTEwuIEFkZGVkIGEgY2hlY2sgZm9yIHRoZQorICAgICAgICBzYW1lLgorCisg ICAgICAgIE5vIG5ldyB0ZXN0cyBhZGRlZCBhcyB0aGlzIGlzIGFuIGVkZ2UgY2FzZSB3aGVyZSB0 aGUgVjggCisgICAgICAgIGJpbmRpbmdzIGNvZGUgaXMgcmVlbnRlcmVkIHZpYSBOUEFQSSBkdXJp bmcgc2h1dGRvd24uIEl0IGlzIAorICAgICAgICBkaWZmaWN1bHQgdG8gd3JpdGUgYSBjb25zaXN0 ZW50bHkgcmVwcm9kdWNpYmxlIHRlc3QgZm9yIHRoaXMuCisKKyAgICAgICAgKiBiaW5kaW5ncy92 OC9WOFByb3h5LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlY4UHJveHk6OmNyZWF0ZU5ld0NvbnRl eHQpOgorCiAyMDA5LTA3LTI4ICBYYW4gTG9wZXogIDx4bG9wZXpAaWdhbGlhLmNvbT4KIAogICAg ICAgICBSZXZpZXdlZCBieSBHdXN0YXZvIE5vcm9uaGEuCkluZGV4OiBXZWJDb3JlL2JpbmRpbmdz L3Y4L1Y4UHJveHkuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvYmluZGluZ3MvdjgvVjhQcm94 eS5jcHAJKHJldmlzaW9uIDQ2NDQ1KQorKysgV2ViQ29yZS9iaW5kaW5ncy92OC9WOFByb3h5LmNw cAkod29ya2luZyBjb3B5KQpAQCAtODYzLDYgKzg2MywxMCBAQCB2ODo6UGVyc2lzdGVudDx2ODo6 Q29udGV4dD4gVjhQcm94eTo6Y3JlCiB7CiAgICAgdjg6OlBlcnNpc3RlbnQ8djg6OkNvbnRleHQ+ IHJlc3VsdDsKIAorICAgIC8vIFRoZSBhY3RpdmVEb2N1bWVudExvYWRlciBwb2ludGVyIGNvdWxk IGJlIE5VTEwgZHVyaW5nIGZyYW1lIHNodXRkb3duLgorICAgIGlmICghbV9mcmFtZS0+bG9hZGVy KCktPmFjdGl2ZURvY3VtZW50TG9hZGVyKCkpCisgICAgICAgIHJldHVybiByZXN1bHQ7CisKICAg ICAvLyBDcmVhdGUgYSBuZXcgZW52aXJvbm1lbnQgdXNpbmcgYW4gZW1wdHkgdGVtcGxhdGUgZm9y IHRoZSBzaGFkb3cKICAgICAvLyBvYmplY3QuIFJldXNlIHRoZSBnbG9iYWwgb2JqZWN0IGlmIG9u ZSBoYXMgYmVlbiBjcmVhdGVkIGVhcmxpZXIuCiAgICAgdjg6OlBlcnNpc3RlbnQ8djg6Ok9iamVj dFRlbXBsYXRlPiBnbG9iYWxUZW1wbGF0ZSA9IFY4RE9NV2luZG93OjpHZXRTaGFkb3dPYmplY3RU ZW1wbGF0ZSgpOwo=