95692 2012-09-03 09:01:28 -0700 [WK2] WebProcess crashes when plugin is not initialized. 2012-09-04 16:49:06 -0700 1 1 1 Unclassified WebKit Plug-ins 528+ (Nightly build) Unspecified Unspecified RESOLVED DUPLICATE 95026 P2 Normal --- 1 abecsi abecsi andersca ap beidson kbalazs oldest_to_newest 710682 0 abecsi 2012-09-03 09:01:28 -0700 [WK2] WebProcess crashes when plugin is not initialized. 710684 1 abecsi 2012-09-03 09:02:28 -0700 This is reproducible with the Qt MiniBrowser when loading index.hu. 710685 2 161937 abecsi 2012-09-03 09:03:02 -0700 Created attachment 161937 Patch 710713 3 161937 beidson 2012-09-03 10:43:43 -0700 Comment on attachment 161937 Patch I would like to see steps to reproduce this crash and a backtrace of the crash. There's active work going on in this area so it's important to understand the details of what you've found and not just wallpaper over it. More specifically, PluginViews are created with m_plugin set to the Plugin that last their entire lifetime, so it's surprising to see that m_plugin might be null. The only time it can be cleared is if the plug-in fails to initialize and then the PluginView is still used after that case. Again, please give details on how this reproduces. 710927 4 abecsi 2012-09-04 03:11:16 -0700 The crash is reproducible (since http://trac.webkit.org/changeset/124815) with Qt MiniBrowser the following way: MiniBrowser index.hu And the backtrace of the crash: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff97ffd700 (LWP 17013)] 0x00007ffff47c6305 in WebKit::PluginView::scriptObject (this=0x20fc5b0, globalObject=0x7fffe406ec80) at /home/abecsi/devel/git/webkit-git-svn/Source/WebKit2/WebProcess/Plugins/PluginView.cpp:555 555 if (m_plugin->isBeingAsynchronouslyInitialized()) { (gdb) bt #0 0x00007ffff47c6305 in WebKit::PluginView::scriptObject (this=0x20fc5b0, globalObject=0x7fffe406ec80) at /home/abecsi/devel/git/webkit-git-svn/Source/WebKit2/WebProcess/Plugins/PluginView.cpp:555 #1 0x00007ffff49c4574 in WebCore::pluginScriptObjectFromPluginViewBase (pluginElement=0x18c7240, globalObject=0x7fffe406ec80) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:68 #2 0x00007ffff49c4637 in WebCore::pluginScriptObject (exec=0x7fff9dbdf2d8, jsHTMLElement=0x7fff7c09ef00) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:90 #3 0x00007ffff49c4750 in WebCore::runtimeObjectCustomGetOwnPropertySlot (exec=0x7fff9dbdf2d8, propertyName=..., slot=..., element=0x7fff7c09ef00) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:115 #4 0x00007ffff49b1fc5 in WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLObjectElement, WebCore::JSHTMLElement> (exec=0x7fff9dbdf2d8, propertyName=..., slot=..., element=0x7fff7c09ef00) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSPluginElementFunctions.h:58 #5 0x00007ffff49b1e3c in WebCore::JSHTMLObjectElement::getOwnPropertySlotDelegate (this=0x7fff7c09ef00, exec=0x7fff9dbdf2d8, propertyName=..., slot=...) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSHTMLObjectElementCustom.cpp:38 #6 0x00007ffff5b9c5f7 in WebCore::JSHTMLObjectElement::getOwnPropertySlot (cell=0x7fff7c09ef00, exec=0x7fff9dbdf2d8, propertyName=..., slot=...) at generated/JSHTMLObjectElement.cpp:161 #7 0x00007ffff479ea07 in JSC::JSCell::fastGetOwnPropertySlot (this=0x7fff7c09ef00, exec=0x7fff9dbdf2d8, propertyName=..., slot=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/JSObject.h:616 #8 0x00007ffff49c26dc in JSC::JSValue::get (this=0x7fffffffcb80, exec=0x7fff9dbdf2d8, propertyName=..., slot=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/JSObject.h:871 #9 0x00007ffff6057fee in JSC::cti_op_get_by_id (args=0x7fffffffcc00) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:1710 #10 0x00007ffff6055a99 in JSC::JITThunks::tryCacheGetByID (callFrame=0x22f1b30, codeBlock=0x7ffff455a29d <JSC::PropertyName::PropertyName(JSC::Identifier const&)+65>, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo= 0x7fff7c09ef00) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:980 #11 0x00007fffffffcc30 in ?? () #12 0x00007fff7c09ef00 in ?? () #13 0x00000000022f1b30 in ?? () #14 0x00007fff00000003 in ?? () #15 0x00007fffffffcc40 in ?? () #16 0x00007fff7c0bcfc0 in ?? () #17 0x00007ffff7db0b00 in JSC::JSNotAnObject::s_info () from /home/abecsi/devel/git/webkit-git-svn/WebKitBuild/Debug/lib/libQtWebKit.so.5 #18 0x00007ffff7d6f260 in WebCore::JSDOMWindowPrototype::s_info () from /home/abecsi/devel/git/webkit-git-svn/WebKitBuild/Debug/lib/libQtWebKit.so.5 #19 0x00007fffffffcc70 in ?? () #20 0x00007fffa052a460 in ?? () #21 0x0000000000515ef8 in ?? () #22 0x00007fff9dbdf2d8 in ?? () #23 0x0000000000000000 in ?? () 711172 5 beidson 2012-09-04 09:20:56 -0700 (In reply to comment #4) > The crash is reproducible (since http://trac.webkit.org/changeset/124815) with Qt MiniBrowser the following way: > > MiniBrowser index.hu Why is the plug-in failing to initialize? Can you construct a test for this? TestNetscapePlugin and WebKitTestRunner have the ability to test this type of thing. 711313 6 162073 abecsi 2012-09-04 11:57:29 -0700 Created attachment 162073 Makes Qt MiniBrowser crash Plugin support seems generally be unreliable/broken in Qt5 so plugin tests are disabled, though plugins are not disabled in MiniBrowser since work is ongoing to fix the issues. Because the initialization of plugins that set the "movie" parameter fails in MiniBrowser and since on the mentioned news site (index.hu) some scripts try to access the plugin object the web process crashes in PluginView::scriptObject. Attached is a reduced test page that crashes the QtWebProcess in MiniBrowser. 711317 7 abecsi 2012-09-04 11:59:55 -0700 CC-ing Balazs who used to work on plugin issues. 711326 8 beidson 2012-09-04 12:09:02 -0700 I understand what is going on here. It hasn't come up on Mac because plug-ins generally don't fail to initialize there. Interesting that Qt has this problem. I'm not against the change. I'm just against it without a test. 711569 9 beidson 2012-09-04 16:49:06 -0700 *** This bug has been marked as a duplicate of bug 95026 *** 161937 2012-09-03 09:03:02 -0700 2012-09-04 11:57:29 -0700 Patch bug-95692-20120903180323.patch text/plain 1899 abecsi U3VidmVyc2lvbiBSZXZpc2lvbjogMTI3NDIwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViS2l0Mi9DaGFuZ2VMb2cKaW5kZXggYWEzNmI0OTI1Y2ZmYzQ5 NjhjMmE0MzY5ZGJjMjA4M2VkMWQ0NjE1Yi4uMDUxOTk4MzBkNGI0N2Y3OGQ0MGJjZTBlY2ZhNDZm NWZmNWNhNzU5NCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdDIvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJLaXQyL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDEyLTA5LTAzICBBbmRy YXMgQmVjc2kgIDxhbmRyYXMuYmVjc2lAbm9raWEuY29tPgorCisgICAgICAgIFtXSzJdIFdlYlBy b2Nlc3MgY3Jhc2hlcyB3aGVuIHBsdWdpbiBpcyBub3QgaW5pdGlhbGl6ZWQuCisgICAgICAgIGh0 dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD05NTY5MgorCisgICAgICAgIFJl dmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFBlcmZvcm0gdGhlIG51bGwgY2hl Y2sgb2YgdGhlIHBsdWdpbiBtZW1iZXIgYmVmb3JlIHRyeWluZyB0byBkZXRlcm1pbmUKKyAgICAg ICAgaWYgaXQncyBiZWluZyBhc3luY2hyb25vdXNseSBpbml0aWFsaXplZC4KKworICAgICAgICAq IFdlYlByb2Nlc3MvUGx1Z2lucy9QbHVnaW5WaWV3LmNwcDoKKyAgICAgICAgKFdlYktpdDo6UGx1 Z2luVmlldzo6c2NyaXB0T2JqZWN0KToKKwogMjAxMi0wOS0wMyAgQWxsYW4gU2FuZGZlbGQgSmVu c2VuICA8YWxsYW4uamVuc2VuQG5va2lhLmNvbT4KIAogICAgICAgICBXaGVlbC1ldmVudHMgZmFp bHMgdGVtcG9yYXJpbHkgYWZ0ZXIgcmVsb2FkCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViS2l0Mi9X ZWJQcm9jZXNzL1BsdWdpbnMvUGx1Z2luVmlldy5jcHAgYi9Tb3VyY2UvV2ViS2l0Mi9XZWJQcm9j ZXNzL1BsdWdpbnMvUGx1Z2luVmlldy5jcHAKaW5kZXggMDE5ZDMzZThhNjFlZGRmYjViYzQ2MGM5 MjNkNDRmZDRmMjRjYzkwMy4uZTY5MjI4ZjgzOWQwZTMxZjA3OTdkYTk1Yjg1OTQwZjEzMDUyNzBl MyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYktpdDIvV2ViUHJvY2Vzcy9QbHVnaW5zL1BsdWdpblZp ZXcuY3BwCisrKyBiL1NvdXJjZS9XZWJLaXQyL1dlYlByb2Nlc3MvUGx1Z2lucy9QbHVnaW5WaWV3 LmNwcApAQCAtNTUwLDYgKzU1MCwxMCBAQCBKU09iamVjdCogUGx1Z2luVmlldzo6c2NyaXB0T2Jq ZWN0KEpTR2xvYmFsT2JqZWN0KiBnbG9iYWxPYmplY3QpCiAgICAgaWYgKG1faXNXYWl0aW5nRm9y U3luY2hyb25vdXNJbml0aWFsaXphdGlvbikKICAgICAgICAgcmV0dXJuIDA7CiAKKyAgICAvLyBU aGUgcGx1Zy1pbiBjYW4gYmUgbnVsbCBoZXJlLgorICAgIGlmICghbV9wbHVnaW4pCisgICAgICAg IHJldHVybiAwOworCiAgICAgLy8gSWYgdGhlIHBsdWctaW4gZXhpc3RzIGJ1dCBpcyBub3QgaW5p dGlhbGl6ZWQgdGhlbiB3ZSdyZSBzdGlsbCBpbml0aWFsaXppbmcgYXN5bmNocm9ub3VzbHkuCiAg ICAgLy8gV2UgbmVlZCB0byB3YWl0IGhlcmUgdW50aWwgaW5pdGlhbGl6YXRpb24gaGFzIGVpdGhl ciBzdWNjZWVkZWQgb3IgZmFpbGVkLgogICAgIGlmIChtX3BsdWdpbi0+aXNCZWluZ0FzeW5jaHJv bm91c2x5SW5pdGlhbGl6ZWQoKSkgewpAQCAtNTU5LDcgKzU2Myw3IEBAIEpTT2JqZWN0KiBQbHVn aW5WaWV3OjpzY3JpcHRPYmplY3QoSlNHbG9iYWxPYmplY3QqIGdsb2JhbE9iamVjdCkKICAgICB9 CiAKICAgICAvLyBUaGUgcGx1Zy1pbiBjYW4gYmUgbnVsbCBoZXJlIGlmIGl0IGZhaWxlZCB0byBp bml0aWFsaXplLgotICAgIGlmICghbV9pc0luaXRpYWxpemVkIHx8ICFtX3BsdWdpbikKKyAgICBp ZiAoIW1faXNJbml0aWFsaXplZCkKICAgICAgICAgcmV0dXJuIDA7CiAKICNpZiBFTkFCTEUoTkVU U0NBUEVfUExVR0lOX0FQSSkK 162073 2012-09-04 11:57:29 -0700 2012-09-04 11:57:29 -0700 Makes Qt MiniBrowser crash plugin.html text/html 493 abecsi PGh0bWw+CiAgICA8aGVhZD4KICAgICAgICA8dGl0bGU+VmlkZW88L3RpdGxlPgogICAgPC9oZWFk PgogICAgPGJvZHk+CiAgICAgICAgPGRpdj4KICAgICAgICAgICAgPG9iamVjdCBpZD0iZmxhc2h2 aWRlbyI+CiAgICAgICAgICAgICAgICA8cGFyYW0gbmFtZT0ibW92aWUiIHZhbHVlPSJodHRwOi8v YXNzZXRzLmluZGF2aWRlby5odS9zd2YvcGxheWVyLnN3ZiI+CiAgICAgICAgICAgICAgICA8ZW1i ZWQgc3JjPSJodHRwOi8vYXNzZXRzLmluZGF2aWRlby5odS9zd2YvcGxheWVyLnN3ZiI+CiAgICAg ICAgICAgIDwvb2JqZWN0PgogICAgICAgIDwvZGl2PgogICAgPHNjcmlwdCBzcmM9Imh0dHA6Ly9h c3NldHMuaW5kYXZpZGVvLmh1L2pzL2xpYi9qcXVlcnktMS42LjQubWluLmpzIj48L3NjcmlwdD4K ICAgIDxzY3JpcHQgc3JjPSJodHRwOi8vYXNzZXRzLmluZGF2aWRlby5odS9qcy9zcmMvdnBsYXll cjIuanMiPjwvc2NyaXB0PgogICAgPC9ib2R5Pgo8L2h0bWw+Cg==