Bug 137849

Summary:

[GTK] [Stable] webkitgtk 2.6.1 fails to load flashplugin

Product:

WebKit

Reporter:

Marcel Tiede <marcel.tiede>

Component:

WebKitGTK

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

berto, cgarcia, clopez

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Example program	none
Workaround	none
Patch	cgarcia: review+

Marcel Tiede

Reported 2014-10-18 05:23:40 PDT

Created attachment 240061 [details] Example program Hi, with a vala program that spawns a GTK-Window that only holds a webview (webkitgtk 2.6.1) there is an error loading the adobe flash website (https://www.adobe.com/software/flash/about/): Error scanning plugin /home/marcel/.mozilla/plugins/npwrapper.libflashplayer.so, /usr/lib/webkit2gtk-4.0/WebKitPluginProcess returned 256 exit status The flash version number itself is shown. I experienced a second problem. If I open the url https://deezer.com something is crashing very hard: [marcel@Obelix browsertest]$ ./browser Error scanning plugin /home/marcel/.mozilla/plugins/npwrapper.libflashplayer.so, /usr/lib/webkit2gtk-4.0/WebKitPluginProcess returned 256 exit status *** stack smashing detected ***: /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2 terminated ======= Backtrace: ========= /usr/lib/libc.so.6(+0x7340e)[0x7fbd23ba940e] /usr/lib/libc.so.6(__fortify_fail+0x37)[0x7fbd23c2ea97] /usr/lib/libc.so.6(__fortify_fail+0x0)[0x7fbd23c2ea60] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2[0xac18d2] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN6WebKit14NetscapePlugin10initializeERKNS_6Plugin10ParametersE+0x8db)[0xabd8ab] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN6WebKit21PluginControllerProxy10initializeERKNS_24PluginCreationParametersE+0xe2)[0xa91fe2] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN6WebKit20WebProcessConnection20createPluginInternalERKNS_24PluginCreationParametersERbS4_Rj+0x8e)[0xa965ce] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN6WebKit20WebProcessConnection12createPluginERKNS_24PluginCreationParametersEN3WTF10PassRefPtrIN8Messages20WebProcessConnection12CreatePlugin12DelayedReplyEEE+0x200)[0xa96810] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN3IPC20handleMessageDelayedIN8Messages20WebProcessConnection12CreatePluginEN6WebKit20WebProcessConnectionEMS5_FvRKNS4_24PluginCreationParametersEN3WTF10PassRefPtrINS3_12DelayedReplyEEEEEEvPNS_10ConnectionERNS_14MessageDecoderERSt10unique_ptrINS_14MessageEncoderESt14default_deleteISK_EEPT0_T1_+0x175)[0xac4e05] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN6WebKit20WebProcessConnection41didReceiveSyncWebProcessConnectionMessageEPN3IPC10ConnectionERNS1_14MessageDecoderERSt10unique_ptrINS1_14MessageEncoderESt14default_deleteIS7_EE+0x9d)[0xac4bad] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN6WebKit20WebProcessConnection21didReceiveSyncMessageEPN3IPC10ConnectionERNS1_14MessageDecoderERSt10unique_ptrINS1_14MessageEncoderESt14default_deleteIS7_EE+0x24d)[0xa95fdd] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN3IPC10Connection19dispatchSyncMessageERNS_14MessageDecoderE+0x11c)[0xa8537c] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN3IPC10Connection15dispatchMessageESt10unique_ptrINS_14MessageDecoderESt14default_deleteIS2_EE+0xcc)[0xa8545c] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN3IPC10Connection16SyncMessageState16dispatchMessagesEPS0_+0x297)[0xa86c47] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(_ZN3WTF7RunLoop11performWorkEv+0x1fc)[0x1da2e4c] /usr/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF15GMainLoopSource12voidCallbackEv+0x2a5)[0x7fbd2bb896c5] /usr/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF15GMainLoopSource18voidSourceCallbackEPS0_+0xa)[0x7fbd2bb8549a] /usr/lib/libglib-2.0.so.0(g_main_context_dispatch+0x15d)[0x7fbd2881692d] /usr/lib/libglib-2.0.so.0(+0x49d08)[0x7fbd28816d08] /usr/lib/libglib-2.0.so.0(g_main_loop_run+0xc2)[0x7fbd28817032] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2(PluginProcessMainUnix+0x29a)[0xa97aca] /usr/lib/libc.so.6(__libc_start_main+0xf0)[0x7fbd23b56040] /usr/lib/webkit2gtk-4.0/WebKitPluginProcess2[0xa82346] ======= Memory map: ======== ... With version 2.4.5 of webkitgtk there were no problems. In the attachments is a program to reproduce the errors. Command to compile the program: valac --pkg gtk+-3.0 --pkg webkit2gtk-4.0 browser.vala Marcel

Attachments
Example program (744 bytes, text/x-vala) 2014-10-18 05:23 PDT, Marcel Tiede	no flags	Details
Workaround (728 bytes, patch) 2014-11-06 02:32 PST, Alberto Garcia	no flags	Details Formatted Diff Diff
Patch (1.64 KB, patch) 2014-11-06 07:38 PST, Alberto Garcia	cgarcia: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Carlos Alberto Lopez Perez

Comment 1 2014-10-18 10:35:32 PDT

I was able to reproduce the problem with the attached example program (when loading https://deezer.com) and with webkit2gtk 2.6.1. But I was not able to reproduce it on trunk, so I guess it is already fixed on trunk. It would be great to know which commit fixes it in order to backport to stable. What I was able to reproduce is the '*** stack smashing detected ***' error. For me the flash plugin works. Also the browser seems to continues to work, but any time you click on a link on that page another stack smashing error happens.

Marcel Tiede

Comment 2 2014-10-18 10:49:51 PDT

With the help of Carlos Alberto Lopez Perez I could find the problem for the error: Error scanning plugin /home/marcel/.mozilla/plugins/npwrapper.libflashplayer.so, /usr/lib/webkit2gtk-4.0/WebKitPluginProcess returned 256 exit status I just deleted the npwrapper.libflashplayer.so from my home directory.

Carlos Alberto Lopez Perez

Comment 3 2014-10-18 11:53:04 PDT

(In reply to comment #2) > With the help of Carlos Alberto Lopez Perez I could find the problem for > the error: > > Error scanning plugin > /home/marcel/.mozilla/plugins/npwrapper.libflashplayer.so, > /usr/lib/webkit2gtk-4.0/WebKitPluginProcess returned 256 exit status > > I just deleted the npwrapper.libflashplayer.so from my home directory. That was more a warning than an error. The real problem here seems to be a buffer overflow on webkit that causes that smashing stack error. Is reproducible with the example code attached and webkit 2.6.1 (I tried with the 2.6.1 packaged on Debian testing/sid).

Carlos Garcia Campos

Comment 4 2014-10-19 00:03:40 PDT

I can't reproduce this with 2.6.1, the bt looks like bug #137426 that was fixed and backported to 2.6 before the 2.6.1 release.

Marcel Tiede

Comment 5 2014-10-25 02:43:57 PDT

WebkitGTK 2.6.2 is also not solving the problem.

Alberto Garcia

Comment 6 2014-11-04 10:35:31 PST

It crashes for me as well (using 2.6.2): (gdb) bt #0 0x00007fbd3e90b107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007fbd3e90c4e8 in __GI_abort () at abort.c:89 #2 0x00007fbd3e949044 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fbd3ea3968b "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175 #3 0x00007fbd3e9cc137 in __GI___fortify_fail (msg=msg@entry=0x7fbd3ea39673 "stack smashing detected") at fortify_fail.c:31 #4 0x00007fbd3e9cc100 in __stack_chk_fail () at stack_chk_fail.c:28 #5 0x0000000000afee12 in WebKit::NetscapePlugin::platformPostInitialize() () #6 0x0000000000afbabb in WebKit::NetscapePlugin::initialize(WebKit::Plugin::Parameters const&) () #7 0x0000000000ad6b32 in WebKit::PluginControllerProxy::initialize(WebKit::PluginCreationParameters const&) () #8 0x0000000000adb08c in WebKit::WebProcessConnection::createPluginInternal(WebKit::PluginCreationParameters const&, bool&, bool&, unsigned int&) () #9 0x0000000000adb2d0 in WebKit::WebProcessConnection::createPlugin(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>) () #10 0x0000000000b01e50 in void IPC::handleMessageDelayed<Messages::WebProcessConnection::CreatePlugin, WebKit::WebProcessConnection, void (WebKit::WebProcessConnection::*)(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>)>(IPC::Connection*, IPC::MessageDecoder&, std::unique_ptr<IPC::MessageEncoder, std::default_delete<IPC::MessageEncoder> >&, WebKit::WebProcessConnection*, void (WebKit::WebProcessConnection::*)(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>)) ()

Alberto Garcia

Comment 7 2014-11-05 03:59:37 PST

With debugging symbols: (gdb) bt #0 0x00007f11ec156407 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007f11ec1577e8 in __GI_abort () at abort.c:89 #2 0x00007f11ec194344 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f11ec2849f5 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175 #3 0x00007f11ec217437 in __GI___fortify_fail (msg=msg@entry=0x7f11ec2849dd "stack smashing detected") at fortify_fail.c:31 #4 0x00007f11ec217400 in __stack_chk_fail () at stack_chk_fail.c:28 #5 0x0000000000afee12 in WebKit::NetscapePlugin::platformPostInitialize (this=this@entry=0x7f11f4182dc0) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp:229 #6 0x0000000000afbabb in WebKit::NetscapePlugin::initialize (this=0x7f11f4182dc0, parameters=...) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/WebProcess/Plugins/Netscape/NetscapePlugin.cpp:668 #7 0x0000000000ad6b32 in WebKit::PluginControllerProxy::initialize (this=this@entry=0x2afc360, creationParameters=...) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/PluginProcess/PluginControllerProxy.cpp:120 #8 0x0000000000adb08c in WebKit::WebProcessConnection::createPluginInternal (this=this@entry=0x7f11f416e9b0, creationParameters=..., result=result@entry=@0x7fff8e0063ce: false, wantsWheelEvents=wantsWheelEvents@entry=@0x7fff8e0063cf: false, remoteLayerClientID=remoteLayerClientID@entry=@0x7fff8e0063e0: 0) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/PluginProcess/WebProcessConnection.cpp:219 #9 0x0000000000adb2d0 in WebKit::WebProcessConnection::createPlugin (this=0x7f11f416e9b0, creationParameters=..., reply=...) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/PluginProcess/WebProcessConnection.cpp:264 #10 0x0000000000b01e50 in callMemberFunctionImpl<WebKit::WebProcessConnection, void (WebKit::WebProcessConnection::*)(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>), Messages::WebProcessConnection::CreatePlugin::DelayedReply, std::tuple<WebKit::PluginCreationParameters>, 0ul> ( args=<unknown type in /usr/lib/debug/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitPluginProcess2, CU 0x793474, DIE 0x7b3b95>, delayedReply=..., function=<optimized out>, object=0x7f11f416e9b0) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/Platform/IPC/HandleMessage.h:44 #11 callMemberFunction<WebKit::WebProcessConnection, void (WebKit::WebProcessConnection::*)(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>), Messages::WebProcessConnection::CreatePlugin::DelayedReply, std::tuple<WebKit::PluginCreationParameters>, std::make_index_sequence<1ul> > (function=<optimized out>, object=0x7f11f416e9b0, delayedReply=..., args=<unknown type in /usr/lib/debug/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitPluginProcess2, CU 0x793474, DIE 0x7b3b1d>) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/Platform/IPC/HandleMessage.h:50

Alberto Garcia

Comment 8 2014-11-05 04:53:55 PST

I can't seem to reproduce this crash if I rebuild webkit 2.6.2, so this might have to do with the version of the compiler or some library.

Carlos Alberto Lopez Perez

Comment 9 2014-11-05 06:19:16 PST

(In reply to comment #8) > I can't seem to reproduce this crash if I rebuild webkit 2.6.2, so > this might have to do with the version of the compiler or some library. I think it may have to be with the hardening flags that the debian package uses. $ grep ^CPPFLAGS webkit2gtk-2.6.2+dfsg1/debian/rules CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) -Wall $ dpkg-buildflags --get CPPFLAGS -D_FORTIFY_SOURCE=2 You can try rebuilding it with those flags to check if then is reproducible or not.

Alberto Garcia

Comment 10 2014-11-05 06:37:44 PST

I actually rebuilt it with exactly the same flags and it no longer crashes. I'm still looking into it. On a related note I just fixed bug 138418, although I don't see how that could cause this problem.

Alberto Garcia

Comment 11 2014-11-06 02:32:31 PST

Created attachment 241098 [details] Workaround I believe that this is a bug in GCC, I can reproduce it reliably with the following conditions: * GCC 4.9.1 (reproduced with 4.9.1-4 and 4.9.1-19 from Debian) * -O1 or -O2 * -fstack-protector-strong The affected function is NetscapePlugin::platformPostInitialize() from NetscapePluginX11.cpp. As a workaround it is possible to disable the compiler optimizations in that function (and still keep the stack protection enabled) with the following patch.

Alberto Garcia

Comment 12 2014-11-06 02:58:28 PST

Interestingly enough webkitgtk 2.4.7 does not seem to crash

Alberto Garcia

Comment 13 2014-11-06 07:38:32 PST

Created attachment 241106 [details] Patch I'm stupid, forget my previous comments. We are actually having the stack corrupted. The reason is that although NPPVpluginNeedsXEmbed is a boolean value we cannot use bool/NPBool there (1 byte) because the Flash player plugin (and possibly others) are using an int instead. My confusion came from the fact that it doesn't happen when we disable optimizations. The reason for that might be that in that case we would be overwriting the windowID variable instead, which is not a problem because we would not be changing its current value (0).

Carlos Garcia Campos

Comment 14 2014-11-06 07:41:35 PST

Comment on attachment 241106 [details] Patch How I hate flash :-/

Alberto Garcia

Comment 15 2014-11-06 07:46:35 PST

Committed r175696: <http://trac.webkit.org/changeset/175696>

Note You need to log in before you can comment on or make changes to this bug.