| Field | Value |
|---|---|
| Summary | [GTK] [Stable] webkitgtk 2.6.1 fails to load flashplugin |
| Product | WebKit |
| Component | WebKitGTK |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Marcel Tiede <marcel.tiede> |
| Assignee | Nobody <webkit-unassigned> |
| CC | berto, cgarcia, clopez |
Description
Marcel Tiede
2014-10-18 05:23:40 PDT

I was able to reproduce the problem with the attached example program (when loading https://deezer.com) and with webkit2gtk 2.6.1. But I was not able to reproduce it on trunk, so I guess it is already fixed on trunk. It would be great to know which commit fixes it in order to backport it to stable.

What I was able to reproduce is the '*** stack smashing detected ***' error. For me the flash plugin works.

Also the browser seems to continue to work, but any time you click on a link on that page another stack smashing error happens.

With the help of Carlos Alberto Lopez Perez I could find the problem for the error:

```
Error scanning plugin /home/marcel/.mozilla/plugins/npwrapper.libflashplayer.so, /usr/lib/webkit2gtk-4.0/WebKitPluginProcess returned 256 exit status
```

I just deleted the npwrapper.libflashplayer.so from my home directory.

(In reply to comment #2)
> With the help of Carlos Alberto Lopez Perez I could find the problem for
> the error:
>
> Error scanning plugin
> /home/marcel/.mozilla/plugins/npwrapper.libflashplayer.so,
> /usr/lib/webkit2gtk-4.0/WebKitPluginProcess returned 256 exit status
>
> I just deleted the npwrapper.libflashplayer.so from my home directory.

That was more a warning than an error. The real problem here seems to be a buffer overflow in webkit that causes that stack smashing error. It is reproducible with the example code attached and webkit 2.6.1 (I tried with the 2.6.1 packaged on Debian testing/sid).

I can't reproduce this with 2.6.1; the bt looks like bug #137426, which was fixed and backported to 2.6 before the 2.6.1 release.

WebKitGTK 2.6.2 is also not solving the problem.

It crashes for me as well (using 2.6.2):

```
(gdb) bt
#0  0x00007fbd3e90b107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007fbd3e90c4e8 in __GI_abort () at abort.c:89
#2  0x00007fbd3e949044 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fbd3ea3968b "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fbd3e9cc137 in __GI___fortify_fail (msg=msg@entry=0x7fbd3ea39673 "stack smashing detected") at fortify_fail.c:31
#4  0x00007fbd3e9cc100 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x0000000000afee12 in WebKit::NetscapePlugin::platformPostInitialize() ()
#6  0x0000000000afbabb in WebKit::NetscapePlugin::initialize(WebKit::Plugin::Parameters const&) ()
#7  0x0000000000ad6b32 in WebKit::PluginControllerProxy::initialize(WebKit::PluginCreationParameters const&) ()
#8  0x0000000000adb08c in WebKit::WebProcessConnection::createPluginInternal(WebKit::PluginCreationParameters const&, bool&, bool&, unsigned int&) ()
#9  0x0000000000adb2d0 in WebKit::WebProcessConnection::createPlugin(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>) ()
#10 0x0000000000b01e50 in void IPC::handleMessageDelayed<Messages::WebProcessConnection::CreatePlugin, WebKit::WebProcessConnection, void (WebKit::WebProcessConnection::*)(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>)>(IPC::Connection*, IPC::MessageDecoder&, std::unique_ptr<IPC::MessageEncoder, std::default_delete<IPC::MessageEncoder> >&, WebKit::WebProcessConnection*, void (WebKit::WebProcessConnection::*)(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>)) ()
```

With debugging symbols:

```
(gdb) bt
#0  0x00007f11ec156407 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f11ec1577e8 in __GI_abort () at abort.c:89
#2  0x00007f11ec194344 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7f11ec2849f5 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f11ec217437 in __GI___fortify_fail (msg=msg@entry=0x7f11ec2849dd "stack smashing detected") at fortify_fail.c:31
#4  0x00007f11ec217400 in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x0000000000afee12 in WebKit::NetscapePlugin::platformPostInitialize (this=this@entry=0x7f11f4182dc0) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp:229
#6  0x0000000000afbabb in WebKit::NetscapePlugin::initialize (this=0x7f11f4182dc0, parameters=...) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/WebProcess/Plugins/Netscape/NetscapePlugin.cpp:668
#7  0x0000000000ad6b32 in WebKit::PluginControllerProxy::initialize (this=this@entry=0x2afc360, creationParameters=...) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/PluginProcess/PluginControllerProxy.cpp:120
#8  0x0000000000adb08c in WebKit::WebProcessConnection::createPluginInternal (this=this@entry=0x7f11f416e9b0, creationParameters=..., result=result@entry=@0x7fff8e0063ce: false, wantsWheelEvents=wantsWheelEvents@entry=@0x7fff8e0063cf: false, remoteLayerClientID=remoteLayerClientID@entry=@0x7fff8e0063e0: 0) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/PluginProcess/WebProcessConnection.cpp:219
#9  0x0000000000adb2d0 in WebKit::WebProcessConnection::createPlugin (this=0x7f11f416e9b0, creationParameters=..., reply=...) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/PluginProcess/WebProcessConnection.cpp:264
#10 0x0000000000b01e50 in callMemberFunctionImpl<WebKit::WebProcessConnection, void (WebKit::WebProcessConnection::*)(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>), Messages::WebProcessConnection::CreatePlugin::DelayedReply, std::tuple<WebKit::PluginCreationParameters>, 0ul> (args=<unknown type in /usr/lib/debug/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitPluginProcess2, CU 0x793474, DIE 0x7b3b95>, delayedReply=..., function=<optimized out>, object=0x7f11f416e9b0) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/Platform/IPC/HandleMessage.h:44
#11 callMemberFunction<WebKit::WebProcessConnection, void (WebKit::WebProcessConnection::*)(WebKit::PluginCreationParameters const&, WTF::PassRefPtr<Messages::WebProcessConnection::CreatePlugin::DelayedReply>), Messages::WebProcessConnection::CreatePlugin::DelayedReply, std::tuple<WebKit::PluginCreationParameters>, std::make_index_sequence<1ul> > (function=<optimized out>, object=0x7f11f416e9b0, delayedReply=..., args=<unknown type in /usr/lib/debug/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitPluginProcess2, CU 0x793474, DIE 0x7b3b1d>) at /tmp/buildd/webkit2gtk-2.6.2+dfsg1/Source/WebKit2/Platform/IPC/HandleMessage.h:50
```

I can't seem to reproduce this crash if I rebuild webkit 2.6.2, so this might have to do with the version of the compiler or some library.

(In reply to comment #8)
> I can't seem to reproduce this crash if I rebuild webkit 2.6.2, so
> this might have to do with the version of the compiler or some library.

I think it may have to do with the hardening flags that the debian package uses.

```
$ grep ^CPPFLAGS webkit2gtk-2.6.2+dfsg1/debian/rules
CPPFLAGS = $(shell dpkg-buildflags --get CPPFLAGS) -Wall
$ dpkg-buildflags --get CPPFLAGS
-D_FORTIFY_SOURCE=2
```

You can try rebuilding it with those flags to check whether it is reproducible then.

I actually rebuilt it with exactly the same flags and it no longer crashes. I'm still looking into it.

On a related note I just fixed bug 138418, although I don't see how that could cause this problem.

Created attachment 241098 [details]
Workaround
I believe that this is a bug in GCC, I can reproduce it reliably with
the following conditions:
* GCC 4.9.1 (reproduced with 4.9.1-4 and 4.9.1-19 from Debian)
* -O1 or -O2
* -fstack-protector-strong
The affected function is NetscapePlugin::platformPostInitialize() from
NetscapePluginX11.cpp.
As a workaround it is possible to disable the compiler optimizations
in that function (and still keep the stack protection enabled) with
the following patch.
Interestingly enough webkitgtk 2.4.7 does not seem to crash.

Created attachment 241106 [details]
Patch
I'm stupid, forget my previous comments. We are actually having the
stack corrupted.
The reason is that although NPPVpluginNeedsXEmbed is a boolean value
we cannot use bool/NPBool there (1 byte) because the Flash player
plugin (and possibly others) are using an int instead.
My confusion came from the fact that it doesn't happen when we disable
optimizations. The reason for that might be that in that case we would
be overwriting the windowID variable instead, which is not a problem
because we would not be changing its current value (0).
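The size mismatch described in the comment above, as an added example that is not part of the bug report, of WebKit or of the Flash plugin: a stand-in plugin answers NPPVpluginNeedsXEmbed with a 4-byte store (the behaviour attributed to Flash), the host frame is modelled explicitly so the clobbered bytes can be counted, and the fixed query hands the plugin an int-sized slot. NPBool, NPError and the NPPVpluginNeedsXEmbed value follow npapi.h; the exact variable type chosen in r175696 is not shown on this page, so int is this example's assumption. The plugin stand-in is kept out of line and the destination pointer is laundered through a volatile so the compiler cannot see the destination's size, as it cannot for a dlopen()ed plugin.

```c
/* Added example, not WebKit's or Flash's code: models the NPPVpluginNeedsXEmbed
 * mismatch from this bug. NPAPI says the host passes a pointer to an NPBool
 * (1 byte); the Flash plugin writes an int (4 bytes) through it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char NPBool;           /* 1 byte, as in npapi.h */
typedef int16_t       NPError;          /* as in npapi.h */
#define NPERR_NO_ERROR        0
#define NPERR_GENERIC_ERROR   1
#define NPPVpluginNeedsXEmbed 14        /* enum value as in npapi.h */

/* Stand-in for the plugin side of NPP_GetValue. Like Flash, it answers
 * NPPVpluginNeedsXEmbed with a 4-byte store. memcpy keeps this well-defined C;
 * the bytes written are the same as for *(int *)value = 1. noinline keeps the
 * compiler from learning the size of the object behind 'value'. */
__attribute__((noinline))
static NPError flash_like_getvalue(int variable, void *value)
{
    if (variable != NPPVpluginNeedsXEmbed)
        return NPERR_GENERIC_ERROR;
    int needs = 1;
    memcpy(value, &needs, sizeof needs);
    return NPERR_NO_ERROR;
}

/* Explicit model of the host's stack frame, so the damage is observable
 * without depending on what the compiler placed next to the local in the
 * real frame (the stack canary, windowID, ...). */
struct frame_model {
    NPBool  needsXEmbed;      /* the 1-byte local used before the fix */
    uint8_t neighbours[7];    /* whatever follows it in memory */
};

/* 2.6.x-style query: hands the plugin a 1-byte slot. 'fill' is the byte
 * pattern the neighbouring memory holds beforehand. Returns how many
 * neighbouring bytes the plugin's 4-byte store changed: 3 for a non-zero
 * pattern, 0 on a little-endian host when the neighbours were already 0
 * (the windowID == 0 case from the comment above). */
int query_needs_xembed_unsafe(uint8_t fill)
{
    struct frame_model f;
    f.needsXEmbed = 0;
    memset(f.neighbours, fill, sizeof f.neighbours);

    /* volatile launder: hides the 1-byte object size from fortified memcpy,
     * which a real plugin's raw store would never have been subject to */
    void * volatile slot = &f.needsXEmbed;
    flash_like_getvalue(NPPVpluginNeedsXEmbed, slot);

    int clobbered = 0;
    for (size_t i = 0; i < sizeof f.neighbours; i++)
        if (f.neighbours[i] != fill)
            clobbered++;
    return clobbered;
}

/* The fix in miniature: give the plugin an int-sized slot and only then
 * narrow to a boolean (int is this example's assumption about the type).
 * Returns the flag the host acts on. */
int query_needs_xembed_fixed(void)
{
    int needsXEmbed = 0;      /* int, not NPBool: room for the plugin's store */
    if (flash_like_getvalue(NPPVpluginNeedsXEmbed, &needsXEmbed) != NPERR_NO_ERROR)
        return 0;
    return needsXEmbed != 0;
}

int main(void)
{
    /* Non-zero neighbours (a canary-like pattern): the overwrite is visible,
     * which is what -fstack-protector-strong turned into the abort above. */
    printf("non-zero neighbours clobbered: %d\n", query_needs_xembed_unsafe(0xAA));
    /* Neighbours already zero: the same overwrite changes nothing observable. */
    printf("zero neighbours clobbered:     %d\n", query_needs_xembed_unsafe(0x00));
    printf("fixed query -> needsXEmbed = %d\n", query_needs_xembed_fixed());
    return 0;
}
```

The two calls with different fill patterns are the point: the store is the same 4 bytes either way, and whether it is noticed depends entirely on what the compiler happened to put after the 1-byte local, which is why the bug showed up only with optimization and a stack protector on.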
Comment on attachment 241106 [details]
Patch

How I hate flash :-/

Committed r175696: <http://trac.webkit.org/changeset/175696>