Bug 172846

Summary: REGRESSION (r206386): Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: PrintingAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ggaren, kling, koivisto, mark.lam, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 162521    
Attachments:
Description Flags
Patch
none
Follow-up fix none

Chris Dumez
Reported 2017-06-01 18:58:29 PDT
Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebKit 0x00000001041ffe8c JSC::JSCell::isString() const + 12 1 com.apple.WebKit 0x00000001041fd48e JSC::JSValue::isString() const + 62 2 com.apple.WebKit 0x00000001041fd0e7 WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant(JSC::ExecState*, JSC::JSValue, _NPVariant&) + 375 3 com.apple.WebKit 0x00000001041e05b9 WebKit::NPJSObject::invoke(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSValue, _NPVariant const*, unsigned int, _NPVariant*) + 537 4 com.apple.WebKit 0x00000001041e037b WebKit::NPJSObject::invoke(void*, _NPVariant const*, unsigned int, _NPVariant*) + 315 5 com.apple.WebKit 0x00000001041e1b2b WebKit::NPJSObject::NP_Invoke(NPObject*, void*, _NPVariant const*, unsigned int, _NPVariant*) + 59 6 com.apple.WebKit 0x00000001041e5cde WebKit::NPObjectMessageReceiver::invoke(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&) + 398 7 com.apple.WebKit 0x00000001041eac9c void IPC::callMemberFunctionImpl<WebKit::NPObjectMessageReceiver, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&), std::__1::tuple<WebKit::NPIdentifierData, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> >, 0ul, 1ul, std::__1::tuple<bool, WebKit::NPVariantData>, 0ul, 1ul>(WebKit::NPObjectMessageReceiver*, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&), std::__1::tuple<WebKit::NPIdentifierData, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> >&&, std::__1::tuple<bool, WebKit::NPVariantData>&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 284 8 com.apple.WebKit 0x00000001041e9800 void IPC::callMemberFunction<WebKit::NPObjectMessageReceiver, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&), std::__1::tuple<WebKit::NPIdentifierData, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> >, std::__1::integer_sequence<unsigned long, 0ul, 1ul>, std::__1::tuple<bool, WebKit::NPVariantData>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<WebKit::NPIdentifierData, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> >&&, std::__1::tuple<bool, WebKit::NPVariantData>&, WebKit::NPObjectMessageReceiver*, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&)) + 96 9 com.apple.WebKit 0x00000001041e85f4 void IPC::handleMessage<Messages::NPObjectMessageReceiver::Invoke, WebKit::NPObjectMessageReceiver, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&)>(IPC::Decoder&, IPC::Encoder&, WebKit::NPObjectMessageReceiver*, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&)) + 388 10 com.apple.WebKit 0x00000001041e7c91 WebKit::NPObjectMessageReceiver::didReceiveSyncNPObjectMessageReceiverMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) + 561 11 com.apple.WebKit 0x00000001041f5d67 WebKit::NPRemoteObjectMap::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) + 103
Attachments
Patch (1.76 KB, patch)
2017-06-01 19:01 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Follow-up fix (1.52 KB, patch)
2017-06-02 09:54 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2017-06-01 18:58:46 PDT
<rdar://problem/31093005>
Chris Dumez
Comment 2 2017-06-01 19:01:25 PDT
Created attachment 311791 [details] Patch
Chris Dumez
Comment 3 2017-06-01 21:35:31 PDT
Comment on attachment 311791 [details] Patch Clearing flags on attachment: 311791 Committed r217695: <http://trac.webkit.org/changeset/217695>
Chris Dumez
Comment 4 2017-06-01 21:35:33 PDT
All reviewed patches have been landed. Closing bug.
Mark Lam
Comment 5 2017-06-02 09:46:17 PDT
Comment on attachment 311791 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=311791&action=review > Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp:-316 > - scope.clearException(); After thinking about this some more, I wonder if convertJSValueToNPVariant() can produce an exception too. If so, you will need the above exception treatment here as well. What do you think?
Chris Dumez
Comment 6 2017-06-02 09:51:07 PDT
(In reply to Mark Lam from comment #5) > Comment on attachment 311791 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=311791&action=review > > > Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp:-316 > > - scope.clearException(); > > After thinking about this some more, I wonder if convertJSValueToNPVariant() > can produce an exception too. If so, you will need the above exception > treatment here as well. What do you think? I believe you are right. I believe convertJSValueToNPVariant() can indeed throw.
Chris Dumez
Comment 7 2017-06-02 09:54:00 PDT
Created attachment 311834 [details] Follow-up fix
Mark Lam
Comment 8 2017-06-02 11:46:42 PDT
Comment on attachment 311834 [details] Follow-up fix r=me
WebKit Commit Bot
Comment 9 2017-06-02 12:15:57 PDT
Comment on attachment 311834 [details] Follow-up fix Clearing flags on attachment: 311834 Committed r217729: <http://trac.webkit.org/changeset/217729>
WebKit Commit Bot
Comment 10 2017-06-02 12:15:59 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.