Bug 98448

Summary: [v8] Fix npCreateV8ScriptObject crash
Product: WebKit
Reporter: Fady Samuel <fsamuel>
Component: New Bugs
Assignee: Fady Samuel <fsamuel>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, haraken, japhet, webkit.review.bot, wez
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
Patch: abarth: review+, abarth: commit-queue-
Added LayoutTest: none

Fady Samuel
Reported 2012-10-04 13:30:04 PDT
[v8] Fix npCreateV8ScriptObject crash
Attachments
Patch (3.38 KB, patch)
2012-10-04 13:32 PDT, Fady Samuel
abarth: review+
abarth: commit-queue-
Added LayoutTest (7.71 KB, patch)
2012-11-26 17:53 PST, lazyboy
no flags
Fady Samuel
Comment 1 2012-10-04 13:32:59 PDT
Adam Barth
Comment 2 2012-10-04 13:41:36 PDT
Comment on attachment 167165 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=167165&action=review

> Source/WebCore/ChangeLog:9
> + npCreateV8ScriptObject was crashing because it was being called after the perContextData had
> + been torn down. This is fixed by checking for a non-0 perContextData.

Can we write a test for this case?
Fady Samuel
Comment 3 2012-10-16 13:29:38 PDT
I'm unable to repro this bug locally, let alone write a test for it. We're seeing this happen in crash reports:

Meta information:
Product Name: Chrome
Product Version: 24.0.1283.0
Report ID: b5cb51aff83e2edd
Report Time: 2012/10/01 16:35:58, Mon
Uptime: 7 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 23 stepping 10
ptype: renderer

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000028 )
0x54fb8b7a [chrome.dll - npv8object.cpp:149] WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)
0x54fb82bb [chrome.dll - v8nputils.cpp:72] WebCore::convertV8ObjectToNPVariant(v8::Local<v8::Value>,NPObject *,_NPVariant *)
0x5555f934 [chrome.dll - npv8object.cpp:234] _NPN_Invoke
0x5662fb3a [chrome.dll - npobject_stub.cc:183] NPObjectStub::OnInvoke(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)
0x5662f661 [chrome.dll - tuple.h:746] DispatchToMethod<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> >,IPC::Message &>(NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,Tuple1<IPC::Message &> *)
0x56630118 [chrome.dll - ipc_message_utils.h:875] IPC::SyncMessageSchema<Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > >,Tuple2<NPVariant_Param &,bool &> >::DispatchDelayReplyWithSendParams<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(bool,Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x566302d7 [chrome.dll - plugin_messages.h:490] NPObjectMsg_Invoke::DispatchDelayReply<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x5663065b [chrome.dll - npobject_stub.cc:93] NPObjectStub::OnMessageReceived(IPC::Message const &)
0x54dc55fc [chrome.dll - message_router.cc:47] MessageRouter::RouteMessage(IPC::Message const &)
0x5662ef83 [chrome.dll - np_channel_base.cc:174] NPChannelBase::OnMessageReceived(IPC::Message const &)
0x54d3860a [chrome.dll - ipc_channel_proxy.cc:261] IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x54d0e8be [chrome.dll - bind_internal.h:1256] base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( notifier::NonBlockingPushClient::Core::*)(std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &),void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> >)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>::Run(base::internal::BindStateBase *)
0x54d10b68 [chrome.dll - message_loop.cc:470] MessageLoop::RunTask(base::PendingTask const &)
0x54d108cf [chrome.dll - message_loop.cc:661] MessageLoop::DoWork()
0x54d10fab [chrome.dll - message_pump_default.cc:28] base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x54d1059a [chrome.dll - message_loop.cc:427] MessageLoop::RunInternal()
0x54d104f2 [chrome.dll - run_loop.cc:45] base::RunLoop::Run()
0x54d3f887 [chrome.dll - message_loop.cc:307] MessageLoop::Run()
0x54d5c9a7 [chrome.dll - renderer_main.cc:239] RendererMain(content::MainFunctionParams const &)
0x54cf864c [chrome.dll - content_main_runner.cc:441] content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x54cf85d3 [chrome.dll - content_main_runner.cc:734] content::ContentMainRunnerImpl::Run()
0x54cea5fc [chrome.dll - content_main.cc:35] content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x54cea588 [chrome.dll - chrome_main.cc:28] ChromeMain
0x00f1510d [chrome.exe - client_util.cc:440] MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00f17933 [chrome.exe - chrome_exe_main_win.cc:76] RunChrome(HINSTANCE__ *)
0x00f1799e [chrome.exe - chrome_exe_main_win.cc:92] wWinMain
0x00f702ec [chrome.exe - crt0.c:275] __tmainCRTStartup
0x7609ed6b [kernel32.dll + 0x0004ed6b] BaseThreadInitThunk
0x7707377a [ntdll.dll + 0x0006377a] __RtlUserThreadStart
0x7707374d [ntdll.dll + 0x0006374d] _RtlUserThreadStart
Adam Barth
Comment 4 2012-10-16 13:33:47 PDT
It seems like you should be able to write a LayoutTest for this issue using the test plugin. You just need to call NPN_Invoke on an object from a document that is no longer being displayed in a frame. You should also be able to do it using a unit test, but it's probably better to use the test plugin.
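A model of the lifecycle behind the quoted ChangeLog and the scenario Adam describes above, added here as an example (this is not WebKit's code): a stand-in for the per-context data is torn down when the document navigates away, the wrapper-creation routine is shown before and after the null check, and the caller turns a missing wrapper into a void result. All type and function names (Context, PerContextData, ScriptObject, createScriptObject*, invokeResultKind) are assumptions.

```cpp
// Added example (not WebKit code); names are assumptions. Context stands in for
// the frame/DOMWindow, PerContextData for the V8 per-context data wrappers need.
#include <memory>
#include <string>
struct PerContextData {                       // torn down on navigation
    std::string contextName;
};

struct Context {
    std::unique_ptr<PerContextData> perContextData;
    explicit Context(const char* name) : perContextData(new PerContextData{name}) {}
    void navigateAway() { perContextData.reset(); }  // per-context data is gone
};

struct ScriptObject {                         // stands in for the NPObject wrapper
    std::string owner;
};

// Pre-fix shape: dereferences perContextData unconditionally. Once the context
// is torn down this reads through a null pointer, which is the
// EXCEPTION_ACCESS_VIOLATION_READ near address 0 seen in the crash report.
ScriptObject* createScriptObjectUnchecked(Context& ctx) {
    return new ScriptObject{ctx.perContextData->contextName};
}
// Post-fix shape: refuse to create a wrapper when the per-context data is gone.
ScriptObject* createScriptObjectChecked(Context& ctx) {
    if (!ctx.perContextData)
        return nullptr;
    return new ScriptObject{ctx.perContextData->contextName};
}
// Caller side (think convertV8ObjectToNPVariant): a null wrapper becomes a void
// result rather than an object handed back to the plugin.
enum class VariantKind { Void, Object };

VariantKind invokeResultKind(Context& ctx) {
    std::unique_ptr<ScriptObject> obj(createScriptObjectChecked(ctx));
    return obj ? VariantKind::Object : VariantKind::Void;
}

// The scenario from Comment 4: invoke while the document is displayed, then
// again after the frame has navigated away from it.
VariantKind invokeBeforeNavigation() { Context ctx("doc-a"); return invokeResultKind(ctx); }
VariantKind invokeAfterNavigation() {
    Context ctx("doc-a");
    (void)invokeResultKind(ctx);              // first invoke succeeds
    ctx.navigateAway();
    return invokeResultKind(ctx);             // Void, not a crash
}
```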
lazyboy
Comment 5 2012-11-26 17:53:21 PST
Created attachment 176129 [details] Added LayoutTest
Adam Barth
Comment 6 2012-11-26 19:02:10 PST
Comment on attachment 176129 [details] Added LayoutTest
Thanks for the test.
WebKit Review Bot
Comment 7 2012-11-26 19:41:46 PST
Comment on attachment 176129 [details] Added LayoutTest
Clearing flags on attachment: 176129
Committed r135804: <http://trac.webkit.org/changeset/135804>