Bug 13591 - +[WebScriptObject _convertValueToObjcValue:originExecutionContext:executionContext:] returns a wrong object for plug-in nodes
Summary: +[WebScriptObject _convertValueToObjcValue:originExecutionContext:executionCo...
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit API
Version: 523.x (Safari 3)
Hardware: Macintosh OS X 10.4
: P2 Normal
Assignee: Nobody
URL: http://www.macrumors.com/2007/05/04/s...
Keywords: InRadar, NeedsReduction
Depends on:
Blocks:
 
Reported: 2007-05-04 17:58 PDT by David Kilzer (:ddkilzer)
Modified: 2010-03-17 13:01 PDT
Description David Kilzer (:ddkilzer) 2007-05-04 17:58:30 PDT
* SUMMARY
Using the Web Inspector on an embedded YouTube video on the linked page causes a crash.

* STEPS TO REPRODUCE
1. Open Safari/WebKit.
2. Navigate to the URL:  http://www.macrumors.com/2007/05/04/southpark-get-a-mac-ad/
3. Right-click near the video and select "Inspect Element".
4. Navigate to the <center> tag that holds the <object> tag in the Web Inspector.
5. Disclose the <center> tag in the Web Inspector.

* EXPECTED RESULTS
A red highlight should be drawn around the embedded object.

* ACTUAL RESULTS
Safari/WebKit crashes.

* REGRESSION
Only tested with a local debug build of WebKit r21257 with Safari 2.0.4 (419.3) on Mac OS X 10.4.9 (8P135).

* NOTES
Console output:

Segmentation fault

Stack trace:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x80fd21e0

Thread 0 Crashed:
0   libobjc.A.dylib                	0x90a44c04 objc_msgSend_stret + 36
1   com.apple.WebKit               	0x003b8130 -[WebInspector(WebInspectorScripting) highlightDOMNode:] + 100 (WebInspector.m:300)
2   libobjc.A.dylib                	0x90a461f4 objc_msgSendv + 180
3   com.apple.Foundation           	0x92bdcc94 -[NSInvocation invoke] + 944
4   com.apple.JavaScriptCore       	0x00541b0c KJS::Bindings::ObjcInstance::invokeMethod(KJS::ExecState*, KJS::Bindings::MethodList const&, KJS::List const&) + 1888 (objc_instance.mm:190)
5   com.apple.JavaScriptCore       	0x0053b96c KJS::RuntimeMethod::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 404 (runtime_method.cpp:89)
6   com.apple.JavaScriptCore       	0x0059c6a0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:97)
7   com.apple.JavaScriptCore       	0x005c187c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:790)
8   com.apple.JavaScriptCore       	0x005bdef8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
9   com.apple.JavaScriptCore       	0x005ba83c KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2529)
10  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
11  com.apple.JavaScriptCore       	0x005bdd80 KJS::IfNode::execute(KJS::ExecState*) + 504 (nodes.cpp:1742)
12  com.apple.JavaScriptCore       	0x005ba83c KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2529)
13  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
14  com.apple.JavaScriptCore       	0x005bdd80 KJS::IfNode::execute(KJS::ExecState*) + 504 (nodes.cpp:1742)
15  com.apple.JavaScriptCore       	0x005ba6e8 KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2523)
16  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
17  com.apple.JavaScriptCore       	0x0058a8d8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:319)
18  com.apple.JavaScriptCore       	0x00599c70 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:107)
19  com.apple.JavaScriptCore       	0x0059c6a0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:97)
20  com.apple.JavaScriptCore       	0x005c20c8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 792 (nodes.cpp:694)
21  com.apple.JavaScriptCore       	0x005bdef8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
22  com.apple.JavaScriptCore       	0x005ba6e8 KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2523)
23  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
24  com.apple.JavaScriptCore       	0x0058a8d8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:319)
25  com.apple.JavaScriptCore       	0x00599c70 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:107)
26  com.apple.JavaScriptCore       	0x0059c6a0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:97)
27  com.apple.JavaScriptCore       	0x005c187c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:790)
28  com.apple.JavaScriptCore       	0x005bdef8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
29  com.apple.JavaScriptCore       	0x005bdd80 KJS::IfNode::execute(KJS::ExecState*) + 504 (nodes.cpp:1742)
30  com.apple.JavaScriptCore       	0x005ba83c KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2529)
31  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
32  com.apple.JavaScriptCore       	0x0058a8d8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:319)
33  com.apple.JavaScriptCore       	0x00599c70 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:107)
34  com.apple.JavaScriptCore       	0x0059c6a0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:97)
35  com.apple.JavaScriptCore       	0x005c187c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:790)
36  com.apple.JavaScriptCore       	0x005bdef8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
37  com.apple.JavaScriptCore       	0x005ba83c KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2529)
38  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
39  com.apple.JavaScriptCore       	0x005bdd80 KJS::IfNode::execute(KJS::ExecState*) + 504 (nodes.cpp:1742)
40  com.apple.JavaScriptCore       	0x005ba83c KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2529)
41  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
42  com.apple.JavaScriptCore       	0x0058a8d8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:319)
43  com.apple.JavaScriptCore       	0x00599c70 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:107)
44  com.apple.JavaScriptCore       	0x0059c6a0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:97)
45  com.apple.JavaScriptCore       	0x005c187c KJS::FunctionCallDotNode::evaluate(KJS::ExecState*) + 992 (nodes.cpp:790)
46  com.apple.JavaScriptCore       	0x005bdef8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
47  com.apple.JavaScriptCore       	0x005ba6e8 KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2523)
48  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
49  com.apple.JavaScriptCore       	0x0058a8d8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:319)
50  com.apple.JavaScriptCore       	0x00599c70 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:107)
51  com.apple.JavaScriptCore       	0x0059c6a0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:97)
52  com.apple.JavaScriptCore       	0x005c20c8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 792 (nodes.cpp:694)
53  com.apple.JavaScriptCore       	0x005bdef8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
54  com.apple.JavaScriptCore       	0x005ba6e8 KJS::SourceElementsNode::execute(KJS::ExecState*) + 284 (nodes.cpp:2523)
55  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
56  com.apple.JavaScriptCore       	0x005b83a8 KJS::GlobalFuncImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 1080 (function.cpp:806)
57  com.apple.JavaScriptCore       	0x0059c6a0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:97)
58  com.apple.JavaScriptCore       	0x005c20c8 KJS::FunctionCallResolveNode::evaluate(KJS::ExecState*) + 792 (nodes.cpp:694)
59  com.apple.JavaScriptCore       	0x005bdef8 KJS::ExprStatementNode::execute(KJS::ExecState*) + 220 (nodes.cpp:1723)
60  com.apple.JavaScriptCore       	0x005bdd80 KJS::IfNode::execute(KJS::ExecState*) + 504 (nodes.cpp:1742)
61  com.apple.JavaScriptCore       	0x005ba83c KJS::SourceElementsNode::execute(KJS::ExecState*) + 624 (nodes.cpp:2529)
62  com.apple.JavaScriptCore       	0x0058a788 KJS::BlockNode::execute(KJS::ExecState*) + 216 (nodes.cpp:1700)
63  com.apple.JavaScriptCore       	0x0058a8d8 KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 92 (function.cpp:319)
64  com.apple.JavaScriptCore       	0x00599c70 KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 688 (function.cpp:107)
65  com.apple.JavaScriptCore       	0x0059c6a0 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 288 (object.cpp:97)
66  com.apple.WebCore              	0x012d3b54 KJS::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 736 (kjs_events.cpp:123)
67  com.apple.WebCore              	0x012940e4 WebCore::EventTargetNode::handleLocalEvents(WebCore::Event*, bool) + 548 (EventTargetNode.cpp:166)
68  com.apple.WebCore              	0x012920a8 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 1036 (EventTargetNode.cpp:207)
69  com.apple.WebCore              	0x01294d90 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool, WebCore::EventTarget*) + 396 (EventTargetNode.cpp:308)
70  com.apple.WebCore              	0x01294e24 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 80 (EventTargetNode.cpp:292)
71  com.apple.WebCore              	0x014b3ac0 WebCore::EventHandler::defaultKeyboardEventHandler(WebCore::KeyboardEvent*) + 908 (EventHandler.cpp:1367)
72  com.apple.WebCore              	0x0129520c WebCore::EventTargetNode::defaultEventHandler(WebCore::Event*) + 308 (EventTargetNode.cpp:583)
73  com.apple.WebCore              	0x012926e4 WebCore::EventTargetNode::dispatchGenericEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 2632 (EventTargetNode.cpp:266)
74  com.apple.WebCore              	0x01294d90 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool, WebCore::EventTarget*) + 396 (EventTargetNode.cpp:308)
75  com.apple.WebCore              	0x01294e24 WebCore::EventTargetNode::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, int&, bool) + 80 (EventTargetNode.cpp:292)
76  com.apple.WebCore              	0x01292e10 WebCore::EventTargetNode::dispatchKeyEvent(WebCore::PlatformKeyboardEvent const&) + 260 (EventTargetNode.cpp:370)
77  com.apple.WebCore              	0x014af0bc WebCore::EventHandler::keyEvent(WebCore::PlatformKeyboardEvent const&) + 152 (EventHandler.cpp:1333)
78  com.apple.WebCore              	0x014ac90c WebCore::EventHandler::keyEvent(NSEvent*) + 524 (EventHandlerMac.mm:138)
79  com.apple.WebKit               	0x00356ac0 -[WebHTMLView performKeyEquivalent:] + 544 (WebHTMLView.mm:4002)
80  com.apple.AppKit               	0x9383eb68 -[NSView performKeyEquivalent:] + 140
81  com.apple.AppKit               	0x9383eb68 -[NSView performKeyEquivalent:] + 140
82  com.apple.AppKit               	0x9383eb68 -[NSView performKeyEquivalent:] + 140
83  com.apple.AppKit               	0x9383eb68 -[NSView performKeyEquivalent:] + 140
84  com.apple.AppKit               	0x9383eac8 -[NSWindow performKeyEquivalent:] + 32
85  com.apple.AppKit               	0x93899820 -[NSApplication _handleKeyEquivalent:] + 56
86  com.apple.AppKit               	0x937a3408 -[NSApplication sendEvent:] + 2944
87  com.apple.Safari               	0x00021238 0x1000 + 131640
88  com.apple.AppKit               	0x9379ad10 -[NSApplication run] + 508
89  com.apple.AppKit               	0x9388b87c NSApplicationMain + 452
90  com.apple.Safari               	0x0005c77c 0x1000 + 374652
91  com.apple.Safari               	0x0005c624 0x1000 + 374308
Comment 1 Darin Adler 2007-05-04 22:20:51 PDT
<rdar://problem/5183700>
Comment 2 Darin Adler 2007-05-04 22:31:33 PDT
Somehow, instead of an Objective-C DOM node, we are getting a Netscape plug-in API scripting object here. It has something to do with mixing the Objective-C bindings with the Netscape C JavaScript bindings. This is not a bug in the inspector -- it's actually a bug in the bindings machinery.
Comment 3 mitz 2007-05-05 05:27:55 PDT
I think there are two issues here, both in +[WebScriptObject _convertValueToObjcValue:originExecutionContext:executionContext:]:

1) It casts the result of getInternalInstance into an ObjcInstance without checking that it is an ObjcInstance (I think currently there is no way to check the language of an Instance).

2) It always prefers the runtime object to the DOM wrapper, meaning that even in the case of a Web plugin it would return the scriptable object rather than the DOM node, which is not what the Web Inspector expects.
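To make the first issue in comment 3 concrete, here is an added C++ model of the unchecked downcast (example code, not WebKit's): `ObjcInstance`, `getInternalInstance` and the `objc_msgSend_stret` crash come from this bug, while the `BindingLanguage` tag, the `CInstance` type, the stub object types and the two convert functions are this example's own assumptions.

```cpp
enum class BindingLanguage { ObjectiveC, C };   // assumption: not in the bug's WebKit

struct NSObjectStub { const char* className; };           // stand-in for an ObjC object
struct NPObjectStub { void* npClass; unsigned refCount; }; // stand-in for an NPAPI object

struct Instance {                        // base of all runtime binding instances
    virtual ~Instance() = default;
    virtual BindingLanguage language() const = 0;
    virtual void* rawObject() const = 0; // wrapped native pointer, untyped
};
struct ObjcInstance : Instance {         // wraps an Objective-C object
    explicit ObjcInstance(NSObjectStub* o) : obj(o) {}
    BindingLanguage language() const override { return BindingLanguage::ObjectiveC; }
    void* rawObject() const override { return obj; }
    NSObjectStub* getObject() const { return obj; }
    NSObjectStub* obj;
};
struct CInstance : Instance {            // assumption: the Netscape (C) plug-in instance
    explicit CInstance(NPObjectStub* o) : obj(o) {}
    BindingLanguage language() const override { return BindingLanguage::C; }
    void* rawObject() const override { return obj; }
    NPObjectStub* obj;
};
struct RuntimeObject {                   // JS object exposing its internal Instance
    Instance* internal;
    Instance* getInternalInstance() const { return internal; }
};

// Issue 1, buggy shape: the Instance is assumed to be an ObjcInstance, so whatever
// pointer it wraps is handed back as an Objective-C object (the real code casts; the
// untyped read models that without UB). Messaging an NPObject this way is the crash.
void* convertUnchecked(const RuntimeObject& ro) {
    return ro.getInternalInstance()->rawObject();
}

// Checked shape: only an ObjcInstance yields an Objective-C object; any other
// binding language yields null so the caller can fall back to the DOM wrapper.
NSObjectStub* convertChecked(const RuntimeObject& ro) {
    Instance* inst = ro.getInternalInstance();
    if (!inst || inst->language() != BindingLanguage::ObjectiveC)
        return nullptr;
    return static_cast<ObjcInstance*>(inst)->getObject();
}
int main() {   // constructed sample objects, not real Cocoa/NPAPI objects
    NSObjectStub ns{"WebView"}; NPObjectStub np{nullptr, 1};
    ObjcInstance oi(&ns); CInstance ci(&np);
    RuntimeObject fromPlugin{&ci};
    return convertChecked(fromPlugin) == nullptr ? 0 : 1;  // 0: plug-in instance rejected
}
```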
Comment 4 choongx 2007-07-23 22:00:17 PDT
Non-repro on r24513, Safari 3.0.2, OS X Intel.
Comment 5 David Kilzer (:ddkilzer) 2007-07-23 22:52:04 PDT
Confirmed fixed with new Web Inspector using a local debug build of WebKit r24534 with Safari 3.0 (522.12) on Mac OS X 10.4.10 (8R218).

Comment 6 mitz 2007-07-23 23:10:08 PDT
(In reply to comment #5)
> Confirmed fixed with new Web Inspector using a local debug build of WebKit
> r24534 with Safari 3.0 (522.12) on Mac OS X 10.4.10 (8R218).

I doubt that the root cause of the bug has been fixed, so it might warrant a follow-up bug.
Comment 7 David Kilzer (:ddkilzer) 2007-07-23 23:12:48 PDT
Reopening per Comment #6.

Comment 8 mitz 2007-07-23 23:20:32 PDT
Downgrading to P2, since it is no longer a reproducible browser crash or known to crash any existing application.
Comment 9 Alexey Proskuryakov 2010-03-16 15:46:18 PDT
Mitz, is there an actionable issue left to investigate?
Comment 10 mitz 2010-03-16 17:59:45 PDT
(In reply to comment #9)
> Mitz, is there an actionable issue left to investigate?

I think the issues mentioned in comment #3 are still present, and action could be taken to address them.
Comment 11 Alexey Proskuryakov 2010-03-17 12:59:05 PDT
Issue #1 is not present any more. I'm not sure if #2 is an issue, or correct behavior.
Comment 12 Alexey Proskuryakov 2010-03-17 13:01:43 PDT
Re-titling to describe issue #2.