Bug 144399 - REGRESSION: js/dom/navigator-plugins-crash.html asserts a lot
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: Plug-ins
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Conrad Shultz
Keywords: InRadar
Reported: 2015-04-29 10:38 PDT by Alexey Proskuryakov
Modified: 2015-06-18 12:39 PDT

Attachments
Patch (10.90 KB, patch)
2015-06-17 10:52 PDT, Conrad Shultz
darin: review+
Description Alexey Proskuryakov 2015-04-29 10:38:12 PDT
Only happening on Apple Yosemite Debug WK2.

https://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=js%2Fdom%2Fnavigator-plugins-crash.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001153eee17 WTFCrash + 39
1   com.apple.WebCore             	0x0000000116ae5a99 WTF::CrashOnOverflow::overflowed() + 9
2   com.apple.WebCore             	0x000000011717d791 WTF::Vector<WebCore::PluginInfo, 0ul, WTF::CrashOnOverflow, 16ul>::at(unsigned long) + 81 (Vector.h:660)
3   com.apple.WebCore             	0x000000011717d65d WTF::Vector<WebCore::PluginInfo, 0ul, WTF::CrashOnOverflow, 16ul>::operator[](unsigned long) + 29 (Vector.h:679)
4   com.apple.WebCore             	0x000000011717cfdf WebCore::DOMPlugin::pluginInfo() const + 79 (DOMPlugin.cpp:61)
5   com.apple.WebCore             	0x000000011717cf67 WebCore::DOMPlugin::name() const + 39 (DOMPlugin.cpp:41)
6   com.apple.WebCore             	0x00000001179e6ff7 WebCore::jsDOMPluginName(JSC::ExecState*, JSC::JSObject*, long long, JSC::PropertyName) + 71 (JSDOMPlugin.cpp:240)
Comment 1 Alexey Proskuryakov 2015-04-29 12:55:48 PDT
I don't know why this started now, but the code is somewhat new too, as it was added in <http://trac.webkit.org/changeset/181562>.

I don't think that there is any guarantee of m_index remaining a valid index.
Comment 2 Radar WebKit Bug Importer 2015-04-29 12:56:38 PDT
<rdar://problem/20750473>
Comment 3 Alexey Proskuryakov 2015-06-16 11:40:48 PDT
Marked the test as flakily crashing in r185598.
Comment 4 Conrad Shultz 2015-06-17 10:52:47 PDT
Created attachment 255023
Patch
Comment 5 Darin Adler 2015-06-17 15:43:27 PDT
Comment on attachment 255023
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=255023&action=review

> Source/WebCore/plugins/DOMPlugin.cpp:31
> +    , m_pluginInfo(pluginInfo)

I think this could be WTF::move(pluginInfo) for slightly better performance.

> Source/WebCore/plugins/DOMPlugin.h:36
> +    static Ref<DOMPlugin> create(PluginData* pluginData, Frame* frame, PluginInfo pluginInfo) { return adoptRef(*new DOMPlugin(pluginData, frame, pluginInfo)); }

I think this could use WTF::move(pluginInfo) for slightly better performance.

Should take a PluginData& argument instead of PluginData*.

> Source/WebCore/plugins/DOMPluginArray.cpp:90
>      const Vector<PluginInfo>& plugins = data->webVisiblePlugins();
>      for (unsigned i = 0; i < plugins.size(); ++i) {
>          if (plugins[i].name == propertyName)
> -            return DOMPlugin::create(data, m_frame, i);
> +            return DOMPlugin::create(data, m_frame, plugins[i]);
>      }
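Review bot: the ChangeLog should say explicitly that passing plugins[i] instead of i is the substantive fix, not a cosmetic one: DOMPlugin previously kept only the index and re-indexed webVisiblePlugins() on every property access (DOMPlugin::pluginInfo() calling Vector::at in the reported trace), so any shrinking of the plugin list between wrapper creation and use became an out-of-bounds access caught by CrashOnOverflow; copying the PluginInfo at creation makes the wrapper independent of the list's later state, and the range-based loop suggested below removes the only reason the index existed.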

Should be rewritten as a modern for loop:

    for (auto& plugin : data->webVisiblePlugins()) {
        if (plugin.name == propertyName)
            return DOMPlugin::create(data, m_frame, plugin);
    }

The loop used the old-fashioned form only because it wanted an "i" to pass to DOMPlugin::create.

> Source/WebCore/plugins/PluginData.h:76
> +inline bool operator==(PluginInfo a, PluginInfo b)
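Review bot: only the signature is visible here, so it is unclear which fields the comparison covers; if this operator== is what re-identifies a DOMPlugin's entry in a refreshed plugin list, it should compare every field of PluginInfo rather than just the name, so two differently configured plugins with the same name are not treated as equal, and the matching operator!= should be added alongside it. The by-value parameters also copy two PluginInfo objects per comparison; const PluginInfo& avoids that.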

Better to take const PluginInfo& arguments instead of copying the PluginInfo objects just to compare them.
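The stale-index failure described in comment 1 and the index-to-value change in the DOMPluginArray.cpp hunk, reduced to a self-contained C++ illustration added here (not WebKit's code): PluginInfo, PluginData and the two wrapper classes are constructed stand-ins, with std::vector in place of WTF::Vector, whose at() throws where WTF's crashes.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-ins for WebKit's PluginInfo and plugin list (not WebKit's types).
struct PluginInfo { std::string name; std::string file; };
struct PluginData { std::vector<PluginInfo> webVisiblePlugins; };

// Pre-fix shape: the DOM wrapper kept only an index and re-indexed the live list on
// every property access (DOMPlugin::name() -> pluginInfo() -> Vector::at in the trace).
// WTF::Vector::at crashes on overflow; std::vector::at throws out_of_range instead.
class IndexedDOMPlugin {
public:
    IndexedDOMPlugin(const PluginData& data, std::size_t index) : m_data(data), m_index(index) {}
    std::string name() const { return m_data.webVisiblePlugins.at(m_index).name; }
private:
    const PluginData& m_data;
    std::size_t m_index;
};

// Post-fix shape: the wrapper owns a copy of the PluginInfo taken at creation, so
// later changes to the plugin list cannot leave it holding a stale index.
class SnapshotDOMPlugin {
public:
    explicit SnapshotDOMPlugin(PluginInfo info) : m_pluginInfo(std::move(info)) {}
    std::string name() const { return m_pluginInfo.name; }
private:
    PluginInfo m_pluginInfo;
};

// Each helper wraps the second plugin of a constructed sample list, then empties the
// list as a re-enumeration would, and reports whether name() still works afterwards.
bool indexedWrapperSurvivesRefresh() {
    PluginData data{{{"Flash", "flash.plugin"}, {"QuickTime", "qt.plugin"}}};
    IndexedDOMPlugin plugin(data, 1);
    data.webVisiblePlugins.clear();
    try { plugin.name(); return true; } catch (const std::out_of_range&) { return false; }
}

bool snapshotWrapperSurvivesRefresh() {
    PluginData data{{{"Flash", "flash.plugin"}, {"QuickTime", "qt.plugin"}}};
    SnapshotDOMPlugin plugin(data.webVisiblePlugins[1]);
    data.webVisiblePlugins.clear();
    return plugin.name() == "QuickTime";
}
```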
Comment 6 David Kilzer (:ddkilzer) 2015-06-18 07:22:36 PDT
Please revert the change in r185598 when this lands.
Comment 7 Conrad Shultz 2015-06-18 11:33:49 PDT
Comment on attachment 255023
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=255023&action=review

Thanks, Darin!

>> Source/WebCore/plugins/DOMPlugin.cpp:31
>> +    , m_pluginInfo(pluginInfo)
> 
> I think this could be WTF::move(pluginInfo) for slightly better performance.

Done.

>> Source/WebCore/plugins/DOMPlugin.h:36
>> +    static Ref<DOMPlugin> create(PluginData* pluginData, Frame* frame, PluginInfo pluginInfo) { return adoptRef(*new DOMPlugin(pluginData, frame, pluginInfo)); }
> 
> I think this could use WTF::move(pluginInfo) for slightly better performance.
> 
> Should take a PluginData& argument instead of PluginData*.

I adopted WTF::move(), but changing PluginData is outside the scope of this bug and has wider ramifications, so I'd prefer to address that separately.

>> Source/WebCore/plugins/DOMPluginArray.cpp:90
>>      }
> 
> Should be rewritten as a modern for loop:
> 
>     for (auto& plugin : data->webVisiblePlugins()) {
>         if (plugin.name == propertyName)
>             return DOMPlugin::create(data, m_frame, plugin);
>     }
> 
> The loop used the old fashioned form only because it wanted an "i" to pass to DOMPlugin::create.

Good catch. Fixed.

>> Source/WebCore/plugins/PluginData.h:76
>> +inline bool operator==(PluginInfo a, PluginInfo b)
> 
> Better to take const PluginInfo& arguments instead of copying the PluginInfo objects just to compare them.

Yup, done.
Comment 8 Conrad Shultz 2015-06-18 12:32:56 PDT
Committed r185717: <http://trac.webkit.org/changeset/185717>
Comment 9 Conrad Shultz 2015-06-18 12:39:33 PDT
(In reply to comment #6)
> Please revert the change in r185598 when this lands.

Done in r185718.