RESOLVED FIXED 144399
REGRESSION: js/dom/navigator-plugins-crash.html asserts a lot
https://bugs.webkit.org/show_bug.cgi?id=144399
Alexey Proskuryakov
Reported 2015-04-29 10:38:12 PDT
Only happening on Apple Yosemite Debug WK2.

https://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=js%2Fdom%2Fnavigator-plugins-crash.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x00000001153eee17 WTFCrash + 39
1 com.apple.WebCore 0x0000000116ae5a99 WTF::CrashOnOverflow::overflowed() + 9
2 com.apple.WebCore 0x000000011717d791 WTF::Vector<WebCore::PluginInfo, 0ul, WTF::CrashOnOverflow, 16ul>::at(unsigned long) + 81 (Vector.h:660)
3 com.apple.WebCore 0x000000011717d65d WTF::Vector<WebCore::PluginInfo, 0ul, WTF::CrashOnOverflow, 16ul>::operator[](unsigned long) + 29 (Vector.h:679)
4 com.apple.WebCore 0x000000011717cfdf WebCore::DOMPlugin::pluginInfo() const + 79 (DOMPlugin.cpp:61)
5 com.apple.WebCore 0x000000011717cf67 WebCore::DOMPlugin::name() const + 39 (DOMPlugin.cpp:41)
6 com.apple.WebCore 0x00000001179e6ff7 WebCore::jsDOMPluginName(JSC::ExecState*, JSC::JSObject*, long long, JSC::PropertyName) + 71 (JSDOMPlugin.cpp:240)
Attachments
Patch (10.90 KB, patch)
2015-06-17 10:52 PDT, Conrad Shultz
darin: review+
Alexey Proskuryakov
Comment 1 2015-04-29 12:55:48 PDT
I don't know why this started now, but the code is somewhat new too, as it was added in <http://trac.webkit.org/changeset/181562>. I don't think that there is any guarantee of m_index remaining a valid index.
Radar WebKit Bug Importer
Comment 2 2015-04-29 12:56:38 PDT
Alexey Proskuryakov
Comment 3 2015-06-16 11:40:48 PDT
Marked the test as flakily crashing in r185598.
Conrad Shultz
Comment 4 2015-06-17 10:52:47 PDT
Darin Adler
Comment 5 2015-06-17 15:43:27 PDT
Comment on attachment 255023 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=255023&action=review

> Source/WebCore/plugins/DOMPlugin.cpp:31
> + , m_pluginInfo(pluginInfo)

I think this could be WTF::move(pluginInfo) for slightly better performance.

> Source/WebCore/plugins/DOMPlugin.h:36
> + static Ref<DOMPlugin> create(PluginData* pluginData, Frame* frame, PluginInfo pluginInfo) { return adoptRef(*new DOMPlugin(pluginData, frame, pluginInfo)); }

I think this could use WTF::move(pluginInfo) for slightly better performance.

Should take a PluginData& argument instead of PluginData*.

> Source/WebCore/plugins/DOMPluginArray.cpp:90
> const Vector<PluginInfo>& plugins = data->webVisiblePlugins();
> for (unsigned i = 0; i < plugins.size(); ++i) {
> if (plugins[i].name == propertyName)
> - return DOMPlugin::create(data, m_frame, i);
> + return DOMPlugin::create(data, m_frame, plugins[i]);
> }

Should be rewritten as a modern for loop:

    for (auto& plugin : data->webVisiblePlugins()) {
        if (plugin.name == propertyName)
            return DOMPlugin::create(data, m_frame, plugin);
    }

The loop used the old fashioned form only because it wanted an "i" to pass to DOMPlugin::create.

> Source/WebCore/plugins/PluginData.h:76
> +inline bool operator==(PluginInfo a, PluginInfo b)

Better to take const PluginInfo& arguments instead of copying the PluginInfo objects just to compare them.
David Kilzer (:ddkilzer)
Comment 6 2015-06-18 07:22:36 PDT
Please revert the change in r185598 when this lands.
Conrad Shultz
Comment 7 2015-06-18 11:33:49 PDT
Comment on attachment 255023 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=255023&action=review

Thanks, Darin!

>> Source/WebCore/plugins/DOMPlugin.cpp:31
>> + , m_pluginInfo(pluginInfo)
>
> I think this could be WTF::move(pluginInfo) for slightly better performance.

Done.

>> Source/WebCore/plugins/DOMPlugin.h:36
>> + static Ref<DOMPlugin> create(PluginData* pluginData, Frame* frame, PluginInfo pluginInfo) { return adoptRef(*new DOMPlugin(pluginData, frame, pluginInfo)); }
>
> I think this could use WTF::move(pluginInfo) for slightly better performance.
>
> Should take a PluginData& argument instead of PluginData*.

I adopted WTF::move(), but changing PluginData is outside the scope of this bug and has wider ramifications, so I'd prefer to address that separately.

>> Source/WebCore/plugins/DOMPluginArray.cpp:90
>> }
>
> Should be rewritten as a modern for loop:
>
>     for (auto& plugin : data->webVisiblePlugins()) {
>         if (plugin.name == propertyName)
>             return DOMPlugin::create(data, m_frame, plugin);
>     }
>
> The loop used the old fashioned form only because it wanted an "i" to pass to DOMPlugin::create.

Good catch. Fixed.

>> Source/WebCore/plugins/PluginData.h:76
>> +inline bool operator==(PluginInfo a, PluginInfo b)
>
> Better to take const PluginInfo& arguments instead of copying the PluginInfo objects just to compare them.

Yup, done.
Conrad Shultz
Comment 8 2015-06-18 12:32:56 PDT
Conrad Shultz
Comment 9 2015-06-18 12:39:33 PDT
(In reply to comment #6)
> Please revert the change in r185598 when this lands.

Done in r185718.