RESOLVED INVALID 145114
[GTK] Crash when handling NPAPI plugin
https://bugs.webkit.org/show_bug.cgi?id=145114
Tomas Popela
Reported 2015-05-17 23:23:04 PDT
As reported on https://bugzilla.redhat.com/show_bug.cgi?id=1222241 the WebProcess (WebKitGTK+ 2.8.1) crashed when handling the libgnome-shell-browser-plugin plugin. I'm curious if we can simply early return from WebKit::NetscapePlugin::platformVisibilityDidChange if we cannot obtain valid GdkWindow with gtk_plug_get_socket_window.

#0 0x00007f5f2dbc2b82 in _gdk_window_has_impl (window=window@entry=0x0) at gdkwindow.c:593
No locals.
#1 0x00007f5f2dbf39ee in gdk_x11_window_get_xid (window=0x0) at gdkwindow-x11.c:5527
No locals.
#2 0x00007f5f3594c28d in WebKit::NetscapePlugin::platformVisibilityDidChange (this=0x7f5f117fb158) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/WebProcess/Plugins/Netscape/x11/NetscapePluginX11.cpp:291
        windowID = 0
#3 0x00007f5f357515a6 in WebKit::PluginControllerProxy::visibilityDidChange (this=0x7f5f396c3eb0, isVisible=<optimized out>) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/PluginProcess/PluginControllerProxy.cpp:445
No locals.
#4 0x00007f5f3595e8ac in callMemberFunctionImpl<WebKit::PluginControllerProxy, void (WebKit::PluginControllerProxy::*)(bool), std::tuple<bool>, 0ul> (args=<optimized out>, function=<optimized out>, object=0x7f5f396c3eb0) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/Platform/IPC/HandleMessage.h:16
No locals.
#5 callMemberFunction<WebKit::PluginControllerProxy, void (WebKit::PluginControllerProxy::*)(bool), std::tuple<bool>, std::make_index_sequence<1ul> > (function=<optimized out>, object=0x7f5f396c3eb0, args=<unknown type in /usr/lib/debug/usr/lib64/libwebkit2gtk-4.0.so.37.6.4.debug, CU 0xbbd7d6e, DIE 0xbc148d3>) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/Platform/IPC/HandleMessage.h:22
No locals.
#6 IPC::handleMessage<Messages::PluginControllerProxy::MutedStateChanged, WebKit::PluginControllerProxy, void (WebKit::PluginControllerProxy::*)(bool)> (decoder=..., object=object@entry=0x7f5f396c3eb0, function=(void (WebKit::PluginControllerProxy::*)(WebKit::PluginControllerProxy * const, bool)) 0x7f5f35751590 <WebKit::PluginControllerProxy::visibilityDidChange(bool)>) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/Platform/IPC/HandleMessage.h:92
        arguments = std::tuple containing = {[1] = false}
#7 0x00007f5f3595d9f4 in WebKit::PluginControllerProxy::didReceivePluginControllerProxyMessage (this=this@entry=0x7f5f396c3eb0, connection=..., decoder=...) at /usr/src/debug/webkitgtk-2.8.1/x86_64-redhat-linux-gnu/DerivedSources/WebKit2/PluginControllerProxyMessageReceiver.cpp:81
No locals.
#8 0x00007f5f35754d88 in WebKit::WebProcessConnection::didReceiveMessage (this=<optimized out>, connection=..., decoder=...) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/PluginProcess/WebProcessConnection.cpp:140
        protector = {m_pluginController = 0x7f5f396c3eb0}
#9 0x00007f5f3574bcfb in IPC::Connection::dispatchMessage (this=this@entry=0x7f5f117ff3f0, message=std::unique_ptr<IPC::MessageDecoder> containing 0x7f5f11fd5420) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/Platform/IPC/Connection.cpp:860
        oldDidReceiveInvalidMessage = false
#10 0x00007f5f3574c551 in IPC::Connection::dispatchOneMessage (this=0x7f5f117ff3f0) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/Platform/IPC/Connection.cpp:888
        message = std::unique_ptr<IPC::MessageDecoder> containing 0x0
#11 0x00007f5f36b3bf21 in operator() (this=0x7ffde75c4570) at /usr/include/c++/5.0.0/functional:2271
No locals.
#12 WTF::RunLoop::performWork (this=0x7f5f11ff8000) at /usr/src/debug/webkitgtk-2.8.1/Source/WTF/wtf/RunLoop.cpp:104
        function = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f5ec4001e00, _M_const_object = 0x7f5ec4001e00, _M_function_pointer = 0x7f5ec4001e00, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f5ec4001e00, this adjustment 140046412330767}, _M_pod_data = "\000\036\000\304^\177\000\000\017\267\250\030_\177\000"}, _M_manager = 0x7f5f3574d280 <std::_Function_base::_Base_manager<WTF::Function<void ()> >::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation)>}, _M_invoker = 0x7f5f3574d1e0 <std::_Function_handler<void (), WTF::Function<void ()> >::_M_invoke(std::_Any_data const&)>}
        functionsToHandle = <optimized out>
#13 0x00007f5f34f4b225 in operator() (this=0x7ffde75c4638) at /usr/include/c++/5.0.0/functional:2271
No locals.
#14 WTF::GMainLoopSource::voidCallback (this=0x7f5f11fd82c0) at /usr/src/debug/webkitgtk-2.8.1/Source/WTF/wtf/gobject/GMainLoopSource.cpp:365
        context = {source = {m_ptr = 0x7f5ec4001e60}, cancellable = {m_ptr = 0x0}, socketCancellable = {m_ptr = 0x0}, voidCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f5ec4001e40, _M_const_object = 0x7f5ec4001e40, _M_function_pointer = 0x7f5ec4001e40, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f5ec4001e40, this adjustment 140046961219824}, _M_pod_data = "@\036\000\304^\177\000\000\360\030`9_\177\000"}, _M_manager = 0x7f5f36b3fdc0 <std::_Function_base::_Base_manager<WTF::RunLoop::wakeUp()::<lambda()> >::_M_manager(std::_Any_data &, const std::_Any_data &, std::_Manager_operation)>}, _M_invoker = 0x7f5f36b3fd80 <std::_Function_handler<void(), WTF::RunLoop::wakeUp()::<lambda()> >::_M_invoke(const std::_Any_data &)>}, boolCallback = {<std::_Maybe_unary_or_binary_function<bool>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x0, _M_const_object = 0x0, _M_function_pointer = 0x0, _M_member_pointer = NULL}, _M_pod_data = '\000' <repeats 15 times>}, _M_manager = 0x0}, _M_invoker = 0x0}, socketCallback = {<std::_Maybe_unary_or_binary_function<bool, GIOCondition>> = {<std::unary_function<GIOCondition, bool>> = {<No data fields>}, <No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x7f5ec4000020, _M_const_object = 0x7f5ec4000020, _M_function_pointer = 0x7f5ec4000020, _M_member_pointer = (void (std::_Undefined_class::*)(std::_Undefined_class * const)) 0x7f5ec4000020, this adjustment 8}, _M_pod_data = " \000\000\304^\177\000\000\b\000\000\000\000\000\000"}, _M_manager = 0x0}, _M_invoker = 0x7f5f11fd82c0}, destroyCallback = {<std::_Maybe_unary_or_binary_function<void>> = {<No data fields>}, <std::_Function_base> = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x0, _M_const_object = 0x0, _M_function_pointer = 0x0, _M_member_pointer = NULL}, _M_pod_data = "\000\000\000\000\000\000\000\000 \000\000\304^\177\000"}, _M_manager = 0x0}, _M_invoker = 0x7f5f18a8b650}}
#15 0x00007f5f34f4742a in WTF::GMainLoopSource::voidSourceCallback (source=<optimized out>) at /usr/src/debug/webkitgtk-2.8.1/Source/WTF/wtf/gobject/GMainLoopSource.cpp:456
No locals.
#16 0x00007f5f31e84a8a in g_main_dispatch (context=0x7f5f396018f0) at gmain.c:3122
        dispatch = 0x7f5f31e81530 <g_idle_dispatch>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7f5f11fd82c0
        callback = 0x7f5f34f47420 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)>
        cb_funcs = 0x7f5f321738a0 <g_source_callback_funcs>
        cb_data = 0x7f5ec4001ef0
        need_destroy = <optimized out>
        source = 0x7f5ec4001e60
        current = 0x7f5f395e9500
        i = 0
#17 g_main_context_dispatch (context=context@entry=0x7f5f396018f0) at gmain.c:3737
No locals.
#18 0x00007f5f31e84e20 in g_main_context_iterate (context=0x7f5f396018f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3808
        max_priority = 2147483647
        timeout = 1133
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = 3
        fds = 0x7f5f3968e920
#19 0x00007f5f31e85142 in g_main_loop_run (loop=0x7f5f3968e860) at gmain.c:4002
        __func__ = "g_main_loop_run"
#20 0x00007f5f358e1e4b in WebKit::ChildProcessMain<WebKit::PluginProcess, WebKit::PluginProcessMain> (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/webkitgtk-2.8.1/Source/WebKit2/Shared/unix/ChildProcessMain.h:61
        childMain = {<WebKit::ChildProcessMainBase> = {_vptr.ChildProcessMainBase = 0x7f5f3723fd50 <vtable for WebKit::PluginProcessMain+16>, m_parameters = {uiProcessName = {m_impl = {m_ptr = 0x0}}, clientIdentifier = {m_impl = {m_ptr = 0x0}}, connectionIdentifier = 34, extraInitializationData = {m_impl = {static m_maxLoad = <optimized out>, static m_minLoad = <optimized out>, m_table = 0x7f5f11ffb200, m_tableSize = 8, m_tableSizeMask = 7, m_keyCount = 1, m_deletedCount = 0}}}}, <No data fields>}
#21 0x00007f5f2c4b8790 in __libc_start_main (main=0x7f5f37600bd0 <main(int, char**)>, argc=3, argv=0x7ffde75c4998, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffde75c4988) at libc-start.c:289
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5599487145779380534, 140046927662048, 140728485038480, 0, 0, -5544212190049583414, -5599497930774659382}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x7ffde75c49b8, 0x7f5f375ff148}, data = {prev = 0x0, cleanup = 0x0, canceltype = -413382216}}}
        not_first_call = <optimized out>
#22 0x00007f5f37600c09 in _start ()
Carlos Garcia Campos
Comment 1 2020-08-17 06:48:11 PDT
Plugins are no longer supported.