RESOLVED FIXED 172846
REGRESSION (r206386): Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255
https://bugs.webkit.org/show_bug.cgi?id=172846
Chris Dumez
Reported 2017-06-01 18:58:29 PDT
Xactimate Website Crashes @ com.apple.WebKit: WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant + 255:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebKit 0x00000001041ffe8c JSC::JSCell::isString() const + 12
1 com.apple.WebKit 0x00000001041fd48e JSC::JSValue::isString() const + 62
2 com.apple.WebKit 0x00000001041fd0e7 WebKit::NPRuntimeObjectMap::convertJSValueToNPVariant(JSC::ExecState*, JSC::JSValue, _NPVariant&) + 375
3 com.apple.WebKit 0x00000001041e05b9 WebKit::NPJSObject::invoke(JSC::ExecState*, JSC::JSGlobalObject*, JSC::JSValue, _NPVariant const*, unsigned int, _NPVariant*) + 537
4 com.apple.WebKit 0x00000001041e037b WebKit::NPJSObject::invoke(void*, _NPVariant const*, unsigned int, _NPVariant*) + 315
5 com.apple.WebKit 0x00000001041e1b2b WebKit::NPJSObject::NP_Invoke(NPObject*, void*, _NPVariant const*, unsigned int, _NPVariant*) + 59
6 com.apple.WebKit 0x00000001041e5cde WebKit::NPObjectMessageReceiver::invoke(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&) + 398
7 com.apple.WebKit 0x00000001041eac9c void IPC::callMemberFunctionImpl<WebKit::NPObjectMessageReceiver, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&), std::__1::tuple<WebKit::NPIdentifierData, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> >, 0ul, 1ul, std::__1::tuple<bool, WebKit::NPVariantData>, 0ul, 1ul>(WebKit::NPObjectMessageReceiver*, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&), std::__1::tuple<WebKit::NPIdentifierData, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> >&&, std::__1::tuple<bool, WebKit::NPVariantData>&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) + 284
8 com.apple.WebKit 0x00000001041e9800 void IPC::callMemberFunction<WebKit::NPObjectMessageReceiver, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&), std::__1::tuple<WebKit::NPIdentifierData, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> >, std::__1::integer_sequence<unsigned long, 0ul, 1ul>, std::__1::tuple<bool, WebKit::NPVariantData>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<WebKit::NPIdentifierData, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> >&&, std::__1::tuple<bool, WebKit::NPVariantData>&, WebKit::NPObjectMessageReceiver*, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&)) + 96
9 com.apple.WebKit 0x00000001041e85f4 void IPC::handleMessage<Messages::NPObjectMessageReceiver::Invoke, WebKit::NPObjectMessageReceiver, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&)>(IPC::Decoder&, IPC::Encoder&, WebKit::NPObjectMessageReceiver*, void (WebKit::NPObjectMessageReceiver::*)(WebKit::NPIdentifierData const&, WTF::Vector<WebKit::NPVariantData, 0ul, WTF::CrashOnOverflow, 16ul> const&, bool&, WebKit::NPVariantData&)) + 388
10 com.apple.WebKit 0x00000001041e7c91 WebKit::NPObjectMessageReceiver::didReceiveSyncNPObjectMessageReceiverMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) + 561
11 com.apple.WebKit 0x00000001041f5d67 WebKit::NPRemoteObjectMap::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) + 103
Attachments
Patch (1.76 KB, patch)
2017-06-01 19:01 PDT, Chris Dumez
no flags
Follow-up fix (1.52 KB, patch)
2017-06-02 09:54 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2017-06-01 18:58:46 PDT
Chris Dumez
Comment 2 2017-06-01 19:01:25 PDT
Chris Dumez
Comment 3 2017-06-01 21:35:31 PDT
Comment on attachment 311791 [details]
Patch

Clearing flags on attachment: 311791

Committed r217695: <http://trac.webkit.org/changeset/217695>
Chris Dumez
Comment 4 2017-06-01 21:35:33 PDT
All reviewed patches have been landed. Closing bug.
Mark Lam
Comment 5 2017-06-02 09:46:17 PDT
Comment on attachment 311791 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=311791&action=review

> Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp:-316
> -        scope.clearException();

After thinking about this some more, I wonder if convertJSValueToNPVariant() can produce an exception too. If so, you will need the above exception treatment here as well. What do you think?
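Review bot: removing `scope.clearException();` at NPJSObject.cpp:316 is only safe if no call remaining between that point and the end of NPJSObject::invoke() can leave an exception pending on the scope; the crash trace on this bug shows convertJSValueToNPVariant() is called from invoke() on the synchronous IPC path (NPObjectMessageReceiver::invoke via IPC::handleMessage), so an exception it throws would be left unhandled when the reply is sent. Suggest keeping an exception check after the convertJSValueToNPVariant() call, which is what the follow-up fix (attachment 311834, r217729) is meant to cover.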
Chris Dumez
Comment 6 2017-06-02 09:51:07 PDT
(In reply to Mark Lam from comment #5)
> Comment on attachment 311791 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=311791&action=review
>
> > Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp:-316
> > -        scope.clearException();
>
> After thinking about this some more, I wonder if convertJSValueToNPVariant()
> can produce an exception too. If so, you will need the above exception
> treatment here as well. What do you think?

I believe you are right. I believe convertJSValueToNPVariant() can indeed throw.
Chris Dumez
Comment 7 2017-06-02 09:54:00 PDT
Created attachment 311834 [details] Follow-up fix
Mark Lam
Comment 8 2017-06-02 11:46:42 PDT
Comment on attachment 311834 [details]
Follow-up fix

r=me
WebKit Commit Bot
Comment 9 2017-06-02 12:15:57 PDT
Comment on attachment 311834 [details]
Follow-up fix

Clearing flags on attachment: 311834

Committed r217729: <http://trac.webkit.org/changeset/217729>
WebKit Commit Bot
Comment 10 2017-06-02 12:15:59 PDT
All reviewed patches have been landed. Closing bug.