RESOLVED FIXED 27769
Chromium crashes in the V8 bindings code when the page is being torn down
https://bugs.webkit.org/show_bug.cgi?id=27769
Summary Chromium crashes in the V8 bindings code when the page is being torn down
Ananta Iyengar
Reported 2009-07-28 09:46:10 PDT
This is a chromium specific issue. The Chromium bug is http://code.google.com/p/chromium/issues/detail?id=17710

Callstack as below:-

The crash happens because the WebCore::V8Proxy::createNewContext function dereferences the activeDocumentLoader pointer in the FrameLoader object as below:-

m_frame->loader()->activeDocumentLoader()->url().protocol(),

This is set to NULL in the WebCore::FrameLoader::detachFromParent function by a call to setDocumentLoader(0). The fix should be to add a NULL check for the activeDocumentLoader pointer in the WebCore::V8Proxy::createNewContext function. I will upload a patch for this.

chrome_23a0000!WebCore::ResourceRequestBase::url+0x2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\network\resourcerequestbase.cpp @ 106]
chrome_23a0000!WebCore::V8Proxy::createNewContext+0xd8 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 896]
chrome_23a0000!WebCore::V8Proxy::initContextIfNeeded+0x77 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 995]
chrome_23a0000!WebCore::V8Proxy::context+0x3e [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 1114]
chrome_23a0000!WebCore::toV8Context+0x17 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8helpers.cpp @ 49]
chrome_23a0000!NPN_GetProperty+0x38 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\npv8object.cpp @ 283]
chrome_23a0000!NPObjectStub::OnGetProperty+0x68 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\npobject_stub.cc @ 196]
chrome_23a0000!IPC::MessageWithReply<Tuple1<NPIdentifier_Param>,Tuple2<NPVariant_Param &,bool &> >::Dispatch<NPObjectStub,void (__thiscall NPObjectStub::*)(NPIdentifier_Param const &,NPVariant_Param *,bool *)>+0x91 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_message_utils.h @ 1136]
chrome_23a0000!NPObjectStub::OnMessageReceived+0x126 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\npobject_stub.cc @ 67]
chrome_23a0000!MessageRouter::RouteMessage+0x34 [c:\b\slave\chromium-rel-xp\build\src\chrome\common\message_router.cc @ 41]
chrome_23a0000!PluginChannelBase::OnMessageReceived+0x48 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\plugin_channel_base.cc @ 112]
chrome_23a0000!IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages+0x12c [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 107]
chrome_23a0000!IPC::SyncChannel::WaitForReply+0x79 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 415]
chrome_23a0000!IPC::SyncChannel::SendWithTimeout+0x162 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 398]
chrome_23a0000!IPC::SyncChannel::Send+0x10 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 362]
chrome_23a0000!PluginChannelBase::Send+0x68 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\plugin_channel_base.cc @ 95]
chrome_23a0000!WebPluginDelegateProxy::Send+0x37 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\webplugin_delegate_proxy.cc @ 294]
chrome_23a0000!WebPluginDelegateProxy::PluginDestroyed+0x78 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\webplugin_delegate_proxy.cc @ 211]
chrome_23a0000!WebPluginImpl::TearDownPluginInstance+0x3f [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webplugin_impl.cc @ 1385]
chrome_23a0000!WebPluginContainer::~WebPluginContainer+0x1d [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webplugin_impl.cc @ 177]
chrome_23a0000!WebPluginContainer::`scalar deleting destructor'+0xb
chrome_23a0000!WebCore::RenderWidget::clearWidget+0x2b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderwidget.cpp @ 279]
chrome_23a0000!WebCore::RenderPart::~RenderPart+0x15 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderpart.cpp @ 42]
chrome_23a0000!WebCore::RenderPartObject::`scalar deleting destructor'+0x27
chrome_23a0000!WebCore::RenderObject::arenaDelete+0x80 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderobject.cpp @ 1882]
chrome_23a0000!WebCore::RenderWidget::destroy+0x117 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderwidget.cpp @ 97]
chrome_23a0000!WebCore::Node::detach+0x19 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\node.cpp @ 1169]
chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587]
chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587]
chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587]
chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587]
chrome_23a0000!WebCore::Document::detach+0xc0 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\document.cpp @ 1359]
chrome_23a0000!WebCore::Frame::setView+0x31 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\page\frame.cpp @ 232]
chrome_23a0000!WebCore::FrameLoader::detachFromParent+0x12c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\frameloader.cpp @ 3524]
chrome_23a0000!WebViewImpl::close+0x1f [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webview_impl.cc @ 943]
chrome_23a0000!RenderWidget::Close+0x10 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_widget.cc @ 651]
chrome_23a0000!MessageLoop::RunTask+0x7e [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 314]
chrome_23a0000!MessageLoop::DoWork+0x1ea [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 436]
chrome_23a0000!base::MessagePumpDefault::Run+0x111 [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_default.cc @ 50]
chrome_23a0000!MessageLoop::RunInternal+0xb7 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 198]
chrome_23a0000!MessageLoop::RunHandler+0xa0 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 182]
chrome_23a0000!MessageLoop::Run+0x3d [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 156]
chrome_23a0000!RendererMain+0x40f [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\renderer_main.cc @ 151]
chrome_23a0000!ChromeMain+0x608 [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_dll_main.cc @ 486]
chrome!wWinMain+0x2fd [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_exe_main.cc @ 102]
chrome!__tmainCRTStartup+0x176 [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 324]
WARNING: Stack unwind information not available. Following frames may be wrong.
kernel32!RegisterWaitForInputIdle+0x49
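As an added example (not code from this bug or from WebKit), the teardown ordering the report describes, with the unconditional dereference beside the null-checked form the report proposes. FrameLoader, DocumentLoader and KURL here are constructed stand-ins, and the onDetach hook is a hypothetical substitute for the plugin destruction that re-enters the bindings from inside detachFromParent.

```cpp
#include <functional>
#include <string>

// Minimal stand-ins for the WebCore types in the crash stack (constructed
// for this example; not WebKit's real classes).
struct KURL {
    std::string protocol_;
    std::string protocol() const { return protocol_; }
};
struct DocumentLoader {
    KURL url_;
    const KURL& url() const { return url_; }
};
struct FrameLoader {
    DocumentLoader* m_documentLoader = nullptr;
    // Simulates the plugin teardown that runs inside detachFromParent and
    // re-enters the V8 bindings (NPN_GetProperty -> createNewContext).
    std::function<void()> onDetach;
    DocumentLoader* activeDocumentLoader() const { return m_documentLoader; }
    void setDocumentLoader(DocumentLoader* loader) { m_documentLoader = loader; }
    // Same ordering as the report: loader cleared first, widgets destroyed after.
    void detachFromParent() {
        setDocumentLoader(nullptr);
        if (onDetach)
            onDetach();
    }
};
// Before: the unconditional dereference from the report; null after detachFromParent.
std::string contextProtocolUnchecked(FrameLoader* loader) {
    return loader->activeDocumentLoader()->url().protocol();
}

// After: the null check the report proposes; empty protocol during teardown instead.
std::string contextProtocolChecked(FrameLoader* loader) {
    DocumentLoader* dl = loader->activeDocumentLoader();
    if (!dl)
        return std::string();
    return dl->url().protocol();
}

// Runs a teardown and returns what the hardened binding path observed.
std::string protocolSeenDuringDetach() {
    DocumentLoader dl{KURL{"http"}};
    FrameLoader loader;
    loader.setDocumentLoader(&dl);
    std::string seen = "unset";
    loader.onDetach = [&] { seen = contextProtocolChecked(&loader); };
    loader.detachFromParent();
    return seen;
}
```

Calling contextProtocolUnchecked from the onDetach hook instead would dereference a null pointer, which is the crash in the first frames of the stack above.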
Attachments
Patch containing the proposed fix in V8Proxy.cpp (1.45 KB, patch)
2009-07-28 12:00 PDT, Ananta Iyengar
no flags
Updated V8 bindings patch (1.62 KB, patch)
2009-07-28 12:30 PDT, Ananta Iyengar
dglazkov: review+
Adam Barth
Comment 1 2009-07-28 11:10:13 PDT
That line of code is very wrong, but that's an issue for another bug.
Ananta Iyengar
Comment 2 2009-07-28 12:00:25 PDT
Created attachment 33657 [details] Patch containing the proposed fix in V8Proxy.cpp
Ananta Iyengar
Comment 3 2009-07-28 12:30:52 PDT
Created attachment 33660 [details] Updated V8 bindings patch
Dimitri Glazkov (Google)
Comment 4 2009-07-28 12:32:03 PDT
Comment on attachment 33660 [details] Updated V8 bindings patch

ok.
Dimitri Glazkov (Google)
Comment 5 2009-07-28 12:33:31 PDT
Adam Barth
Comment 6 2009-07-28 12:43:01 PDT
Where is the test case?
Darin Fisher (:fishd, Google)
Comment 7 2009-07-28 13:02:05 PDT
(In reply to comment #6)
> Where is the test case?

Hmm... it may be possible to extend the layout test plugin to have a mode where it attempts to read a property from the containing window during destruction.
Ananta Iyengar
Comment 8 2009-07-28 13:49:50 PDT
Based on what I know about the plugin shutdown code in webkit, the window script objects are destroyed before the plugin shutdown function is called. Calls to NPN functions on the window script object would probably fail in this context. We need a different NPObject which remains valid during plugin shutdown on which the plugin can invoke.
Darin Adler
Comment 9 2014-04-24 16:45:03 PDT
Moving all JavaScriptGlue bugs to JavaScriptCore. The JavaScriptGlue framework itself is long gone. And most of the more recent bugs put in this component were put there by people who thought this was for some other aspect of “JavaScript glue” and have nothing to do with the actual original reason for the existence of this component, which was an OS-X-only framework named JavaScriptGlue.