Bug 30419 - NPN_UserAgent leaks its return value
Summary: NPN_UserAgent leaks its return value
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-15 17:55 PDT by Dan Webb
Modified: 2009-10-21 16:49 PDT
CC: 3 users

See Also:


Attachments
Description Dan Webb 2009-10-15 17:55:35 PDT
Each call to NPN_UserAgent leaks an NSString object on the Mac.

How I discovered the bug:  I was calling NPN_UserAgent in NPP_HandleEvent, and I noticed a slow leak.  I opened ObjectAlloc.tracetemplate and did a trace of Safari, and it showed a leak of an object of roughly 170 bytes happening at nearly 60 times per second, and the stack trace showed the leak coming from NPN_UserAgent.
Comment 1 Alexey Proskuryakov 2009-10-15 19:57:24 PDT
I cannot reproduce this with ToT. Could you please post a full stack trace? Also, are you seeing this in Safari on Mac OS X 10.5?

Could you please try to reproduce this with a nightly build from <http://nightly.webkit.org>?
Comment 2 Dan Webb 2009-10-21 16:07:30 PDT
I reproduced it in Monday's ToT WebKit build.

Stack trace of one of the leaked objects (from ObjectAlloc):
  21 Safari 0x2c92
  20 AppKit NSApplicationMain
  19 AppKit -[NSApplication run]
  18 Safari 0xc303
  17 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
  16 AppKit _DPSNextEvent
  15 HIToolbox BlockUntilNextEventMatchingListInMode
  14 HIToolbox ReceiveNextEventCommon
  13 HIToolbox RunCurrentEventLoopInMode
  12 CoreFoundation CFRunLoopRunInMode
  11 CoreFoundation CFRunLoopRunSpecific
  10 WebKit WebNetscapePluginEventHandlerCarbon::sendNullEvent() /Users/dwebb/Keyhole-local/WebKit/WebKit/mac/Plugins/WebNetscapePluginEventHandlerCarbon.mm:124
   9 WebKit WebNetscapePluginEventHandlerCarbon::sendEvent(EventRecord*) /Users/dwebb/Keyhole-local/WebKit/WebKit/mac/Plugins/WebNetscapePluginEventHandlerCarbon.mm:420
   8 WebKit -[WebNetscapePluginDocumentView sendEvent:isDrawRect:] /Users/dwebb/Keyhole-local/WebKit/WebKit/mac/Plugins/WebNetscapePluginView.mm:672
   7 libnpgeplugin.dylib Private_HandleEvent(_NPP*, void*)
   6 libnpgeplugin.dylib nsPluginInstance::HandleEvent(void*) scons-out/opt/obj/apps/earth/plugin/idlglue/staticglue/moz/plugin.cc:164
   5 libnpgeplugin.dylib GetNPSupportedModels(_NPP*, bool*, bool*, bool*)
   4 WebKit NPN_UserAgent /Users/dwebb/Keyhole-local/WebKit/WebKit/mac/Plugins/npapi.mm:120
   3 Foundation -[NSCFString UTF8String]
   2 Foundation bytesInEncoding
   1 CoreFoundation __CFDataInit
   0 CoreFoundation _CFRuntimeCreateInstance


If you want to reproduce it using the Google Earth plugin, download the installer from here, install it, and reload the page (might require Safari restart):
<http://code.google.com/apis/earth/>
Comment 3 Mark Rowe (bdash) 2009-10-21 16:16:08 PDT
That appears to show the char* buffer returned by NPN_UserAgent is being leaked.  I would assume that the caller of NPN_UserAgent is responsible for freeing that memory.  Is that not the case?
Comment 4 Dan Webb 2009-10-21 16:35:38 PDT
Hmm, I assumed that the string was owned by npapi, since the docs didn't mention anything about handing off ownership of the C string.
<http://developer.mozilla.org/en/NPN_UserAgent>

I googled around a bit and found some example code that doesn't free the string:
<https://developer.mozilla.org/en/Gecko_Plugin_API_Reference/Initialization_and_Destruction#Initialize_and_Shutdown_Example>
Comment 5 Alexey Proskuryakov 2009-10-21 16:49:48 PDT
If I'm looking at the right place, Mozilla does return a pointer to a static buffer: <http://mxr.mozilla.org/mozilla-central/source/modules/plugin/base/src/nsPluginHost.cpp#2612> indeed.
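To make the ownership question in this thread concrete, here is an added C model (not WebKit's or Mozilla's code) of the two ways a browser can implement NPN_UserAgent: handing out a fresh copy on every call that no one owns, versus filling a browser-owned static buffer once, as Comment 5 says Mozilla does. The user-agent value, the function names and the event-loop harness are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample value standing in for the browser's real user-agent
   string (hypothetical, not WebKit's). */
static const char *const kSampleUserAgent =
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) AppleWebKit/532.3";

/* Registry of per-call copies that were never released: the bug's leak. */
#define MAX_OUTSTANDING 4096
static char *g_outstanding[MAX_OUTSTANDING];
static int g_outstanding_count = 0;

/* Per-call-copy variant: mirrors the reported behaviour of creating a new
   string object on every call with no owner to release it. */
const char *user_agent_per_call(void) {
    size_t len = strlen(kSampleUserAgent) + 1;
    char *copy = malloc(len);
    if (copy == NULL || g_outstanding_count >= MAX_OUTSTANDING) {
        free(copy);
        return NULL;
    }
    memcpy(copy, kSampleUserAgent, len);
    g_outstanding[g_outstanding_count++] = copy; /* nobody frees this later */
    return copy;
}

/* Static-buffer variant, the convention Comment 5 points to in Mozilla:
   fill a browser-owned buffer once and hand back the same pointer. */
const char *user_agent_static(void) {
    static char buffer[256];
    if (buffer[0] == '\0')
        strncpy(buffer, kSampleUserAgent, sizeof buffer - 1);
    return buffer;
}

/* Models a plugin calling NPN_UserAgent from NPP_HandleEvent on every null
   event (about 60 per second in the report). Returns how many new heap
   strings were left outstanding by the run. */
int simulate_null_events(const char *(*npn_user_agent)(void), int events) {
    int before = g_outstanding_count;
    int i;
    for (i = 0; i < events; i++) {
        const char *ua = npn_user_agent();
        (void)ua; /* the plugin reads it; by the API contract it never frees it */
    }
    return g_outstanding_count - before;
}

/* Releases everything the per-call variant handed out, for the harness only. */
void release_outstanding(void) {
    int i;
    for (i = 0; i < g_outstanding_count; i++)
        free(g_outstanding[i]);
    g_outstanding_count = 0;
}
```

Ten seconds of null events (600 calls) leave 600 unreleased strings with the per-call variant and none with the static buffer, which is the growth ObjectAlloc showed.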