RESOLVED INVALID 30984
Extensive use of Javascript to communicate between two Flash objects crashes WebKit
https://bugs.webkit.org/show_bug.cgi?id=30984
Eden Li
Reported 2009-10-31 16:46:44 PDT
The dump shows that it crashes in WKPCIdentifierInfo. It appears IdentifierRep::isValid is being passed a NULL identifier which causes an EXC_BAD_ACCESS exception. A Google search reveals that current Snow Leopard users are running into this same crash: http://discussions.apple.com/thread.jspa?messageID=10438485

In this case there are two Flash objects loaded on a web page and they make 100-200 ExternalInterface calls. Each call triggers a Javascript bridging object to pass the data it received into the other Flash object. It works fine most of the time, but one in 10 loads of the same page will cause WebKit to crash at the same point. The same WebKit build on OSX 10.5 does not cause a crash, nor does a crash occur in any other browser I tested.

Here's the backtrace from a gdb session on a debug build:

#0 0x0000000101269270 in WTF::HashTable<WebCore::IdentifierRep*, WebCore::IdentifierRep*, WTF::IdentityExtractor<WebCore::IdentifierRep*>, WTF::PtrHash<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*> >::checkKey<WebCore::IdentifierRep*, WTF::IdentityHashTranslator<WebCore::IdentifierRep*, WebCore::IdentifierRep*, WTF::PtrHash<WebCore::IdentifierRep*> > > (this=0x11ae45a90, key=@0x7fff5fbfc988) at HashTable.h:455
#1 0x0000000101269325 in WTF::HashTable<WebCore::IdentifierRep*, WebCore::IdentifierRep*, WTF::IdentityExtractor<WebCore::IdentifierRep*>, WTF::PtrHash<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*> >::lookup<WebCore::IdentifierRep*, WTF::IdentityHashTranslator<WebCore::IdentifierRep*, WebCore::IdentifierRep*, WTF::PtrHash<WebCore::IdentifierRep*> > > (this=0x11ae45a90, key=@0x7fff5fbfc988) at HashTable.h:469
#2 0x000000010126940c in WTF::HashTable<WebCore::IdentifierRep*, WebCore::IdentifierRep*, WTF::IdentityExtractor<WebCore::IdentifierRep*>, WTF::PtrHash<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*> >::contains<WebCore::IdentifierRep*, WTF::IdentityHashTranslator<WebCore::IdentifierRep*, WebCore::IdentifierRep*, WTF::PtrHash<WebCore::IdentifierRep*> > > (this=0x11ae45a90, key=@0x7fff5fbfc988) at HashTable.h:794
#3 0x000000010126943b in WTF::HashTable<WebCore::IdentifierRep*, WebCore::IdentifierRep*, WTF::IdentityExtractor<WebCore::IdentifierRep*>, WTF::PtrHash<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*> >::contains (this=0x11ae45a90, key=@0x7fff5fbfc988) at HashTable.h:325
#4 0x000000010126945d in WTF::HashSet<WebCore::IdentifierRep*, WTF::PtrHash<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*> >::contains (this=0x11ae45a90, value=@0x7fff5fbfc988) at HashSet.h:178
#5 0x000000010126872b in WebCore::IdentifierRep::isValid (identifier=0x0) at /Users/eden/WebKit/WebCore/bridge/IdentifierRep.cpp:108
#6 0x00000001002e1fe1 in WKPCIdentifierInfo (clientPort=39939, serverIdentifier=0, infoData=0x7fff5fbfcacc, infoLength=0x7fff5fbfcae4) at /Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.mm:826
#7 0x000000010038ef76 in _XPCIdentifierInfo (InHeadP=0x7fff5fbfcb20, OutHeadP=0x7fff5fbfcab0) at /Users/eden/WebKit/WebKitBuild/WebKit.build/Debug/WebKit.build/DerivedSources/x86_64/WebKitPluginClientServer.c:6998
#8 0x000000010038e17d in WebKitPluginClient_server (InHeadP=0x7fff5fbfcb20, OutHeadP=0x7fff5fbfcab0) at /Users/eden/WebKit/WebKitBuild/WebKit.build/Debug/WebKit.build/DerivedSources/x86_64/WebKitPluginClientServer.c:9634
#9 0x00000001002e5544 in WebKit::NetscapePluginHostProxy::processRequests (this=0x11aef0c60) at /Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.mm:291
#10 0x00000001002ef0d6 in WebKit::NetscapePluginInstanceProxy::processRequestsAndWaitForReply (this=0x11b2e2560, requestID=46) at /Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm:637
#11 0x0000000100304adb in WebKit::NetscapePluginInstanceProxy::waitForReply<WebKit::NetscapePluginInstanceProxy::BooleanAndDataReply> (this=0x11b2e2560, requestID=46) at NetscapePluginInstanceProxy.h:252
#12 0x000000010030701b in WebKit::ProxyInstance::invoke (this=0x11b29b110, exec=0x11a693218, type=Invoke, identifier=0, args=@0x7fff5fbfdde0) at /Users/eden/WebKit/WebKit/mac/Plugins/Hosted/ProxyInstance.mm:150
#13 0x0000000100307241 in WebKit::ProxyInstance::invokeMethod (this=0x11b29b110, exec=0x11a693218, methodList=@0x11ac81780, args=@0x7fff5fbfdde0) at /Users/eden/WebKit/WebKit/mac/Plugins/Hosted/ProxyInstance.mm:163
#14 0x00000001016da190 in JSC::callRuntimeMethod (exec=0x11a693218, function=0x11b4621c0, thisValue={m_ptr = 0x11b088f80}, args=@0x7fff5fbfdde0) at /Users/eden/WebKit/WebCore/bridge/runtime_method.cpp:114
#15 0x000000010088a3f0 in cti_op_call_NotJSFunction (args=0x7fff5fbfdec0) at /Users/eden/WebKit/JavaScriptCore/jit/JITStubs.cpp:1615
#16 0x00000001008836c3 in WTF::doubleHash (key=Could not find the frame base for "WTF::doubleHash(unsigned int)".
) at HashTable.h:437
#17 0x0000000100867e34 in JSC::JITCode::execute (this=0x11aff9158, registerFile=0x11a0246b8, callFrame=0x11a693048, globalData=0x106912000, exception=0x7fff5fbfe140) at JITCode.h:79
#18 0x0000000100854ea9 in JSC::Interpreter::execute (this=0x11a0246a0, program=0x11aff9140, callFrame=0x11b285ff8, scopeChain=0x11aebe9a0, thisObj=0x11adbec80, exception=0x7fff5fbfe140) at /Users/eden/WebKit/JavaScriptCore/interpreter/Interpreter.cpp:613
#19 0x0000000100815b8c in JSC::evaluate (exec=0x11b285ff8, scopeChain=@0x11b285fb0, source=@0x7fff5fbfe210, thisValue={m_ptr = 0x0}) at /Users/eden/WebKit/JavaScriptCore/runtime/Completion.cpp:60
#20 0x00000001002eee57 in WebKit::NetscapePluginInstanceProxy::evaluate (this=0x11ac454e0, objectID=182, script=@0x7fff5fbfe320, resultData=@0x7fff5fbfe318, resultLength=@0x7fff5fbfe34c, allowPopups=false) at /Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm:714
#21 0x00000001002e427a in WKPCEvaluate (clientPort=39939, pluginID=13, requestID=230, objectID=182, scriptData=0x106205000 "try { __flash__toXML(jslc.execCall(\"_continuous_play_1256939116878\",\"messageHandler\",\"_SlaveCP_LcName_1256939519590\",\"ConnectRequest\",({lcid:\"_SlaveCP_LcName_1256939519590\"}))) ; } catch (e) { \"<undef"..., scriptLength=210, allowPopups=0) at /Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.mm:553
#22 0x000000010038fdcd in _XPCEvaluate (InHeadP=0x7fff5fbfe590, OutHeadP=0x7fff5fbfe3d0) at /Users/eden/WebKit/WebKitBuild/WebKit.build/Debug/WebKit.build/DerivedSources/x86_64/WebKitPluginClientServer.c:4432
#23 0x00007fff86406365 in mshMIGPerform ()
#24 0x00007fff86cb5f84 in __CFRunLoopDoSource1 ()
#25 0x00007fff86c8e64d in __CFRunLoopRun ()
#26 0x00007fff86c8d03f in CFRunLoopRunSpecific ()
#27 0x00007fff81ab4c4e in RunCurrentEventLoopInMode ()
#28 0x00007fff81ab4a53 in ReceiveNextEventCommon ()
#29 0x00007fff81ab490c in BlockUntilNextEventMatchingListInMode ()
#30 0x00007fff85195520 in _DPSNextEvent ()
#31 0x00007fff85194e89 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#32 0x000000010000bcf0 in ?? ()
#33 0x00007fff8515aa7d in -[NSApplication run] ()
#34 0x00007fff85153798 in NSApplicationMain ()
#35 0x0000000100001d0c in ?? ()
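The backtrace shows a serverIdentifier of 0 arriving from the plugin process over IPC (frame #6, WKPCIdentifierInfo) and reaching IdentifierRep::isValid as a null pointer, where the HashSet lookup fails because null is the set's empty-bucket sentinel, not a key. The following is an added illustration, not WebKit source: a hypothetical host-side handler (IdentifierRegistry, handleIdentifierInfo) shown in its trusting form beside a hardened form that treats the identifier crossing the plugin/host boundary as untrusted and rejects the sentinel and unknown values before any lookup.

```cpp
// Added illustration, not WebKit code. Names are hypothetical; the shape follows
// the backtrace above, where serverIdentifier=0 from the plugin process becomes
// a null IdentifierRep* inside IdentifierRep::isValid.
#include <cassert>
#include <cstdint>
#include <cstring>
#include <unordered_set>

struct IdentifierRep { const char* name; };

// Set of identifiers the host itself minted. Like WTF::HashSet<IdentifierRep*>,
// it reserves the null pointer as the "empty bucket" sentinel: looking it up is
// a precondition violation (an ASSERT in debug builds), not an ordinary miss.
class IdentifierRegistry {
public:
    ~IdentifierRegistry() { for (IdentifierRep* r : m_live) delete r; }
    IdentifierRep* mint(const char* name) {
        IdentifierRep* rep = new IdentifierRep{name};
        m_live.insert(rep);
        return rep;
    }
    bool isValid(IdentifierRep* rep) const {
        assert(rep != nullptr && "null is the empty-bucket sentinel, never a key");
        return m_live.count(rep) != 0;
    }
private:
    std::unordered_set<IdentifierRep*> m_live;
};

// Status reported back over IPC instead of taking the host process down.
enum class InfoResult { Ok, BadIdentifier };

// Before: trusts the wire value and hands whatever it decodes to straight to the lookup.
InfoResult handleIdentifierInfoUnchecked(const IdentifierRegistry& reg, uintptr_t serverIdentifier, const char** nameOut) {
    IdentifierRep* rep = reinterpret_cast<IdentifierRep*>(serverIdentifier);
    if (!reg.isValid(rep))            // serverIdentifier == 0 trips the assert inside isValid
        return InfoResult::BadIdentifier;
    *nameOut = rep->name;
    return InfoResult::Ok;
}

// After: reject the sentinel up front, then confirm the value names something this host minted.
InfoResult handleIdentifierInfo(const IdentifierRegistry& reg, uintptr_t serverIdentifier, const char** nameOut) {
    if (serverIdentifier == 0)        // never let the empty-bucket sentinel reach the hash set
        return InfoResult::BadIdentifier;
    IdentifierRep* rep = reinterpret_cast<IdentifierRep*>(serverIdentifier);
    if (!reg.isValid(rep))            // unknown or forged identifier: refuse, do not dereference
        return InfoResult::BadIdentifier;
    *nameOut = rep->name;
    return InfoResult::Ok;
}
```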
Mark Rowe (bdash)
Comment 1 2009-10-31 17:26:59 PDT
If you have a reproducible case of this crash, please attach information about how to reproduce it to this bug report so that we can investigate it.
Alexey Proskuryakov
Comment 2 2010-03-26 14:04:05 PDT
No response in 4 months, closing. For unreproducible crashes that you can't or aren't willing to provide additional information about, please just let the crash report dialog submit the information to Apple.