Calling NPN_InvokeDefault from a plugin fails sometimes using the latest (git-svn-id: http://svn.webkit.org/repository/webkit/trunk@115246 268f45cc-cd09-0410-ab3c-d52691b4dbfc) built for gtk (using JavaScriptCore). The failure occurs because the if (!rootObject || !rootObject->isValid()) check fails in NP_jsobject.cpp at _NPN_InvokeDefault. The repro steps run some unit tests for the plugin being developed, which behaves roughly as follows for each test: 1. create <object> 2. run test code 3. remove <object> The test code passes in a JS function to the plugin that is later called via NPN_InvokeDefault. Digging through the code a bit shows me that a new rootObject is created for each instance of the plugin. When the JS function value is converted to an NPVariant before calling the plugin it calls findRootObject to assign a rootObject. At that point there are multiple rootObjects in the root object set: globalObject=0x7fa1438bc150 rootObject=0x24d35f0 rootObject->globalObject=0x7fa1438bc150 rootObject=0x23e4b50 rootObject->globalObject=0x7fa1438bc150 rootObject=0x250d890 rootObject->globalObject=0x7fa1438bc150 rootObject=0x2576d30 rootObject->globalObject=0x7fa1438bc150 rootObject=0x2593830 rootObject->globalObject=0x7fa1438bc150 findRootObject picks the first one, which does not belong to the instance of the plugin that is being called. The first rootObject is invalidated before the plugin calls NPN_InvokeDefault.