[WK2] WebProcess crashes when plugin is not initialized.
This is reproducible with the Qt MiniBrowser when loading index.hu.
Created attachment 161937: Patch
Comment on attachment 161937 (Patch): I would like to see steps to reproduce this crash and a backtrace of the crash. There's active work going on in this area so it's important to understand the details of what you've found and not just wallpaper over it. More specifically, PluginViews are created with m_plugin set to the Plugin that lasts their entire lifetime, so it's surprising to see that m_plugin might be null. The only time it can be cleared is if the plug-in fails to initialize and then the PluginView is still used after that case. Again, please give details on how this reproduces.
The crash is reproducible (since http://trac.webkit.org/changeset/124815) with Qt MiniBrowser the following way:

MiniBrowser index.hu

And the backtrace of the crash:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff97ffd700 (LWP 17013)]
0x00007ffff47c6305 in WebKit::PluginView::scriptObject (this=0x20fc5b0, globalObject=0x7fffe406ec80) at /home/abecsi/devel/git/webkit-git-svn/Source/WebKit2/WebProcess/Plugins/PluginView.cpp:555
555	    if (m_plugin->isBeingAsynchronouslyInitialized()) {
(gdb) bt
#0  0x00007ffff47c6305 in WebKit::PluginView::scriptObject (this=0x20fc5b0, globalObject=0x7fffe406ec80) at /home/abecsi/devel/git/webkit-git-svn/Source/WebKit2/WebProcess/Plugins/PluginView.cpp:555
#1  0x00007ffff49c4574 in WebCore::pluginScriptObjectFromPluginViewBase (pluginElement=0x18c7240, globalObject=0x7fffe406ec80) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:68
#2  0x00007ffff49c4637 in WebCore::pluginScriptObject (exec=0x7fff9dbdf2d8, jsHTMLElement=0x7fff7c09ef00) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:90
#3  0x00007ffff49c4750 in WebCore::runtimeObjectCustomGetOwnPropertySlot (exec=0x7fff9dbdf2d8, propertyName=..., slot=..., element=0x7fff7c09ef00) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:115
#4  0x00007ffff49b1fc5 in WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLObjectElement, WebCore::JSHTMLElement> (exec=0x7fff9dbdf2d8, propertyName=..., slot=..., element=0x7fff7c09ef00) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSPluginElementFunctions.h:58
#5  0x00007ffff49b1e3c in WebCore::JSHTMLObjectElement::getOwnPropertySlotDelegate (this=0x7fff7c09ef00, exec=0x7fff9dbdf2d8, propertyName=..., slot=...) at /home/abecsi/devel/git/webkit-git-svn/Source/WebCore/bindings/js/JSHTMLObjectElementCustom.cpp:38
#6  0x00007ffff5b9c5f7 in WebCore::JSHTMLObjectElement::getOwnPropertySlot (cell=0x7fff7c09ef00, exec=0x7fff9dbdf2d8, propertyName=..., slot=...) at generated/JSHTMLObjectElement.cpp:161
#7  0x00007ffff479ea07 in JSC::JSCell::fastGetOwnPropertySlot (this=0x7fff7c09ef00, exec=0x7fff9dbdf2d8, propertyName=..., slot=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/JSObject.h:616
#8  0x00007ffff49c26dc in JSC::JSValue::get (this=0x7fffffffcb80, exec=0x7fff9dbdf2d8, propertyName=..., slot=...) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/runtime/JSObject.h:871
#9  0x00007ffff6057fee in JSC::cti_op_get_by_id (args=0x7fffffffcc00) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:1710
#10 0x00007ffff6055a99 in JSC::JITThunks::tryCacheGetByID (callFrame=0x22f1b30, codeBlock=0x7ffff455a29d <JSC::PropertyName::PropertyName(JSC::Identifier const&)+65>, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7fff7c09ef00) at /home/abecsi/devel/git/webkit-git-svn/Source/JavaScriptCore/jit/JITStubs.cpp:980
#11 0x00007fffffffcc30 in ?? ()
#12 0x00007fff7c09ef00 in ?? ()
#13 0x00000000022f1b30 in ?? ()
#14 0x00007fff00000003 in ?? ()
#15 0x00007fffffffcc40 in ?? ()
#16 0x00007fff7c0bcfc0 in ?? ()
#17 0x00007ffff7db0b00 in JSC::JSNotAnObject::s_info () from /home/abecsi/devel/git/webkit-git-svn/WebKitBuild/Debug/lib/libQtWebKit.so.5
#18 0x00007ffff7d6f260 in WebCore::JSDOMWindowPrototype::s_info () from /home/abecsi/devel/git/webkit-git-svn/WebKitBuild/Debug/lib/libQtWebKit.so.5
#19 0x00007fffffffcc70 in ?? ()
#20 0x00007fffa052a460 in ?? ()
#21 0x0000000000515ef8 in ?? ()
#22 0x00007fff9dbdf2d8 in ?? ()
#23 0x0000000000000000 in ?? ()
(In reply to comment #4)
> The crash is reproducible (since http://trac.webkit.org/changeset/124815) with Qt MiniBrowser the following way:
>
> MiniBrowser index.hu

Why is the plug-in failing to initialize? Can you construct a test for this? TestNetscapePlugin and WebKitTestRunner have the ability to test this type of thing.
Created attachment 162073: Makes Qt MiniBrowser crash

Plugin support seems generally to be unreliable/broken in Qt5, so plugin tests are disabled, though plugins are not disabled in MiniBrowser since work is ongoing to fix the issues. Because the initialization of plugins that set the "movie" parameter fails in MiniBrowser, and since on the mentioned news site (index.hu) some scripts try to access the plugin object, the web process crashes in PluginView::scriptObject. Attached is a reduced test page that crashes the QtWebProcess in MiniBrowser.
CC-ing Balazs who used to work on plugin issues.
I understand what is going on here. It hasn't come up on Mac because plug-ins generally don't fail to initialize there. Interesting that Qt has this problem. I'm not against the change. I'm just against it without a test.
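The failure mode discussed in the comments above (m_plugin is cleared only when the plug-in fails to initialize, yet the PluginView stays reachable from script and scriptObject() dereferences the pointer unconditionally) is reduced to a small self-contained model below. This is an added illustration, not WebKit's code: Plugin, PluginView, ScriptObject, initialize() and the asyncInitInProgress flag are hypothetical stand-ins for the classes named in the backtrace, and the two accessors show the crashing shape next to a guarded one that treats a failed initialization the same way as a still-pending asynchronous one.

```cpp
#include <memory>
#include <string>
#include <utility>

// Hypothetical, simplified stand-ins for the classes named in the backtrace.
// Not WebKit's code; only the lifetime relationship matters here.
struct Plugin {
    bool asyncInitInProgress = false;
    bool isBeingAsynchronouslyInitialized() const { return asyncInitInProgress; }
};

struct ScriptObject {
    std::string ownerName;
};

class PluginView {
public:
    explicit PluginView(std::unique_ptr<Plugin> plugin)
        : m_plugin(std::move(plugin)) {}

    // Models the one path on which m_plugin is cleared: the plug-in fails to
    // initialize. The PluginView itself stays alive and reachable from script
    // through its <object> element, which is the situation in the report.
    void initialize(bool pluginInitSucceeds)
    {
        if (!pluginInitSucceeds)
            m_plugin.reset();
    }

    bool hasPlugin() const { return m_plugin != nullptr; }

    // The crashing shape: m_plugin is dereferenced unconditionally, so script
    // touching the element after a failed initialization hits a null pointer.
    // The driver functions below only ever call this on a view whose plug-in
    // initialized successfully.
    ScriptObject* scriptObjectUnguarded()
    {
        if (m_plugin->isBeingAsynchronouslyInitialized())
            return nullptr;
        return ensureScriptObject();
    }

    // The guarded shape: "plug-in failed to initialize" yields "no script
    // object", the same answer the caller already gets during async init.
    ScriptObject* scriptObject()
    {
        if (!m_plugin)
            return nullptr;
        if (m_plugin->isBeingAsynchronouslyInitialized())
            return nullptr;
        return ensureScriptObject();
    }

private:
    ScriptObject* ensureScriptObject()
    {
        if (!m_scriptObject)
            m_scriptObject = std::make_unique<ScriptObject>(ScriptObject{"plugin"});
        return m_scriptObject.get();
    }

    std::unique_ptr<Plugin> m_plugin;
    std::unique_ptr<ScriptObject> m_scriptObject;
};

// Scenario from the report: initialization fails, then script asks for the
// plug-in's script object. True when the guarded accessor answers with null
// instead of dereferencing the cleared pointer.
bool scriptAccessAfterFailedInitIsSafe()
{
    PluginView view(std::make_unique<Plugin>());
    view.initialize(/* pluginInitSucceeds = */ false);
    return !view.hasPlugin() && view.scriptObject() == nullptr;
}

// Control case: a plug-in that initialized normally hands out the same script
// object from both accessors.
bool scriptAccessAfterSuccessfulInitWorks()
{
    PluginView view(std::make_unique<Plugin>());
    view.initialize(true);
    ScriptObject* guarded = view.scriptObject();
    ScriptObject* unguarded = view.scriptObjectUnguarded();
    return guarded != nullptr && guarded == unguarded;
}

// Async case: while the plug-in is still initializing, no script object is
// exposed yet; the guarded accessor returns null here for the same reason.
bool scriptAccessDuringAsyncInitIsDeferred()
{
    auto plugin = std::make_unique<Plugin>();
    plugin->asyncInitInProgress = true;
    PluginView view(std::move(plugin));
    view.initialize(true);
    return view.scriptObject() == nullptr;
}
```

The point of the model is the check order in scriptObject(): the null test has to come before any call through m_plugin, since the existing asynchronous-initialization test already assumes a live Plugin. A layout test along the lines suggested in the review (a plug-in that deliberately fails to initialize, followed by script access to the element) is what exercises the first driver function's path in the real tree.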
*** This bug has been marked as a duplicate of bug 95026 ***