WebKit Bugzilla
RESOLVED FIXED
98448
[v8] Fix npCreateV8ScriptObject crash
https://bugs.webkit.org/show_bug.cgi?id=98448
Summary
[v8] Fix npCreateV8ScriptObject crash
Fady Samuel
Reported
2012-10-04 13:30:04 PDT
[v8] Fix npCreateV8ScriptObject crash
Attachments
Patch (3.38 KB, patch), 2012-10-04 13:32 PDT, Fady Samuel
abarth: review+
abarth: commit-queue-
Added LayoutTest (7.71 KB, patch), 2012-11-26 17:53 PST, lazyboy
no flags
Fady Samuel
Comment 1
2012-10-04 13:32:59 PDT
Created attachment 167165 [details]: Patch
Adam Barth
Comment 2
2012-10-04 13:41:36 PDT
Comment on attachment 167165 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=167165&action=review

> Source/WebCore/ChangeLog:9
> + npCreateV8ScriptObject was crashing because it was being called after the perContextData had
> + been torned down. This is fixed by checking for a non-0 perContextData.
Can we write a test for this case?
Fady Samuel
Comment 3
2012-10-16 13:29:38 PDT
I'm unable to repro this bug locally, let alone write a test for it. We're seeing this happen in crash reports:

Meta information:
Product Name: Chrome
Product Version: 24.0.1283.0
Report ID: b5cb51aff83e2edd
Report Time: 2012/10/01 16:35:58, Mon
Uptime: 7 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 23 stepping 10
ptype: renderer

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000028 )
0x54fb8b7a [chrome.dll] - npv8object.cpp:149 (cs|src|ann)] WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)
0x54fb82bb [chrome.dll] - v8nputils.cpp:72 (cs|src|ann)] WebCore::convertV8ObjectToNPVariant(v8::Local<v8::Value>,NPObject *,_NPVariant *)
0x5555f934 [chrome.dll] - npv8object.cpp:234 (cs|src|ann)] _NPN_Invoke
0x5662fb3a [chrome.dll] - npobject_stub.cc:183 (cs|src|ann)] NPObjectStub::OnInvoke(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)
0x5662f661 [chrome.dll] - tuple.h:746 (cs|src|ann)] DispatchToMethod<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> >,IPC::Message &>(NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,Tuple1<IPC::Message &> *)
0x56630118 [chrome.dll] - ipc_message_utils.h:875 (cs|src|ann)] IPC::SyncMessageSchema<Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > >,Tuple2<NPVariant_Param &,bool &> >::DispatchDelayReplyWithSendParams<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(bool,Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x566302d7 [chrome.dll] - plugin_messages.h:490 (cs|src|ann)] NPObjectMsg_Invoke::DispatchDelayReply<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x5663065b [chrome.dll] - npobject_stub.cc:93 (cs|src|ann)] NPObjectStub::OnMessageReceived(IPC::Message const &)
0x54dc55fc [chrome.dll] - message_router.cc:47 (cs|src|ann)] MessageRouter::RouteMessage(IPC::Message const &)
0x5662ef83 [chrome.dll] - np_channel_base.cc:174 (cs|src|ann)] NPChannelBase::OnMessageReceived(IPC::Message const &)
0x54d3860a [chrome.dll] - ipc_channel_proxy.cc:261 (cs|src|ann)] IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x54d0e8be [chrome.dll] - bind_internal.h:1256 (cs|src|ann)] base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( notifier::NonBlockingPushClient::Core::*)(std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &),void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> >)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>::Run(base::internal::BindStateBase *)
0x54d10b68 [chrome.dll] - message_loop.cc:470 (cs|src|ann)] MessageLoop::RunTask(base::PendingTask const &)
0x54d108cf [chrome.dll] - message_loop.cc:661 (cs|src|ann)] MessageLoop::DoWork()
0x54d10fab [chrome.dll] - message_pump_default.cc:28 (cs|src|ann)] base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x54d1059a [chrome.dll] - message_loop.cc:427 (cs|src|ann)] MessageLoop::RunInternal()
0x54d104f2 [chrome.dll] - run_loop.cc:45 (cs|src|ann)] base::RunLoop::Run()
0x54d3f887 [chrome.dll] - message_loop.cc:307 (cs|src|ann)] MessageLoop::Run()
0x54d5c9a7 [chrome.dll] - renderer_main.cc:239 (cs|src|ann)] RendererMain(content::MainFunctionParams const &)
0x54cf864c [chrome.dll] - content_main_runner.cc:441 (cs|src|ann)] content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x54cf85d3 [chrome.dll] - content_main_runner.cc:734 (cs|src|ann)] content::ContentMainRunnerImpl::Run()
0x54cea5fc [chrome.dll] - content_main.cc:35 (cs|src|ann)] content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x54cea588 [chrome.dll] - chrome_main.cc:28 (cs|src|ann)] ChromeMain
0x00f1510d [chrome.exe] - client_util.cc:440 (cs|src|ann)] MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00f17933 [chrome.exe] - chrome_exe_main_win.cc:76 (cs|src|ann)] RunChrome(HINSTANCE__ *)
0x00f1799e [chrome.exe] - chrome_exe_main_win.cc:92 (cs|src|ann)] wWinMain
0x00f702ec [chrome.exe] - crt0.c:275] __tmainCRTStartup
0x7609ed6b [kernel32.dll] + 0x0004ed6b] BaseThreadInitThunk
0x7707377a [ntdll.dll] + 0x0006377a] __RtlUserThreadStart
0x7707374d [ntdll.dll] + 0x0006374d] _RtlUserThreadStart
Adam Barth
Comment 4
2012-10-16 13:33:47 PDT
It seems like you should be able to write a LayoutTest for this issue using the test plugin. You just need to call NPN_Invoke on an object from a document that is no longer being displayed in a frame. You should also be able to do it using a unit test, but it's probably better to use the test plugin.
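The lifetime ordering behind this crash, as described in the ChangeLog excerpt quoted in Comment 2, and the scenario Adam suggests testing in Comment 4, as an added illustration that is not WebCore code and not the patch itself. Every type and function here (PerContextData, ScriptContext, createScriptObject, npInvoke) is a hypothetical stand-in that only models the order of events: a plugin-held object outlives the document it was created for, the document's per-context data is torn down on navigation, and an invoke arriving afterwards must fail cleanly instead of dereferencing a null pointer.

```cpp
#include <cstdio>
#include <memory>

// Stand-in for the per-context bookkeeping that is destroyed on navigation
// (hypothetical; models the perContextData the ChangeLog refers to).
struct PerContextData {
    int objectsCreated = 0;
};

// Stand-in for the window / script context an NPObject refers back to.
// The context object itself may stay alive because plugin code still
// references it, while its auxiliary data has already been released.
struct ScriptContext {
    std::unique_ptr<PerContextData> perContextData;
    bool displayed = true;

    ScriptContext() : perContextData(new PerContextData) {}

    // Models the document being navigated away from.
    void tearDown() {
        displayed = false;
        perContextData.reset();
    }
};

struct ScriptObject {
    int id = 0;
};

// Models npCreateV8ScriptObject after the fix: a torn-down context yields
// no object. Before the fix the null perContextData was read unconditionally,
// which is the read at a small offset (0x28) reported in Comment 3.
bool createScriptObject(ScriptContext& ctx, ScriptObject& out) {
    PerContextData* data = ctx.perContextData.get();
    if (!data)
        return false;               // context gone: refuse instead of crashing
    out.id = ++data->objectsCreated;
    return true;
}

// Models the NPN_Invoke -> convertV8ObjectToNPVariant path from the stack:
// the invoke result is converted to a script object, and a failed conversion
// surfaces to the caller as a failed invoke, which NPAPI callers already handle.
bool npInvoke(ScriptContext& ctx, ScriptObject& result) {
    return createScriptObject(ctx, result);
}

// The scenario from Comment 4: invoke on an object whose document is no
// longer displayed. True when the pre-teardown call succeeds and the
// post-teardown call fails cleanly without touching freed state.
bool invokeAfterTeardownFailsCleanly() {
    ScriptContext ctx;
    ScriptObject obj;
    bool before = npInvoke(ctx, obj);   // document displayed: object id 1
    ctx.tearDown();                     // navigate away
    bool after = npInvoke(ctx, obj);    // must not dereference perContextData
    return before && obj.id == 1 && !after;
}

// Sanity check that the checked path still creates objects while the
// context is alive.
int objectsCreatedByThreeInvokes() {
    ScriptContext ctx;
    ScriptObject obj;
    for (int i = 0; i < 3; ++i)
        npInvoke(ctx, obj);
    return ctx.perContextData ? ctx.perContextData->objectsCreated : -1;
}

int main() {
    std::printf("invoke after teardown fails cleanly: %s\n",
                invokeAfterTeardownFailsCleanly() ? "yes" : "no");
    std::printf("objects created by three invokes: %d\n",
                objectsCreatedByThreeInvokes());
    return 0;
}
```

The point the model makes is the invariant the fix restores: any entry point a plugin can still reach after navigation (here, the invoke path arriving over IPC) must check that the context it is about to use is still alive, and report failure rather than assume the per-context state exists.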
lazyboy
Comment 5
2012-11-26 17:53:21 PST
Created attachment 176129 [details]: Added LayoutTest
Adam Barth
Comment 6
2012-11-26 19:02:10 PST
Comment on attachment 176129 [details]: Added LayoutTest
Thanks for the test.
WebKit Review Bot
Comment 7
2012-11-26 19:41:46 PST
Comment on attachment 176129 [details]: Added LayoutTest
Clearing flags on attachment: 176129
Committed r135804: <http://trac.webkit.org/changeset/135804>