Bug 98448 - [v8] Fix npCreateV8ScriptObject crash
Summary: [v8] Fix npCreateV8ScriptObject crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Fady Samuel
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-04 13:30 PDT by Fady Samuel
Modified: 2012-11-28 12:35 PST (History)

See Also:


Attachments
Patch (3.38 KB, patch)
2012-10-04 13:32 PDT, Fady Samuel
abarth: review+
abarth: commit-queue-
Added LayoutTest (7.71 KB, patch)
2012-11-26 17:53 PST, lazyboy
no flags

Description Fady Samuel 2012-10-04 13:30:04 PDT
[v8] Fix npCreateV8ScriptObject crash
Comment 1 Fady Samuel 2012-10-04 13:32:59 PDT
Created attachment 167165 [details]
Patch
Comment 2 Adam Barth 2012-10-04 13:41:36 PDT
Comment on attachment 167165 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=167165&action=review

> Source/WebCore/ChangeLog:9
> +        npCreateV8ScriptObject was crashing because it was being called after the perContextData had
> +        been torn down. This is fixed by checking for a non-0 perContextData.

Can we write a test for this case?
Comment 3 Fady Samuel 2012-10-16 13:29:38 PDT
I'm unable to repro this bug locally, let alone write a test for it. We're seeing this happen in crash reports:

Meta information:
Product Name: Chrome
Product Version: 24.0.1283.0
Report ID: b5cb51aff83e2edd
Report Time: 2012/10/01 16:35:58, Mon
Uptime: 7 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 23 stepping 10
ptype: renderer

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000028 )

0x54fb8b7a	 [chrome.dll]	 - npv8object.cpp:149 (cs|src|ann)]	WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)
0x54fb82bb	 [chrome.dll]	 - v8nputils.cpp:72 (cs|src|ann)]	WebCore::convertV8ObjectToNPVariant(v8::Local<v8::Value>,NPObject *,_NPVariant *)
0x5555f934	 [chrome.dll]	 - npv8object.cpp:234 (cs|src|ann)]	_NPN_Invoke
0x5662fb3a	 [chrome.dll]	 - npobject_stub.cc:183 (cs|src|ann)]	NPObjectStub::OnInvoke(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)
0x5662f661	 [chrome.dll]	 - tuple.h:746 (cs|src|ann)]	DispatchToMethod<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> >,IPC::Message &>(NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,Tuple1<IPC::Message &> *)
0x56630118	 [chrome.dll]	 - ipc_message_utils.h:875 (cs|src|ann)]	IPC::SyncMessageSchema<Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > >,Tuple2<NPVariant_Param &,bool &> >::DispatchDelayReplyWithSendParams<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(bool,Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x566302d7	 [chrome.dll]	 - plugin_messages.h:490 (cs|src|ann)]	NPObjectMsg_Invoke::DispatchDelayReply<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x5663065b	 [chrome.dll]	 - npobject_stub.cc:93 (cs|src|ann)]	NPObjectStub::OnMessageReceived(IPC::Message const &)
0x54dc55fc	 [chrome.dll]	 - message_router.cc:47 (cs|src|ann)]	MessageRouter::RouteMessage(IPC::Message const &)
0x5662ef83	 [chrome.dll]	 - np_channel_base.cc:174 (cs|src|ann)]	NPChannelBase::OnMessageReceived(IPC::Message const &)
0x54d3860a	 [chrome.dll]	 - ipc_channel_proxy.cc:261 (cs|src|ann)]	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x54d0e8be	 [chrome.dll]	 - bind_internal.h:1256 (cs|src|ann)]	base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( notifier::NonBlockingPushClient::Core::*)(std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &),void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> >)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>::Run(base::internal::BindStateBase *)
0x54d10b68	 [chrome.dll]	 - message_loop.cc:470 (cs|src|ann)]	MessageLoop::RunTask(base::PendingTask const &)
0x54d108cf	 [chrome.dll]	 - message_loop.cc:661 (cs|src|ann)]	MessageLoop::DoWork()
0x54d10fab	 [chrome.dll]	 - message_pump_default.cc:28 (cs|src|ann)]	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x54d1059a	 [chrome.dll]	 - message_loop.cc:427 (cs|src|ann)]	MessageLoop::RunInternal()
0x54d104f2	 [chrome.dll]	 - run_loop.cc:45 (cs|src|ann)]	base::RunLoop::Run()
0x54d3f887	 [chrome.dll]	 - message_loop.cc:307 (cs|src|ann)]	MessageLoop::Run()
0x54d5c9a7	 [chrome.dll]	 - renderer_main.cc:239 (cs|src|ann)]	RendererMain(content::MainFunctionParams const &)
0x54cf864c	 [chrome.dll]	 - content_main_runner.cc:441 (cs|src|ann)]	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x54cf85d3	 [chrome.dll]	 - content_main_runner.cc:734 (cs|src|ann)]	content::ContentMainRunnerImpl::Run()
0x54cea5fc	 [chrome.dll]	 - content_main.cc:35 (cs|src|ann)]	content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x54cea588	 [chrome.dll]	 - chrome_main.cc:28 (cs|src|ann)]	ChromeMain
0x00f1510d	 [chrome.exe]	 - client_util.cc:440 (cs|src|ann)]	MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00f17933	 [chrome.exe]	 - chrome_exe_main_win.cc:76 (cs|src|ann)]	RunChrome(HINSTANCE__ *)
0x00f1799e	 [chrome.exe]	 - chrome_exe_main_win.cc:92 (cs|src|ann)]	wWinMain
0x00f702ec	 [chrome.exe]	 - crt0.c:275]	__tmainCRTStartup
0x7609ed6b	 [kernel32.dll]	 + 0x0004ed6b]	BaseThreadInitThunk
0x7707377a	 [ntdll.dll]	 + 0x0006377a]	__RtlUserThreadStart
0x7707374d	 [ntdll.dll]	 + 0x0006374d]	_RtlUserThreadStart
Comment 4 Adam Barth 2012-10-16 13:33:47 PDT
It seems like you should be able to write a LayoutTest for this issue using the test plugin.  You just need to call NPN_Invoke on an object from a document that is no longer being displayed in a frame.  You should also be able to do it using a unit test, but it's probably better to use the test plugin.
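An added illustration (not WebKit or Chromium code) of the lifetime bug described in the ChangeLog quoted in comment 2 and of the scenario Adam suggests testing in comment 4: a plugin's NPN_Invoke message is queued before the frame goes away and dispatched after its script context's per-context data has been torn down. All type and function names below are stand-ins for the real ones; the modelled fix is the null check on the per-context data, with the null result propagated to the caller as a VOID variant instead of an object.

```cpp
#include <functional>
#include <memory>
#include <queue>

// Toy analogs of the real types (assumed names, not WebKit's).
struct PerContextData { int liveObjects = 0; };          // owned by a frame's script context

struct DOMWindowLike {                                    // analog of DOMWindow
    std::unique_ptr<PerContextData> perContextData;       // null once the frame is torn down
};

struct NPObjectLike { PerContextData* owner = nullptr; }; // analog of the V8 NPObject wrapper

enum class VariantType { Void, Object };
struct NPVariantLike {                                    // analog of NPVariant
    VariantType type = VariantType::Void;
    std::shared_ptr<NPObjectLike> object;
};

// Fixed form of the creation routine: check for a non-null perContextData
// before touching it. The unchecked original dereferenced it and read a field
// at a small offset from address 0, which is what the crash report's
// EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000028 looks like.
std::shared_ptr<NPObjectLike> createScriptObject(DOMWindowLike* window) {
    PerContextData* data = window ? window->perContextData.get() : nullptr;
    if (!data)
        return nullptr;                                   // context already gone: refuse, don't crash
    ++data->liveObjects;
    auto obj = std::make_shared<NPObjectLike>();
    obj->owner = data;
    return obj;
}

// Caller analog of convertV8ObjectToNPVariant: a null object becomes a VOID
// variant, so the plugin side never receives a dangling object handle.
NPVariantLike convertToVariant(DOMWindowLike* window) {
    NPVariantLike v;
    if (auto obj = createScriptObject(window)) {
        v.type = VariantType::Object;
        v.object = obj;
    }
    return v;
}

// Simulates the race from the stack trace: the invoke message is queued first
// and dispatched later; if tearDownFirst is set, the frame is removed in between.
VariantType simulateInvoke(bool tearDownFirst) {
    DOMWindowLike window{std::make_unique<PerContextData>()};
    std::queue<std::function<NPVariantLike()>> ipc;       // pending plugin->renderer messages
    ipc.push([&] { return convertToVariant(&window); });  // NPObjectMsg_Invoke queued
    if (tearDownFirst)
        window.perContextData.reset();                    // frame removed: context torn down
    return ipc.front()().type;                            // late dispatch: Void, not a crash
}
```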
Comment 5 lazyboy 2012-11-26 17:53:21 PST
Created attachment 176129 [details]
Added LayoutTest
Comment 6 Adam Barth 2012-11-26 19:02:10 PST
Comment on attachment 176129 [details]
Added LayoutTest

Thanks for the test.
Comment 7 WebKit Review Bot 2012-11-26 19:41:46 PST
Comment on attachment 176129 [details]
Added LayoutTest

Clearing flags on attachment: 176129

Committed r135804: <http://trac.webkit.org/changeset/135804>