Issue 153376


Issue metadata

Status: Fixed
Closed: Nov 2012
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug


Chrome: Crash Report - Stack Signature: WebCore::npCreateV8ScriptObject(_NPP *,v8::...

Project Member Reported by, Oct 1 2012

Issue description

This started from 24.0.1281.2. It could be due to

Product: Chrome
Stack Signature: WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)-40CF904
New Signature Label: WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)
New Signature Hash: 07144722_b4de80e5_9c982c26_ba83ce24_6f23b627

Report link: http://go/crash/reportdetail?reportid=b5cb51aff83e2edd

Meta information:
Product Name: Chrome
Product Version: 24.0.1283.0
Report ID: b5cb51aff83e2edd
Report Time: 2012/10/01 16:35:58, Mon
Uptime: 7 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 23 stepping 10
ptype: renderer


0x54fb8b7a [chrome.dll] npv8object.cpp:149 WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)
0x54fb82bb [chrome.dll] v8nputils.cpp:72 WebCore::convertV8ObjectToNPVariant(v8::Local<v8::Value>,NPObject *,_NPVariant *)
0x5555f934 [chrome.dll] npv8object.cpp:234 _NPN_Invoke
0x5662fb3a [chrome.dll] NPObjectStub::OnInvoke(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)
0x5662f661 [chrome.dll] tuple.h:746 DispatchToMethod<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> >,IPC::Message &>(NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,Tuple1<IPC::Message &> *)
0x56630118 [chrome.dll] ipc_message_utils.h:875 IPC::SyncMessageSchema<Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > >,Tuple2<NPVariant_Param &,bool &> >::DispatchDelayReplyWithSendParams<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(bool,Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x566302d7 [chrome.dll] plugin_messages.h:490 NPObjectMsg_Invoke::DispatchDelayReply<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x5663065b [chrome.dll] NPObjectStub::OnMessageReceived(IPC::Message const &)
0x54dc55fc [chrome.dll] MessageRouter::RouteMessage(IPC::Message const &)
0x5662ef83 [chrome.dll] NPChannelBase::OnMessageReceived(IPC::Message const &)
0x54d3860a [chrome.dll] IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x54d0e8be [chrome.dll] bind_internal.h:1256 base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( notifier::NonBlockingPushClient::Core::*)(std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &),void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> >)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>::Run(base::internal::BindStateBase *)
0x54d10b68 [chrome.dll] MessageLoop::RunTask(base::PendingTask const &)
0x54d108cf [chrome.dll] MessageLoop::DoWork()
0x54d10fab [chrome.dll] base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x54d1059a [chrome.dll] MessageLoop::RunInternal()
0x54d104f2 [chrome.dll] base::RunLoop::Run()
0x54d3f887 [chrome.dll] MessageLoop::Run()
0x54d5c9a7 [chrome.dll] RendererMain(content::MainFunctionParams const &)
0x54cf864c [chrome.dll] content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x54cf85d3 [chrome.dll] content::ContentMainRunnerImpl::Run()
0x54cea5fc [chrome.dll] content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x54cea588 [chrome.dll] ChromeMain
0x00f1510d [chrome.exe] MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00f17933 [chrome.exe] RunChrome(HINSTANCE__ *)
0x00f1799e [chrome.exe] wWinMain
0x00f702ec [chrome.exe] crt0.c:275 __tmainCRTStartup
0x7609ed6b [kernel32.dll + 0x0004ed6b] BaseThreadInitThunk
0x7707377a [ntdll.dll + 0x0006377a] __RtlUserThreadStart
0x7707374d [ntdll.dll + 0x0006374d] _RtlUserThreadStart
Hmm, NPObjectStub outlives the page's context. Why? Is this expected?

Comment 3 by, Oct 2 2012

NPAPI plugin interactions w/ the renderer behave like normal function calls, so IPCs can be nested (in both directions); in this case I think the plugin is making a call to an object, and that call is causing things to be torn down, including the V8 context, but the call is then returning another object; by the time we come to wrap it for return to the plugin it's effectively dead.
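The re-entrancy Comment 3 describes, modelled as an added C++ example (not WebKit's code and not the fix that later landed in WebKit): a plugin invoke whose script-side method tears down the window's per-context data, after which the returned object must not be wrapped for the plugin. `DOMWindowModel`, `PerContextData`, `createScriptObject`, `invokeFromPlugin` and `scenario` are hypothetical stand-ins for the frames in the stack above.

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical model, not WebKit code: the per-context data that V8 wrappers
// need, owned by the window and destroyed when the document leaves its frame.
struct PerContextData {
    std::vector<std::string> wrappers;  // NP wrappers created for this context
};

struct DOMWindowModel {
    std::unique_ptr<PerContextData> perContextData;  // null once torn down
    void tearDown() { perContextData.reset(); }
};

struct NPVariantModel {
    bool isObject = false;
    std::string objectName;
};

// Stand-in for npCreateV8ScriptObject: wrapping a V8 object for the plugin
// needs live per-context data. The crash path used it unconditionally; here a
// torn-down context yields "no object" (a void variant) instead.
bool createScriptObject(DOMWindowModel& window, const std::string& name,
                        NPVariantModel* out) {
    if (!window.perContextData)
        return false;  // context already destroyed by a nested call
    window.perContextData->wrappers.push_back(name);
    out->isObject = true;
    out->objectName = name;
    return true;
}

// Stand-in for _NPN_Invoke: the plugin calls a script method over a nested IPC.
// That method may navigate the document away (tearing down the window) and
// still return an object, which convertV8ObjectToNPVariant then has to wrap.
bool invokeFromPlugin(DOMWindowModel& window, bool scriptNavigatesAway,
                      NPVariantModel* result) {
    if (scriptNavigatesAway)
        window.tearDown();  // document no longer displayed in a frame
    const std::string returned = "resultObject";  // constructed return value
    // The window was valid before the call; it must be re-checked after it.
    return createScriptObject(window, returned, result);
}

// Runs one invoke against a fresh window; true if the plugin got an object back.
bool scenario(bool scriptNavigatesAway) {
    DOMWindowModel window;
    window.perContextData.reset(new PerContextData());
    NPVariantModel result;
    return invokeFromPlugin(window, scriptNavigatesAway, &result) && result.isObject;
}
```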
Any updates?

Comment 6 by, Oct 29 2012

Could we please have some movement in the WebKit bug? Thank you!

Comment 7 by, Oct 29 2012

Labels: ReleaseBlock-Stable
Been swamped by a continuous stream of bugs. Will go back to this tonight/tomorrow. Thanks.
Labels: Feature-Apps-BrowserTag Iteration-69
Adding feature-apps-browsertag label so I don't miss it.
Labels: Iteration-70
Bulk moving open items that are actively being worked on to Iteration-70

Comment 12 by, Nov 26 2012

Updates so far:
I haven't been successful in reproducing this on Windows (or GTK) from the crash report URLs.
I also tried to write a plugin LayoutTest that can provide empty perContextData in NPNInvoke (related to Fady's WebKit CL), but it is not working either. (Reference: according to abarth@, we should be able to get empty perContextData by calling <object>.NPNInvoke from a document which is no longer displayed in a frame.)
While working on this, I've found a couple of other potential bugs (that crash the renderer); one of them is related to this code, but does not exactly seem to be the cause of the problem: it has to do with colliding hash keys for V8 NP objects.
I'll update after I am able to chat w/ abarth@ about this further.

Comment 13 by, Nov 27 2012

I have a webkit LayoutTest that can reproduce this bug now. Patch uploaded to existing issue:

Comment 14 by, Nov 27 2012

Labels: webkit-id-98448
Status: Started
Project Member

Comment 16 by, Nov 27 2012

Labels: -webkit-id-98448 WebKit-ID-98448-NEW WebKit-Rev-135804
Summary: Chrome: Crash Report - Stack Signature: WebCore::npCreateV8ScriptObject(_NPP *,v8::...
Labels: Merge-Requested
Status: Fixed
Verified following with TestNetscapePlugin and my sample page:

(Windows builds)
r169963, version 25.0.1338.0 (webkit r135920): No crash.
r169641, version 25.0.1337.0 (webkit r135721): Crashes.

Requesting merge.

Comment 19 by, Nov 28 2012

Labels: -Merge-Requested Merge-Approved

Comment 20 by, Nov 28 2012

Labels: -Merge-Approved Merge-Merged-1312
Could you please provide us with the sample URL so that it will be easier for the QA team to reproduce it?

Merging this fix into 1312 introduced a regression.  See for more details.

I've already patched the regression upstream in WebKit as  Can someone please tag appropriately to be merged into 1312 as well?

Project Member

Comment 23 by, Mar 10 2013

Labels: -Mstone-24 -Area-WebKit -Feature-Apps-BrowserTag Cr-Content Cr-Platform-Apps-BrowserTag M-24
Project Member

Comment 24 by, Apr 5 2013

Labels: -Cr-Content Cr-Blink
