Issue 153376

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug




Chrome: Crash Report - Stack Signature: WebCore::npCreateV8ScriptObject(_NPP *,v8::...

Project Member Reported by dharani@google.com, Oct 1 2012

Issue description

This started from 24.0.1281.2. It could be due to http://trac.webkit.org/changeset/129933

Product: Chrome
Stack Signature: WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)-40CF904
New Signature Label: WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)
New Signature Hash: 07144722_b4de80e5_9c982c26_ba83ce24_6f23b627

Report link: http://go/crash/reportdetail?reportid=b5cb51aff83e2edd

Meta information:
Product Name: Chrome
Product Version: 24.0.1283.0
Report ID: b5cb51aff83e2edd
Report Time: 2012/10/01 16:35:58, Mon
Uptime: 7 sec
Cumulative Uptime: 0 sec
OS Name: Windows NT
OS Version: 6.1.7601 Service Pack 1
CPU Architecture: x86
CPU Info: GenuineIntel family 6 model 23 stepping 10
ptype: renderer

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000028 )

0x54fb8b7a	 [chrome.dll]	 - npv8object.cpp:149 (cs|src|ann)]	WebCore::npCreateV8ScriptObject(_NPP *,v8::Handle<v8::Object>,WebCore::DOMWindow *)
0x54fb82bb	 [chrome.dll]	 - v8nputils.cpp:72 (cs|src|ann)]	WebCore::convertV8ObjectToNPVariant(v8::Local<v8::Value>,NPObject *,_NPVariant *)
0x5555f934	 [chrome.dll]	 - npv8object.cpp:234 (cs|src|ann)]	_NPN_Invoke
0x5662fb3a	 [chrome.dll]	 - npobject_stub.cc:183 (cs|src|ann)]	NPObjectStub::OnInvoke(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)
0x5662f661	 [chrome.dll]	 - tuple.h:746 (cs|src|ann)]	DispatchToMethod<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> >,IPC::Message &>(NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *),Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,Tuple1<IPC::Message &> *)
0x56630118	 [chrome.dll]	 - ipc_message_utils.h:875 (cs|src|ann)]	IPC::SyncMessageSchema<Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > >,Tuple2<NPVariant_Param &,bool &> >::DispatchDelayReplyWithSendParams<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(bool,Tuple3<bool,NPIdentifier_Param,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > > const &,IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x566302d7	 [chrome.dll]	 - plugin_messages.h:490 (cs|src|ann)]	NPObjectMsg_Invoke::DispatchDelayReply<NPObjectStub,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *)>(IPC::Message const *,NPObjectStub *,void ( NPObjectStub::*)(bool,NPIdentifier_Param const &,std::vector<NPVariant_Param,std::allocator<NPVariant_Param> > const &,IPC::Message *))
0x5663065b	 [chrome.dll]	 - npobject_stub.cc:93 (cs|src|ann)]	NPObjectStub::OnMessageReceived(IPC::Message const &)
0x54dc55fc	 [chrome.dll]	 - message_router.cc:47 (cs|src|ann)]	MessageRouter::RouteMessage(IPC::Message const &)
0x5662ef83	 [chrome.dll]	 - np_channel_base.cc:174 (cs|src|ann)]	NPChannelBase::OnMessageReceived(IPC::Message const &)
0x54d3860a	 [chrome.dll]	 - ipc_channel_proxy.cc:261 (cs|src|ann)]	IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const &)
0x54d0e8be	 [chrome.dll]	 - bind_internal.h:1256 (cs|src|ann)]	base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void ( notifier::NonBlockingPushClient::Core::*)(std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &),void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> >)>,void (notifier::NonBlockingPushClient::Core *,std::vector<notifier::Subscription,std::allocator<notifier::Subscription> > const &)>::Run(base::internal::BindStateBase *)
0x54d10b68	 [chrome.dll]	 - message_loop.cc:470 (cs|src|ann)]	MessageLoop::RunTask(base::PendingTask const &)
0x54d108cf	 [chrome.dll]	 - message_loop.cc:661 (cs|src|ann)]	MessageLoop::DoWork()
0x54d10fab	 [chrome.dll]	 - message_pump_default.cc:28 (cs|src|ann)]	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x54d1059a	 [chrome.dll]	 - message_loop.cc:427 (cs|src|ann)]	MessageLoop::RunInternal()
0x54d104f2	 [chrome.dll]	 - run_loop.cc:45 (cs|src|ann)]	base::RunLoop::Run()
0x54d3f887	 [chrome.dll]	 - message_loop.cc:307 (cs|src|ann)]	MessageLoop::Run()
0x54d5c9a7	 [chrome.dll]	 - renderer_main.cc:239 (cs|src|ann)]	RendererMain(content::MainFunctionParams const &)
0x54cf864c	 [chrome.dll]	 - content_main_runner.cc:441 (cs|src|ann)]	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x54cf85d3	 [chrome.dll]	 - content_main_runner.cc:734 (cs|src|ann)]	content::ContentMainRunnerImpl::Run()
0x54cea5fc	 [chrome.dll]	 - content_main.cc:35 (cs|src|ann)]	content::ContentMain(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *,content::ContentMainDelegate *)
0x54cea588	 [chrome.dll]	 - chrome_main.cc:28 (cs|src|ann)]	ChromeMain
0x00f1510d	 [chrome.exe]	 - client_util.cc:440 (cs|src|ann)]	MainDllLoader::Launch(HINSTANCE__ *,sandbox::SandboxInterfaceInfo *)
0x00f17933	 [chrome.exe]	 - chrome_exe_main_win.cc:76 (cs|src|ann)]	RunChrome(HINSTANCE__ *)
0x00f1799e	 [chrome.exe]	 - chrome_exe_main_win.cc:92 (cs|src|ann)]	wWinMain
0x00f702ec	 [chrome.exe]	 - crt0.c:275]	__tmainCRTStartup
0x7609ed6b	 [kernel32.dll]	 + 0x0004ed6b]	BaseThreadInitThunk
0x7707377a	 [ntdll.dll]	 + 0x0006377a]	__RtlUserThreadStart
0x7707374d	 [ntdll.dll]	 + 0x0006374d]	_RtlUserThreadStart
 
Cc: w...@chromium.org
Hmm, NPObjectStub outlives the page's context. Why? Is this expected?

Comment 3 by w...@chromium.org, Oct 2 2012

NPAPI plugin interactions w/ the renderer behave like normal function calls, so IPCs can be nested (in both directions); in this case I think the plugin is making a call to an object, and that call is causing things to be torn down, including the V8 context, but the call is then returning another object; by the time we come to wrap it for return to the plugin it's effectively dead.
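The reentrancy hazard comment 3 describes, as an added model that is not Chromium or WebKit code and is not the fix landed in WebKit bug 98448: a plugin invoke re-enters the page, the page tears down its context (here a hypothetical `Frame` owning a `PerContextData`, standing in for the V8 context and its per-context data) during the call, and the call still returns an object that has to be wrapped for the plugin. The wrapping step refuses to wrap once the context data is gone, which is the defensive shape that turns the reported access violation into a null return. All names (`Frame`, `PerContextData`, `npnInvoke`, `createScriptObject`) are assumptions for the illustration.

```cpp
#include <functional>
#include <memory>
#include <string>

// Hypothetical model of the lifetime hazard from comment 3 (not Chromium/WebKit code).

// Stands in for V8PerContextData: owned by the frame, freed on teardown.
struct PerContextData {
    int wrappedObjects = 0;
};

// Stands in for the frame/DOMWindow the NPObjectStub still points at.
// After tearDown() the stub's pointer is still valid but the context data is gone.
struct Frame {
    std::unique_ptr<PerContextData> contextData = std::make_unique<PerContextData>();
    void tearDown() { contextData.reset(); }
};

// A value returned by the page to the plugin; only objects need wrapping.
struct ScriptValue {
    bool isObject = false;
    std::string name;
};

// The wrapper handed back across IPC (stands in for an NPObject).
struct WrappedObject {
    std::string name;
};

// Wrap a script object for the plugin. This is the step that crashed in the
// report (npCreateV8ScriptObject reading through a dead context); here the
// guard fails closed instead of dereferencing missing per-context data.
std::unique_ptr<WrappedObject> createScriptObject(Frame& frame, const ScriptValue& v) {
    if (!v.isObject)
        return nullptr;                           // primitives are not wrapped
    PerContextData* data = frame.contextData.get();
    if (!data)
        return nullptr;                           // context torn down mid-call: refuse to wrap
    data->wrappedObjects++;
    return std::make_unique<WrappedObject>(WrappedObject{v.name});
}

// Stands in for NPN_Invoke: runs the page-side function (which may re-enter
// and tear the frame down), then wraps whatever it returned.
// Returns true if the invoke produced a usable result for the plugin.
bool npnInvoke(Frame& frame,
               const std::function<ScriptValue(Frame&)>& pageFunction,
               std::unique_ptr<WrappedObject>* out) {
    ScriptValue result = pageFunction(frame);     // may call frame.tearDown()
    *out = createScriptObject(frame, result);
    if (result.isObject && !*out)
        return false;                             // object lost together with its context
    return true;
}

// Normal case: the page function returns an object and the context survives.
bool invokeOnLiveContext() {
    Frame frame;
    std::unique_ptr<WrappedObject> obj;
    bool ok = npnInvoke(frame, [](Frame&) {
        return ScriptValue{true, "result"};
    }, &obj);
    return ok && obj && obj->name == "result" && frame.contextData->wrappedObjects == 1;
}

// Crash scenario: the page function tears the frame down, then returns an object.
bool invokeOnTornDownContext() {
    Frame frame;
    std::unique_ptr<WrappedObject> obj;
    bool ok = npnInvoke(frame, [](Frame& f) {
        f.tearDown();                             // e.g. the document is navigated away mid-call
        return ScriptValue{true, "orphan"};
    }, &obj);
    return !ok && !obj && !frame.contextData;
}
```

The point of the model is the ordering: the lifetime check has to happen after the nested call returns, not before it is made, because the teardown happens inside the call. A layout test that drives exactly this sequence (invoke from a document that is no longer displayed in a frame, as comment 12 describes) is what makes the failure reproducible.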
any updates?

Comment 6 by dharani@google.com, Oct 29 2012

Could we please have some movement on the WebKit bug? Thank you!

Comment 7 by dharani@google.com, Oct 29 2012

Labels: ReleaseBlock-Stable
Been swamped by a continuous stream of bugs. Will go back to this tonight/tomorrow. Thanks.
Labels: Feature-Apps-BrowserTag Iteration-69
Adding feature-apps-browsertag label so I don't miss it.
Owner: lazyboy@chromium.org
Labels: Iteration-70
Bulk moving open items that are actively being worked on to Iteration-70

Comment 12 by lazyboy@google.com, Nov 26 2012

Updates so far:
I haven't been successful in reproducing this on Windows (or GTK) from the crash report URLs.
I also tried to write a plugin LayoutTest that can provide empty perContextData in NPNInvoke (related to Fady's WebKit CL https://bugs.webkit.org/show_bug.cgi?id=98448), but it is not working either. (Reference: according to abarth@, we should be able to get empty perContextData by calling <object>.NPNInvoke from a document which is no longer displayed in a frame.)
While working on this, I've found a couple of other potential bugs (that crash the renderer); one of them is related to this code, but does not exactly seem to be the cause of the problem: it has to do with colliding hash keys for V8 NP objects.
I'll update after I am able to chat w/ abarth@ about this further.


Comment 13 by lazyboy@google.com, Nov 27 2012

Update:
I have a webkit LayoutTest that can reproduce this bug now. Patch uploaded to existing issue: https://bugs.webkit.org/show_bug.cgi?id=98448

Comment 14 by dharani@google.com, Nov 27 2012

Labels: webkit-id-98448
Status: Started

Comment 16 by bugdroid1@chromium.org, Nov 27 2012

Labels: -webkit-id-98448 WebKit-ID-98448-NEW WebKit-Rev-135804
Summary: Chrome: Crash Report - Stack Signature: WebCore::npCreateV8ScriptObject(_NPP *,v8::...
https://bugs.webkit.org/show_bug.cgi?id=98448
http://trac.webkit.org/changeset/135804
Cc: ligim...@chromium.org
Labels: Merge-Requested
Status: Fixed
Verified following with TestNetscapePlugin and my sample page:

(Windows builds)
r169963, version 25.0.1338.0 (webkit r135920): No crash.
r169641, version 25.0.1337.0 (webkit r135721): Crashes.

Requesting merge.

Comment 19 by dharani@google.com, Nov 28 2012

Labels: -Merge-Requested Merge-Approved

Comment 20 by dharani@google.com, Nov 28 2012

Labels: -Merge-Approved Merge-Merged-1312
Cc: nyerramilli@chromium.org
Could you please provide us with the sample URL, so that the QA team can reproduce this more easily.

Thanks,
Narayana
Merging this fix into 1312 introduced a regression.  See http://crbug.com/165307 for more details.

I've already patched the regression upstream in WebKit as http://trac.webkit.org/changeset/137964.  Can someone please tag crbug.com/165307 appropriately to be merged into 1312 as well?

Thanks!

Comment 23 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Mstone-24 -Area-WebKit -Feature-Apps-BrowserTag Cr-Content Cr-Platform-Apps-BrowserTag M-24

Comment 24 by bugdroid1@chromium.org, Apr 5 2013

Labels: -Cr-Content Cr-Blink
