[Webkit-unassigned] [Bug 20635] New: Silverlight Beta 2 crash within JavascriptCore
bugzilla-daemon at webkit.org
Wed Sep 3 16:42:07 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=20635
Summary: Silverlight Beta 2 crash within JavascriptCore
Product: WebKit
Version: 419.x
Platform: Macintosh
OS/Version: Mac OS X 10.4
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: haok at microsoft.com
We are seeing a crash within Safari's JavaScript core using Silverlight to
invoke window.open. This repros with a crash within 1-2 clicks in Safari 2.x;
it also repros on newer 3.x Safaris, but at a much lower frequency.
Repro attached and should repro against Silverlight Beta 2 for the Mac
(http://www.microsoft.com/silverlight/resources/install.aspx)
Looks like the JavaScript engine is dereferencing bad memory. The basic scenario
is that we get a native reference to a script object which we get back from Safari,
and we are passing it back into the JavaScript core for purposes of object
identity. Specifically, we are seeing a crash when we pass back a resulting
window from a call to window.open to JavaScript which is simply trying to do
reference equality. Replacing equality with a toString on the object also
crashes, so it looks like the window reference we pass back is corrupt somehow
and crashes the JavaScript engine when it's accessed in any way.
1. Silverlight code calls window.open in JavaScript and gets back a native handle.
2. We pass that handle back into JavaScript, trying to execute in JavaScript:
function ref_equality(o1, o2) { return o1 == o2; }
This causes the crash stack below (on both Safari 2.x and 3.x...).
Crash log:
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008
Crashed Thread: 0
Thread 0 Crashed:
0 com.apple.JavaScriptCore 0x943ff478 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 360
1 com.apple.JavaScriptCore 0x943ff2fa KJS::EqualNode::evaluate(KJS::ExecState*) + 218
2 com.apple.JavaScriptCore 0x943f807e KJS::GroupNode::evaluate(KJS::ExecState*) + 14
3 com.apple.JavaScriptCore 0x94404f45 KJS::ReturnNode::execute(KJS::ExecState*) + 133
4 com.apple.JavaScriptCore 0x943f6e0b KJS::SourceElementsNode::execute(KJS::ExecState*) + 139
5 com.apple.JavaScriptCore 0x943f6601 KJS::BlockNode::execute(KJS::ExecState*) + 49
6 com.apple.JavaScriptCore 0x9440257c KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 28
7 com.apple.JavaScriptCore 0x94401f8f KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 559
8 com.apple.JavaScriptCore 0x9442d127 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 135
9 com.apple.JavaScriptCore 0x9443e02c _NPN_Invoke + 396
10 ...microsoft.SilverlightPlugin 0x1695ef7b NPWrapper::InvokeObjectMethod(NPObject*, void*, _NPVariant const*, unsigned int, _NPVariant*) + 101 (NPWrapper.cpp:140)
11 com.apple.JavaScriptCore 0x9443deea _NPN_Invoke + 74
12 ...microsoft.SilverlightPlugin 0x1694b9aa CNPBrowser::InvokeNPMethod(NPObject*, wchar_t const*, _NPVariant const*, int, _NPVariant*) + 742 (NPBrowser.cpp:2754)
13 ...microsoft.SilverlightPlugin 0x1695388f CNPBrowser::ReferenceEquals(void const*, void const*) + 169 (NPBrowser.cpp:1036)
14 ...microsoft.SilverlightPlugin 0x163c431d DOM_ReferenceEquals + 405 (PALDOM.cpp:16)