[Webkit-unassigned] [Bug 20635] New: Silverlight Beta 2 crash within JavascriptCore

bugzilla-daemon at webkit.org
Wed Sep 3 16:42:07 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=20635

           Summary: Silverlight Beta 2 crash within JavascriptCore
           Product: WebKit
           Version: 419.x
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: haok at microsoft.com


We are seeing a crash within Safari's JavaScript core using Silverlight to
invoke window.open.  This repros with a crash within 1-2 clicks in Safari 2.x;
it also repros on newer 3.x Safaris, but at a much lower frequency.

Repro attached and should repro against Silverlight Beta 2 for the Mac
(http://www.microsoft.com/silverlight/resources/install.aspx)

Looks like the JavaScript engine is dereferencing bad memory. The basic scenario
is: we get a native reference to a script object back from Safari and pass it
back into the JavaScript core for purposes of object identity. Specifically, we
are seeing a crash when we pass the window returned by a call to window.open
back to JavaScript that is simply trying to do reference equality.  Replacing
the equality with a toString on the object also crashes, so it looks like the
window reference we pass back is corrupt somehow and crashes the JavaScript
engine when it's accessed in any way.

1. Silverlight code calls window.open in JavaScript and gets back a native handle.
2. We pass that handle back into JavaScript, trying to execute:
   function ref_equality(o1, o2) { return o1 == o2; }

This causes the crash stack below (on both Safari 2.x and 3.x).

Crash log:
Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore            0x943ff478 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 360
1   com.apple.JavaScriptCore            0x943ff2fa KJS::EqualNode::evaluate(KJS::ExecState*) + 218
2   com.apple.JavaScriptCore            0x943f807e KJS::GroupNode::evaluate(KJS::ExecState*) + 14
3   com.apple.JavaScriptCore            0x94404f45 KJS::ReturnNode::execute(KJS::ExecState*) + 133
4   com.apple.JavaScriptCore            0x943f6e0b KJS::SourceElementsNode::execute(KJS::ExecState*) + 139
5   com.apple.JavaScriptCore            0x943f6601 KJS::BlockNode::execute(KJS::ExecState*) + 49
6   com.apple.JavaScriptCore            0x9440257c KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 28
7   com.apple.JavaScriptCore            0x94401f8f KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 559
8   com.apple.JavaScriptCore            0x9442d127 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 135
9   com.apple.JavaScriptCore            0x9443e02c _NPN_Invoke + 396
10  ...microsoft.SilverlightPlugin      0x1695ef7b NPWrapper::InvokeObjectMethod(NPObject*, void*, _NPVariant const*, unsigned int, _NPVariant*) + 101 (NPWrapper.cpp:140)
11  com.apple.JavaScriptCore            0x9443deea _NPN_Invoke + 74
12  ...microsoft.SilverlightPlugin      0x1694b9aa CNPBrowser::InvokeNPMethod(NPObject*, wchar_t const*, _NPVariant const*, int, _NPVariant*) + 742 (NPBrowser.cpp:2754)
13  ...microsoft.SilverlightPlugin      0x1695388f CNPBrowser::ReferenceEquals(void const*, void const*) + 169 (NPBrowser.cpp:1036)
14  ...microsoft.SilverlightPlugin      0x163c431d DOM_ReferenceEquals + 405 (PALDOM.cpp:16)
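Triage of a report like this starts with the crash log itself: which signal fired, what the faulting address was, which library crashed, and through which entry point the plugin reached it. The Python below is an added example, not part of the bug report nor code from WebKit or Silverlight: it parses the Apple crash-log excerpt above (with the wrapped frame lines rejoined so each frame is one line) and pulls those facts out. The near-NULL heuristic and the image-boundary logic are this example's own triage conventions, not anything the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Crash-log excerpt copied from the report above; each symbolicated frame on one line.
CRASH_LOG = """\
Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000008
Crashed Thread:  0

Thread 0 Crashed:
0   com.apple.JavaScriptCore            0x943ff478 KJS::equal(KJS::ExecState*, KJS::JSValue*, KJS::JSValue*) + 360
1   com.apple.JavaScriptCore            0x943ff2fa KJS::EqualNode::evaluate(KJS::ExecState*) + 218
2   com.apple.JavaScriptCore            0x943f807e KJS::GroupNode::evaluate(KJS::ExecState*) + 14
3   com.apple.JavaScriptCore            0x94404f45 KJS::ReturnNode::execute(KJS::ExecState*) + 133
4   com.apple.JavaScriptCore            0x943f6e0b KJS::SourceElementsNode::execute(KJS::ExecState*) + 139
5   com.apple.JavaScriptCore            0x943f6601 KJS::BlockNode::execute(KJS::ExecState*) + 49
6   com.apple.JavaScriptCore            0x9440257c KJS::DeclaredFunctionImp::execute(KJS::ExecState*) + 28
7   com.apple.JavaScriptCore            0x94401f8f KJS::FunctionImp::callAsFunction(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 559
8   com.apple.JavaScriptCore            0x9442d127 KJS::JSObject::call(KJS::ExecState*, KJS::JSObject*, KJS::List const&) + 135
9   com.apple.JavaScriptCore            0x9443e02c _NPN_Invoke + 396
10  ...microsoft.SilverlightPlugin      0x1695ef7b NPWrapper::InvokeObjectMethod(NPObject*, void*, _NPVariant const*, unsigned int, _NPVariant*) + 101 (NPWrapper.cpp:140)
11  com.apple.JavaScriptCore            0x9443deea _NPN_Invoke + 74
12  ...microsoft.SilverlightPlugin      0x1694b9aa CNPBrowser::InvokeNPMethod(NPObject*, wchar_t const*, _NPVariant const*, int, _NPVariant*) + 742 (NPBrowser.cpp:2754)
13  ...microsoft.SilverlightPlugin      0x1695388f CNPBrowser::ReferenceEquals(void const*, void const*) + 169 (NPBrowser.cpp:1036)
14  ...microsoft.SilverlightPlugin      0x163c431d DOM_ReferenceEquals + 405 (PALDOM.cpp:16)
"""

# One frame line:  index  image  address  symbol + offset [(file:line)]
FRAME_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s\+\s(\d+)(?:\s\((\S+:\d+)\))?\s*$")
EXC_TYPE_RE = re.compile(r"^Exception Type:\s+(\S+)\s+\((\w+)\)")
EXC_CODES_RE = re.compile(r"^Exception Codes:\s+(\S+)\s+at\s+(0x[0-9a-fA-F]+)")


@dataclass
class Frame:
    index: int
    image: str
    address: int
    symbol: str            # function name including its parameter list
    offset: int            # bytes past the start of the symbol
    source: Optional[str]  # "file.cpp:line" when the image shipped with debug info


@dataclass
class CrashReport:
    exc_type: Optional[str] = None
    signal: Optional[str] = None
    exc_code: Optional[str] = None
    fault_address: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)


def parse_crash_log(text: str) -> CrashReport:
    """Extract the exception header and the crashed thread's frames."""
    report = CrashReport()
    for line in text.splitlines():
        if m := EXC_TYPE_RE.match(line):
            report.exc_type, report.signal = m.group(1), m.group(2)
        elif m := EXC_CODES_RE.match(line):
            report.exc_code, report.fault_address = m.group(1), int(m.group(2), 16)
        elif m := FRAME_RE.match(line):
            report.frames.append(Frame(int(m.group(1)), m.group(2), int(m.group(3), 16),
                                       m.group(4), int(m.group(5)), m.group(6)))
    return report


def function_name(symbol: str) -> str:
    """'KJS::equal(KJS::ExecState*, ...)' -> 'KJS::equal'."""
    return symbol.split("(", 1)[0]


def classify_fault_address(addr: int) -> str:
    """Coarse first-pass classification of the faulting address (this example's heuristic)."""
    if addr < 0x1000:
        # The zero page is never mapped, so a fault here is a read or write through
        # a NULL (or NULL-plus-field-offset) pointer, not an access to an arbitrary address.
        return f"near-NULL dereference (offset {addr:#x} from NULL)"
    return "bad access to a non-NULL address; needs further triage (stale or freed pointer?)"


def triage(text: str) -> dict:
    """Summarise what a responder wants first: signal, address class, crash site, caller."""
    report = parse_crash_log(text)
    crash = report.frames[0]
    # Walk down the stack to the first frame from a different image: that is the
    # component which called into the crashing library, and the frame just above
    # it is the entry point (here an NPAPI call) that it went through.
    pos = next((i for i, f in enumerate(report.frames) if f.image != crash.image), None)
    caller = report.frames[pos] if pos is not None else None
    entry = report.frames[pos - 1] if pos is not None else None
    return {
        "signal": report.signal,
        "fault_address": report.fault_address,
        "fault_class": classify_fault_address(report.fault_address),
        "crashing_image": crash.image,
        "crashing_function": function_name(crash.symbol),
        "entry_from_caller": function_name(entry.symbol) if entry else None,
        "caller_image": caller.image if caller else None,
        "caller_source": caller.source if caller else None,
    }


if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        print(f"{key:>18}: {value}")
```

On the report's own log this yields SIGBUS at 0x8 (a near-NULL field read, so the first hypothesis is a cleared or never-initialised pointer inside the object rather than a controlled address), a crash site of KJS::equal inside JavaScriptCore, and the plugin reaching it through _NPN_Invoke from NPWrapper.cpp:140. That is the information needed to decide where to add instrumentation before trying to narrow down how the window reference became invalid.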

