[Webkit-unassigned] [Bug 27769] New: Chromium crashes in the V8 bindings code when the page is being torn down

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 28 09:46:11 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=27769

           Summary: Chromium crashes in the V8 bindings code when the page
                    is being torn down
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptGlue
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ananta at chromium.org


This is a chromium specific issue.

The Chromium bug is http://code.google.com/p/chromium/issues/detail?id=17710

Call stack as below:

The crash happens because the WebCore::V8Proxy::createNewContext function
dereferences the activeDocumentLoader pointer in the FrameLoader object, as
below:

m_frame->loader()->activeDocumentLoader()->url().protocol()

This pointer is set to NULL in the WebCore::FrameLoader::detachFromParent
function by a call to setDocumentLoader(0).

The fix should be to add a NULL check for the activeDocumentLoader pointer in
the WebCore::V8Proxy::createNewContext function.

I will upload a patch for this.
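As an added illustration (not the reporter's patch and not WebKit code), a constructed C++ model of the ordering visible in the stack: the loader is reset during detachFromParent, and the plugin teardown that follows calls back into createNewContext. Names mirror the stack frames but the bodies are simplified assumptions; the unchecked form reports the null dereference instead of crashing, and the checked form applies the NULL check the report proposes.

```cpp
#include <string>

// Constructed model of bug 27769's teardown order; not WebKit's code.
struct DocumentLoader {
    std::string protocol;   // stand-in for url().protocol()
};

struct FrameLoader {
    DocumentLoader* m_documentLoader = nullptr;
    DocumentLoader* activeDocumentLoader() const { return m_documentLoader; }
    void setDocumentLoader(DocumentLoader* l) { m_documentLoader = l; }
};

struct ContextResult {
    bool created;          // a V8 context was created
    bool nullDereference;  // the unchecked code would have crashed here
    std::string protocol;
};

// Models V8Proxy::createNewContext as reported: during detachFromParent the
// loader is already 0, so activeDocumentLoader()->url() reads through null.
// The model flags that instead of faulting.
ContextResult createNewContextUnchecked(const FrameLoader& loader) {
    DocumentLoader* dl = loader.activeDocumentLoader();
    if (!dl)
        return {false, true, ""};   // real code: crash in ResourceRequestBase::url
    return {true, false, dl->protocol};
}

// Hardened form with the NULL check the report proposes: no loader means the
// frame is being torn down, so no context is created and nothing is read.
ContextResult createNewContextChecked(const FrameLoader& loader) {
    DocumentLoader* dl = loader.activeDocumentLoader();
    if (!dl)
        return {false, false, ""};
    return {true, false, dl->protocol};
}

// Replays the stack: WebViewImpl::close -> FrameLoader::detachFromParent
// (loader set to 0) -> Document::detach destroys the plugin -> the plugin's
// NPN_GetProperty asks V8Proxy for a context.
ContextResult teardownAndQueryPlugin(bool useChecked) {
    DocumentLoader doc{"http"};   // constructed sample loader
    FrameLoader loader;
    loader.setDocumentLoader(&doc);
    loader.setDocumentLoader(nullptr);   // FrameLoader::detachFromParent
    return useChecked ? createNewContextChecked(loader)
                      : createNewContextUnchecked(loader);  // plugin callback
}

// A frame that still owns its loader behaves as before with the check in place.
bool liveFrameCreatesContext() {
    DocumentLoader doc{"https"};
    FrameLoader loader;
    loader.setDocumentLoader(&doc);
    ContextResult r = createNewContextChecked(loader);
    return r.created && !r.nullDereference && r.protocol == "https";
}
```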


chrome_23a0000!WebCore::ResourceRequestBase::url+0x2 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\platform\network\resourcerequestbase.cpp @ 106]
chrome_23a0000!WebCore::V8Proxy::createNewContext+0xd8 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 896]
chrome_23a0000!WebCore::V8Proxy::initContextIfNeeded+0x77 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 995]
chrome_23a0000!WebCore::V8Proxy::context+0x3e [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8proxy.cpp @ 1114]
chrome_23a0000!WebCore::toV8Context+0x17 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\v8helpers.cpp @ 49]
chrome_23a0000!NPN_GetProperty+0x38 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\bindings\v8\npv8object.cpp @ 283]
chrome_23a0000!NPObjectStub::OnGetProperty+0x68 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\npobject_stub.cc @ 196]
chrome_23a0000!IPC::MessageWithReply<Tuple1<NPIdentifier_Param>,Tuple2<NPVariant_Param &,bool &> >::Dispatch<NPObjectStub,void (__thiscall NPObjectStub::*)(NPIdentifier_Param const &,NPVariant_Param *,bool *)>+0x91 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_message_utils.h @ 1136]
chrome_23a0000!NPObjectStub::OnMessageReceived+0x126 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\npobject_stub.cc @ 67]
chrome_23a0000!MessageRouter::RouteMessage+0x34 [c:\b\slave\chromium-rel-xp\build\src\chrome\common\message_router.cc @ 41]
chrome_23a0000!PluginChannelBase::OnMessageReceived+0x48 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\plugin_channel_base.cc @ 112]
chrome_23a0000!IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages+0x12c [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 107]
chrome_23a0000!IPC::SyncChannel::WaitForReply+0x79 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 415]
chrome_23a0000!IPC::SyncChannel::SendWithTimeout+0x162 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 398]
chrome_23a0000!IPC::SyncChannel::Send+0x10 [c:\b\slave\chromium-rel-xp\build\src\ipc\ipc_sync_channel.cc @ 362]
chrome_23a0000!PluginChannelBase::Send+0x68 [c:\b\slave\chromium-rel-xp\build\src\chrome\plugin\plugin_channel_base.cc @ 95]
chrome_23a0000!WebPluginDelegateProxy::Send+0x37 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\webplugin_delegate_proxy.cc @ 294]
chrome_23a0000!WebPluginDelegateProxy::PluginDestroyed+0x78 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\webplugin_delegate_proxy.cc @ 211]
chrome_23a0000!WebPluginImpl::TearDownPluginInstance+0x3f [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webplugin_impl.cc @ 1385]
chrome_23a0000!WebPluginContainer::~WebPluginContainer+0x1d [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webplugin_impl.cc @ 177]
chrome_23a0000!WebPluginContainer::`scalar deleting destructor'+0xb
chrome_23a0000!WebCore::RenderWidget::clearWidget+0x2b [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderwidget.cpp @ 279]
chrome_23a0000!WebCore::RenderPart::~RenderPart+0x15 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderpart.cpp @ 42]
chrome_23a0000!WebCore::RenderPartObject::`scalar deleting destructor'+0x27
chrome_23a0000!WebCore::RenderObject::arenaDelete+0x80 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderobject.cpp @ 1882]
chrome_23a0000!WebCore::RenderWidget::destroy+0x117 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\rendering\renderwidget.cpp @ 97]
chrome_23a0000!WebCore::Node::detach+0x19 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\node.cpp @ 1169]
chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587]
chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587]
chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587]
chrome_23a0000!WebCore::ContainerNode::detach+0x1c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\containernode.cpp @ 587]
chrome_23a0000!WebCore::Document::detach+0xc0 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\dom\document.cpp @ 1359]
chrome_23a0000!WebCore::Frame::setView+0x31 [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\page\frame.cpp @ 232]
chrome_23a0000!WebCore::FrameLoader::detachFromParent+0x12c [c:\b\slave\chromium-rel-xp\build\src\third_party\webkit\webcore\loader\frameloader.cpp @ 3524]
chrome_23a0000!WebViewImpl::close+0x1f [c:\b\slave\chromium-rel-xp\build\src\webkit\glue\webview_impl.cc @ 943]
chrome_23a0000!RenderWidget::Close+0x10 [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\render_widget.cc @ 651]
chrome_23a0000!MessageLoop::RunTask+0x7e [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 314]
chrome_23a0000!MessageLoop::DoWork+0x1ea [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 436]
chrome_23a0000!base::MessagePumpDefault::Run+0x111 [c:\b\slave\chromium-rel-xp\build\src\base\message_pump_default.cc @ 50]
chrome_23a0000!MessageLoop::RunInternal+0xb7 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 198]
chrome_23a0000!MessageLoop::RunHandler+0xa0 [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 182]
chrome_23a0000!MessageLoop::Run+0x3d [c:\b\slave\chromium-rel-xp\build\src\base\message_loop.cc @ 156]
chrome_23a0000!RendererMain+0x40f [c:\b\slave\chromium-rel-xp\build\src\chrome\renderer\renderer_main.cc @ 151]
chrome_23a0000!ChromeMain+0x608 [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_dll_main.cc @ 486]
chrome!wWinMain+0x2fd [c:\b\slave\chromium-rel-xp\build\src\chrome\app\chrome_exe_main.cc @ 102]
chrome!__tmainCRTStartup+0x176 [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c @ 324]
WARNING: Stack unwind information not available. Following frames may be wrong.
kernel32!RegisterWaitForInputIdle+0x49
