[Webkit-unassigned] [Bug 30984] New: Extensive use of Javascript to communicate between two Flash objects crashes WebKit

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Oct 31 16:46:44 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=30984

           Summary: Extensive use of Javascript to communicate between two
                    Flash objects crashes WebKit
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Macintosh Intel
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Plug-ins
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: edenli+webkit at gmail.com


The dump shows that it crashes in WKPCIdentifierInfo.  It appears
IdentifierRep::isValid is being passed a NULL identifier which causes an
EXC_BAD_ACCESS exception.  A Google search reveals that current Snow Leopard
users are running into this same crash:
http://discussions.apple.com/thread.jspa?messageID=10438485

In this case there are two Flash objects loaded on a web page and they make
100-200 ExternalInterface calls.  Each call triggers a Javascript bridging
object to pass the data it received into the other Flash object.  It works fine
most of the time, but one in 10 loads of the same page will cause WebKit to
crash at the same point.

The same WebKit build on OSX 10.5 does not cause a crash, nor does a crash
occur in any other browser I tested.

Here's the backtrace from a gdb session on a debug build:

#0  0x0000000101269270 in WTF::HashTable<WebCore::IdentifierRep*,
WebCore::IdentifierRep*, WTF::IdentityExtractor<WebCore::IdentifierRep*>,
WTF::PtrHash<WebCore::IdentifierRep*>,
WTF::HashTraits<WebCore::IdentifierRep*>,
WTF::HashTraits<WebCore::IdentifierRep*> >::checkKey<WebCore::IdentifierRep*,
WTF::IdentityHashTranslator<WebCore::IdentifierRep*, WebCore::IdentifierRep*,
WTF::PtrHash<WebCore::IdentifierRep*> > > (this=0x11ae45a90,
key=@0x7fff5fbfc988) at HashTable.h:455
#1  0x0000000101269325 in WTF::HashTable<WebCore::IdentifierRep*,
WebCore::IdentifierRep*, WTF::IdentityExtractor<WebCore::IdentifierRep*>,
WTF::PtrHash<WebCore::IdentifierRep*>,
WTF::HashTraits<WebCore::IdentifierRep*>,
WTF::HashTraits<WebCore::IdentifierRep*> >::lookup<WebCore::IdentifierRep*,
WTF::IdentityHashTranslator<WebCore::IdentifierRep*, WebCore::IdentifierRep*,
WTF::PtrHash<WebCore::IdentifierRep*> > > (this=0x11ae45a90,
key=@0x7fff5fbfc988) at HashTable.h:469
#2  0x000000010126940c in WTF::HashTable<WebCore::IdentifierRep*,
WebCore::IdentifierRep*, WTF::IdentityExtractor<WebCore::IdentifierRep*>,
WTF::PtrHash<WebCore::IdentifierRep*>,
WTF::HashTraits<WebCore::IdentifierRep*>,
WTF::HashTraits<WebCore::IdentifierRep*> >::contains<WebCore::IdentifierRep*,
WTF::IdentityHashTranslator<WebCore::IdentifierRep*, WebCore::IdentifierRep*,
WTF::PtrHash<WebCore::IdentifierRep*> > > (this=0x11ae45a90,
key=@0x7fff5fbfc988) at HashTable.h:794
#3  0x000000010126943b in WTF::HashTable<WebCore::IdentifierRep*,
WebCore::IdentifierRep*, WTF::IdentityExtractor<WebCore::IdentifierRep*>,
WTF::PtrHash<WebCore::IdentifierRep*>,
WTF::HashTraits<WebCore::IdentifierRep*>,
WTF::HashTraits<WebCore::IdentifierRep*> >::contains (this=0x11ae45a90,
key=@0x7fff5fbfc988) at HashTable.h:325
#4  0x000000010126945d in WTF::HashSet<WebCore::IdentifierRep*,
WTF::PtrHash<WebCore::IdentifierRep*>, WTF::HashTraits<WebCore::IdentifierRep*>
>::contains (this=0x11ae45a90, value=@0x7fff5fbfc988) at HashSet.h:178
#5  0x000000010126872b in WebCore::IdentifierRep::isValid (identifier=0x0) at
/Users/eden/WebKit/WebCore/bridge/IdentifierRep.cpp:108
#6  0x00000001002e1fe1 in WKPCIdentifierInfo (clientPort=39939,
serverIdentifier=0, infoData=0x7fff5fbfcacc, infoLength=0x7fff5fbfcae4) at
/Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.mm:826
#7  0x000000010038ef76 in _XPCIdentifierInfo (InHeadP=0x7fff5fbfcb20,
OutHeadP=0x7fff5fbfcab0) at
/Users/eden/WebKit/WebKitBuild/WebKit.build/Debug/WebKit.build/DerivedSources/x86_64/WebKitPluginClientServer.c:6998
#8  0x000000010038e17d in WebKitPluginClient_server (InHeadP=0x7fff5fbfcb20,
OutHeadP=0x7fff5fbfcab0) at
/Users/eden/WebKit/WebKitBuild/WebKit.build/Debug/WebKit.build/DerivedSources/x86_64/WebKitPluginClientServer.c:9634
#9  0x00000001002e5544 in WebKit::NetscapePluginHostProxy::processRequests
(this=0x11aef0c60) at
/Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.mm:291
#10 0x00000001002ef0d6 in
WebKit::NetscapePluginInstanceProxy::processRequestsAndWaitForReply
(this=0x11b2e2560, requestID=46) at
/Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm:637
#11 0x0000000100304adb in
WebKit::NetscapePluginInstanceProxy::waitForReply<WebKit::NetscapePluginInstanceProxy::BooleanAndDataReply>
(this=0x11b2e2560, requestID=46) at NetscapePluginInstanceProxy.h:252
#12 0x000000010030701b in WebKit::ProxyInstance::invoke (this=0x11b29b110,
exec=0x11a693218, type=Invoke, identifier=0, args=@0x7fff5fbfdde0) at
/Users/eden/WebKit/WebKit/mac/Plugins/Hosted/ProxyInstance.mm:150
#13 0x0000000100307241 in WebKit::ProxyInstance::invokeMethod
(this=0x11b29b110, exec=0x11a693218, methodList=@0x11ac81780,
args=@0x7fff5fbfdde0) at
/Users/eden/WebKit/WebKit/mac/Plugins/Hosted/ProxyInstance.mm:163
#14 0x00000001016da190 in JSC::callRuntimeMethod (exec=0x11a693218,
function=0x11b4621c0, thisValue={m_ptr = 0x11b088f80}, args=@0x7fff5fbfdde0) at
/Users/eden/WebKit/WebCore/bridge/runtime_method.cpp:114
#15 0x000000010088a3f0 in cti_op_call_NotJSFunction (args=0x7fff5fbfdec0) at
/Users/eden/WebKit/JavaScriptCore/jit/JITStubs.cpp:1615
#16 0x00000001008836c3 in WTF::doubleHash (key=Could not find the frame base
for "WTF::doubleHash(unsigned int)".
) at HashTable.h:437
#17 0x0000000100867e34 in JSC::JITCode::execute (this=0x11aff9158,
registerFile=0x11a0246b8, callFrame=0x11a693048, globalData=0x106912000,
exception=0x7fff5fbfe140) at JITCode.h:79
#18 0x0000000100854ea9 in JSC::Interpreter::execute (this=0x11a0246a0,
program=0x11aff9140, callFrame=0x11b285ff8, scopeChain=0x11aebe9a0,
thisObj=0x11adbec80, exception=0x7fff5fbfe140) at
/Users/eden/WebKit/JavaScriptCore/interpreter/Interpreter.cpp:613
#19 0x0000000100815b8c in JSC::evaluate (exec=0x11b285ff8,
scopeChain=@0x11b285fb0, source=@0x7fff5fbfe210, thisValue={m_ptr = 0x0}) at
/Users/eden/WebKit/JavaScriptCore/runtime/Completion.cpp:60
#20 0x00000001002eee57 in WebKit::NetscapePluginInstanceProxy::evaluate
(this=0x11ac454e0, objectID=182, script=@0x7fff5fbfe320,
resultData=@0x7fff5fbfe318, resultLength=@0x7fff5fbfe34c, allowPopups=false) at
/Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm:714
#21 0x00000001002e427a in WKPCEvaluate (clientPort=39939, pluginID=13,
requestID=230, objectID=182, scriptData=0x106205000 "try {
__flash__toXML(jslc.execCall(\"_continuous_play_1256939116878\",\"messageHandler\",\"_SlaveCP_LcName_1256939519590\",\"ConnectRequest\",({lcid:\"_SlaveCP_LcName_1256939519590\"})))
; } catch (e) { \"<undef"..., scriptLength=210, allowPopups=0) at
/Users/eden/WebKit/WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.mm:553
#22 0x000000010038fdcd in _XPCEvaluate (InHeadP=0x7fff5fbfe590,
OutHeadP=0x7fff5fbfe3d0) at
/Users/eden/WebKit/WebKitBuild/WebKit.build/Debug/WebKit.build/DerivedSources/x86_64/WebKitPluginClientServer.c:4432
#23 0x00007fff86406365 in mshMIGPerform ()
#24 0x00007fff86cb5f84 in __CFRunLoopDoSource1 ()
#25 0x00007fff86c8e64d in __CFRunLoopRun ()
#26 0x00007fff86c8d03f in CFRunLoopRunSpecific ()
#27 0x00007fff81ab4c4e in RunCurrentEventLoopInMode ()
#28 0x00007fff81ab4a53 in ReceiveNextEventCommon ()
#29 0x00007fff81ab490c in BlockUntilNextEventMatchingListInMode ()
#30 0x00007fff85195520 in _DPSNextEvent ()
#31 0x00007fff85194e89 in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#32 0x000000010000bcf0 in ?? ()
#33 0x00007fff8515aa7d in -[NSApplication run] ()
#34 0x00007fff85153798 in NSApplicationMain ()
#35 0x0000000100001d0c in ?? ()

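The crashing frames show a null identifier (identifier=0x0 in frame #5, serverIdentifier=0 in frame #6) being passed straight into a HashSet lookup; in WTF's pointer hash traits the null pointer is the empty-bucket marker, which is why checkKey (frame #0) fires. The following is an added illustration, not WebKit's code: a hypothetical stand-in registry with the same shape (a set of live identifier objects, an isValid that consults it) showing the guard that rejects a null identifier before the lookup, so an untrusted value arriving over the plug-in host IPC fails validation instead of taking down the process.

```cpp
#include <cstddef>
#include <unordered_set>

// Hypothetical stand-in for WebCore::IdentifierRep: validity means
// "this pointer is in the registry of live identifiers", as in the
// HashSet::contains call in the backtrace. Names are assumed, not WebKit's.
class IdentifierRep {
public:
    static IdentifierRep* create(int value);
    static bool isValid(IdentifierRep* identifier);
    static void destroy(IdentifierRep* identifier);
    int value() const { return m_value; }
private:
    explicit IdentifierRep(int v) : m_value(v) {}
    int m_value;
};

static std::unordered_set<IdentifierRep*>& identifierSet() {
    static std::unordered_set<IdentifierRep*> set;
    return set;
}

IdentifierRep* IdentifierRep::create(int value) {
    IdentifierRep* rep = new IdentifierRep(value);
    identifierSet().insert(rep);
    return rep;
}

bool IdentifierRep::isValid(IdentifierRep* identifier) {
    // A null identifier can never be valid. Rejecting it here, before the set
    // lookup, is the guard the crashing path lacks: handing null to a WTF
    // HashSet lookup hits the empty-bucket assertion in checkKey.
    if (!identifier)
        return false;
    return identifierSet().count(identifier) != 0;
}

void IdentifierRep::destroy(IdentifierRep* identifier) {
    identifierSet().erase(identifier);
    delete identifier;
}

// Models the receiving side of the IPC request (WKPCIdentifierInfo in frame
// #6): the identifier supplied by the plug-in host process is untrusted input
// and is validated before anything is done with it. Hypothetical helper.
bool handleIdentifierInfo(IdentifierRep* serverIdentifier) {
    return IdentifierRep::isValid(serverIdentifier);
}
```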