[Webkit-unassigned] [Bug 61317] New: Crash in _NPN_DeallocateObject when reloading yahoo.com webarchive in WebKit1
bugzilla-daemon at webkit.org
Mon May 23 16:04:28 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=61317
Summary: Crash in _NPN_DeallocateObject when reloading yahoo.com webarchive in WebKit1
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Windows XP
Status: NEW
Keywords: NeedsRadar
Severity: Normal
Priority: P2
Component: Plug-ins
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: aroben at apple.com
CC: andersca at apple.com, oliver at apple.com
Created an attachment (id=94511)
--> (https://bugs.webkit.org/attachment.cgi?id=94511&action=review)
webarchive
To reproduce:
1. Load the attached webarchive
2. Reload
You'll crash in deallocateNPObject. The crashing line is:
if (obj->_class->deallocate)
_class is garbage because the plugin has already been unloaded. Here's the backtrace:
> WebKit.dll!_NPN_DeallocateObject(NPObject * obj=0x1330edd8) Line 157 + 0x5 bytes C++
WebKit.dll!_NPN_ReleaseObject(NPObject * obj=0x1330edd8) Line 148 + 0x9 bytes C++
WebKit.dll!JSC::Bindings::CInstance::~CInstance() Line 92 + 0xc bytes C++
WebKit.dll!JSC::Bindings::CInstance::`scalar deleting destructor'() + 0x16 bytes C++
WebKit.dll!WTF::RefCounted<JSC::Bindings::Instance>::deref() Line 141 + 0x3b bytes C++
WebKit.dll!WTF::derefIfNotNull<JSC::Bindings::Instance>(JSC::Bindings::Instance * ptr=0x132a5490) Line 60 C++
WebKit.dll!WTF::RefPtr<JSC::Bindings::Instance>::~RefPtr<JSC::Bindings::Instance>() Line 58 + 0x19 bytes C++
WebKit.dll!JSC::Bindings::RuntimeObject::~RuntimeObject() Line 50 + 0xb bytes C++
WebKit.dll!JSC::Bindings::CRuntimeObject::~CRuntimeObject() Line 50 + 0x8 bytes C++
WebKit.dll!JSC::Bindings::CRuntimeObject::`scalar deleting destructor'() + 0x16 bytes C++
JavaScriptCore.dll!JSC::MarkedBlock::sweep() Line 83 + 0x10 bytes C++
JavaScriptCore.dll!JSC::MarkedSpace::sweep() Line 125 + 0xf bytes C++
JavaScriptCore.dll!JSC::Heap::reset(JSC::Heap::SweepToggle sweepToggle=DoSweep) Line 409 C++
JavaScriptCore.dll!JSC::Heap::collectAllGarbage() Line 388 C++
WebKit.dll!WebCore::collect(void * __formal=0x00000000) Line 43 C++
WebKit.dll!WebCore::GCController::gcTimerFired(WebCore::Timer<WebCore::GCController> * __formal=0x0f53cd50) Line 65 + 0x7 bytes C++
WebKit.dll!WebCore::Timer<WebCore::GCController>::fired() Line 100 + 0x23 bytes C++
WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal() Line 112 + 0xf bytes C++
WebKit.dll!WebCore::ThreadTimers::sharedTimerFired() Line 91 C++
WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd=0x001c05c6, unsigned int message=49602, unsigned int wParam=0, long lParam=0) Line 103 + 0x8 bytes C++
user32.dll!_InternalCallWinProc at 20() + 0x28 bytes
user32.dll!_UserCallWinProcCheckWow at 32() + 0xb7 bytes
user32.dll!_DispatchMessageWorker at 8() + 0xdc bytes
user32.dll!_DispatchMessageW at 4() + 0xf bytes
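As an added illustration (not WebKit's or the plugin's code), here is a small C model of the lifetime problem in the report: the JavaScript wrapper (CInstance) holds a reference to an NPObject whose `_class` points into the plugin module, the plugin is unloaded on reload, and the GC sweep later releases the wrapper's reference. The `PluginModule` table and the detach step in `unloadPlugin` are a hypothetical mitigation assumed for this example, so the host-side release never dereferences the unloaded class.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the NPAPI structures seen in the backtrace above. */
typedef struct NPObject NPObject;
typedef struct { void (*deallocate)(NPObject *); } NPClass;
struct NPObject { NPClass *_class; uint32_t referenceCount; };

enum Freed { FREED_NONE = 0, FREED_BY_PLUGIN = 1, FREED_BY_HOST = 2 };
static int pluginDeallocateCalls;
static void pluginDeallocate(NPObject *obj) { pluginDeallocateCalls++; free(obj); }

/* Hypothetical: the plugin owns its NPClass storage, and the host records every
 * NPObject the plugin handed out so they can be detached before unload. */
typedef struct { NPClass cls; NPObject *live[8]; int count; } PluginModule;

static NPObject *createObject(PluginModule *m) {
    NPObject *obj = calloc(1, sizeof *obj);
    obj->_class = &m->cls;          /* points into plugin-owned memory */
    obj->referenceCount = 1;
    m->live[m->count++] = obj;
    return obj;
}

/* Detach outstanding objects, then make the class memory garbage, as an
 * unloaded DLL's would be. Objects still held by JS wrappers keep a NULL
 * _class instead of a dangling pointer. */
static void unloadPlugin(PluginModule *m) {
    for (int i = 0; i < m->count; i++) m->live[i]->_class = NULL;
    memset(&m->cls, 0xfe, sizeof m->cls);
}

/* Hardened counterpart of the crashing check `if (obj->_class->deallocate)`. */
static enum Freed deallocateObject(NPObject *obj) {
    if (obj->_class && obj->_class->deallocate) { obj->_class->deallocate(obj); return FREED_BY_PLUGIN; }
    free(obj);                      /* host-side fallback for detached objects */
    return FREED_BY_HOST;
}

static enum Freed releaseObject(NPObject *obj) {
    return --obj->referenceCount == 0 ? deallocateObject(obj) : FREED_NONE;
}

/* Replays the report: the JS wrapper keeps its ref past plugin unload and
 * drops it later from the GC sweep (~CInstance -> _NPN_ReleaseObject). */
static enum Freed reloadScenario(void) {
    PluginModule plugin = { .cls = { pluginDeallocate } };
    NPObject *obj = createObject(&plugin);
    obj->referenceCount++;          /* CInstance takes its reference */
    releaseObject(obj);             /* plugin drops its own reference */
    unloadPlugin(&plugin);          /* page reload tears the plugin down */
    return releaseObject(obj);      /* GC sweep: safe, class already detached */
}

/* Control case: plugin still loaded, so its own deallocate hook runs. */
static enum Freed normalScenario(void) {
    PluginModule plugin = { .cls = { pluginDeallocate } };
    NPObject *obj = createObject(&plugin);
    return releaseObject(obj);
}
```

Without the detach step, `reloadScenario` would execute the same `obj->_class->deallocate` read as the report through the 0xfe-filled class memory.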