[Webkit-unassigned] [Bug 85417] New: NPN_InvokeDefault fails due to invalid rootObject

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 2 14:01:41 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=85417

           Summary: NPN_InvokeDefault fails due to invalid rootObject
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: New Bugs
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tmalsbar at codeaurora.org


Calling NPN_InvokeDefault from a plugin fails sometimes using the latest (git-svn-id: http://svn.webkit.org/repository/webkit/trunk@115246 268f45cc-cd09-0410-ab3c-d52691b4dbfc) built for gtk (using JavaScriptCore).  The failure occurs because the
    if (!rootObject || !rootObject->isValid())
check fails in NP_jsobject.cpp at _NPN_InvokeDefault.

The repro steps run some unit tests for the plugin being developed, which behaves roughly as follows for each test:
    1. create <object>
    2. run test code
    3. remove <object>
The test code passes in a JS function to the plugin that is later called via NPN_InvokeDefault.

Digging through the code a bit shows me that a new rootObject is created for each instance of the plugin.  When the JS function value is converted to an NPVariant before calling the plugin it calls findRootObject to assign a rootObject.  At that point there are multiple rootObjects in the root object set:
    globalObject=0x7fa1438bc150
    rootObject=0x24d35f0 rootObject->globalObject=0x7fa1438bc150
    rootObject=0x23e4b50 rootObject->globalObject=0x7fa1438bc150
    rootObject=0x250d890 rootObject->globalObject=0x7fa1438bc150
    rootObject=0x2576d30 rootObject->globalObject=0x7fa1438bc150
    rootObject=0x2593830 rootObject->globalObject=0x7fa1438bc150
findRootObject picks the first one, which does not belong to the instance of the plugin that is being called.  The first rootObject is invalidated before the plugin calls NPN_InvokeDefault.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list