[Webkit-unassigned] [Bug 119044] New: [Win] Crash after plugin is unloaded.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 24 05:44:10 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=119044

           Summary: [Win] Crash after plugin is unloaded.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: peavo at outlook.com


I'm frequently getting a crash (access violation reading) in the function _NPN_DeallocateObject, line 159, in WebCore/bridge/npruntime.cpp.

I suspect the reason for this crash is that after a plugin has been unloaded, garbage collection is performed, which is accessing plugin objects which has already been freed when the plugin was unloaded.

Here's the stacktrace of the crash:

     WebKit.dll!_NPN_DeallocateObject(NPObject * obj=0x085144e8)  Line 159 + 0x5 bytes    C++
     WebKit.dll!_NPN_ReleaseObject(NPObject * obj=0x085144e8)  Line 150 + 0x9 bytes    C++
     WebKit.dll!JSC::Bindings::CInstance::~CInstance()  Line 90 + 0xc bytes    C++
     WebKit.dll!JSC::Bindings::CInstance::`scalar deleting destructor'()  + 0x16 bytes    C++
     WebKit.dll!WTF::RefCounted<JSC::Bindings::Instance>::deref()  Line 197 + 0x3b bytes    C++
     WebKit.dll!WTF::derefIfNotNull<JSC::Bindings::Instance>(JSC::Bindings::Instance * ptr=0x12bf5410)  Line 53    C++
     WebKit.dll!WTF::RefPtr<JSC::Bindings::Instance>::~RefPtr<JSC::Bindings::Instance>()  Line 62 + 0x19 bytes    C++
     WebKit.dll!JSC::Bindings::RuntimeObject::~RuntimeObject()  + 0x19 bytes    C++
     WebKit.dll!JSC::Bindings::RuntimeObject::destroy(JSC::JSCell * cell=0x0675af48)  Line 55    C++
     JavaScriptCore.dll!JSC::MarkedBlock::callDestructor(JSC::JSCell * cell=0x0675af48)  Line 66 + 0x12 bytes    C++
     JavaScriptCore.dll!JSC::MarkedBlock::specializedSweep<3,1,2>()  Line 90    C++
     JavaScriptCore.dll!JSC::MarkedBlock::sweepHelper<2>(JSC::MarkedBlock::SweepMode sweepMode=SweepToFreeList)  Line 140 + 0x12 bytes    C++
     JavaScriptCore.dll!JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode sweepMode=SweepToFreeList)  Line 119 + 0x10 bytes    C++
     JavaScriptCore.dll!JSC::MarkedAllocator::tryAllocateHelper(unsigned int bytes=16)  Line 35    C++
     JavaScriptCore.dll!JSC::MarkedAllocator::tryAllocate(unsigned int bytes=16)  Line 66 + 0xc bytes    C++
     JavaScriptCore.dll!JSC::MarkedAllocator::allocateSlowCase(unsigned int bytes=16)  Line 82 + 0xc bytes    C++
     WebKit.dll!JSC::MarkedAllocator::allocate(unsigned int bytes=16)  Line 82 + 0xc bytes    C++
     WebKit.dll!JSC::MarkedSpace::allocateWithNormalDestructor(unsigned int bytes=16)  Line 216    C++
     WebKit.dll!JSC::Heap::allocateWithNormalDestructor(unsigned int bytes=16)  Line 375    C++
     WebKit.dll!JSC::allocateCell<WebCore::JSNodeList>(JSC::Heap & heap={...}, unsigned int size=16)  Line 94 + 0xc bytes    C++
     WebKit.dll!JSC::allocateCell<WebCore::JSNodeList>(JSC::Heap & heap={...})  Line 104 + 0xb bytes    C++
     WebKit.dll!WebCore::JSNodeList::create(JSC::Structure * structure=0x08bdb568, WebCore::JSDOMGlobalObject * globalObject=0x045fd038, WTF::PassRefPtr<WebCore::NodeList> impl={...})  Line 37 + 0x11 bytes    C++
     WebKit.dll!WebCore::createWrapper<WebCore::JSNodeList,WebCore::NodeList>(JSC::ExecState * exec=0x04f404d8, WebCore::JSDOMGlobalObject * globalObject=0x045fd038, WebCore::NodeList * node=0x1305cd38)  Line 187 + 0x26 bytes    C++
     WebKit.dll!WebCore::createNewWrapper<WebCore::JSNodeList,WebCore::NodeList>(JSC::ExecState * exec=0x04f404d8, WebCore::JSDOMGlobalObject * globalObject=0x045fd038, WebCore::NodeList * domObject=0x1305cd38)  Line 213 + 0x11 bytes    C++
     WebKit.dll!WebCore::toJS(JSC::ExecState * exec=0x04f404d8, WebCore::JSDOMGlobalObject * globalObject=0x045fd038, WebCore::NodeList * impl=0x1305cd38)  Line 275 + 0x15 bytes    C++
     WebKit.dll!WebCore::jsElementPrototypeFunctionGetElementsByClassName(JSC::ExecState * exec=0x04f404d8)  Line 2174 + 0x30 bytes    C++
     056c2cef()    
     JavaScriptCore.dll!cti_op_get_by_id_proto_list()  Line 1829 + 0x20 bytes    C++
     JavaScriptCore.dll!JSC::call(JSC::ExecState * exec=0x04f40180, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...})  Line 40 + 0x3c bytes    C++
     JavaScriptCore.dll!JSC::functionProtoFuncApply(JSC::ExecState * exec=0x04f40180)  Line 154 + 0x51 bytes    C++
     044a00ef()    
     JavaScriptCore.dll!cti_op_get_by_id_proto_list_full()  Line 1841 + 0x1c bytes    C++
     JavaScriptCore.dll!JSC::Interpreter::executeCall(JSC::ExecState * callFrame=0x045f85a0, JSC::JSObject * function=0x0879e558, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...})  Line 1052 + 0x27 bytes    C++
     JavaScriptCore.dll!JSC::call(JSC::ExecState * exec=0x045f85a0, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...})  Line 40 + 0x3c bytes    C++
     WebKit.dll!WebCore::JSMainThreadExecState::call(JSC::ExecState * exec=0x045f85a0, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...})  Line 56 + 0x29 bytes    C++
     WebKit.dll!WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext * scriptExecutionContext=0x0c1fdb40, WebCore::Event * event=0x0bcce198)  Line 130 + 0x64 bytes    C++
     WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x0bcce198, WebCore::EventTargetData * d=0x149b4048, WTF::Vector<WebCore::RegisteredEventListener,1,WTF::CrashOnOverflow> & entry={...})  Line 258 + 0x22 bytes    C++
     WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x0bcce198)  Line 204 + 0x14 bytes    C++
     WebKit.dll!WebCore::Node::handleLocalEvents(WebCore::Event * event=0x0bcce198)  Line 2378    C++
     WebKit.dll!WebCore::EventContext::handleLocalEvents(WebCore::Event * event=0x0bcce198)  Line 58 + 0x24 bytes    C++
     WebKit.dll!WebCore::EventDispatcher::dispatchEventAtTarget()  Line 168 + 0x32 bytes    C++
     WebKit.dll!WebCore::EventDispatcher::dispatch()  Line 125 + 0x8 bytes    C++
     WebKit.dll!WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher * dispatcher=0x0026f1bc)  Line 55    C++
     WebKit.dll!WebCore::EventDispatcher::dispatchEvent(WebCore::Node * node=0x1500c878, WTF::PassRefPtr<WebCore::EventDispatchMediator> mediator={...})  Line 56 + 0x2a bytes    C++
     WebKit.dll!WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event> event={...})  Line 2398 + 0x21 bytes    C++
     WebKit.dll!WebCore::DOMWindow::dispatchLoadEvent()  Line 1711    C++
     WebKit.dll!WebCore::Document::dispatchWindowLoadEvent()  Line 3668    C++
     WebKit.dll!WebCore::Document::implicitClose()  Line 2421    C++
     WebKit.dll!WebCore::FrameLoader::checkCallImplicitClose()  Line 827    C++
     WebKit.dll!WebCore::FrameLoader::checkCompleted()  Line 771    C++
     WebKit.dll!WebCore::FrameLoader::completed()  Line 1077    C++
     WebKit.dll!WebCore::FrameLoader::checkCompleted()  Line 774    C++
     WebKit.dll!WebCore::FrameLoader::completed()  Line 1077    C++
     WebKit.dll!WebCore::FrameLoader::checkCompleted()  Line 774    C++
     WebKit.dll!WebCore::FrameLoader::loadDone()  Line 716    C++
     WebKit.dll!WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource * resource=0x184fbfa8)  Line 773    C++
     WebKit.dll!WebCore::SubresourceLoader::releaseResources()  Line 327    C++
     WebKit.dll!WebCore::ResourceLoader::didFinishLoading(double finishTime=0.00000000000000000)  Line 346 + 0xf bytes    C++
     WebKit.dll!WebCore::SubresourceLoader::didFinishLoading(double finishTime=0.00000000000000000)  Line 285    C++
     WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x084e9410, double finishTime=0.00000000000000000)  Line 500 + 0x18 bytes    C++
     WebKit.dll!WebCore::ResourceHandleManager::downloadTimerCallback(WebCore::Timer<WebCore::ResourceHandleManager> * timer=0x03fd3de0)  Line 436 + 0x35 bytes    C++
     WebKit.dll!WebCore::Timer<WebCore::ResourceHandleManager>::fired()  Line 113 + 0x23 bytes    C++
     WebKit.dll!WebCore::ThreadTimers::sharedTimerFiredInternal()  Line 129 + 0xf bytes    C++
     WebKit.dll!WebCore::ThreadTimers::sharedTimerFired()  Line 106    C++
     WebKit.dll!WebCore::TimerWindowWndProc(HWND__ * hWnd=0x000e152a, unsigned int message=49794, unsigned int wParam=0, long lParam=0)  Line 110 + 0x8 bytes    C++

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list