Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 OS-All Area-Misc
New issue 23706 by [email protected]: NPN_Invoke asserts if called within NPP_Destroy
http://code.google.com/p/chromium/issues/detail?id=23706
Chrome Version : 4.0.221.1 (Developer Build 27852)
URLs (if applicable) : N/A
Other browsers tested: Chrome specific
Add OK or FAIL after other browsers where you have tested this issue:
Safari 4: N/A
Firefox 3.x: N/A
IE 7: N/A
IE 8: N/A
What steps will reproduce the problem?
1. From the NPP_Destroy function of an NPAPI plugin, invoke a method on an NPObject in another process with NPN_Invoke
What is the expected result?
Either the method is invoked or NPN_Invoke returns false to indicate failure.
What happens instead?
Chrome hits an assertion in the plugin process (but does not crash).
Please provide any additional information below. Attach a screenshot if
possible.
The problem seems to be that GetModalDialogEvent keys off the plugin window handle and by the time NPP_Destroy is called, the window has been destroyed:
In NPObjectProxy::NPInvokePrivate:
  if (IsPluginProcess()) {
    PluginChannel* channel =
        static_cast<PluginChannel*>(proxy->channel_.get());
    if (channel) {
      msg->set_pump_messages_event(
          channel->GetModalDialogEvent(containing_window));
    }
  }
Renderer process call stack:
> chrome.dll!DebugUtil::BreakDebugger() Line 221 C++
chrome.dll!logging::LogMessage::~LogMessage() Line 536 C++
chrome.dll!PluginChannel::MessageFilter::GetModalDialogEvent(int containing_window=1121104) Line 54 C++
chrome.dll!PluginChannel::GetModalDialogEvent(int containing_window=1121104) Line 249 C++
chrome.dll!NPObjectProxy::NPInvokePrivate(_NPP * npp=0x02f3e0d0, NPObject * obj=0x02f1ee60, bool is_default=false, void * name=0x02f55c00, const _NPVariant * args=0x0066df24, unsigned int arg_count=1, _NPVariant * np_result=0x0066df0c) Line 202 + 0xf bytes C++
chrome.dll!`anonymous namespace'::NPN_InvokePatch(_NPP * npp=0x02f3e0d0, NPObject * npobj=0x02f1ee60, void * methodName=0x02f55c00, const _NPVariant * args=0x0066df24, unsigned int argCount=1, _NPVariant * result=0x0066df0c) Line 41 + 0x1f bytes C++
npo3dautoplugin.dll!o3d::gpu_plugin::NPBrowser::Invoke(_NPP * npp=0x02f3e0d0, NPObject * object=0x02f1ee60, void * name=0x02f55c00, const _NPVariant * args=0x0066df24, unsigned int num_args=1, _NPVariant * result=0x0066df0c) Line 98 + 0x25 bytes C++
npo3dautoplugin.dll!o3d::gpu_plugin::NPInvokeVoid<int>(_NPP * npp=0x02f3e0d0, const o3d::gpu_plugin::NPObjectPointer<NPObject> & object={...}, const char * name=0x5ede8c34, int p0=1) Line 165 + 0x51 bytes C++
npo3dautoplugin.dll!o3d::RendererCB::Destroy() Line 153 + 0x28 bytes C++
npo3dautoplugin.dll!o3d::RendererCB::~RendererCB() Line 81 C++
npo3dautoplugin.dll!o3d::RendererCB::`scalar deleting destructor'() + 0x16 bytes C++
npo3dautoplugin.dll!glue::_o3d::PluginObject::DeleteRenderer() Line 257 + 0x28 bytes C++
npo3dautoplugin.dll!glue::_o3d::PluginObject::TearDown() Line 230 C++
npo3dautoplugin.dll!o3d::NPP_Destroy(_NPP * instance=0x02f3e0d0, _NPSavedData * * save=0x0066e1b8) Line 815 C++
chrome.dll!NPAPI::PluginInstance::NPP_Destroy() Line 188 + 0x18 bytes C++
chrome.dll!WebPluginDelegateImpl::DestroyInstance() Line 129 C++
chrome.dll!WebPluginDelegateImpl::~WebPluginDelegateImpl() Line 311 C++
chrome.dll!WebPluginDelegateImpl::`scalar deleting destructor'() + 0x16 bytes C++
chrome.dll!WebPluginDelegateImpl::PluginDestroyed() Line 323 + 0x22 bytes C++
chrome.dll!WebPluginDelegateStub::~WebPluginDelegateStub() Line 70 + 0x15 bytes C++
chrome.dll!WebPluginDelegateStub::`scalar deleting destructor'() + 0x16 bytes C++
chrome.dll!base::RefCounted<WebPluginDelegateStub>::Release() Line 90 + 0x3a bytes C++
chrome.dll!scoped_refptr<WebPluginDelegateStub>::~scoped_refptr<WebPluginDelegateStub>() Line 207 C++
chrome.dll!scoped_refptr<WebPluginDelegateStub>::`scalar deleting destructor'() + 0x16 bytes C++
chrome.dll!std::_Destroy<scoped_refptr<WebPluginDelegateStub> >(scoped_refptr<WebPluginDelegateStub> * _Ptr=0x02f090cc) Line 60 C++
chrome.dll!std::allocator<scoped_refptr<WebPluginDelegateStub> >::destroy(scoped_refptr<WebPluginDelegateStub> * _Ptr=0x02f090cc) Line 160 + 0x9 bytes C++
chrome.dll!std::_Destroy_range<std::allocator<scoped_refptr<WebPluginDelegateStub> > >(scoped_refptr<WebPluginDelegateStub> * _First=0x02f090cc, scoped_refptr<WebPluginDelegateStub> * _Last=0x02f090d0, std::allocator<scoped_refptr<WebPluginDelegateStub> > & _Al={...}, std::_Nonscalar_ptr_iterator_tag __formal={...}) Line 234 + 0xc bytes C++
chrome.dll!std::_Destroy_range<std::allocator<scoped_refptr<WebPluginDelegateStub> > >(scoped_refptr<WebPluginDelegateStub> * _First=0x02f090cc, scoped_refptr<WebPluginDelegateStub> * _Last=0x02f090d0, std::allocator<scoped_refptr<WebPluginDelegateStub> > & _Al={...}) Line 225 + 0x29 bytes C++
chrome.dll!std::vector<scoped_refptr<WebPluginDelegateStub>,std::allocator<scoped_refptr<WebPluginDelegateStub> > >::_Destroy(scoped_refptr<WebPluginDelegateStub> * _First=0x02f090cc, scoped_refptr<WebPluginDelegateStub> * _Last=0x02f090d0) Line 1119 + 0x14 bytes C++
chrome.dll!std::vector<scoped_refptr<WebPluginDelegateStub>,std::allocator<scoped_refptr<WebPluginDelegateStub> > >::erase(std::_Vector_const_iterator<scoped_refptr<WebPluginDelegateStub>,std::allocator<scoped_refptr<WebPluginDelegateStub> > > _Where={ptr_=0x02f421c0 }) Line 1010 C++
chrome.dll!PluginChannel::OnDestroyInstance(int instance_id=1, IPC::Message * reply_msg=0x02f1c790) Line 227 + 0x3e bytes C++
chrome.dll!DispatchToMethod<PluginChannel,void (__thiscall PluginChannel::*)(int,IPC::Message *),int,IPC::Message &>(PluginChannel * obj=0x02f64110, void (int, IPC::Message *)* method=0x563b4b40, const Tuple1<int> & in={...}, Tuple1<IPC::Message &> * out=0x0066e4f8) Line 585 + 0x17 bytes C++
chrome.dll!IPC::MessageWithReply<Tuple1<int>,Tuple0>::DispatchDelayReply<PluginChannel,void (__thiscall PluginChannel::*)(int,IPC::Message *)>(const IPC::Message * msg=0x02f1c740, PluginChannel * obj=0x02f64110, void (int, IPC::Message *)* func=0x563b4b40) Line 1224 + 0x19 bytes C++
chrome.dll!PluginChannel::OnControlMessageReceived(const IPC::Message & msg={...}) Line 206 + 0x23 bytes C++
chrome.dll!PluginChannelBase::OnMessageReceived(const IPC::Message & message={...}) Line 122 + 0x13 bytes C++
chrome.dll!PluginChannel::OnMessageReceived(const IPC::Message & msg={...}) Line 200 C++
chrome.dll!IPC::ChannelProxy::Context::OnDispatchMessage(const IPC::Message & message={...}) Line 204 + 0x1b bytes C++
chrome.dll!IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages() Line 107 C++
chrome.dll!IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessagesTask() Line 90 C++
chrome.dll!DispatchToMethod<IPC::SyncChannel::ReceivedSyncMsgQueue,void (__thiscall IPC::SyncChannel::ReceivedSyncMsgQueue::*)(void)>(IPC::SyncChannel::ReceivedSyncMsgQueue * obj=0x02f1f5c0, void (void)* method=0x56f51140, const Tuple0 & arg={...}) Line 412 + 0x8 bytes C++
chrome.dll!RunnableMethod<IPC::SyncChannel::ReceivedSyncMsgQueue,void (__thiscall IPC::SyncChannel::ReceivedSyncMsgQueue::*)(void),Tuple0>::Run() Line 277 + 0x1a bytes C++
chrome.dll!MessageLoop::RunTask(Task * task=0x02f1b550) Line 314 + 0xf bytes C++
chrome.dll!MessageLoop::DeferOrRunPendingTask(const MessageLoop::PendingTask & pending_task={...}) Line 325 C++
chrome.dll!MessageLoop::DoWork() Line 429 + 0xc bytes C++
chrome.dll!base::MessagePumpForUI::DoRunLoop() Line 209 + 0x1d bytes C++
chrome.dll!base::MessagePumpWin::RunWithDispatcher(base::MessagePump::Delegate * delegate=0x0066ef34, base::MessagePumpWin::Dispatcher * dispatcher=0x00000000) Line 52 + 0xf bytes C++
chrome.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate=0x0066ef34) Line 78 + 0x1c bytes C++
chrome.dll!MessageLoop::RunInternal() Line 199 + 0x2a bytes C++
chrome.dll!MessageLoop::RunHandler() Line 175 C++
chrome.dll!MessageLoop::Run() Line 156 C++
chrome.dll!PluginMain(const MainFunctionParams & parameters={...}) Line 159 C++
chrome.dll!ChromeMain(HINSTANCE__ * instance=0x00090000, sandbox::SandboxInterfaceInfo * sandbox_info=0x0066f8d8, wchar_t * command_line=0x00952da8) Line 554 + 0xc bytes C++
chrome.exe!wWinMain(HINSTANCE__ * instance=0x00090000, HINSTANCE__ * prev_instance=0x00000000, wchar_t * command_line=0x00952da8, int __formal=5) Line 104 + 0x14 bytes C++
chrome.exe!__tmainCRTStartup() Line 263 + 0x2c bytes C
chrome.exe!wWinMainCRTStartup() Line 182 C
kernel32.dll!7621e4a5()
[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]
ntdll.dll!7793cfed()
ntdll.dll!7793d1ff()
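As an added illustration, not Chromium's own code: a toy model of the lookup the reporter describes, showing the asserting lookup next to a variant that lets the invoke return false, which is the expected result stated above. The class and function names, the handle-to-event registry and the event value are constructed for this example; only the window handle 1121104 comes from the stack trace.

```cpp
// Added toy model (not Chromium's code) of the lookup the report describes:
// a channel resolves a plugin window handle to a modal-dialog event, and the
// plugin's destroy callback re-enters the proxy after that window is gone.
#include <cstdint>
#include <map>
#include <stdexcept>

using WindowHandle = int;
using EventHandle = uintptr_t;  // stands in for a real HANDLE

class ToyPluginChannel {
 public:
  void WindowCreated(WindowHandle w, EventHandle e) { events_[w] = e; }
  void WindowDestroyed(WindowHandle w) { events_.erase(w); }
  // Reported behaviour: a handle that is no longer tracked is treated as a
  // programming error (modelled as an exception where the real code asserts).
  EventHandle GetModalDialogEventAsserting(WindowHandle w) const {
    auto it = events_.find(w);
    if (it == events_.end()) throw std::logic_error("stale window handle");
    return it->second;
  }
  // Defensive variant: a stale handle is a recoverable failure, not a crash.
  bool TryGetModalDialogEvent(WindowHandle w, EventHandle* out) const {
    auto it = events_.find(w);
    if (it == events_.end()) return false;
    *out = it->second;
    return true;
  }
 private:
  std::map<WindowHandle, EventHandle> events_;  // constructed registry
};

// Proxy-side invoke in the shape the report asks for: false when the event for
// the containing window cannot be resolved, instead of an assertion.
bool ToyNPInvoke(const ToyPluginChannel& channel, WindowHandle containing_window) {
  EventHandle pump_event = 0;
  if (!channel.TryGetModalDialogEvent(containing_window, &pump_event)) return false;
  // The real proxy would attach pump_event to the sync IPC message here.
  return true;
}

// Teardown in the order the report describes: the window is destroyed first,
// then the plugin's NPP_Destroy-time callback runs and calls back into the proxy.
bool DestroyInstance(ToyPluginChannel& channel, WindowHandle w,
                     bool (*on_destroy)(const ToyPluginChannel&, WindowHandle)) {
  channel.WindowDestroyed(w);
  return on_destroy(channel, w);
}
```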
Automated mail from issue updates at http://crbug.com/