cloudtrends / chromiumembedded

Automatically exported from code.google.com/p/chromiumembedded

CEF crashes on certain flash related javascript #115

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
I have copied the original page which is causing the issue. The page loads fine in normal browsers, but not in CEF.
1. Using any CEF test browser, go to http://enesce.com/lockerz/testpage/play.htm
2. Once the page has loaded, the application will crash with an access violation.
3. It appears to be coming from the swfobject code in "a_003.js" at the above URL.

What is the expected output? What do you see instead?
Expecting the page to be displayed, but getting an access violation or a complete application crash.
I tested using the cefclient.exe that comes with CEF and using my own implementation; both have the problem.

What version of the product are you using? On what operating system?
Latest CEF binaries, Vista x64.

Please provide any additional information below.

access violation at 0x666F3C85: read of address 0x000009B0
:666f3c85 ; C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

666F3C80 A1D031B866       mov eax,[$66b831d0]
666F3C85 83B8B009000003   cmp dword ptr [eax+$000009b0],$03
666F3C8C 7522             jnz $666f3cb0
666F3C8E 80B9A508000000   cmp byte ptr [ecx+$000008a5],$00
666F3C95 7519             jnz $666f3cb0
666F3C97 8B80AC090000     mov eax,[eax+$000009ac]
666F3C9D 50               push eax
666F3C9E E88DD22600       call $66960f30
666F3CA3 83C404           add esp,$04
666F3CA6 85C0             test eax,eax
666F3CA8 7506             jnz $666f3cb0
666F3CAA B801000000       mov eax,$00000001
666F3CAF C3               ret 
666F3CB0 33C0             xor eax,eax
666F3CB2 C3               ret 

Original issue reported on code.google.com by ad...@enesce.com on 30 Aug 2010 at 9:00
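The dump above is the classic shape of a NULL-pointer dereference: the fault address (0x000009B0) equals the displacement of the faulting instruction's memory operand (`cmp dword ptr [eax+$000009b0],$03`), so eax was zero, and the instruction before it shows where eax came from (`mov eax,[$66b831d0]`, a global pointer). The following Node.js helper is an added example, not part of this issue or of CEF; it embeds a constructed copy of the first lines of the dump, parses the Delphi-style listing, applies that address-equals-displacement check, and reports the last instruction that loaded the base register. All function names are my own.

```javascript
// Added example (not from the issue thread): triage a Delphi-style crash dump.
// Input shape: an "access violation at 0x...: read of address 0x..." line,
// followed by a listing of "ADDRESS OPCODEBYTES mnemonic operands" lines that
// use a "$" prefix for hex immediates and displacements.

// Constructed copy of the first lines of the dump pasted in the report.
const sampleDump = [
  "access violation at 0x666F3C85: read of address 0x000009B0",
  ":666f3c85 ; C:\\Windows\\SysWOW64\\Macromed\\Flash\\NPSWF32.dll",
  "666F3C80 A1D031B866       mov eax,[$66b831d0]",
  "666F3C85 83B8B009000003   cmp dword ptr [eax+$000009b0],$03",
  "666F3C8C 7522             jnz $666f3cb0",
].join("\n");

// Instruction pointer, access kind and faulting address from the exception line.
function parseAccessViolation(dump) {
  const m = dump.match(
    /access violation at 0x([0-9a-f]+): (read|write) of address 0x([0-9a-f]+)/i
  );
  if (!m) return null;
  return { eip: parseInt(m[1], 16), kind: m[2].toLowerCase(), addr: parseInt(m[3], 16) };
}

// One entry per disassembly line; the module line (":666f3c85 ; ...") is skipped.
function parseListing(dump) {
  const out = [];
  for (const line of dump.split("\n")) {
    const m = line.match(/^([0-9a-f]{8})\s+[0-9a-f]+\s+(.+)$/i);
    if (m) out.push({ addr: parseInt(m[1], 16), text: m[2].trim() });
  }
  return out;
}

// "[base]", "[base+$disp]" or "[base-$disp]" from an instruction, or null.
function memoryOperand(text) {
  const m = text.match(/\[(e[abcd]x|e[sd]i|e[bs]p)(?:([+-])\$([0-9a-f]+))?\]/i);
  if (!m) return null;
  const disp = m[3] ? parseInt(m[3], 16) : 0;
  return { base: m[1].toLowerCase(), disp: m[2] === "-" ? -disp : disp };
}

function triage(dump) {
  const av = parseAccessViolation(dump);
  if (!av) return { verdict: "no-access-violation" };
  const listing = parseListing(dump);
  const idx = listing.findIndex((i) => i.addr === av.eip);
  if (idx < 0) return { ...av, verdict: "faulting-instruction-not-in-listing" };
  const insn = listing[idx].text;
  const op = memoryOperand(insn);
  if (!op) return { ...av, insn, verdict: "no-memory-operand" };

  let verdict;
  if (av.addr === op.disp) verdict = "null-base-dereference"; // base register held 0
  else if (av.addr < 0x10000) verdict = "near-null-dereference";
  else verdict = "wild-or-freed-pointer";

  // Walk backwards for the instruction that last wrote the base register.
  let baseSource = null;
  const re = new RegExp("^mov\\s+" + op.base + "\\s*,\\s*(.+)$", "i");
  for (let i = idx - 1; i >= 0; i--) {
    const m = listing[i].text.match(re);
    if (m) { baseSource = m[1].trim(); break; }
  }
  return { ...av, insn, base: op.base, disp: op.disp, baseSource, verdict };
}

console.log(triage(sampleDump));
```

For this dump the verdict is `null-base-dereference` with `baseSource` = `[$66b831d0]`: the plugin read a global pointer that was still NULL. The helper says nothing about why it was NULL in this host and not in others, which is the question the rest of the thread chases.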

GoogleCodeExporter commented 9 years ago
This is a crash in Flash player. Try upgrading to the latest Flash player and 
see if that resolves the issue.

Original comment by magreenb...@gmail.com on 30 Aug 2010 at 1:20

GoogleCodeExporter commented 9 years ago
I am using the latest Flash version: 10,1,82,76.
As I mentioned, it works fine everywhere except in CEF, which leads me to believe it is a CEF bug, right?

Original comment by ad...@enesce.com on 30 Aug 2010 at 1:28

GoogleCodeExporter commented 9 years ago
Does the crash occur with the Chromium test_shell application?

1) Build test_shell with the Chromium HEAD revision and see if the problem is fixed there. If so, then it will likely be fixed with the next CEF update.

2) If it's still broken in Chromium HEAD then search the Chromium bug lists to see if anyone has reported the problem. If you don't find an existing bug then create a Chromium bug for it. If you find or create a Chromium bug for this issue please add a link here so that we can track the resolution.

Original comment by magreenb...@gmail.com on 30 Aug 2010 at 1:34

GoogleCodeExporter commented 9 years ago
It is crashing in the latest test_shell too.

http://code.google.com/p/chromium/issues/detail?id=53932

Original comment by ad...@enesce.com on 31 Aug 2010 at 9:56

GoogleCodeExporter commented 9 years ago
Well, months later and they still haven't helped.

Original comment by ad...@enesce.com on 14 Oct 2010 at 8:26

GoogleCodeExporter commented 9 years ago
Yes, many URLs make CEF crash.
When can this bug be resolved?

Original comment by ptom...@gmail.com on 15 Oct 2010 at 2:48

GoogleCodeExporter commented 9 years ago
see http://code.google.com/p/chromiumembedded/issues/detail?id=130 for a fix

Original comment by lodle...@gmail.com on 16 Oct 2010 at 5:35

GoogleCodeExporter commented 9 years ago
I did some debugging myself and I found the following code actually stops swfobject pages from crashing; you need to manually inject this JavaScript into the page and execute it before the DOM loads...

    // Create an empty Flash <object> element and append it to the first <body>.
    var o = document.createElement("object");
    o.type = "application/x-shockwave-flash";
    document.getElementsByTagName("body")[0].appendChild(o);

Original comment by ad...@enesce.com on 16 Oct 2010 at 11:27
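One caveat with the workaround above: if the snippet really runs before the DOM has loaded, `document.getElementsByTagName("body")[0]` is undefined and `appendChild` throws, so the page is not primed at all. The following is an added example, not code from the issue or from CEF: a defensive version of the same idea that only acts when the browser reports a Flash MIME type, attaches to `document.body` or the root element when one exists, and otherwise defers to `DOMContentLoaded`. The function name `primeFlashPlugin` is hypothetical, and the small `stubDocument`/navigator objects are constructed so the file runs offline in Node.js; they are not a real DOM.

```javascript
// Added example (not from the issue thread): a defensive form of the
// "inject an empty Flash <object> early" workaround.

const FLASH_MIME = "application/x-shockwave-flash";

// Hypothetical helper: returns a status object so the caller can see what happened.
function primeFlashPlugin(doc, nav) {
  // No Flash plugin registered: nothing to prime, and an extra <object>
  // would only instantiate a plugin the page never asked for.
  if (!nav.mimeTypes || !nav.mimeTypes[FLASH_MIME]) return { status: "no-plugin" };

  const container = doc.body || doc.documentElement;
  if (!container) {
    // Too early: there is no element to attach to yet. Retry when the DOM exists.
    doc.addEventListener("DOMContentLoaded", () => primeFlashPlugin(doc, nav));
    return { status: "deferred" };
  }
  const o = doc.createElement("object");
  o.type = FLASH_MIME;
  container.appendChild(o);
  return { status: "injected", parent: container.tagName };
}

// --- Constructed stubs, only so this runs outside a browser -----------------
function stubElement(tagName) {
  return { tagName, type: null, children: [], appendChild(c) { this.children.push(c); return c; } };
}

function stubDocument(bodyPresent) {
  const listeners = {};
  return {
    body: bodyPresent ? stubElement("BODY") : null,
    documentElement: bodyPresent ? stubElement("HTML") : null,
    createElement: stubElement,
    addEventListener(name, fn) { (listeners[name] = listeners[name] || []).push(fn); },
    // Constructed helper: simulate the parser finishing and the event firing.
    finishLoading() {
      this.body = stubElement("BODY");
      this.documentElement = stubElement("HTML");
      (listeners.DOMContentLoaded || []).forEach((fn) => fn());
    },
  };
}

const navWithFlash = { mimeTypes: { [FLASH_MIME]: { type: FLASH_MIME } } };
const navWithoutFlash = { mimeTypes: {} };

// Exercise the three paths: too early (deferred, then injected), normal, no plugin.
function demo() {
  const early = stubDocument(false);
  const first = primeFlashPlugin(early, navWithFlash);
  early.finishLoading();
  const late = stubDocument(true);
  const second = primeFlashPlugin(late, navWithFlash);
  const none = primeFlashPlugin(stubDocument(true), navWithoutFlash);
  return {
    first: first.status,
    earlyInjected: early.body.children.length,
    earlyType: early.body.children.length ? early.body.children[0].type : null,
    second: second.status,
    secondParent: second.parent,
    none: none.status,
  };
}

console.log(demo());
```

In a real embedder the host application, not the page, should decide where this runs; it instantiates the plugin on every document it is injected into, so scope it to the pages that actually need the workaround rather than to all navigations.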

GoogleCodeExporter commented 9 years ago
The crash is fixed in Chromium revision 66269.

Original comment by magreenb...@gmail.com on 16 Nov 2010 at 2:30

GoogleCodeExporter commented 9 years ago
The crash is fixed in CEF revision 138.

Original comment by magreenb...@gmail.com on 16 Nov 2010 at 4:01