2011-02-20 Anders Carlsson <andersca@apple.com>

Reviewed by Maciej Stachowiak. Crash when a plug-in requests a javascript: url that destroys the plug-in https://bugs.webkit.org/show_bug.cgi?id=54837 <rdar://problem/9005475> Add new plug-in test. * DumpRenderTree/DumpRenderTree.gypi: * DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj: * DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp: (PluginTest::NPN_GetURL): * DumpRenderTree/TestNetscapePlugIn/PluginTest.h: * DumpRenderTree/TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp: Added. (GetURLWithJavaScriptURLDestroyingPlugin::GetURLWithJavaScriptURLDestroyingPlugin): (GetURLWithJavaScriptURLDestroyingPlugin::NPP_New): * DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj: * DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro: 2011-02-20 Anders Carlsson <andersca@apple.com> Reviewed by Maciej Stachowiak. Crash when a plug-in requests a javascript: url that destroys the plug-in https://bugs.webkit.org/show_bug.cgi?id=54837 <rdar://problem/9005475> Add test. * plugins/get-url-with-javascript-destroying-plugin-expected.txt: Added. * plugins/get-url-with-javascript-destroying-plugin.html: Added. 2011-02-20 Anders Carlsson <andersca@apple.com> Reviewed by Maciej Stachowiak. Crash when a plug-in requests a javascript: url that destroys the plug-in https://bugs.webkit.org/show_bug.cgi?id=54837 <rdar://problem/9005475> * WebProcess/Plugins/PluginProxy.cpp: (WebKit::PluginProxy::destroy): Null out m_pluginController. * WebProcess/Plugins/PluginView.cpp: (WebKit::PluginView::performJavaScriptURLRequest): Don't access the frame through m_pluginElement since it will be nulled out when the plug-in is destroyed. Canonical link: https://commits.webkit.org/69090@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@79157 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Feb 21, 2011 · 1469e49 · 1469e49
1 parent 4324301
commit 1469e49
Show file tree

Hide file tree

Showing 14 changed files with 142 additions and 2 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2011-02-20  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        Crash when a plug-in requests a javascript: url that destroys the plug-in
+        https://bugs.webkit.org/show_bug.cgi?id=54837
+        <rdar://problem/9005475>
+
+        Add test.
+
+        * plugins/get-url-with-javascript-destroying-plugin-expected.txt: Added.
+        * plugins/get-url-with-javascript-destroying-plugin.html: Added.
+
 2011-02-20  Dirk Schulze  <krit@webkit.org>
 
         Reviewed by Nikolas Zimmermann.

diff --git a/LayoutTests/plugins/get-url-with-javascript-destroying-plugin-expected.txt b/LayoutTests/plugins/get-url-with-javascript-destroying-plugin-expected.txt
@@ -0,0 +1,3 @@
+This tests that evaluating JS that calls NPN_GetURL to evaluate a javascript: URL that destroys the plug-in doesn't crash.
+
+SUCCESS
diff --git a/LayoutTests/plugins/get-url-with-javascript-destroying-plugin.html b/LayoutTests/plugins/get-url-with-javascript-destroying-plugin.html
@@ -0,0 +1,19 @@
+<script>
+function removePlugin() {
+    var plugin = document.getElementById('plugin');
+    plugin.parentNode.removeChild(plugin);
+
+    document.getElementById('console').innerText = 'SUCCESS';
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+</script>
+<body>
+<embed id="plugin" type="application/x-webkit-test-netscape" test="get-url-with-javascript-url-destroying-plugin" width=100 height=100></embed>
+<p id="description">This tests that evaluating JS that calls NPN_GetURL to evaluate a javascript: URL that destroys the plug-in doesn't crash.</p>
+<div id="console">FAILURE</div>
diff --git a/Source/WebKit2/ChangeLog b/Source/WebKit2/ChangeLog
@@ -1,3 +1,20 @@
+2011-02-20  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        Crash when a plug-in requests a javascript: url that destroys the plug-in
+        https://bugs.webkit.org/show_bug.cgi?id=54837
+        <rdar://problem/9005475>
+
+        * WebProcess/Plugins/PluginProxy.cpp:
+        (WebKit::PluginProxy::destroy):
+        Null out m_pluginController.
+
+        * WebProcess/Plugins/PluginView.cpp:
+        (WebKit::PluginView::performJavaScriptURLRequest):
+        Don't access the frame through m_pluginElement since it will be nulled out
+        when the plug-in is destroyed.
+
 2011-02-20  Anders Carlsson  <andersca@apple.com>
 
         Reviewed by Sam Weinig.

diff --git a/Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp b/Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp
@@ -117,6 +117,8 @@ void PluginProxy::destroy()
     m_connection->connection()->sendSync(Messages::WebProcessConnection::DestroyPlugin(m_pluginInstanceID), Messages::WebProcessConnection::DestroyPlugin::Reply(), 0);
 
     m_isStarted = false;
+    m_pluginController = 0;
+
     m_connection->removePluginProxy(this);
 }
 

diff --git a/Source/WebKit2/WebProcess/Plugins/PluginView.cpp b/Source/WebKit2/WebProcess/Plugins/PluginView.cpp
@@ -738,15 +738,15 @@ void PluginView::performJavaScriptURLRequest(URLRequest* request)
     bool oldAllowPopups = frame->script()->allowPopupsFromPlugin();
     frame->script()->setAllowPopupsFromPlugin(request->allowPopups());
 
-    ScriptValue result = m_pluginElement->document()->frame()->script()->executeScript(jsString);
+    ScriptValue result = frame->script()->executeScript(jsString);
 
     frame->script()->setAllowPopupsFromPlugin(oldAllowPopups);
 
     // Check if evaluating the JavaScript destroyed the plug-in.
     if (!plugin->controller())
         return;
 
-    ScriptState* scriptState = m_pluginElement->document()->frame()->script()->globalObject(pluginWorld())->globalExec();
+    ScriptState* scriptState = frame->script()->globalObject(pluginWorld())->globalExec();
     String resultString;
     result.getString(scriptState, resultString);
 

diff --git a/Tools/ChangeLog b/Tools/ChangeLog
@@ -1,3 +1,24 @@
+2011-02-20  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        Crash when a plug-in requests a javascript: url that destroys the plug-in
+        https://bugs.webkit.org/show_bug.cgi?id=54837
+        <rdar://problem/9005475>
+
+        Add new plug-in test.
+
+        * DumpRenderTree/DumpRenderTree.gypi:
+        * DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
+        * DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
+        (PluginTest::NPN_GetURL):
+        * DumpRenderTree/TestNetscapePlugIn/PluginTest.h:
+        * DumpRenderTree/TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp: Added.
+        (GetURLWithJavaScriptURLDestroyingPlugin::GetURLWithJavaScriptURLDestroyingPlugin):
+        (GetURLWithJavaScriptURLDestroyingPlugin::NPP_New):
+        * DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
+        * DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:
+
 2011-02-19  Patrick Gansterer  <paroga@webkit.org>
 
         Reviewed by Andreas Kling.

diff --git a/Tools/DumpRenderTree/DumpRenderTree.gypi b/Tools/DumpRenderTree/DumpRenderTree.gypi
@@ -54,6 +54,7 @@
             'TestNetscapePlugIn/TestObject.h',
             'TestNetscapePlugIn/Tests/DocumentOpenInDestroyStream.cpp',
             'TestNetscapePlugIn/Tests/EvaluateJSAfterRemovingPluginElement.cpp',
+            'TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp',
             'TestNetscapePlugIn/Tests/GetUserAgentWithNullNPPFromNPPNew.cpp',
             'TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp',
             'TestNetscapePlugIn/Tests/NPRuntimeRemoveProperty.cpp',

diff --git a/Tools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj b/Tools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj
@@ -36,6 +36,7 @@
 		1A215A8211F2609C008AD0F5 /* PluginTest.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A215A8011F2609C008AD0F5 /* PluginTest.h */; };
 		1A215BE711F27658008AD0F5 /* DocumentOpenInDestroyStream.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1A215A7511F26072008AD0F5 /* DocumentOpenInDestroyStream.cpp */; };
 		1A24BAA9120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */; };
+		1A3E28AA1311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1A3E28A91311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp */; };
 		1A8F02E80BB9B4EC008CFA34 /* TestObject.h in Headers */ = {isa = PBXBuildFile; fileRef = 1A8F024C0BB9B056008CFA34 /* TestObject.h */; };
 		1AC6C8490D07638600CD3161 /* main.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AC6C77F0D07589B00CD3161 /* main.cpp */; };
 		1AC6C84A0D07638600CD3161 /* PluginObject.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AC6C7800D07589B00CD3161 /* PluginObject.cpp */; };
@@ -205,6 +206,7 @@
 		1A215A7F11F2609C008AD0F5 /* PluginTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PluginTest.cpp; sourceTree = "<group>"; };
 		1A215A8011F2609C008AD0F5 /* PluginTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PluginTest.h; sourceTree = "<group>"; };
 		1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NPRuntimeObjectFromDestroyedPlugin.cpp; sourceTree = "<group>"; };
+		1A3E28A91311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GetURLWithJavaScriptURLDestroyingPlugin.cpp; sourceTree = "<group>"; };
 		1A8F024C0BB9B056008CFA34 /* TestObject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TestObject.h; sourceTree = "<group>"; };
 		1AC6C77F0D07589B00CD3161 /* main.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = main.cpp; sourceTree = "<group>"; };
 		1AC6C7800D07589B00CD3161 /* PluginObject.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PluginObject.cpp; sourceTree = "<group>"; };
@@ -467,6 +469,7 @@
 			children = (
 				1A215A7511F26072008AD0F5 /* DocumentOpenInDestroyStream.cpp */,
 				C0E720741281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp */,
+				1A3E28A91311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp */,
 				1AD4CB2012A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp */,
 				1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */,
 				1AC77DCE120605B6005C19EF /* NPRuntimeRemoveProperty.cpp */,
@@ -759,6 +762,7 @@
 				C0EC3C9C12787F0500939164 /* NullNPPGetValuePointer.cpp in Sources */,
 				C0E720751281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp in Sources */,
 				1AD4CB2212A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp in Sources */,
+				1A3E28AA1311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};

diff --git a/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp b/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp
@@ -84,6 +84,11 @@ void PluginTest::NPN_InvalidateRect(NPRect* invalidRect)
     browser->invalidaterect(m_npp, invalidRect);
 }
 
+NPError PluginTest::NPN_GetURL(const char* url, const char* target)
+{
+    return browser->geturl(m_npp, url, target);
+}
+
 NPIdentifier PluginTest::NPN_GetStringIdentifier(const NPUTF8 *name)
 {
     return browser->getstringidentifier(name);

diff --git a/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.h b/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.h
@@ -62,6 +62,8 @@ class PluginTest {
     virtual NPError NPP_SetWindow(NPP, NPWindow*);
 
     // NPN functions.
+    NPError NPN_GetURL(const char* url, const char* target);
+
     void NPN_InvalidateRect(NPRect* invalidRect);
     NPIdentifier NPN_GetStringIdentifier(const NPUTF8* name);
     NPIdentifier NPN_GetIntIdentifier(int32_t intid);

diff --git a/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp b/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2011 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "PluginTest.h"
+
+using namespace std;
+
+// From NPP_New, call NPN_GetURL to evaluate JavaScript that destroys the plug-in.
+
+class GetURLWithJavaScriptURLDestroyingPlugin : public PluginTest {
+public:
+    GetURLWithJavaScriptURLDestroyingPlugin(NPP npp, const string& identifier)
+        : PluginTest(npp, identifier)
+    {
+    }
+
+private:
+
+    virtual NPError NPP_New(NPMIMEType pluginType, uint16_t mode, int16_t argc, char *argn[], char *argv[], NPSavedData *saved)
+    {
+        NPN_GetURL("javascript:removePlugin()", 0);
+        return NPERR_NO_ERROR;
+    }        
+};
+
+static PluginTest::Register<GetURLWithJavaScriptURLDestroyingPlugin> getURLWithJavaScriptURLDestroyingPlugin("get-url-with-javascript-url-destroying-plugin");
diff --git a/Tools/DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj b/Tools/DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj
@@ -401,6 +401,10 @@
 				RelativePath="..\Tests\GetUserAgentWithNullNPPFromNPPNew.cpp"
 				>
 			</File>
+			<File
+				RelativePath="..\Tests\GetURLWithJavaScriptURLDestroyingPlugin.cpp"
+				>
+			</File>
 			<File
 				RelativePath="..\Tests\NPRuntimeObjectFromDestroyedPlugin.cpp"
 				>

diff --git a/Tools/DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro b/Tools/DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro
@@ -30,6 +30,7 @@ SOURCES = PluginObject.cpp \
           TestObject.cpp \
           Tests/DocumentOpenInDestroyStream.cpp \
           Tests/EvaluateJSAfterRemovingPluginElement.cpp \
+          Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp \
           Tests/GetUserAgentWithNullNPPFromNPPNew.cpp \
           Tests/NPRuntimeObjectFromDestroyedPlugin.cpp \
           Tests/NPRuntimeRemoveProperty.cpp \