Crash when createPluginInternal ends up destroying the plug-in

https://bugs.webkit.org/show_bug.cgi?id=118397 <rdar://problem/14155051> Reviewed by Simon Fraser. Keep the WebProcessConnection object alive while calling createPluginInternal and handle the IPC connection going away. * PluginProcess/WebProcessConnection.cpp: (WebKit::WebProcessConnection::createPluginAsynchronously): Canonical link: https://commits.webkit.org/136397@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@152403 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jul 4, 2013 · 5941988ba7d1e51812632dc5feb0091e787305cc · 5941988
1 parent a18e6dc
commit 5941988ba7d1e51812632dc5feb0091e787305cc
Showing with 24 additions and 0 deletions.

+14 −0 Source/WebKit2/ChangeLog

+10 −0 Source/WebKit2/PluginProcess/WebProcessConnection.cpp
diff --git a/Source/WebKit2/ChangeLog b/Source/WebKit2/ChangeLog
@@ -1,3 +1,17 @@
+2013-07-04  Anders Carlsson  <andersca@apple.com>
+
+        Crash when createPluginInternal ends up destroying the plug-in
+        https://bugs.webkit.org/show_bug.cgi?id=118397
+        <rdar://problem/14155051>
+
+        Reviewed by Simon Fraser.
+
+        Keep the WebProcessConnection object alive while calling createPluginInternal and handle
+        the IPC connection going away.
+
+        * PluginProcess/WebProcessConnection.cpp:
+        (WebKit::WebProcessConnection::createPluginAsynchronously):
+
 2013-07-03  Gordon Sheridan  <gordon_sheridan@apple.com>
 
         Implement mechanism to detect (partially) hidden blocked plugins.

diff --git a/Source/WebKit2/PluginProcess/WebProcessConnection.cpp b/Source/WebKit2/PluginProcess/WebProcessConnection.cpp
@@ -289,7 +289,17 @@ void WebProcessConnection::createPluginAsynchronously(const PluginCreationParame
     // Normally the plug-in process doesn't give its synchronous messages the special flag to allow for that.
     // We can force it to do so by incrementing the "DispatchMessageMarkedDispatchWhenWaitingForSyncReply" count.
     m_connection->incrementDispatchMessageMarkedDispatchWhenWaitingForSyncReplyCount();
+
+    // The call to createPluginInternal can potentially cause the plug-in to be destroyed and
+    // thus free the WebProcessConnection object. Protect it.
+    RefPtr<WebProcessConnection> protect(this);
     createPluginInternal(creationParameters, result, wantsWheelEvents, remoteLayerClientID);
+
+    if (!m_connection) {
+        // createPluginInternal caused the connection to go away.
+        return;
+    }
+
     m_connection->decrementDispatchMessageMarkedDispatchWhenWaitingForSyncReplyCount();
 
     // If someone asked for this plug-in synchronously while it was in the middle of being created then we need perform the