2011-02-10 Anders Carlsson <andersca@apple.com>
        Reviewed by Dan Bernstein.

        Repro crash with Sony Google TV ad at Gizmodo
        https://bugs.webkit.org/show_bug.cgi?id=54150
        <rdar://problem/8782346>

        Re-landing this fix, but without the test case, since it causes hangs on the bots.
        https://bugs.webkit.org/show_bug.cgi?id=54171 tracks adding back the test.

        Since PluginView::evaluate can cause the plug-in element to go away, we need to protect it.

        * WebProcess/Plugins/PluginView.cpp:
        (WebKit::PluginView::~PluginView):
        Null out m_pluginElement here so we'll catch crashes earlier.

        (WebKit::PluginView::evaluate):
        Add a plug-in protector.


Canonical link: https://commits.webkit.org/68310@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@78299 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Anders Carlsson committed Feb 11, 2011
1 parent 5fef5bd commit bf0e4d6518b1341f24b40434284cc5585bba46a4
Showing with 28 additions and 1 deletion.
  1. +20 −0 Source/WebKit2/ChangeLog
  2. +8 −1 Source/WebKit2/WebProcess/Plugins/PluginView.cpp
@@ -1,3 +1,23 @@
2011-02-10 Anders Carlsson <andersca@apple.com>

Reviewed by Dan Bernstein.

Repro crash with Sony Google TV ad at Gizmodo
https://bugs.webkit.org/show_bug.cgi?id=54150
<rdar://problem/8782346>

Re-landing this fix, bug without the test case, since it causes hangs on the bots.
https://bugs.webkit.org/show_bug.cgi?id=54171 tracks adding back the test.

Since PluginView::evaluate can cause the plug-in element to go away, we need to protect it.

* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::~PluginView):
Null out m_pluginElement here so we'll catch crashes earlier.

(WebKit::PluginView::evaluate):
Add a plug-in protector.

2011-02-10 Alice Liu <alice.liu@apple.com>

Reviewed by Enrica Casucci and Adele Peterson.
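Review bot: typo in the new ChangeLog entry: "Re-landing this fix, bug without the test case" should read "but without the test case". Since the entry records that the test was dropped and that bug 54171 tracks restoring it, it would also help to name the removed test file here so the follow-up can find it without digging through the original landing.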
@@ -284,8 +284,11 @@ PluginView::~PluginView()
// Invalidate the object map.
m_npRuntimeObjectMap.invalidate();

// Cancel all streams.
cancelAllStreams();

// Null out the plug-in element explicitly so we'll crash earlier if we try to use
// the plug-in view after it's been destroyed.
m_pluginElement = nullptr;
}

Frame* PluginView::frame()
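Review bot: the `m_pluginElement = nullptr;` added to the destructor does not prevent a use of the PluginView after destruction; it only turns such a use into a null dereference instead of a stale-pointer read, and only as long as the freed storage has not been reused, so it is a best-effort early-crash aid rather than a fix. The comment states this intent clearly, which is good; to make the failure point at the caller rather than at the first dereference, consider pairing it with an `ASSERT(m_pluginElement)` in accessors such as `frame()` directly below, and rely on a use-after-free detector (for example an ASan build) for the reliable check.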
@@ -903,6 +906,10 @@ bool PluginView::evaluate(NPObject* npObject, const String& scriptString, NPVari
bool oldAllowPopups = frame()->script()->allowPopupsFromPlugin();
frame()->script()->setAllowPopupsFromPlugin(allowPopups);

// Calling evaluate will run JavaScript that can potentially remove the plug-in element, so we need to
// protect the plug-in view from destruction.
NPRuntimeObjectMap::PluginProtector pluginProtector(&m_npRuntimeObjectMap);

bool returnValue = m_npRuntimeObjectMap.evaluate(npObject, scriptString, result);

frame()->script()->setAllowPopupsFromPlugin(oldAllowPopups);
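Review bot: the protector keeps the PluginView alive across `m_npRuntimeObjectMap.evaluate(...)`, but the restore on the last line, `frame()->script()->setAllowPopupsFromPlugin(oldAllowPopups);`, re-queries `frame()` after the script has run; if the evaluated JavaScript detached or moved the plug-in element, `frame()` may no longer return the same Frame (or may return null), so the restore could miss the ScriptController whose flag was changed, leaving popups allowed, or dereference null. Consider capturing the `Frame*` (or `ScriptController*`) obtained before `evaluate` in a local and using that for the restore, and null-checking it on the way out.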
