Title: [88647] trunk/Source/WebKit2
Revision: 88647
Author: ander...@apple.com
Date: 2011-06-13 10:24:10 -0700 (Mon, 13 Jun 2011)

Log Message

2011-06-13  Anders Carlsson  <ander...@apple.com>

        Reviewed by Dan Bernstein.

        Don't access freed memory in the UI process when a plug-in process crashes
        https://bugs.webkit.org/show_bug.cgi?id=62548

        Call pluginProcessCrashedOrFailedToLaunch after sending messages to all processes about the plug-in crash,
        otherwise we'll try to dereference m_pluginInfo.path after the PluginProcessProxy object has been deleted.

        * UIProcess/Plugins/PluginProcessProxy.cpp:
        (WebKit::PluginProcessProxy::didClose):

Diff

Modified: trunk/Source/WebKit2/ChangeLog (88646 => 88647)


--- trunk/Source/WebKit2/ChangeLog	2011-06-13 17:14:36 UTC (rev 88646)
+++ trunk/Source/WebKit2/ChangeLog	2011-06-13 17:24:10 UTC (rev 88647)
@@ -1,3 +1,16 @@
+2011-06-13  Anders Carlsson  <ander...@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Don't access freed memory in the UI process when a plug-in process crashes
+        https://bugs.webkit.org/show_bug.cgi?id=62548
+
+        Call pluginProcessCrashedOrFailedToLaunch after sending messages to all processes about the plug-in crash,
+        otherwise we'll try to dereference m_pluginInfo.path after the PluginProcessProxy object has been deleted.
+
+        * UIProcess/Plugins/PluginProcessProxy.cpp:
+        (WebKit::PluginProcessProxy::didClose):
+
 2011-06-13  Carlos Garcia Campos  <cgar...@igalia.com>
 
         Reviewed by Martin Robinson.
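
Review bot: The new ChangeLog entry lists only UIProcess/Plugins/PluginProcessProxy.cpp and says nothing about a regression test or how the fix was verified. Since the bug is an access to freed memory in the UI process on the plug-in crash path, add a line stating whether a test covers that path, or why one is not feasible, so the ordering fix is not silently undone later.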

Modified: trunk/Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp (88646 => 88647)


--- trunk/Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp	2011-06-13 17:14:36 UTC (rev 88646)
+++ trunk/Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp	2011-06-13 17:24:10 UTC (rev 88647)
@@ -167,11 +167,12 @@
         exitFullscreen();
 #endif
 
-    pluginProcessCrashedOrFailedToLaunch();
-
     const Vector<WebContext*>& contexts = WebContext::allContexts();
     for (size_t i = 0; i < contexts.size(); ++i)
         contexts[i]->sendToAllProcesses(Messages::WebProcess::PluginProcessCrashed(m_pluginInfo.path));
+
+    // This will cause us to be deleted.
+    pluginProcessCrashedOrFailedToLaunch();
 }
 
 void PluginProcessProxy::didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID)
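
Review bot: The fix at the end of didClose() holds only while pluginProcessCrashedOrFailedToLaunch() stays the last statement, and the added comment "// This will cause us to be deleted." does not say that no member may be touched after the call. Word it as a rule, for example "Must be last: this object is deleted by this call, do not access members afterwards", so a later change that adds code below it does not bring back the dereference of m_pluginInfo.path on a deleted object. As an extra safeguard, m_pluginInfo.path could be copied into a local before the sendToAllProcesses loop so the broadcast does not depend on the object's lifetime if the statements are reordered again.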