Title: [88867] branches/safari-534-branch/Source/WebKit2
Diff
Modified: branches/safari-534-branch/Source/WebKit2/ChangeLog (88866 => 88867)
--- branches/safari-534-branch/Source/WebKit2/ChangeLog 2011-06-14 23:05:40 UTC (rev 88866)
+++ branches/safari-534-branch/Source/WebKit2/ChangeLog 2011-06-14 23:06:52 UTC (rev 88867)
@@ -1,5 +1,22 @@
2011-06-14 Lucas Forschler <[email protected]>
+ Merged 88647.
+
+ 2011-06-13 Anders Carlsson <[email protected]>
+
+ Reviewed by Dan Bernstein.
+
+ Don't access freed memory in the UI process when a plug-in process crashes
+ https://bugs.webkit.org/show_bug.cgi?id=62548
+
+ Call pluginProcessCrashedOrFailedToLaunch after sending messages to all processes about the plug-in crash,
+ otherwise we'll try to dereference m_pluginInfo.path after the PluginProcessProxy object has been deleted.
+
+ * UIProcess/Plugins/PluginProcessProxy.cpp:
+ (WebKit::PluginProcessProxy::didClose):
+
+2011-06-14 Lucas Forschler <[email protected]>
+
Merged 88599.
2011-06-09 Jer Noble <[email protected]>
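Review bot: The merged entry for bug 62548 explains the ordering problem in didClose but does not say how the fix was verified; it names no test and no way to exercise the plug-in crash path. A line stating whether a test covers this, or why one is not practical, would help anyone auditing the branch merge.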
Modified: branches/safari-534-branch/Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp (88866 => 88867)
--- branches/safari-534-branch/Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp 2011-06-14 23:05:40 UTC (rev 88866)
+++ branches/safari-534-branch/Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp 2011-06-14 23:06:52 UTC (rev 88867)
@@ -167,11 +167,12 @@
exitFullscreen();
#endif
- pluginProcessCrashedOrFailedToLaunch();
-
const Vector<WebContext*>& contexts = WebContext::allContexts();
for (size_t i = 0; i < contexts.size(); ++i)
contexts[i]->sendToAllProcesses(Messages::WebProcess::PluginProcessCrashed(m_pluginInfo.path));
+
+ // This will cause us to be deleted.
+ pluginProcessCrashedOrFailedToLaunch();
}
void PluginProcessProxy::didReceiveInvalidMessage(CoreIPC::Connection*, CoreIPC::MessageID)
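Review bot: The moved pluginProcessCrashedOrFailedToLaunch() call at the end of didClose() is safe only while it stays the last statement, and the comment "This will cause us to be deleted." states the effect without stating that constraint. Wording it as a rule, for example "This will cause us to be deleted; do not touch members after this call", would keep a later edit from reintroducing the use of m_pluginInfo.path on a freed object. A sturdier option is to copy m_pluginInfo.path into a local before the loop and pass the local to PluginProcessCrashed(), so the sends no longer depend on where the deleting call sits.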
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes