Diff
Modified: branches/safari-534.54-branch/LayoutTests/ChangeLog (104995 => 104996)
--- branches/safari-534.54-branch/LayoutTests/ChangeLog 2012-01-13 22:58:00 UTC (rev 104995)
+++ branches/safari-534.54-branch/LayoutTests/ChangeLog 2012-01-13 23:13:20 UTC (rev 104996)
@@ -1,5 +1,20 @@
2011-1-13 Lucas Forschler <[email protected]>
+ Merge 104239
+
+ 2012-01-05 Anders Carlsson <[email protected]>
+
+ Crash when trying to invalidate the NPRuntimeObjectMap for a plug-in in a subframe
+ https://bugs.webkit.org/show_bug.cgi?id=75667
+ <rdar://problem/10389454>
+
+ Reviewed by Kevin Decker.
+
+ * plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt: Added.
+ * plugins/npruntime/object-from-destroyed-plugin-in-subframe.html: Added.
+
+2011-1-13 Lucas Forschler <[email protected]>
+
Merge 104086
2012-01-04 Filip Pizlo <[email protected]>
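Review bot: the new merge entry is dated "2011-1-13" although the commit timestamp in the file header is 2012-01-13; the date should be corrected to 2012-01-13 (zero-padded, matching the "2012-01-05" style of the merged entry) so the ChangeLog sorts correctly and tools that parse it by date do not misplace the entry. The same typo appears in the pre-existing "2011-1-13 ... Merge 104086" entry directly below, so fixing both in one pass is worthwhile.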
Copied: branches/safari-534.54-branch/LayoutTests/plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt (from rev 104239, trunk/LayoutTests/plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt) (0 => 104996)
--- branches/safari-534.54-branch/LayoutTests/plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt 2012-01-13 23:13:20 UTC (rev 104996)
@@ -0,0 +1,10 @@
+Test various operation on an NPObject whose plug-in (that lives in a subframe) has been destroyed
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+ PASS testObject.gettingProperty threw exception ReferenceError: Trying to access object from destroyed plug-in..
+PASS testObject.settingProperty = 10 threw exception ReferenceError: Trying to access object from destroyed plug-in..
+PASS testObject() threw exception TypeError: '' is not a function (evaluating 'testObject()').
+PASS new testObject(); threw exception TypeError: '' is not a constructor (evaluating 'new testObject()').
+
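Review bot: the first result line, " PASS testObject.gettingProperty threw exception ...", carries a leading space that the other three PASS lines do not have; since layout tests compare actual and expected output byte for byte, a stray space here would make the test fail, so confirm the committed expected file has no such space. Minor: the title "Test various operation on an NPObject" should read "operations", and because this string is also emitted by description() in the .html, both copies must be changed together or the test will mismatch.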
Copied: branches/safari-534.54-branch/LayoutTests/plugins/npruntime/object-from-destroyed-plugin-in-subframe.html (from rev 104239, trunk/LayoutTests/plugins/npruntime/object-from-destroyed-plugin-in-subframe.html) (0 => 104996)
--- branches/safari-534.54-branch/LayoutTests/plugins/npruntime/object-from-destroyed-plugin-in-subframe.html (rev 0)
+++ branches/safari-534.54-branch/LayoutTests/plugins/npruntime/object-from-destroyed-plugin-in-subframe.html 2012-01-13 23:13:20 UTC (rev 104996)
@@ -0,0 +1,35 @@
+
+<script src=""
+</head>
+<script>
+var subframe;
+var testObject;
+
+function runTest() {
+ subframe = document.getElementById('subframe');
+ subframe.contentWindow.document.documentElement.innerHTML = '<embed id="plugin" type="application/x-webkit-test-netscape" test="npruntime-object-from-destroyed-plugin"></embed>';
+
+ var plugin = subframe.contentWindow.document.getElementById('plugin');
+
+ // Get a reference to the plug-in test object.
+ testObject = plugin.testObject;
+
+ plugin.evaluate('window.top.subframe.parentNode.removeChild(window.top.subframe)')
+
+ // testObject is now a dangling object and every operation on it should throw.
+ shouldThrow('testObject.gettingProperty');
+ shouldThrow('testObject.settingProperty = 10');
+ shouldThrow('testObject()');
+ shouldThrow('new testObject();')
+}
+
+</script>
+<body _onLoad_="runTest()">
+<p id="description"></p>
+<iframe id="subframe"></iframe>
+<div id="console"></div>
+
+<script>
+description("Test various operation on an NPObject whose plug-in (that lives in a subframe) has been destroyed");
+
+</script>
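Review bot: the harness include on the second line of the file, `<script src=""`, is shown with an empty src and no closing `>`, yet the test calls description() and shouldThrow(), which only exist if the shared test harness script is loaded; verify the committed file references the harness script correctly, otherwise runTest() throws before exercising the dangling NPObject at all. Also worth noting for maintainers: `plugin.evaluate(...)` depends on the evaluate method added to the test plug-in in the companion Tools change (see the Tools/ChangeLog hunk below), so this test cannot be merged independently of that change. The four shouldThrow cases cover get, set, call and construct on the dangling object; since the crash being fixed is triggered by the subframe removal itself, a fifth assertion that the page is still alive after removal (e.g. that `document.getElementById('subframe')` is now null) would make the "no crash" part of the test explicit rather than implicit.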
Modified: branches/safari-534.54-branch/Source/WebKit2/ChangeLog (104995 => 104996)
--- branches/safari-534.54-branch/Source/WebKit2/ChangeLog 2012-01-13 22:58:00 UTC (rev 104995)
+++ branches/safari-534.54-branch/Source/WebKit2/ChangeLog 2012-01-13 23:13:20 UTC (rev 104996)
@@ -1,3 +1,33 @@
+2011-1-13 Lucas Forschler <[email protected]>
+
+ Merge 104239
+
+ 2012-01-05 Anders Carlsson <[email protected]>
+
+ Crash when trying to invalidate the NPRuntimeObjectMap for a plug-in in a subframe
+ https://bugs.webkit.org/show_bug.cgi?id=75667
+ <rdar://problem/10389454>
+
+ Reviewed by Kevin Decker.
+
+ NPRuntimeObjectMap::invalidate is called whenever a plug-in view is destroyed. If invalidate is called for an object map
+ whose plug-in has a null frame, we'd crash.
+
+ The plug-in will have a null frame if the plug-in view is destroyed because its containing frame has been removed from the document,
+ and if the plug-in view is being destroyed asynchronously due to the plug-in itself calling _javascript_ that will remove the frame
+ (see PluginView::unprotectPluginFromDestruction).
+
+ The reason NPRuntimeObjectMap::invalidate will crash when the frame is null is because we were trying to access the frame's global
+ object, causing a null dereference. The reason we were trying to get at the frame's global object was to create a Strong handle to
+ a JSNPObject so we could stick the object in a vector so we could later iterate over the vector elements and call invalidate() on
+ each JSNPObject which will end up releasing the underlying NPObject.
+
+ However, it turns out that we don't need to stick the JSNPObject in a vector; we can just get the underlying NPObject directly and
+ stick that in a vector and then iterate over the NPObjects, releasing them.
+
+ * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
+ (WebKit::NPRuntimeObjectMap::invalidate):
+
2011-1-12 Lucas Forschler <[email protected]>
Merge 102024
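Review bot: same date typo as in the other ChangeLogs: the merge entry says "2011-1-13" for a commit made on 2012-01-13 (and the entry below it says "2011-1-12"). The body of the merged entry is a good record of the root cause (null frame during asynchronous plug-in destruction, null dereference when fetching the frame's global object); it would be slightly more useful to future readers if it also stated the ownership transfer the fix relies on, namely that leakNPObject() on each JSNPObject hands the NPObject reference to the vector and releaseNPObject() then drops it, so nothing in the loop needs a live frame or global object.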
Modified: branches/safari-534.54-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp (104995 => 104996)
--- branches/safari-534.54-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp 2012-01-13 22:58:00 UTC (rev 104995)
+++ branches/safari-534.54-branch/Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp 2012-01-13 23:13:20 UTC (rev 104996)
@@ -209,13 +209,15 @@
// We shouldn't have any NPJSObjects left now.
ASSERT(m_npJSObjects.isEmpty());
- HashMap<NPObject*, JSC::Weak<JSNPObject> >::iterator end = m_jsNPObjects.end();
- Vector<Strong<JSNPObject> > objects;
- for (HashMap<NPObject*, JSC::Weak<JSNPObject> >::iterator ptr = m_jsNPObjects.begin(); ptr != end; ++ptr)
- objects.append(Strong<JSNPObject>(globalObject()->globalData(), ptr->second));
+ Vector<NPObject*> objects;
+
+ for (HashMap<NPObject*, JSC::Weak<JSNPObject> >::iterator ptr = m_jsNPObjects.begin(), end = m_jsNPObjects.end(); ptr != end; ++ptr)
+ objects.append(ptr->second->leakNPObject());
+
m_jsNPObjects.clear();
+
for (size_t i = 0; i < objects.size(); ++i)
- objects[i]->invalidate();
+ releaseNPObject(objects[i]);
// Deal with any objects that were scheduled for delayed destruction
if (m_npObjectsToFinalize.isEmpty())
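Review bot: `objects.append(ptr->second->leakNPObject())` dereferences the `JSC::Weak<JSNPObject>` held in the map without checking that the weak handle is still live; if a JSNPObject can be collected before the owner callback removes its entry from m_jsNPObjects, this is a null dereference of exactly the kind the patch is fixing. If the map's weak-handle owner guarantees entries are removed on finalization, add an `ASSERT(ptr->second)` here to document that invariant; otherwise skip null entries. The ordering is right for the security-relevant case: m_jsNPObjects.clear() runs before any releaseNPObject(), so if a plug-in's deallocate callback re-enters the map during release it cannot find stale entries pointing at JSNPObjects that have already given up their NPObject. Removing the `globalObject()->globalData()` access in favor of raw `Vector<NPObject*>` is what eliminates the crash when the plug-in's frame is null, and it also removes the need for a Strong handle purely to keep a wrapper alive across the loop.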
Modified: branches/safari-534.54-branch/Tools/ChangeLog (104995 => 104996)
--- branches/safari-534.54-branch/Tools/ChangeLog 2012-01-13 22:58:00 UTC (rev 104995)
+++ branches/safari-534.54-branch/Tools/ChangeLog 2012-01-13 23:13:20 UTC (rev 104996)
@@ -1,3 +1,25 @@
+2011-1-13 Lucas Forschler <[email protected]>
+
+ Merge 104239
+
+ 2012-01-05 Anders Carlsson <[email protected]>
+
+ Crash when trying to invalidate the NPRuntimeObjectMap for a plug-in in a subframe
+ https://bugs.webkit.org/show_bug.cgi?id=75667
+ <rdar://problem/10389454>
+
+ Reviewed by Kevin Decker.
+
+ Add an evaluate method to the plug-in test scriptable object that can be used to evaluate a given JS string.
+
+ * DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
+ (PluginTest::executeScript):
+ * DumpRenderTree/TestNetscapePlugIn/PluginTest.h:
+ * DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp:
+ (NPRuntimeObjectFromDestroyedPlugin::ScriptableObject::hasMethod):
+ (NPRuntimeObjectFromDestroyedPlugin::ScriptableObject::invoke):
+ (NPRuntimeObjectFromDestroyedPlugin::ScriptableObject::hasProperty):
+
2011-1-4 Lucas Forschler <[email protected]>
Merge 95440
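Review bot: this ChangeLog entry lists changes to DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp, PluginTest.h and Tests/NPRuntimeObjectFromDestroyedPlugin.cpp (the new executeScript/evaluate method the layout test depends on), but no diff for any of those files appears in this merge; confirm that the Tools source changes from r104239 were actually committed with r104996, since without them the new layout test's `plugin.evaluate(...)` call will fail and the regression test for the crash is ineffective. As in the other ChangeLogs, the entry date "2011-1-13" should be 2012-01-13.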