Title: [118060] trunk/Source/WebKit2
Revision
118060
Author
[email protected]
Date
2012-05-22 14:56:36 -0700 (Tue, 22 May 2012)

Log Message

Crash when a plug-in view outlives its containing WebPage
https://bugs.webkit.org/show_bug.cgi?id=87163
<rdar://problem/10849258>

Reviewed by Dan Bernstein.

In rare cases, when a plug-in is kept alive for some reason it can outlive its WebPage. When that happens,
the PluginView destructor will try to access the (deleted) web page and we'll crash.

Fix this by making the WebPage destructor iterate over all the registered plug-ins and null out the m_webPage pointer.
Don't try to access the WebPage object if it's null.

Also, remove PLATFORM(MAC) ifdefs around the HashSet of known plug-in views as well as the member functions that access the set;
we want this to be cross platform now.

* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::PluginView):
(WebKit::PluginView::~PluginView):
(WebKit::PluginView::webPageDestroyed):
(WebKit):
* WebProcess/Plugins/PluginView.h:
(PluginView):
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::~WebPage):
(WebKit::WebPage::scalePage):
(WebKit):
* WebProcess/WebPage/WebPage.h:
(WebPage):


Modified: trunk/Source/WebKit2/ChangeLog (118059 => 118060)


--- trunk/Source/WebKit2/ChangeLog	2012-05-22 21:55:58 UTC (rev 118059)
+++ trunk/Source/WebKit2/ChangeLog	2012-05-22 21:56:36 UTC (rev 118060)
@@ -1 +1,32 @@
+2012-05-22  Anders Carlsson  <[email protected]>
+
+        Crash when a plug-in view outlives its containing WebPage
+        https://bugs.webkit.org/show_bug.cgi?id=87163
+        <rdar://problem/10849258>
+
+        Reviewed by Dan Bernstein.
+
+        In rare cases, when a plug-in is kept alive for some reason it can outlive its WebPage. When that happens,
+        the PluginView destructor will try to access the (deleted) web page and we'll crash.
+
+        Fix this by making the WebPage destructor iterate over all the registered plug-ins and null out the m_webPage pointer.
+        Don't try to access the WebPage object if it's null.
+
+        Also, remove PLATFORM(MAC) ifdefs around the HashSet of known plug-in views as well as the member functions that access the set;
+        we want this to be cross platform now.
+
+        * WebProcess/Plugins/PluginView.cpp:
+        (WebKit::PluginView::PluginView):
+        (WebKit::PluginView::~PluginView):
+        (WebKit::PluginView::webPageDestroyed):
+        (WebKit):
+        * WebProcess/Plugins/PluginView.h:
+        (PluginView):
+        * WebProcess/WebPage/WebPage.cpp:
+        (WebKit::WebPage::~WebPage):
+        (WebKit::WebPage::scalePage):
+        (WebKit):
+        * WebProcess/WebPage/WebPage.h:
+        (WebPage):
+
 == Rolled over to ChangeLog-2012-05-22 ==

Modified: trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp (118059 => 118060)


--- trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp	2012-05-22 21:55:58 UTC (rev 118059)
+++ trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp	2012-05-22 21:56:36 UTC (rev 118060)
@@ -268,16 +268,13 @@
 #endif
     , m_manualStreamState(StreamStateInitial)
 {
-#if PLATFORM(MAC)
     m_webPage->addPluginView(this);
-#endif
 }
 
 PluginView::~PluginView()
 {
-#if PLATFORM(MAC)
-    m_webPage->removePluginView(this);
-#endif
+    if (m_webPage)
+        m_webPage->removePluginView(this);
 
     ASSERT(!m_isBeingDestroyed);
 
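Review bot: The null check before `m_webPage->removePluginView(this)` protects only this one dereference; once webPageDestroyed() has cleared the pointer, every other member reached from ~PluginView (and any PluginView method a still-alive plug-in can call afterwards) needs the same guard, or the original dangling-pointer access simply moves elsewhere. The next hunk (@@ -293,7 +290,8 @@) adds that guard for pluginFocusOrWindowFocusChanged(), but the destructor body continues outside this hunk and I cannot see whether it touches m_webPage again. A comment at the top of the destructor would make the contract explicit, e.g. `// m_webPage is null when the WebPage was destroyed first (see webPageDestroyed()); nothing below may dereference it unguarded.`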
@@ -293,7 +290,8 @@
         m_plugin->destroyPlugin();
         m_isBeingDestroyed = false;
 #if PLATFORM(MAC)
-        pluginFocusOrWindowFocusChanged(false);
+        if (m_webPage)
+            pluginFocusOrWindowFocusChanged(false);
 #endif
     }
 
@@ -400,6 +398,11 @@
     viewGeometryDidChange();
 }
 
+void PluginView::webPageDestroyed()
+{
+    m_webPage = 0;
+}
+
 #if PLATFORM(MAC)    
 void PluginView::setWindowIsVisible(bool windowIsVisible)
 {

Modified: trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h (118059 => 118060)


--- trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h	2012-05-22 21:55:58 UTC (rev 118059)
+++ trunk/Source/WebKit2/WebProcess/Plugins/PluginView.h	2012-05-22 21:56:36 UTC (rev 118060)
@@ -73,6 +73,7 @@
     WebCore::RenderBoxModelObject* renderer() const;
 
     void pageScaleFactorDidChange();
+    void webPageDestroyed();
 
 private:
     PluginView(PassRefPtr<WebCore::HTMLPlugInElement>, PassRefPtr<Plugin>, const Plugin::Parameters& parameters);
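Review bot: `webPageDestroyed()` joins the public interface without a comment, and nothing in the header tells a reader that after it runs the view's m_webPage is null and page-dependent members may do nothing. A one-line comment above the declaration would capture that contract, e.g. `// Called by WebPage's destructor when the page is destroyed before this view; clears m_webPage, so page access is not available afterwards.`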

Modified: trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp (118059 => 118060)


--- trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp	2012-05-22 21:55:58 UTC (rev 118059)
+++ trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp	2012-05-22 21:56:36 UTC (rev 118060)
@@ -326,9 +326,8 @@
 
     m_sandboxExtensionTracker.invalidate();
 
-#if PLATFORM(MAC)
-    ASSERT(m_pluginViews.isEmpty());
-#endif
+    for (HashSet<PluginView*>::const_iterator it = m_pluginViews.begin(), end = m_pluginViews.end(); it != end; ++it)
+        (*it)->webPageDestroyed();
 
 #ifndef NDEBUG
     webPageCounter.decrement();
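Review bot: The loop that clears each view's back-pointer runs after `m_sandboxExtensionTracker.invalidate()`, and ~WebPage starts outside this hunk, so I cannot see what else precedes it; if any earlier teardown step (in particular whatever destroys the WebCore page held in m_page, wherever that happens relative to this loop) can call back into a PluginView, that view still holds a live `m_webPage` pointing at a partially destroyed object, which is the same class of dangling-pointer bug this commit fixes. Making the loop the first statement of the destructor would close that window. The replaced `ASSERT(m_pluginViews.isEmpty())` also recorded an expectation that is now deliberately relaxed, so the loop should say why, e.g. `// Plug-in views can outlive the page (bug 87163); clear their back-pointers before they dangle.`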
@@ -1014,10 +1013,8 @@
 {
     m_page->setPageScaleFactor(scale, origin);
 
-#if PLATFORM(MAC)
     for (HashSet<PluginView*>::const_iterator it = m_pluginViews.begin(), end = m_pluginViews.end(); it != end; ++it)
         (*it)->pageScaleFactorDidChange();
-#endif
 
     send(Messages::WebPageProxy::PageScaleFactorDidChange(scale));
 }
@@ -2497,8 +2494,6 @@
     }
 }
 
-#if PLATFORM(MAC)
-
 void WebPage::addPluginView(PluginView* pluginView)
 {
     ASSERT(!m_pluginViews.contains(pluginView));
@@ -2513,6 +2508,7 @@
     m_pluginViews.remove(pluginView);
 }
 
+#if PLATFORM(MAC)
 void WebPage::setWindowIsVisible(bool windowIsVisible)
 {
     m_windowIsVisible = windowIsVisible;

Modified: trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h (118059 => 118060)


--- trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h	2012-05-22 21:55:58 UTC (rev 118059)
+++ trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h	2012-05-22 21:56:36 UTC (rev 118060)
@@ -306,10 +306,10 @@
     void exitAcceleratedCompositingMode();
 #endif
 
-#if PLATFORM(MAC)
     void addPluginView(PluginView*);
     void removePluginView(PluginView*);
 
+#if PLATFORM(MAC)
     LayerHostingMode layerHostingMode() const { return m_layerHostingMode; }
     void setLayerHostingMode(LayerHostingMode);
 
@@ -707,6 +707,9 @@
 
     WebCore::IntSize m_viewSize;
     OwnPtr<DrawingArea> m_drawingArea;
+
+    HashSet<PluginView*> m_pluginViews;
+
     bool m_useFixedLayout;
 
     bool m_drawsBackground;
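Review bot: The `// All plug-in views on this web page.` comment that sat above `m_pluginViews` at its old location (the @@ -733,9 +736,6 @@ hunk below, which only deletes) did not move with the member, so the relocated declaration now has no comment. Restore it above the member, and since the set's lifetime contract changed in this commit, extend it, e.g. `// All plug-in views on this web page. Their m_webPage back-pointers are cleared in ~WebPage.`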
@@ -733,9 +736,6 @@
     // The accessibility position of the view.
     WebCore::IntPoint m_accessibilityPosition;
     
-    // All plug-in views on this web page.
-    HashSet<PluginView*> m_pluginViews;
-
     // The layer hosting mode.
     LayerHostingMode m_layerHostingMode;
 