Modified: branches/safari-536-branch/Source/WebKit2/ChangeLog (118425 => 118426)
--- branches/safari-536-branch/Source/WebKit2/ChangeLog 2012-05-24 22:16:47 UTC (rev 118425)
+++ branches/safari-536-branch/Source/WebKit2/ChangeLog 2012-05-24 22:18:20 UTC (rev 118426)
@@ -1,5 +1,40 @@
2012-05-24 Lucas Forschler <[email protected]>
+ Merge 118060
+
+ 2012-05-22 Anders Carlsson <[email protected]>
+
+ Crash when a plug-in view outlives its containing WebPage
+ https://bugs.webkit.org/show_bug.cgi?id=87163
+ <rdar://problem/10849258>
+
+ Reviewed by Dan Bernstein.
+
+ In rare cases, when a plug-in is kept alive for some reason it can outlive its WebPage. When that happens,
+ the PluginView destructor will try to access the (deleted) web page and we'll crash.
+
+ Fix this by making the WebPage destructor iterate over all the registered plug-ins and null out the m_webPage pointer.
+ Don't try to access the WebPage object if it's null.
+
+ Also, remove PLATFORM(MAC) ifdefs around the HashSet of known plug-in views as well as the member functions that access the set;
+ we want this to be cross platform now.
+
+ * WebProcess/Plugins/PluginView.cpp:
+ (WebKit::PluginView::PluginView):
+ (WebKit::PluginView::~PluginView):
+ (WebKit::PluginView::webPageDestroyed):
+ (WebKit):
+ * WebProcess/Plugins/PluginView.h:
+ (PluginView):
+ * WebProcess/WebPage/WebPage.cpp:
+ (WebKit::WebPage::~WebPage):
+ (WebKit::WebPage::scalePage):
+ (WebKit):
+ * WebProcess/WebPage/WebPage.h:
+ (WebPage):
+
+2012-05-24 Lucas Forschler <[email protected]>
+
Merge 117869
2012-05-21 Anders Carlsson <[email protected]>
Modified: branches/safari-536-branch/Source/WebKit2/WebProcess/Plugins/PluginView.cpp (118425 => 118426)
--- branches/safari-536-branch/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2012-05-24 22:16:47 UTC (rev 118425)
+++ branches/safari-536-branch/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2012-05-24 22:18:20 UTC (rev 118426)
@@ -265,16 +265,13 @@
, m_npRuntimeObjectMap(this)
, m_manualStreamState(StreamStateInitial)
{
-#if PLATFORM(MAC)
m_webPage->addPluginView(this);
-#endif
}
PluginView::~PluginView()
{
-#if PLATFORM(MAC)
- m_webPage->removePluginView(this);
-#endif
+ if (m_webPage)
+ m_webPage->removePluginView(this);
ASSERT(!m_isBeingDestroyed);
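Review bot: The new `if (m_webPage)` check at the top of ~PluginView guards only this one dereference; once WebPage::~WebPage has nulled m_webPage, every other PluginView member that still dereferences it (none are visible in this hunk, so this is inferred from the fix's own description) turns into a null-pointer dereference if the plug-in that kept the view alive calls back into it. Those call sites deserve an audit, and the new contract should be stated where the check lives, e.g. `// m_webPage is null once the owning WebPage has been destroyed; never dereference it unchecked.` The constructor's `m_webPage->addPluginView(this);` is unchanged and still assumes a non-null page at construction time, which is fine but worth noting next to the destructor's guard. The destructor body continues past the end of this hunk.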
@@ -290,7 +287,8 @@
m_plugin->destroyPlugin();
m_isBeingDestroyed = false;
#if PLATFORM(MAC)
- pluginFocusOrWindowFocusChanged(false);
+ if (m_webPage)
+ pluginFocusOrWindowFocusChanged(false);
#endif
}
@@ -395,6 +393,11 @@
viewGeometryDidChange();
}
+void PluginView::webPageDestroyed()
+{
+ m_webPage = 0;
+}
+
#if PLATFORM(MAC)
void PluginView::setWindowIsVisible(bool windowIsVisible)
{
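Review bot: webPageDestroyed() is the one place the lifetime contract is established and it carries no comment, so the next maintainer has to find WebPage::~WebPage to learn who calls it and why. A two-line header would do: `// Called by WebPage::~WebPage for a view that outlives its page.` and `// From here on m_webPage is null and must not be dereferenced.` An `ASSERT(m_webPage);` before the assignment would also catch a view being notified twice or a page that was never registered, which the silent `m_webPage = 0;` currently hides. The setWindowIsVisible definition that follows starts inside this hunk but its body is outside it.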
Modified: branches/safari-536-branch/Source/WebKit2/WebProcess/Plugins/PluginView.h (118425 => 118426)
--- branches/safari-536-branch/Source/WebKit2/WebProcess/Plugins/PluginView.h 2012-05-24 22:16:47 UTC (rev 118425)
+++ branches/safari-536-branch/Source/WebKit2/WebProcess/Plugins/PluginView.h 2012-05-24 22:18:20 UTC (rev 118426)
@@ -73,6 +73,7 @@
WebCore::RenderBoxModelObject* renderer() const;
void pageScaleFactorDidChange();
+ void webPageDestroyed();
private:
PluginView(PassRefPtr<WebCore::HTMLPlugInElement>, PassRefPtr<Plugin>, const Plugin::Parameters& parameters);
Modified: branches/safari-536-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp (118425 => 118426)
--- branches/safari-536-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp 2012-05-24 22:16:47 UTC (rev 118425)
+++ branches/safari-536-branch/Source/WebKit2/WebProcess/WebPage/WebPage.cpp 2012-05-24 22:18:20 UTC (rev 118426)
@@ -321,9 +321,8 @@
m_sandboxExtensionTracker.invalidate();
-#if PLATFORM(MAC)
- ASSERT(m_pluginViews.isEmpty());
-#endif
+ for (HashSet<PluginView*>::const_iterator it = m_pluginViews.begin(), end = m_pluginViews.end(); it != end; ++it)
+ (*it)->webPageDestroyed();
#ifndef NDEBUG
webPageCounter.decrement();
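Review bot: The loop replaces `ASSERT(m_pluginViews.isEmpty())`, so debug builds no longer flag a plug-in view outliving its page at all; the crash is fixed but the unexpected-lifetime signal is gone with it, and the loop itself is only safe because webPageDestroyed() does not touch m_pluginViews while it is being iterated. Both facts belong in a comment above the loop: `// Plug-in views can outlive this page; null their back-pointer so they stop dereferencing us.` and `// webPageDestroyed() must not modify m_pluginViews while we iterate it.` If the outliving case is still considered rare, a diagnostic such as `ASSERT_WITH_MESSAGE` or a logging hook here would preserve the old visibility; I cannot tell from this hunk whether one exists in the file. The destructor body starts before this hunk.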
@@ -1007,10 +1006,8 @@
{
m_page->setPageScaleFactor(scale, origin);
-#if PLATFORM(MAC)
for (HashSet<PluginView*>::const_iterator it = m_pluginViews.begin(), end = m_pluginViews.end(); it != end; ++it)
(*it)->pageScaleFactorDidChange();
-#endif
send(Messages::WebPageProxy::PageScaleFactorDidChange(scale));
}
@@ -2483,8 +2480,6 @@
}
}
-#if PLATFORM(MAC)
-
void WebPage::addPluginView(PluginView* pluginView)
{
ASSERT(!m_pluginViews.contains(pluginView));
@@ -2499,6 +2494,7 @@
m_pluginViews.remove(pluginView);
}
+#if PLATFORM(MAC)
void WebPage::setWindowIsVisible(bool windowIsVisible)
{
m_windowIsVisible = windowIsVisible;
Modified: branches/safari-536-branch/Source/WebKit2/WebProcess/WebPage/WebPage.h (118425 => 118426)
--- branches/safari-536-branch/Source/WebKit2/WebProcess/WebPage/WebPage.h 2012-05-24 22:16:47 UTC (rev 118425)
+++ branches/safari-536-branch/Source/WebKit2/WebProcess/WebPage/WebPage.h 2012-05-24 22:18:20 UTC (rev 118426)
@@ -303,10 +303,10 @@
void exitAcceleratedCompositingMode();
#endif
-#if PLATFORM(MAC)
void addPluginView(PluginView*);
void removePluginView(PluginView*);
+#if PLATFORM(MAC)
LayerHostingMode layerHostingMode() const { return m_layerHostingMode; }
void setLayerHostingMode(LayerHostingMode);
@@ -701,6 +701,9 @@
WebCore::IntSize m_viewSize;
OwnPtr<DrawingArea> m_drawingArea;
+
+ HashSet<PluginView*> m_pluginViews;
+
bool m_useFixedLayout;
bool m_drawsBackground;
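Review bot: Moving `HashSet<PluginView*> m_pluginViews;` out of the PLATFORM(MAC) section drops the `// All plug-in views on this web page.` comment that the removed declaration carried, leaving a raw-pointer set with no statement of ownership or lifetime. Restore it and record the new contract: `// All plug-in views on this web page, as raw non-owning pointers. A view may outlive the page; ~WebPage calls webPageDestroyed() on each one that is still registered.` That is where a reader looking at the raw pointers will first ask who is responsible for them.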
@@ -727,9 +730,6 @@
// The accessibility position of the view.
WebCore::IntPoint m_accessibilityPosition;
- // All plug-in views on this web page.
- HashSet<PluginView*> m_pluginViews;
-
// The layer hosting mode.
LayerHostingMode m_layerHostingMode;