Diff
Modified: trunk/LayoutTests/ChangeLog (128387 => 128388)
--- trunk/LayoutTests/ChangeLog 2012-09-13 00:17:23 UTC (rev 128387)
+++ trunk/LayoutTests/ChangeLog 2012-09-13 00:18:07 UTC (rev 128388)
@@ -1,3 +1,13 @@
+2012-09-12 Brady Eidson <[email protected]>
+
+ Assert in NetscapePlugin::destroy() with async plugin init
+ <rdar://problem/12277595> and https://bugs.webkit.org/show_bug.cgi?id=96576
+
+ Reviewed by Anders Carlsson.
+
+ * platform/mac-wk2/plugins/destroy-during-async-npp-new-expected.txt: Added.
+ * platform/mac-wk2/plugins/destroy-during-async-npp-new.html: Added.
+
2012-09-12 James Robinson <[email protected]>
Rebaseline chromium-mac pixel results for 128375
Added: trunk/LayoutTests/platform/mac-wk2/plugins/destroy-during-async-npp-new-expected.txt (0 => 128388)
--- trunk/LayoutTests/platform/mac-wk2/plugins/destroy-during-async-npp-new-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk2/plugins/destroy-during-async-npp-new-expected.txt 2012-09-13 00:18:07 UTC (rev 128388)
@@ -0,0 +1,8 @@
+Tests that removing a plug-in element during its NPP_New via an NPN_Invoke resulting in its NPP_Destroy being called doesn't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Didn't crash yet.
+PASS Still didn't crash yet.
+
Added: trunk/LayoutTests/platform/mac-wk2/plugins/destroy-during-async-npp-new.html (0 => 128388)
--- trunk/LayoutTests/platform/mac-wk2/plugins/destroy-during-async-npp-new.html (rev 0)
+++ trunk/LayoutTests/platform/mac-wk2/plugins/destroy-during-async-npp-new.html 2012-09-13 00:18:07 UTC (rev 128388)
@@ -0,0 +1,45 @@
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.overridePreference("WebKit2AsynchronousPluginInitializationEnabled", "1");
+ testRunner.overridePreference("WebKit2AsynchronousPluginInitializationEnabledForAllPlugins", "1");
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+window.removePluginElement = function()
+{
+ if (!window.testRunner) {
+ debug("This test can only run from within DumpRenderTree because it requires TestNetscapePlugin.\n");
+ return;
+ }
+
+ var element = document.getElementById("TestElement");
+ document.body.removeChild(element);
+
+ testPassed("Didn't crash yet.");
+
+ setTimeout("finishTest();", 0);
+}
+
+function finishTest()
+{
+ testPassed("Still didn't crash yet.");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+</script>
+
+</head>
+<body>
+<embed id="TestElement" type="application/x-webkit-test-netscape" test="invoke-destroys-plugin-within-npp-new"></embed>
+<p id="description"></p>
+<div id="console"></div>
+</body>
+
+<script>
+description("Tests that removing a plug-in element during its NPP_New via an NPN_Invoke resulting in its NPP_Destroy being called doesn't crash.");
+</script>
Modified: trunk/Source/WebKit2/ChangeLog (128387 => 128388)
--- trunk/Source/WebKit2/ChangeLog 2012-09-13 00:17:23 UTC (rev 128387)
+++ trunk/Source/WebKit2/ChangeLog 2012-09-13 00:18:07 UTC (rev 128388)
@@ -1,3 +1,17 @@
+2012-09-12 Brady Eidson <[email protected]>
+
+ Assert in NetscapePlugin::destroy() with async plugin init
+ <rdar://problem/12277595> and https://bugs.webkit.org/show_bug.cgi?id=96576
+
+ Reviewed by Anders Carlsson.
+
+ Most of the NPN_* API calls have a plug-in protector during the calls.
+ NPN_Invoke and NPN_InvokeDefault do not.
+
+ * WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp:
+ (WebKit::NPN_Invoke): Protect the plug-in during this call.
+ (WebKit::NPN_InvokeDefault): Ditto.
+
2012-09-11 Alexey Proskuryakov <[email protected]>
<rdar://problem/12275537> REGRESSION(r127384): Non-existent directories are no longer created for sandbox paths
Modified: trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp (128387 => 128388)
--- trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp 2012-09-13 00:17:23 UTC (rev 128387)
+++ trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp 2012-09-13 00:18:07 UTC (rev 128388)
@@ -688,14 +688,20 @@
static bool NPN_Invoke(NPP npp, NPObject *npObject, NPIdentifier methodName, const NPVariant* arguments, uint32_t argumentCount, NPVariant* result)
{
+ RefPtr<NetscapePlugin> plugin = NetscapePlugin::fromNPP(npp);
+ PluginDestructionProtector protector(plugin.get());
+
if (npObject->_class->invoke)
return npObject->_class->invoke(npObject, methodName, arguments, argumentCount, result);
return false;
}
-static bool NPN_InvokeDefault(NPP, NPObject *npObject, const NPVariant* arguments, uint32_t argumentCount, NPVariant* result)
+static bool NPN_InvokeDefault(NPP npp, NPObject *npObject, const NPVariant* arguments, uint32_t argumentCount, NPVariant* result)
{
+ RefPtr<NetscapePlugin> plugin = NetscapePlugin::fromNPP(npp);
+ PluginDestructionProtector protector(plugin.get());
+
if (npObject->_class->invokeDefault)
return npObject->_class->invokeDefault(npObject, arguments, argumentCount, result);
Modified: trunk/Tools/ChangeLog (128387 => 128388)
--- trunk/Tools/ChangeLog 2012-09-13 00:17:23 UTC (rev 128387)
+++ trunk/Tools/ChangeLog 2012-09-13 00:18:07 UTC (rev 128388)
@@ -1,3 +1,23 @@
+2012-09-12 Brady Eidson <[email protected]>
+
+ Assert in NetscapePlugin::destroy() with async plugin init
+ <rdar://problem/12277595> and https://bugs.webkit.org/show_bug.cgi?id=96576
+
+ Reviewed by Anders Carlsson.
+
+ Expose NPN_Invoke to plug-in tests:
+ * DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
+ (PluginTest::NPN_Invoke):
+ * DumpRenderTree/TestNetscapePlugIn/PluginTest.h:
+ (PluginTest):
+
+ Add a test that uses NPN_Invoke on the window object from inside NPP_New to remove the plug-in element:
+ * DumpRenderTree/TestNetscapePlugIn/Tests/InvokeDestroysPluginWithinNPP_New.cpp: Added.
+ (InvokeDestroysPluginWithinNPP_New):
+ (InvokeDestroysPluginWithinNPP_New::InvokeDestroysPluginWithinNPP_New):
+ (InvokeDestroysPluginWithinNPP_New::NPP_New):
+ * DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
+
2012-09-12 Dirk Pranke <[email protected]>
refactor TestExpectations tokenization slightly in preparation for the new syntax
Modified: trunk/Tools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj (128387 => 128388)
--- trunk/Tools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj 2012-09-13 00:17:23 UTC (rev 128387)
+++ trunk/Tools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj 2012-09-13 00:18:07 UTC (rev 128388)
@@ -70,6 +70,7 @@
4437730F125CBC4D00AAE02C /* WebArchiveDumpSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = 44A997820FCDE86400580F10 /* WebArchiveDumpSupport.h */; };
4AD6A11413C8124000EA9737 /* FormValue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4AD6A11313C8124000EA9737 /* FormValue.cpp */; };
5106803E15CC7B10001A8A23 /* SlowNPPNew.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5106803D15CC7B10001A8A23 /* SlowNPPNew.cpp */; };
+ 51134C9916014FDC001AA513 /* InvokeDestroysPluginWithinNPP_New.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 51134C9816014FDB001AA513 /* InvokeDestroysPluginWithinNPP_New.cpp */; };
5113DE6715F6CBE5005EC8B3 /* NPPNewFails.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */; };
515C0CD015EE785700F5A613 /* LogNPPSetWindow.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 515C0CCF15EE785700F5A613 /* LogNPPSetWindow.cpp */; };
515F429C15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 515F429B15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp */; };
@@ -287,6 +288,7 @@
44A997830FCDE86400580F10 /* WebArchiveDumpSupport.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = WebArchiveDumpSupport.cpp; path = cf/WebArchiveDumpSupport.cpp; sourceTree = "<group>"; };
4AD6A11313C8124000EA9737 /* FormValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = FormValue.cpp; sourceTree = "<group>"; };
5106803D15CC7B10001A8A23 /* SlowNPPNew.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SlowNPPNew.cpp; path = TestNetscapePlugIn/Tests/SlowNPPNew.cpp; sourceTree = SOURCE_ROOT; };
+ 51134C9816014FDB001AA513 /* InvokeDestroysPluginWithinNPP_New.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = InvokeDestroysPluginWithinNPP_New.cpp; sourceTree = "<group>"; };
5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NPPNewFails.cpp; sourceTree = "<group>"; };
515C0CCF15EE785700F5A613 /* LogNPPSetWindow.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LogNPPSetWindow.cpp; sourceTree = "<group>"; };
515F429B15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PluginScriptableObjectOverridesAllProperties.cpp; sourceTree = "<group>"; };
@@ -559,6 +561,7 @@
1A5CC1F3137DD2EC00A5D7E7 /* GetURLWithJavaScriptURL.cpp */,
1A3E28A91311D73B00501349 /* GetURLWithJavaScriptURLDestroyingPlugin.cpp */,
1AD4CB2012A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp */,
+ 51134C9816014FDB001AA513 /* InvokeDestroysPluginWithinNPP_New.cpp */,
515C0CCF15EE785700F5A613 /* LogNPPSetWindow.cpp */,
1ACF898B132EF41C00E915D4 /* NPDeallocateCalledBeforeNPShutdown.cpp */,
5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */,
@@ -925,6 +928,7 @@
51CACBD815D96FD000EB53A2 /* EvaluateJSWithinNPP_New.cpp in Sources */,
515C0CD015EE785700F5A613 /* LogNPPSetWindow.cpp in Sources */,
5113DE6715F6CBE5005EC8B3 /* NPPNewFails.cpp in Sources */,
+ 51134C9916014FDC001AA513 /* InvokeDestroysPluginWithinNPP_New.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
Modified: trunk/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp (128387 => 128388)
--- trunk/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp 2012-09-13 00:17:23 UTC (rev 128387)
+++ trunk/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp 2012-09-13 00:18:07 UTC (rev 128388)
@@ -166,6 +166,11 @@
browser->invalidaterect(m_npp, invalidRect);
}
+bool PluginTest::NPN_Invoke(NPObject *npobj, NPIdentifier methodName, const NPVariant *args, uint32_t argCount, NPVariant *result)
+{
+ return browser->invoke(m_npp, npobj, methodName, args, argCount, result);
+}
+
void* PluginTest::NPN_MemAlloc(uint32_t size)
{
return browser->memalloc(size);
Modified: trunk/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.h (128387 => 128388)
--- trunk/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.h 2012-09-13 00:17:23 UTC (rev 128387)
+++ trunk/Tools/DumpRenderTree/TestNetscapePlugIn/PluginTest.h 2012-09-13 00:18:07 UTC (rev 128388)
@@ -76,6 +76,7 @@
NPError NPN_GetURLNotify(const char* url, const char* target, void* notifyData);
NPError NPN_GetValue(NPNVariable, void* value);
void NPN_InvalidateRect(NPRect* invalidRect);
+ bool NPN_Invoke(NPObject *, NPIdentifier methodName, const NPVariant *args, uint32_t argCount, NPVariant *result);
void* NPN_MemAlloc(uint32_t size);
// NPRuntime NPN functions.
Added: trunk/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/InvokeDestroysPluginWithinNPP_New.cpp (0 => 128388)
--- trunk/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/InvokeDestroysPluginWithinNPP_New.cpp (rev 0)
+++ trunk/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/InvokeDestroysPluginWithinNPP_New.cpp 2012-09-13 00:18:07 UTC (rev 128388)
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "PluginTest.h"
+
+#include "PluginObject.h"
+
+using namespace std;
+
+// Executing JS within NPP_New when initializing asynchronously should not be able to deadlock with the WebProcess
+
+class InvokeDestroysPluginWithinNPP_New : public PluginTest {
+public:
+ InvokeDestroysPluginWithinNPP_New(NPP, const string& identifier);
+
+private:
+ virtual NPError NPP_New(NPMIMEType pluginType, uint16_t mode, int16_t argc, char* argn[], char* argv[], NPSavedData *);
+
+};
+
+InvokeDestroysPluginWithinNPP_New::InvokeDestroysPluginWithinNPP_New(NPP npp, const string& identifier)
+ : PluginTest(npp, identifier)
+{
+}
+
+NPError InvokeDestroysPluginWithinNPP_New::NPP_New(NPMIMEType pluginType, uint16_t mode, int16_t argc, char* argn[], char* argv[], NPSavedData *saved)
+{
+ // Give the WebProcess enough time to be deadlocked waiting for the PluginProcess if things aren't working correctly.
+ usleep(15000);
+
+ NPObject* windowObject = 0;
+ if (NPN_GetValue(NPNVWindowNPObject, &windowObject) != NPERR_NO_ERROR)
+ return NPERR_GENERIC_ERROR;
+
+ if (!windowObject)
+ return NPERR_GENERIC_ERROR;
+
+ NPVariant result;
+ if (!NPN_Invoke(windowObject, NPN_GetStringIdentifier("removePluginElement"), 0, 0, &result))
+ return NPERR_GENERIC_ERROR;
+
+ return NPERR_NO_ERROR;
+}
+
+static PluginTest::Register<InvokeDestroysPluginWithinNPP_New> registrar("invoke-destroys-plugin-within-npp-new");
