Title: [129535] trunk
- Revision
- 129535
- Author
- [email protected]
- Date
- 2012-09-25 11:59:58 -0700 (Tue, 25 Sep 2012)
Log Message
Crash after clicking in plugin at kauaiexplorer.com
<rdar://problem/11525987/> and https://bugs.webkit.org/show_bug.cgi?id=90925
Patch by Akash Vaswani <[email protected]> on 2012-09-25
Reviewed by Sam Weinig.
Source/WebKit2:
Bug: Clicking the plugin to navigate away from the page caused the browser to crash.
This is because it is possible for a beforeunload handler to destroy the plugin
while it is still needed. In this case the handler set visibility to "none" and
then accessed a property on the plugin script object. This forced a layout
that destroyed the plugin.
Fix: Protecting PluginView objects until they are no longer required.
This was done by adding a RefPtr at the beginning of performURLRequest().
* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::performURLRequest):
LayoutTests:
* http/tests/plugins/get-url-beforeunload-destroys-plugin-expected.txt: Added.
* http/tests/plugins/get-url-beforeunload-destroys-plugin.html: Added.
* http/tests/plugins/resources/notify-done.html: Added.
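The lifetime problem the log describes, as an added illustration that is not code from this patch or from WebKit: a navigation started from inside a `PluginView` method fires `beforeunload`, page script run by that handler drops the only reference to the view, and the method then continues using its own members. The `RefCounted`/`RefPtr` classes below are simplified stand-ins for WTF's, and `Frame`, `beginNavigation`, `navigateFromPlugin` and `liveViews` are assumed names for this example. `performURLRequest` takes a flag so the same path can be run with and without the protector; without it the function detects the destruction through a static counter and returns early instead of touching freed memory.

```cpp
#include <functional>
#include <iostream>
#include <string>

// Simplified stand-ins for WTF::RefCounted / WTF::RefPtr (assumption: not WebKit's code).
class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
protected:
    RefCounted() : m_refCount(0) {}
    virtual ~RefCounted() {}
private:
    unsigned m_refCount;
};

template<typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : m_ptr(other.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(T* ptr) {
        if (ptr) ptr->ref();        // ref the new object before releasing the old one
        T* old = m_ptr;
        m_ptr = ptr;
        if (old) old->deref();
        return *this;
    }
    RefPtr& operator=(const RefPtr& other) { return *this = other.m_ptr; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

struct Frame;

// Stand-in for WebKit::PluginView (assumption): owned by the frame through a RefPtr.
class PluginView : public RefCounted {
public:
    static RefPtr<PluginView> create(Frame& frame) { return RefPtr<PluginView>(new PluginView(frame)); }
    ~PluginView() override { --s_liveViews; }
    static int liveViews() { return s_liveViews; }

    // Returns true only if the view was still alive after the beforeunload handler ran.
    bool performURLRequest(const std::string& url, bool useProtector);

private:
    explicit PluginView(Frame& frame) : m_frame(frame) { ++s_liveViews; }
    Frame& m_frame;
    std::string m_pendingURL;
    static int s_liveViews;
};
int PluginView::s_liveViews = 0;

// Stand-in for the document/frame that owns the <object> element's view (assumption).
struct Frame {
    RefPtr<PluginView> view;
    std::function<void(Frame&)> beforeUnloadHandler;   // installed by page script
    // Navigating away fires beforeunload first; arbitrary page script runs here.
    void beginNavigation() { if (beforeUnloadHandler) beforeUnloadHandler(*this); }
};

bool PluginView::performURLRequest(const std::string& url, bool useProtector)
{
    // The patch's fix: hold our own reference for the duration of the call.
    RefPtr<PluginView> protect;
    if (useProtector)
        protect = this;

    int liveBefore = s_liveViews;
    m_pendingURL = url;
    m_frame.beginNavigation();   // may run a handler that drops the frame's reference to us

    // Without the protector the frame's reference was the last one and the destructor
    // has already run; reading m_pendingURL here would be a use-after-free. Only the
    // static counter is consulted, so this branch is safe even when `this` is gone.
    if (s_liveViews != liveBefore)
        return false;

    return m_pendingURL == url;  // safe: the protector kept the object alive
}

// The handler from the crashing page, reduced to its effect: hiding the plug-in
// destroys its view, i.e. the frame lets go of its reference.
static void destroyPluginOnBeforeUnload(Frame& frame) { frame.view = nullptr; }

// Drives one navigation requested by the plug-in (NPN_GetURL arrives via a raw pointer).
static bool navigateFromPlugin(bool useProtector)
{
    Frame frame;
    frame.view = PluginView::create(frame);
    frame.beforeUnloadHandler = destroyPluginOnBeforeUnload;
    PluginView* rawView = frame.view.get();
    return rawView->performURLRequest("resources/notify-done.html", useProtector);
}

int main()
{
    std::cout << "protected:   " << (navigateFromPlugin(true) ? "view survived" : "view destroyed") << "\n";
    std::cout << "unprotected: " << (navigateFromPlugin(false) ? "view survived" : "view destroyed") << "\n";
    std::cout << "live views at exit: " << PluginView::liveViews() << "\n";
    return 0;
}
```

The protector only guarantees that the memory stays valid until `performURLRequest` returns; the frame may still have detached the plug-in, so code after the script-running call should also check the view's state before relying on it.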
Diff
Modified: trunk/LayoutTests/ChangeLog (129534 => 129535)
--- trunk/LayoutTests/ChangeLog 2012-09-25 18:51:33 UTC (rev 129534)
+++ trunk/LayoutTests/ChangeLog 2012-09-25 18:59:58 UTC (rev 129535)
@@ -1,3 +1,14 @@
+2012-09-25 Akash Vaswani <[email protected]>
+
+ Crash after clicking in plugin at kauaiexplorer.com
+ <rdar://problem/11525987/> and https://bugs.webkit.org/show_bug.cgi?id=90925
+
+ Reviewed by Sam Weinig.
+
+ * http/tests/plugins/get-url-beforeunload-destroys-plugin-expected.txt: Added.
+ * http/tests/plugins/get-url-beforeunload-destroys-plugin.html: Added.
+ * http/tests/plugins/resources/notify-done.html: Added.
+
2012-09-25 Joshua Bell <[email protected]>
IndexedDB: One transaction coordinator per database
Added: trunk/LayoutTests/http/tests/plugins/get-url-beforeunload-destroys-plugin-expected.txt (0 => 129535)
--- trunk/LayoutTests/http/tests/plugins/get-url-beforeunload-destroys-plugin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/plugins/get-url-beforeunload-destroys-plugin-expected.txt 2012-09-25 18:59:58 UTC (rev 129535)
@@ -0,0 +1 @@
+
Added: trunk/LayoutTests/http/tests/plugins/get-url-beforeunload-destroys-plugin.html (0 => 129535)
--- trunk/LayoutTests/http/tests/plugins/get-url-beforeunload-destroys-plugin.html (rev 0)
+++ trunk/LayoutTests/http/tests/plugins/get-url-beforeunload-destroys-plugin.html 2012-09-25 18:59:58 UTC (rev 129535)
@@ -0,0 +1,28 @@
+<html>
+<body _onbeforeunload_="accessPlugin()">
+This tests that NPN_GetURL causing the beforeunload event handler to destroy the plug-in doesn't crash.
+
+<object name="plg" type="application/x-webkit-test-netscape"></object>
+
+<script>
+ function accessPlugin()
+ {
+ var objects = document.getElementsByTagName("object");
+ for (var i = 0; i < objects.length; ++i) {
+ objects[i].style.display = "none";
+ for (var x in objects[i]) {
+ if (typeof objects[i][x] == "function")
+ objects[i][x] = function() {};
+ }
+ }
+ }
+
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ plg.getURL("resources/notify-done.html", "_self");
+</script>
+</body>
+</html>
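Review bot: the body's handler attribute is shown as `_onbeforeunload_` here, and the C++ hunk below shows `_javascript_:` in a comment, so this looks like the list archive rewriting `on*` attribute names; confirm the committed file uses the plain `onbeforeunload` attribute, because if the handler never fires the test passes without ever exercising the destroy-during-request path it exists to cover. Also worth stating in the description line (`This tests that NPN_GetURL causing the beforeunload event handler to destroy the plug-in doesn't crash.`) that the handler destroys the view by setting `style.display = "none"` and then touching the element's function properties, since that is the specific sequence from the bug report and a future cleanup of `accessPlugin()` could silently drop it.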
Added: trunk/LayoutTests/http/tests/plugins/resources/notify-done.html (0 => 129535)
--- trunk/LayoutTests/http/tests/plugins/resources/notify-done.html (rev 0)
+++ trunk/LayoutTests/http/tests/plugins/resources/notify-done.html 2012-09-25 18:59:58 UTC (rev 129535)
@@ -0,0 +1,4 @@
+<script>
+ if (window.testRunner)
+ testRunner.notifyDone();
+</script>
Modified: trunk/Source/WebKit2/ChangeLog (129534 => 129535)
--- trunk/Source/WebKit2/ChangeLog 2012-09-25 18:51:33 UTC (rev 129534)
+++ trunk/Source/WebKit2/ChangeLog 2012-09-25 18:59:58 UTC (rev 129535)
@@ -1,3 +1,21 @@
+2012-09-25 Akash Vaswani <[email protected]>
+
+ Crash after clicking in plugin at kauaiexplorer.com
+ <rdar://problem/11525987/> and https://bugs.webkit.org/show_bug.cgi?id=90925
+
+ Reviewed by Sam Weinig.
+
+ Bug: Clicking the plugin to navigate away from the page caused the browser to crash.
+ This is because it is possible for a beforeunload handler to destroy the plugin
+ while it is still needed. In this case the handler set visibility to "none" and
+ then accessed a property on the plugin script object. This forced a layout
+ that destroyed the plugin.
+ Fix: Protecting PluginView objects until they are no longer required.
+ This was done by adding a RefPtr at the beginning of performURLRequest()
+
+ * WebProcess/Plugins/PluginView.cpp:
+ (WebKit::PluginView::performURLRequest):
+
2012-09-25 Carlos Garcia Campos <[email protected]>
[GTK] Don't kill automatically the web process when the ui process finishes
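Review bot: the description at the line `In this case the handler set visibility to "none"` does not match the added test, which sets `style.display = "none"`; the two are different CSS properties and only the latter removes the renderer, so the ChangeLog should name the one the test actually uses. The line `This was done by adding a RefPtr at the beginning of performURLRequest()` is also missing its trailing period.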
Modified: trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp (129534 => 129535)
--- trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2012-09-25 18:51:33 UTC (rev 129534)
+++ trunk/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2012-09-25 18:59:58 UTC (rev 129535)
@@ -854,6 +854,9 @@
void PluginView::performURLRequest(URLRequest* request)
{
+ // This protector is needed to make sure the PluginView is not destroyed while it is still needed.
+ RefPtr<PluginView> protect(this);
+
// First, check if this is a _javascript_: url.
if (protocolIsJavaScript(request->request().url())) {
performJavaScriptURLRequest(request);
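Review bot: the protector at `RefPtr<PluginView> protect(this);` keeps the object from being freed but not from being destroyed in the plug-in sense: if script run inside `performJavaScriptURLRequest(request)` (or the non-JavaScript path that follows) tears the plug-in down, the remainder of `performURLRequest` still executes against a view whose plug-in and frame may already be gone. After each call that can run script, bail out when the view has been destroyed before touching other members, and note in the comment that the protector guards lifetime only, not state.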
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes