Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (134833 => 134834)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-15 22:07:37 UTC (rev 134833)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-15 22:27:58 UTC (rev 134834)
@@ -1,3 +1,17 @@
+2012-11-15 Lucas Forschler <[email protected]>
+
+ Merge r127595
+
+ 2012-09-05 Brady Eidson <[email protected]>
+
+ Frequent crashes in PluginView::scriptObject under runtimeObjectCustomGetOwnPropertySlot
+ <rdar://problem/12142226> and https://bugs.webkit.org/show_bug.cgi?id=95026
+
+ Reviewed by Andy Estes.
+
+ * plugins/npp-new-fails-expected.txt: Added.
+ * plugins/npp-new-fails.html: Added.
+
2012-11-14 Timothy Hatcher <[email protected]>
Merge r134100
Copied: branches/safari-536.28-branch/LayoutTests/plugins/npp-new-fails-expected.txt (from rev 127595, trunk/LayoutTests/plugins/npp-new-fails-expected.txt) (0 => 134834)
--- branches/safari-536.28-branch/LayoutTests/plugins/npp-new-fails-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/plugins/npp-new-fails-expected.txt 2012-11-15 22:27:58 UTC (rev 134834)
@@ -0,0 +1,8 @@
+
+http://webkit.org/b/95026 - Tests that access to the plug-in script object after the plug-in fails to initialize doesn't crash
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Did not crash trying to access the plug-in script object.
+
Copied: branches/safari-536.28-branch/LayoutTests/plugins/npp-new-fails.html (from rev 127595, trunk/LayoutTests/plugins/npp-new-fails.html) (0 => 134834)
--- branches/safari-536.28-branch/LayoutTests/plugins/npp-new-fails.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/plugins/npp-new-fails.html 2012-11-15 22:27:58 UTC (rev 134834)
@@ -0,0 +1,30 @@
+<head>
+<script src=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function runTest()
+{
+ var foo = document.getElementById("TestElement").someMadeUpBar;
+
+ testPassed("Did not crash trying to access the plug-in script object.");
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+</script>
+
+</head>
+<body _onload_="runTest();">
+<embed id="TestElement" type="application/x-webkit-test-netscape" test="npp-new-fails"></embed>
+<p id="description"></p>
+<div id="console"></div>
+</body>
+
+<script>
+description("http://webkit.org/b/95026 - Tests that access to the plug-in script object after the plug-in fails to initialize doesn't crash");
+</script>
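Review bot: `runTest()` calls `testPassed(...)` unconditionally after the property read, so the test catches a crash but not a wrong result from the failed plug-in's script-object lookup. The value assigned to `var foo` is never checked. Consider asserting it instead, e.g. `shouldBeUndefined('document.getElementById("TestElement").someMadeUpBar');`, assuming the js-test helper this page loads provides that function (the `src` value is blank in this rendering) and that `undefined` is the intended result. Separately, the description text used for js-test pages promises "TEST COMPLETE", but nothing visible in this file emits it and the expected output does not contain it.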
Modified: branches/safari-536.28-branch/Source/WebKit2/ChangeLog (134833 => 134834)
--- branches/safari-536.28-branch/Source/WebKit2/ChangeLog 2012-11-15 22:07:37 UTC (rev 134833)
+++ branches/safari-536.28-branch/Source/WebKit2/ChangeLog 2012-11-15 22:27:58 UTC (rev 134834)
@@ -1,3 +1,22 @@
+2012-11-15 Lucas Forschler <[email protected]>
+
+ Merge r127595
+
+ 2012-09-05 Brady Eidson <[email protected]>
+
+ Frequent crashes in PluginView::scriptObject under runtimeObjectCustomGetOwnPropertySlot
+ <rdar://problem/12142226> and https://bugs.webkit.org/show_bug.cgi?id=95026
+
+ Patch partially by Andras Becsi <[email protected]>
+
+ Reviewed by Andy Estes.
+
+ If a plug-in fails to initialize then the m_plugin pointer is cleared out.
+ When accessing the script object it is appropriate to unconditionally null check m_plugin.
+
+ * WebProcess/Plugins/PluginView.cpp:
+ (WebKit::PluginView::scriptObject): Null check m_plugin before trying to use it.
+
2012-11-13 Lucas Forschler <[email protected]>
Merge r129959
Modified: branches/safari-536.28-branch/Source/WebKit2/WebProcess/Plugins/PluginView.cpp (134833 => 134834)
--- branches/safari-536.28-branch/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2012-11-15 22:07:37 UTC (rev 134833)
+++ branches/safari-536.28-branch/Source/WebKit2/WebProcess/Plugins/PluginView.cpp 2012-11-15 22:27:58 UTC (rev 134834)
@@ -545,6 +545,10 @@
if (m_isWaitingForSynchronousInitialization)
return 0;
+ // The plug-in can be null here if it failed to initialize previously.
+ if (!m_plugin)
+ return 0;
+
// If the plug-in exists but is not initialized then we're still initializing asynchronously.
// We need to wait here until initialization has either succeeded or failed.
if (m_plugin->isBeingAsynchronouslyInitialized()) {
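Review bot: The added `if (!m_plugin) return 0;` covers a plug-in that had already failed, but the block right after it still calls into `m_plugin` across a wait that, per the comment in the next hunk, can end with `m_plugin` null. The wait call itself lies between the two hunks and is not visible, so this is inferred: if `m_plugin` is a ref-counted member that a failed initialization resets during that wait, the plug-in object could be released while one of its own methods is still on the stack. Since the ChangeLog places this path under a script-triggered property lookup, it is worth confirming the lifetime and, if needed, holding a local reference for the duration, e.g. `RefPtr<Plugin> protect(m_plugin);` before the `isBeingAsynchronouslyInitialized()` check. The body of `scriptObject` starts and ends outside the hunk.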
@@ -553,7 +557,7 @@
m_isWaitingForSynchronousInitialization = false;
}
- // The plug-in can be null here if it failed to initialize.
+ // The plug-in can be null here if it still failed to initialize.
if (!m_isInitialized || !m_plugin)
return 0;
Modified: branches/safari-536.28-branch/Tools/ChangeLog (134833 => 134834)
--- branches/safari-536.28-branch/Tools/ChangeLog 2012-11-15 22:07:37 UTC (rev 134833)
+++ branches/safari-536.28-branch/Tools/ChangeLog 2012-11-15 22:27:58 UTC (rev 134834)
@@ -1,3 +1,27 @@
+2012-11-15 Lucas Forschler <[email protected]>
+
+ Merge r127595
+
+ 2012-09-05 Brady Eidson <[email protected]>
+
+ Frequent crashes in PluginView::scriptObject under runtimeObjectCustomGetOwnPropertySlot
+ <rdar://problem/12142226> and https://bugs.webkit.org/show_bug.cgi?id=95026
+
+ Reviewed by Andy Estes.
+
+ Add a plug-in that always fails to initialize:
+ * DumpRenderTree/TestNetscapePlugIn/Tests/NPPNewFails.cpp: Added.
+ (NPPNewFails):
+ (NPPNewFails::NPPNewFails):
+ (NPPNewFails::NPP_New):
+
+ Add it to all the project files:
+ * DumpRenderTree/DumpRenderTree.gypi:
+ * DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
+ * DumpRenderTree/TestNetscapePlugIn/CMakeLists.txt:
+ * DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
+ * DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:
+
2012-11-08 Lucas Forschler <[email protected]>
Merge r125457
Modified: branches/safari-536.28-branch/Tools/DumpRenderTree/DumpRenderTree.gypi (134833 => 134834)
--- branches/safari-536.28-branch/Tools/DumpRenderTree/DumpRenderTree.gypi 2012-11-15 22:07:37 UTC (rev 134833)
+++ branches/safari-536.28-branch/Tools/DumpRenderTree/DumpRenderTree.gypi 2012-11-15 22:27:58 UTC (rev 134834)
@@ -66,6 +66,7 @@
'TestNetscapePlugIn/Tests/GetURLWithJavaScriptURL.cpp',
'TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp',
'TestNetscapePlugIn/Tests/GetUserAgentWithNullNPPFromNPPNew.cpp',
+ 'TestNetscapePlugIn/Tests/NPPNewFails.cpp',
'TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp',
'TestNetscapePlugIn/Tests/NPRuntimeRemoveProperty.cpp',
'TestNetscapePlugIn/Tests/NullNPPGetValuePointer.cpp',
Modified: branches/safari-536.28-branch/Tools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj (134833 => 134834)
--- branches/safari-536.28-branch/Tools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj 2012-11-15 22:07:37 UTC (rev 134833)
+++ branches/safari-536.28-branch/Tools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj 2012-11-15 22:27:58 UTC (rev 134834)
@@ -69,6 +69,7 @@
4437730F125CBC4D00AAE02C /* WebArchiveDumpSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = 44A997820FCDE86400580F10 /* WebArchiveDumpSupport.h */; };
4AD6A11413C8124000EA9737 /* FormValue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4AD6A11313C8124000EA9737 /* FormValue.cpp */; };
5106803E15CC7B10001A8A23 /* SlowNPPNew.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5106803D15CC7B10001A8A23 /* SlowNPPNew.cpp */; };
+ 5113DE6715F6CBE5005EC8B3 /* NPPNewFails.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */; };
515F429C15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 515F429B15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp */; };
5185F6B210714E07007AA393 /* HistoryDelegate.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5185F69F10714A57007AA393 /* HistoryDelegate.mm */; };
5185F6B310714E12007AA393 /* HistoryDelegate.h in Headers */ = {isa = PBXBuildFile; fileRef = 5185F69E10714A57007AA393 /* HistoryDelegate.h */; };
@@ -274,6 +275,7 @@
44A997830FCDE86400580F10 /* WebArchiveDumpSupport.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = WebArchiveDumpSupport.cpp; path = cf/WebArchiveDumpSupport.cpp; sourceTree = "<group>"; };
4AD6A11313C8124000EA9737 /* FormValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = FormValue.cpp; sourceTree = "<group>"; };
5106803D15CC7B10001A8A23 /* SlowNPPNew.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SlowNPPNew.cpp; path = TestNetscapePlugIn/Tests/SlowNPPNew.cpp; sourceTree = SOURCE_ROOT; };
+ 5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NPPNewFails.cpp; sourceTree = "<group>"; };
515C0CCF15EE785700F5A613 /* LogNPPSetWindow.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LogNPPSetWindow.cpp; sourceTree = "<group>"; };
515F429B15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PluginScriptableObjectOverridesAllProperties.cpp; sourceTree = "<group>"; };
5185F69E10714A57007AA393 /* HistoryDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = HistoryDelegate.h; path = mac/HistoryDelegate.h; sourceTree = "<group>"; };
@@ -543,6 +545,7 @@
1AD4CB2012A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp */,
515C0CCF15EE785700F5A613 /* LogNPPSetWindow.cpp */,
1ACF898B132EF41C00E915D4 /* NPDeallocateCalledBeforeNPShutdown.cpp */,
+ 5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */,
C031182A134E4A2B00919757 /* NPPSetWindowCalledDuringDestruction.cpp */,
1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */,
1AC77DCE120605B6005C19EF /* NPRuntimeRemoveProperty.cpp */,
@@ -902,6 +905,7 @@
515F429C15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp in Sources */,
5106803E15CC7B10001A8A23 /* SlowNPPNew.cpp in Sources */,
51CACBD815D96FD000EB53A2 /* EvaluateJSWithinNPP_New.cpp in Sources */,
+ 5113DE6715F6CBE5005EC8B3 /* NPPNewFails.cpp in Sources */,
1C5C9B2E15F103AA0035558E /* LogNPPSetWindow.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
Copied: branches/safari-536.28-branch/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPPNewFails.cpp (from rev 127595, trunk/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPPNewFails.cpp) (0 => 134834)
--- branches/safari-536.28-branch/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPPNewFails.cpp (rev 0)
+++ branches/safari-536.28-branch/Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPPNewFails.cpp 2012-11-15 22:27:58 UTC (rev 134834)
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "PluginTest.h"
+
+#include <string.h>
+
+using namespace std;
+
+class NPPNewFails : public PluginTest {
+public:
+ NPPNewFails(NPP npp, const string& identifier)
+ : PluginTest(npp, identifier)
+ {
+ }
+
+private:
+
+ virtual NPError NPP_New(NPMIMEType pluginType, uint16_t mode, int16_t argc, char* argn[], char* argv[], NPSavedData *saved)
+ {
+ return NPERR_GENERIC_ERROR;
+ }
+};
+
+static PluginTest::Register<NPPNewFails> nppNewFails("npp-new-fails");
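Review bot: `NPP_New` in `NPPNewFails` is declared `virtual` with no override annotation, so if the base signature in `PluginTest` ever changes, this method silently stops overriding and the plug-in initializes normally. The companion layout test only checks for the absence of a crash, so it would keep printing PASS while no longer exercising the failure path. If this target can use the project's override annotation, add it to the declaration; otherwise a short comment such as `// Must match PluginTest::NPP_New exactly; the test depends on this override failing initialization.` would help. Also, `#include <string.h>` is the C header and does not declare `std::string`, which the constructor takes; `#include <string>` is the header this file needs, and it presumably compiles today only through `PluginTest.h`.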
Modified: branches/safari-536.28-branch/Tools/DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj (134833 => 134834)
--- branches/safari-536.28-branch/Tools/DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj 2012-11-15 22:07:37 UTC (rev 134833)
+++ branches/safari-536.28-branch/Tools/DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj 2012-11-15 22:27:58 UTC (rev 134834)
@@ -426,6 +426,10 @@
>
</File>
<File
+ RelativePath="..\Tests\NPPNewFails.cpp"
+ >
+ </File>
+ <File
RelativePath="..\Tests\NPPSetWindowCalledDuringDestruction.cpp"
>
</File>
Modified: branches/safari-536.28-branch/Tools/DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro (134833 => 134834)
--- branches/safari-536.28-branch/Tools/DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro 2012-11-15 22:07:37 UTC (rev 134833)
+++ branches/safari-536.28-branch/Tools/DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro 2012-11-15 22:27:58 UTC (rev 134834)
@@ -22,6 +22,7 @@
Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp \
Tests/GetUserAgentWithNullNPPFromNPPNew.cpp \
Tests/NPDeallocateCalledBeforeNPShutdown.cpp \
+ Tests/NPPNewFails.cpp \
Tests/NPPSetWindowCalledDuringDestruction.cpp \
Tests/NPRuntimeObjectFromDestroyedPlugin.cpp \
Tests/NPRuntimeRemoveProperty.cpp \