Title: [152539] trunk/Source/WebKit2
- Revision: 152539
- Author: [email protected]
- Date: 2013-07-10 11:34:19 -0700 (Wed, 10 Jul 2013)
Log Message
Some Java plugin instances can deadlock with the WebProcess on NPP_Destroy.
<rdar://problem/14286390> and https://bugs.webkit.org/show_bug.cgi?id=118535
Reviewed by Alexey Proskuryakov.
* Shared/Plugins/NPObjectProxy.cpp:
(WebKit::NPObjectProxy::~NPObjectProxy): ASSERT this is the main thread.
(WebKit::NPObjectProxy::NP_Deallocate): If this isn't the main thread, call it again on the main thread.
Diff
Modified: trunk/Source/WebKit2/ChangeLog (152538 => 152539)
--- trunk/Source/WebKit2/ChangeLog 2013-07-10 17:02:26 UTC (rev 152538)
+++ trunk/Source/WebKit2/ChangeLog 2013-07-10 18:34:19 UTC (rev 152539)
@@ -1,3 +1,14 @@
+2013-07-10 Brady Eidson <[email protected]>
+
+ Some Java plugin instances can deadlock with the WebProcess on NPP_Destroy.
+ <rdar://problem/14286390> and https://bugs.webkit.org/show_bug.cgi?id=118535
+
+ Reviewed by Alexey Proskuryakov.
+
+ * Shared/Plugins/NPObjectProxy.cpp:
+ (WebKit::NPObjectProxy::~NPObjectProxy): ASSERT this is the main thread.
+ (WebKit::NPObjectProxy::NP_Deallocate): If this isn't the main thread, call it again on the main thread.
+
2013-07-10 Sergio Correia <[email protected]>
Remove the meshType from CoordinatedCustomFilterOperation
Modified: trunk/Source/WebKit2/Shared/Plugins/NPObjectProxy.cpp (152538 => 152539)
--- trunk/Source/WebKit2/Shared/Plugins/NPObjectProxy.cpp 2013-07-10 17:02:26 UTC (rev 152538)
+++ trunk/Source/WebKit2/Shared/Plugins/NPObjectProxy.cpp 2013-07-10 18:34:19 UTC (rev 152539)
@@ -35,7 +35,11 @@
#include "NPRemoteObjectMap.h"
#include "NPRuntimeUtilities.h"
#include "NPVariantData.h"
+#include <WebCore/RunLoop.h>
+#include <wtf/MainThread.h>
+using namespace WebCore;
+
namespace WebKit {
NPObjectProxy* NPObjectProxy::create(NPRemoteObjectMap* npRemoteObjectMap, Plugin* plugin, uint64_t npObjectID)
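Review bot: The file-scope `using namespace WebCore;` added after the includes pulls the whole namespace into this translation unit, yet the only WebCore name this patch uses is `RunLoop`, in the single `RunLoop::main()` call in NP_Deallocate. Consider dropping the directive and writing `WebCore::RunLoop::main()` at that one call site, so later additions to WebCore cannot collide with names in this file.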
@@ -55,6 +59,8 @@
NPObjectProxy::~NPObjectProxy()
{
+ ASSERT(isMainThread());
+
if (!m_npRemoteObjectMap)
return;
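Review bot: `ASSERT(isMainThread())` at the top of the destructor is checked only in debug builds, so in release builds nothing stops the destructor from running on a background thread if the object is deleted by any path other than the guarded NP_Deallocate. If NP_Deallocate is meant to be the only way these objects are destroyed, say so in a comment next to the assertion; if other delete paths exist, they need the same main-thread hop that NP_Deallocate gets in this patch.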
@@ -293,6 +299,16 @@
void NPObjectProxy::NP_Deallocate(NPObject* npObject)
{
+ // http://webkit.org/b/118535 - The Java Netscape Plug-in has a background thread do some of their NPP_Destroy work.
+ // That background thread can call NP_Deallocate, and this leads to a WebProcess <-> PluginProcess deadlock.
+ // Since NPAPI behavior on a background thread is undefined, it is okay to limit this workaround to the one API
+ // that is known to be misused during plugin teardown, and to not be concerned about change in behavior if this
+ // occured at any other time.
+ if (!isMainThread()) {
+ RunLoop::main()->dispatch(bind(&NPObjectProxy::NP_Deallocate, npObject));
+ return;
+ }
+
NPObjectProxy* npObjectProxy = toNPObjectProxy(npObject);
delete npObjectProxy;
}
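Review bot: In the `!isMainThread()` branch, `bind(&NPObjectProxy::NP_Deallocate, npObject)` hands a raw `NPObject*` to the main run loop and returns, so the actual `delete` now happens at some later point during plugin teardown, and nothing in this hunk shows what keeps the proxy's state valid until then. The destructor does bail out when `m_npRemoteObjectMap` is null, but that only helps if the map clears that pointer on every proxy before it goes away; please add a sentence to the comment saying why the deferred call cannot run against a destroyed NPRemoteObjectMap or a closed connection. The caller on the background thread also now returns before the object is freed, which is worth noting in the comment since it changes when the deallocation is observable. Minor: "occured" in the comment should be "occurred".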