Hello, I am seeing a crash in the Android browser when unloading an NPAPI plugin I am developing. I do not see the problem in Chrome, so I am wondering if anyone can help me sort out what's different between the two.
The test web page is passing a JS object to the plugin, which calls NPN_SetProperty on the JS object with a couple of plugin-created objects. When the <object> element is removed as the page is getting cleaned up, the browser does not release the plugin-created object until after it unloads the plugin. At that point the code for deallocate doesn't exist anymore, so the browser crashes.

Looking into the code a bit, I see that plugin-created objects are registered with an owner object, and that cleanup will remove the sub-objects of the owner (this is in the V8 binding). However, I also see that in WebCore/bindings/v8/NPV8Object.cpp, the owner for set property is object->rootObject->frame()->script()->windowScriptNPObject(): the window object, not the <object>. So it looks as though it will not be considered a sub-object of <object>, and therefore not be released before the plugin is unloaded.

Is this a bug, or am I missing something more fundamental here? Also, if this is more appropriate to one of the Android lists, please let me know. This looks like common code, so I'm starting with this list.

Other info: I've verified that the referenceCount field is correct on the plugin-created object. I also see the problem with other plugin-created objects having window as an owner and not getting released before the plugin is unloaded.

Thanks,
-Todd

_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
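The lifetime problem described in the post, as an added example that is not part of the original message and not WebKit or NPAPI code: a small C model in which plugin-created NPObjects are registered with an owner, owners are torn down in the order the post describes (the <object> element first, then the plugin library, then the window), and "unloading" the plugin is modelled by clearing the function pointers in its NPClass. The NPClass/NPObject structs, the owner lists, and the teardown order are simplified local assumptions that mimic npapi.h names; a real browser would call straight through the stale deallocate pointer instead of counting it.

```c
/* Added model (not WebKit code) of the NPObject lifetime problem described in
 * the post. Struct names mimic npapi.h but are local, simplified definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct NPObject NPObject;
typedef struct NPClass {
    void (*deallocate)(NPObject *obj);   /* lives in the plugin's code */
} NPClass;
struct NPObject {
    NPClass *_class;
    unsigned referenceCount;
};

#define MAX_OBJECTS 8
typedef struct Owner {
    NPObject *objects[MAX_OBJECTS];     /* sub-objects released with the owner */
    size_t count;
} Owner;

/* The class table is plugin memory; unloading the plugin is modelled by
 * zeroing its function pointers (in reality the code pages simply go away). */
static NPClass pluginClass;
static int dealloc_calls = 0;            /* deallocate reached live code */
static int calls_into_unloaded_code = 0; /* deallocate reached a stale pointer */

static void plugin_deallocate(NPObject *obj) { dealloc_calls++; free(obj); }
static void plugin_load(void)   { pluginClass.deallocate = plugin_deallocate; }
static void plugin_unload(void) { pluginClass.deallocate = NULL; }

/* NPN_CreateObject equivalent: refcount 1, registered with the given owner. */
static NPObject *create_object(Owner *owner) {
    NPObject *obj = calloc(1, sizeof *obj);
    obj->_class = &pluginClass;
    obj->referenceCount = 1;
    owner->objects[owner->count++] = obj;
    return obj;
}

/* NPN_ReleaseObject equivalent. A real browser would call
 * obj->_class->deallocate unconditionally; here a stale pointer is recorded. */
static void release_object(NPObject *obj) {
    if (--obj->referenceCount != 0) return;
    if (obj->_class->deallocate == NULL) { calls_into_unloaded_code++; free(obj); return; }
    obj->_class->deallocate(obj);
}

static void release_owned(Owner *owner) {
    for (size_t i = 0; i < owner->count; i++) release_object(owner->objects[i]);
    owner->count = 0;
}

/* Page teardown in the order the post describes. With register_under_window
 * the objects handed to JS via NPN_SetProperty are owned by the window object
 * (what the post observes); otherwise they are owned by the <object> element.
 * Returns how many deallocate calls would have landed in unloaded code. */
static int simulate_teardown(bool register_under_window) {
    Owner window  = { {0}, 0 };
    Owner element = { {0}, 0 };
    dealloc_calls = 0;
    calls_into_unloaded_code = 0;
    plugin_load();
    create_object(&element);                                  /* plugin instance object */
    create_object(register_under_window ? &window : &element);/* set via NPN_SetProperty */
    create_object(register_under_window ? &window : &element);

    release_owned(&element);   /* <object> removed: its sub-objects released */
    plugin_unload();           /* plugin library unloaded */
    release_owned(&window);    /* window torn down last */
    return calls_into_unloaded_code;
}

int main(void) {
    printf("owner=window:  %d stale deallocate call(s)\n", simulate_teardown(true));
    printf("owner=element: %d stale deallocate call(s)\n", simulate_teardown(false));
    return 0;
}
```

With the window as owner, the two property objects are the only ones still alive when the plugin is gone, and both releases would land on the stale deallocate pointer; with the <object> element as owner, all three objects are deallocated before plugin_unload() runs.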

