Title: [96855] trunk/Source/WebKit2
Revision
96855
Author
ander...@apple.com
Date
2011-10-06 13:59:47 -0700 (Thu, 06 Oct 2011)

Log Message

Crash when PluginProxy object is destroyed inside PluginProxy::pluginScriptableNPObject
https://bugs.webkit.org/show_bug.cgi?id=69559
<rdar://problem/9704066>

Reviewed by Maciej Stachowiak.

Protect the plug-in itself in the call to pluginScriptableNPObject. In some cases, sending
the synchronous message to the plug-in process can end up causing the web process to handle
an incoming message that will destroy the plug-in.

Unfortunately, this is highly timing-dependent and can't be tested reliably.

* WebProcess/Plugins/PluginProxy.cpp:
(WebKit::PluginProxy::pluginScriptableNPObject):
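
The hazard the commit describes, as an added example that is not WebKit's code and not part of the commit: a synchronous send blocks until the reply arrives and, while blocked, dispatches messages from the other process, one of which can destroy the object whose method issued the send. The model below uses a scoped std::shared_ptr in place of PluginController::PluginDestructionProtector (an assumption about what the protector does, namely keep the object alive for the scope); SyncConnection, PluginProxyModel, OwnerModel, runScenario and the reply value 42 are all hypothetical names and constructed inputs.

```cpp
// Added example, not WebKit code: a small model of the hazard fixed in r96855.
// A synchronous IPC send blocks until the reply arrives and, while blocked,
// dispatches messages that arrived from the other process. One of those can
// destroy the very object whose method issued the send. A scoped strong
// reference (standing in for PluginController::PluginDestructionProtector,
// an assumption about its behaviour) defers the destruction until the method
// has returned. All names below are hypothetical.
#include <cstdint>
#include <functional>
#include <iostream>
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Registry of live objects. It lets a method find out, by comparing pointer
// values only, whether its own object was destroyed during a nested dispatch,
// without dereferencing a possibly dangling `this`.
static std::set<const void*>& liveObjects() {
    static std::set<const void*> objects;
    return objects;
}

// Stand-in for the web process side of the plug-in connection.
struct SyncConnection {
    std::vector<std::function<void()>> incoming; // arrives while we wait for the reply
    uint64_t replyObjectID = 0;                  // constructed reply from the "plug-in process"

    uint64_t sendSync() {
        auto queued = std::move(incoming);
        incoming.clear();
        for (auto& message : queued)
            message();                           // nested dispatch: the re-entrancy point
        return replyObjectID;
    }
};

class PluginProxyModel : public std::enable_shared_from_this<PluginProxyModel> {
public:
    explicit PluginProxyModel(SyncConnection& connection) : m_connection(connection) {
        liveObjects().insert(this);
    }
    ~PluginProxyModel() { liveObjects().erase(this); }

    // Returns the scriptable object ID from the "plug-in process", or 0 if the
    // proxy was destroyed underneath the call. `survivedSend` reports whether
    // the object was still alive when sendSync returned.
    uint64_t scriptableObjectID(bool useProtector, bool& survivedSend) {
        std::shared_ptr<PluginProxyModel> protector;
        if (useProtector)
            protector = shared_from_this();      // models the fix: hold a reference for the scope
        const void* self = this;
        uint64_t objectID = m_connection.sendSync();
        survivedSend = liveObjects().count(self) != 0;
        if (!survivedSend)
            return 0;                            // `this` dangles: touching a member now would be a use-after-free
        m_lastObjectID = objectID;               // safe only because the protector kept us alive
        return objectID;
    }

    uint64_t lastObjectID() const { return m_lastObjectID; }

private:
    SyncConnection& m_connection;
    uint64_t m_lastObjectID = 0;
};

// The owner holding the only strong reference, like a view holding its plug-in.
struct OwnerModel {
    std::shared_ptr<PluginProxyModel> plugin;
};

struct Outcome {
    uint64_t objectID;      // what the call returned
    bool survivedSend;      // proxy still alive when the sync send returned
    bool destroyedByEnd;    // proxy gone once the call has fully returned
};

// Scenario: while the proxy waits for its reply, a message arrives that makes
// the owner drop the plug-in. With the protector the destruction is deferred
// until scriptableObjectID() returns; without it the proxy dies mid-call.
static Outcome runScenario(bool useProtector) {
    SyncConnection connection;
    connection.replyObjectID = 42;
    OwnerModel owner { std::make_shared<PluginProxyModel>(connection) };
    std::weak_ptr<PluginProxyModel> watch = owner.plugin;
    PluginProxyModel* proxy = owner.plugin.get();
    connection.incoming.push_back([&owner] { owner.plugin.reset(); }); // the destroying message
    bool survived = false;
    uint64_t objectID = proxy->scriptableObjectID(useProtector, survived);
    return { objectID, survived, watch.expired() };
}

int main() {
    for (bool useProtector : { false, true }) {
        Outcome outcome = runScenario(useProtector);
        std::cout << (useProtector ? "protected:   " : "unprotected: ")
                  << "id=" << outcome.objectID
                  << " survivedSend=" << outcome.survivedSend
                  << " destroyedByEnd=" << outcome.destroyedByEnd << "\n";
    }
    return 0;
}
```

The point the model makes is the one the commit relies on: the protector does not stop the plug-in from being torn down, it only moves the destruction to the end of the scope, so the reply can still be for an object that nobody owns any more. Code after the send should therefore be written to tolerate that, which is why the unprotected path here checks liveness through a side table rather than through a member.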

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (96854 => 96855)


--- trunk/Source/WebKit2/ChangeLog	2011-10-06 20:49:50 UTC (rev 96854)
+++ trunk/Source/WebKit2/ChangeLog	2011-10-06 20:59:47 UTC (rev 96855)
@@ -1,3 +1,20 @@
+2011-10-06  Anders Carlsson  <ander...@apple.com>
+
+        Crash when PluginProxy object is destroyed inside PluginProxy::pluginScriptableNPObject
+        https://bugs.webkit.org/show_bug.cgi?id=69559
+        <rdar://problem/9704066>
+
+        Reviewed by Maciej Stachowiak.
+
+        Protect the plug-in itself in the call to pluginScriptableNPObject. In some cases, sending
+        the synchronous message to the plug-in process can end up causing the web process to handle
+        an incoming message that will destroy t he plug-in.
+
+        Unfortunately, this is highly timing-dependent and can't be tested reliably.
+
+        * WebProcess/Plugins/PluginProxy.cpp:
+        (WebKit::PluginProxy::pluginScriptableNPObject):
+
 2011-10-06  Carlos Garcia Campos  <cgar...@igalia.com>
 
         [GTK] Add estimated-progress property to WebKitWebLoaderClient
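
Review bot: typo in the new ChangeLog entry, "destroy t he plug-in" should read "destroy the plug-in"; the same sentence is the commit message, so both copies need the fix.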

Modified: trunk/Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp (96854 => 96855)


--- trunk/Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp	2011-10-06 20:49:50 UTC (rev 96854)
+++ trunk/Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp	2011-10-06 20:59:47 UTC (rev 96855)
@@ -329,6 +329,10 @@
 
 NPObject* PluginProxy::pluginScriptableNPObject()
 {
+    // Sending the synchronous Messages::PluginControllerProxy::GetPluginScriptableNPObject message can cause us to dispatch an
+    // incoming synchronous message that ends up destroying the PluginProxy object.
+    PluginController::PluginDestructionProtector protector(controller());
+
     uint64_t pluginScriptableNPObjectID = 0;
     
     if (!m_connection->connection()->sendSync(Messages::PluginControllerProxy::GetPluginScriptableNPObject(), Messages::PluginControllerProxy::GetPluginScriptableNPObject::Reply(pluginScriptableNPObjectID), m_pluginInstanceID))
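
Review bot: the protector only keeps the PluginProxy alive until the scope exits; it does not mean the plug-in is still in a usable state when sendSync returns. If the nested incoming message tears the plug-in down, the code after this hunk (not shown) runs on an object whose owner has already let go of it, so the reply should be treated as possibly stale: a sendSync failure or pluginScriptableNPObjectID == 0 is the expected outcome on that path, and it is worth confirming that nothing after the send touches state the destruction path has already released. The new comment also names the message that can re-enter but not which incoming message destroys the proxy; a pointer to that path (or to bug 69559) would help the next reader, especially since the commit message says the case cannot be tested reliably.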
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes