Title: [98141] branches/safari-534.52-branch/Source/WebKit2
Revision: 98141
Author: lforsch...@apple.com
Date: 2011-10-21 13:56:35 -0700 (Fri, 21 Oct 2011)

Log Message

Merged r96855.

Modified Paths

Diff

Modified: branches/safari-534.52-branch/Source/WebKit2/ChangeLog (98140 => 98141)


--- branches/safari-534.52-branch/Source/WebKit2/ChangeLog	2011-10-21 20:54:22 UTC (rev 98140)
+++ branches/safari-534.52-branch/Source/WebKit2/ChangeLog	2011-10-21 20:56:35 UTC (rev 98141)
@@ -1,5 +1,25 @@
 2011-10-21  Lucas Forschler  <lforsch...@apple.com>
 
+    Merge 96855
+
+    2011-10-06  Anders Carlsson  <ander...@apple.com>
+
+            Crash when PluginProxy object is destroyed inside PluginProxy::pluginScriptableNPObject
+            https://bugs.webkit.org/show_bug.cgi?id=69559
+            <rdar://problem/9704066>
+
+            Reviewed by Maciej Stachowiak.
+
+            Protect the plug-in itself in the call to pluginScriptableNPObject. In some cases, sending
+            the synchronous message to the plug-in process can end up causing the web process to handle
+            an incoming message that will destroy t he plug-in.
+
+            Unfortunately, this is highly timing-dependent and can't be tested reliably.
+
+            * WebProcess/Plugins/PluginProxy.cpp:
+            (WebKit::PluginProxy::pluginScriptableNPObject):
+2011-10-21  Lucas Forschler  <lforsch...@apple.com>
+
     Merge 94472
 
     2011-09-02  Michael Saboff  <msab...@apple.com>
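Review bot: the merged entry runs straight into the existing "2011-10-21  Lucas Forschler" entry with no separating blank line (the "(WebKit::PluginProxy::pluginScriptableNPObject):" line is immediately followed by "+2011-10-21  Lucas Forschler  <lforsch...@apple.com>"), which breaks the ChangeLog's one-blank-line-between-entries convention that the rest of the file follows; add the blank line. The merged text also carries the typo "destroy t he plug-in". Since the entry states the fix is "highly timing-dependent and can't be tested reliably", it would help future readers if it recorded how the crash was reproduced or confirmed fixed, even informally, so a regression has something to be checked against.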

Modified: branches/safari-534.52-branch/Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp (98140 => 98141)


--- branches/safari-534.52-branch/Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp	2011-10-21 20:54:22 UTC (rev 98140)
+++ branches/safari-534.52-branch/Source/WebKit2/WebProcess/Plugins/PluginProxy.cpp	2011-10-21 20:56:35 UTC (rev 98141)
@@ -337,6 +337,10 @@
 
 NPObject* PluginProxy::pluginScriptableNPObject()
 {
+    // Sending the synchronous Messages::PluginControllerProxy::GetPluginScriptableNPObject message can cause us to dispatch an
+    // incoming synchronous message that ends up destroying the PluginProxy object.
+    PluginController::PluginDestructionProtector protector(controller());
+
     uint64_t pluginScriptableNPObjectID = 0;
     
     if (!m_connection->connection()->sendSync(Messages::PluginControllerProxy::GetPluginScriptableNPObject(), Messages::PluginControllerProxy::GetPluginScriptableNPObject::Reply(pluginScriptableNPObjectID), m_pluginInstanceID))
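Review bot: the new `PluginController::PluginDestructionProtector protector(controller());` is built from `controller()` with no check that it is non-null, so if `pluginScriptableNPObject()` can be reached after the controller has been detached, the guard itself becomes the crash rather than the fix; an `ASSERT(controller())` next to it, or a sentence in the comment stating that invariant, would make the assumption explicit. The comment should also say what the protector guarantees and what it does not: it keeps the PluginProxy alive across `sendSync` and the later use of `pluginScriptableNPObjectID`, but it does not stop the re-entrant incoming message from changing other state the function touches, so code after the send should not assume the plug-in is still in the state it was before the call.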
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to