Changeset 228613 in webkit
- Timestamp: Feb 19, 2018 12:28:13 AM (6 years ago)
- Location: releases/WebKitGTK/webkit-2.20
- Files: 9 edited
releases/WebKitGTK/webkit-2.20/LayoutTests/ChangeLog
r228612 r228613 1 2018-02-05 Daniel Bates <dabates@apple.com> 2 3 Disallow evaluating JavaScript from NPP_Destroy() in WebKit 4 https://bugs.webkit.org/show_bug.cgi?id=181889 5 <rdar://problem/36674701> 6 7 Reviewed by Brent Fulgham. 8 9 Consolidate all the plugin tests that evaluate JavaScript from NPP_Destroy() 10 and mark them as Wont Fix. In a subsequent change we will look to replace 11 these tests with tests that ensure that we do not evaluate JavaScript from 12 NPP_Destroy(). 13 14 * platform/mac/TestExpectations: 15 * platform/wk2/TestExpectations: 16 1 17 2018-02-05 Antti Koivisto <antti@apple.com> 2 18 -
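Review bot: The ChangeLog entry promises replacement tests "in a subsequent change" but names no tracking bug for that follow-up, so the coverage lost by marking nine plugin tests WontFix is only recorded in prose; consider adding the follow-up bug URL next to https://bugs.webkit.org/show_bug.cgi?id=181889 so the gap stays visible. Minor: the entry writes "Wont Fix" while the expectation keyword used in the TestExpectations files is `WontFix`.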
releases/WebKitGTK/webkit-2.20/LayoutTests/platform/mac/TestExpectations
r228017 r228613 190 190 fast/images/animated-webp-expected.html 191 191 192 # Times out because plugins aren't allowed to execute JS after NPP_Destroy has been called in WebKit1's OOP plugins implementation193 webkit.org/b/48929 plugins/evaluate-js-after-removing-plugin-element.html194 192 195 193 # DRT does not support toggling caret browsing on / off … … 436 434 437 435 # --- Plugins --- 438 # WebKit1 OOP plug-ins: Can't evaluate JavaScript from NPP_Destroy. 439 plugins/document-open.html 440 plugins/geturlnotify-during-document-teardown.html 441 plugins/nested-plugin-objects.html 442 plugins/netscape-destroy-plugin-script-objects.html 443 plugins/open-and-close-window-with-plugin.html 436 # Out-of-process plug-ins are disallowed from evaluating JavaScript from NPP_Destroy(). 437 plugins/attach-during-destroy.html [ WontFix ] 438 plugins/destroy-reentry.html [ WontFix ] 439 plugins/document-open.html [ WontFix ] 440 webkit.org/b/48929 plugins/evaluate-js-after-removing-plugin-element.html [ WontFix ] 441 plugins/geturlnotify-during-document-teardown.html [ WontFix ] 442 plugins/js-from-destroy.html [ WontFix ] 443 plugins/nested-plugin-objects.html [ WontFix ] 444 plugins/netscape-destroy-plugin-script-objects.html [ WontFix ] 445 plugins/open-and-close-window-with-plugin.html [ WontFix ] 444 446 445 447 # WebKit1 OOP plug-ins: No support for getting the form value. -
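Review bot: The new `[ WontFix ]` block adds plugins/attach-during-destroy.html, plugins/destroy-reentry.html and plugins/js-from-destroy.html, which were not in the previous "WebKit1 OOP plug-ins" list and so were presumably passing; a reviewer should confirm each of those three actually evaluates JavaScript from NPP_Destroy(), because WontFix suppresses any future failure. Only the evaluate-js-after-removing-plugin-element.html line carries a bug link; prefixing the other entries with the bug for this change (webkit.org/b/181889) would keep the rationale discoverable from the expectations file alone.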
releases/WebKitGTK/webkit-2.20/LayoutTests/platform/wk2/TestExpectations
r227986 r228613 126 126 transitions/default-timing-function.html 127 127 128 # WebKitTestRunner needs testRunner.setCallCloseOnWebViews129 # http://webkit.org/b/46714130 plugins/geturlnotify-during-document-teardown.html131 plugins/open-and-close-window-with-plugin.html132 133 128 # Sometimes fails 134 129 # http://webkit.org/b/58990 … … 513 508 ######################################## 514 509 ### START OF (4) Features that are not supported in WebKit2 and likely never will be 510 511 # Plug-ins are disallowed from evaluating JavaScript from NPP_Destroy(). 512 plugins/attach-during-destroy.html [ WontFix ] 513 plugins/destroy-reentry.html [ WontFix ] 514 plugins/document-open.html [ WontFix ] 515 webkit.org/b/48929 plugins/evaluate-js-after-removing-plugin-element.html [ WontFix ] 516 plugins/geturlnotify-during-document-teardown.html [ WontFix ] 517 plugins/js-from-destroy.html [ WontFix ] 518 plugins/nested-plugin-objects.html [ WontFix ] 519 plugins/netscape-destroy-plugin-script-objects.html [ WontFix ] 520 plugins/open-and-close-window-with-plugin.html [ WontFix ] 515 521 516 522 # Internals.registerDefaultPortForProtocol() does not affect NetworkProcess. We should -
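Review bot: The removed block at old lines 128-131 attributed the failures of plugins/geturlnotify-during-document-teardown.html and plugins/open-and-close-window-with-plugin.html to a missing WebKitTestRunner feature (testRunner.setCallCloseOnWebViews, http://webkit.org/b/46714); moving them under the NPP_Destroy() `[ WontFix ]` section drops that reference entirely. If WKTR still lacks that hook, the limitation is now hidden behind an unrelated reason; consider keeping the b/46714 URL on those two lines, e.g. `webkit.org/b/46714 plugins/open-and-close-window-with-plugin.html [ WontFix ]`.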
releases/WebKitGTK/webkit-2.20/Source/WebKit/ChangeLog
r228093 r228613 1 2018-02-05 Daniel Bates <dabates@apple.com> 2 3 Disallow evaluating JavaScript from NPP_Destroy() in WebKit 4 https://bugs.webkit.org/show_bug.cgi?id=181889 5 <rdar://problem/36674701> 6 7 Reviewed by Brent Fulgham. 8 9 Make the behavior of WebKit match the behavior of WebKitLegacy on Mac. 10 11 * Shared/Plugins/NPObjectMessageReceiver.cpp: 12 (WebKit::NPObjectMessageReceiver::hasMethod): 13 (WebKit::NPObjectMessageReceiver::invoke): 14 (WebKit::NPObjectMessageReceiver::invokeDefault): 15 (WebKit::NPObjectMessageReceiver::hasProperty): 16 (WebKit::NPObjectMessageReceiver::getProperty): 17 (WebKit::NPObjectMessageReceiver::setProperty): 18 (WebKit::NPObjectMessageReceiver::removeProperty): 19 (WebKit::NPObjectMessageReceiver::enumerate): 20 (WebKit::NPObjectMessageReceiver::construct): 21 Bail out if the plugin is executing NPP_Destroy(). 22 23 * WebProcess/Plugins/Plugin.cpp: 24 (WebKit::Plugin::destroyPlugin): 25 * WebProcess/Plugins/Plugin.h: 26 (WebKit::Plugin::isBeingDestroyed const): 27 Move bookkeeping of whether the plugin is being destroyed from PluginView 28 to here. This makes it straightforward for NPObjectMessageReceiver to query 29 this information. 30 31 * WebProcess/Plugins/PluginView.cpp: 32 (WebKit::PluginView::~PluginView): 33 (WebKit::PluginView::destroyPluginAndReset): 34 (WebKit::PluginView::recreateAndInitialize): 35 (WebKit::PluginView::protectPluginFromDestruction): 36 (WebKit::PluginView::unprotectPluginFromDestruction): 37 Move bookkeeping of whether the plugin is being destroyed from here 38 to Plugin. 39 40 * WebProcess/Plugins/PluginView.h: 41 (WebKit::PluginView::isBeingDestroyed const): Turn around and ask the plugin if it 42 is being destroyed, if we have one. 43 1 44 2018-02-05 Carlos Garcia Campos <cgarcia@igalia.com> 2 45 -
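Review bot: The description of (WebKit::PluginView::isBeingDestroyed const), "Turn around and ask the plugin if it is being destroyed, if we have one", does not match the new implementation in PluginView.h, which returns true when there is no plugin (`return !m_plugin || m_plugin->isBeingDestroyed();`). State explicitly that a PluginView without a plugin reports itself as being destroyed, since callers of isBeingDestroyed() will see that change in behaviour.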
releases/WebKitGTK/webkit-2.20/Source/WebKit/Shared/Plugins/NPObjectMessageReceiver.cpp
r181864 r228613 61 61 void NPObjectMessageReceiver::hasMethod(const NPIdentifierData& methodNameData, bool& returnValue) 62 62 { 63 if ( !m_npObject->_class->hasMethod) {63 if (m_plugin->isBeingDestroyed() || !m_npObject->_class->hasMethod) { 64 64 returnValue = false; 65 65 return; … … 71 71 void NPObjectMessageReceiver::invoke(const NPIdentifierData& methodNameData, const Vector<NPVariantData>& argumentsData, bool& returnValue, NPVariantData& resultData) 72 72 { 73 if ( !m_npObject->_class->invoke) {73 if (m_plugin->isBeingDestroyed() || !m_npObject->_class->invoke) { 74 74 returnValue = false; 75 75 return; … … 101 101 void NPObjectMessageReceiver::invokeDefault(const Vector<NPVariantData>& argumentsData, bool& returnValue, NPVariantData& resultData) 102 102 { 103 if ( !m_npObject->_class->invokeDefault) {103 if (m_plugin->isBeingDestroyed() || !m_npObject->_class->invokeDefault) { 104 104 returnValue = false; 105 105 return; … … 131 131 void NPObjectMessageReceiver::hasProperty(const NPIdentifierData& propertyNameData, bool& returnValue) 132 132 { 133 if ( !m_npObject->_class->hasProperty) {133 if (m_plugin->isBeingDestroyed() || !m_npObject->_class->hasProperty) { 134 134 returnValue = false; 135 135 return; … … 141 141 void NPObjectMessageReceiver::getProperty(const NPIdentifierData& propertyNameData, bool& returnValue, NPVariantData& resultData) 142 142 { 143 if ( !m_npObject->_class->getProperty) {143 if (m_plugin->isBeingDestroyed() || !m_npObject->_class->getProperty) { 144 144 returnValue = false; 145 145 return; … … 163 163 void NPObjectMessageReceiver::setProperty(const NPIdentifierData& propertyNameData, const NPVariantData& propertyValueData, bool& returnValue) 164 164 { 165 if ( !m_npObject->_class->setProperty) {165 if (m_plugin->isBeingDestroyed() || !m_npObject->_class->setProperty) { 166 166 returnValue = false; 167 167 return; … … 179 179 void NPObjectMessageReceiver::removeProperty(const NPIdentifierData& propertyNameData, bool& returnValue) 
180 180 { 181 if ( !m_npObject->_class->removeProperty) {181 if (m_plugin->isBeingDestroyed() || !m_npObject->_class->removeProperty) { 182 182 returnValue = false; 183 183 return; … … 189 189 void NPObjectMessageReceiver::enumerate(bool& returnValue, Vector<NPIdentifierData>& identifiersData) 190 190 { 191 if ( !NP_CLASS_STRUCT_VERSION_HAS_ENUM(m_npObject->_class) || !m_npObject->_class->enumerate) {191 if (m_plugin->isBeingDestroyed() || !NP_CLASS_STRUCT_VERSION_HAS_ENUM(m_npObject->_class) || !m_npObject->_class->enumerate) { 192 192 returnValue = false; 193 193 return; … … 209 209 void NPObjectMessageReceiver::construct(const Vector<NPVariantData>& argumentsData, bool& returnValue, NPVariantData& resultData) 210 210 { 211 if ( !NP_CLASS_STRUCT_VERSION_HAS_CTOR(m_npObject->_class) || !m_npObject->_class->construct) {211 if (m_plugin->isBeingDestroyed() || !NP_CLASS_STRUCT_VERSION_HAS_CTOR(m_npObject->_class) || !m_npObject->_class->construct) { 212 212 returnValue = false; 213 213 return; -
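Review bot: The same `m_plugin->isBeingDestroyed() ||` guard is pasted into all nine receiver entry points (hasMethod through construct); a single private helper, for instance `bool canScript() const { return !m_plugin->isBeingDestroyed(); }`, would make the policy easier to audit and harder to miss in a future entry point. The guard also dereferences `m_plugin` unconditionally; nothing in these hunks shows that the receiver cannot outlive its plugin, so a reviewer should confirm that lifetime or add an ASSERT(m_plugin) at the top of each method.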
releases/WebKitGTK/webkit-2.20/Source/WebKit/WebProcess/Plugins/Plugin.cpp
r204668 r228613 29 29 #include "WebCoreArgumentCoders.h" 30 30 #include <WebCore/IntPoint.h> 31 #include <wtf/SetForScope.h> 31 32 32 33 using namespace WebCore; … … 99 100 void Plugin::destroyPlugin() 100 101 { 102 ASSERT(!m_isBeingDestroyed); 103 SetForScope<bool> scope { m_isBeingDestroyed, true }; 104 101 105 destroy(); 102 106 103 m_pluginController = 0;107 m_pluginController = nullptr; 104 108 } 105 109 -
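Review bot: `SetForScope<bool> scope { m_isBeingDestroyed, true };` restores the flag to false as soon as destroyPlugin() returns, so a Plugin that has already been destroyed but is still referenced reports isBeingDestroyed() == false; any NPObjectMessageReceiver call arriving after destroy() completes but before the owner drops its pointer would not be rejected by this flag. If that window matters, leave the flag set after destruction (or add a separate "destroyed" state) rather than scoping it. Also note `ASSERT(!m_isBeingDestroyed)` only guards reentrant destruction in debug builds; an early return would make the release build behave the same way.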
releases/WebKitGTK/webkit-2.20/Source/WebKit/WebProcess/Plugins/Plugin.h
r227214 r228613 105 105 void destroyPlugin(); 106 106 107 bool isBeingDestroyed() const { return m_isBeingDestroyed; } 108 107 109 // Returns the plug-in controller for this plug-in. 108 110 PluginController* controller() { return m_pluginController; } … … 310 312 PluginType m_type; 311 313 314 bool m_isBeingDestroyed { false }; 315 312 316 private: 313 317 PluginController* m_pluginController; -
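Review bot: `bool m_isBeingDestroyed { false };` is added above the `private:` label, next to `PluginType m_type;`, which leaves it writable by every Plugin subclass even though only Plugin::destroyPlugin() is meant to set it. Move it below `private:` alongside `PluginController* m_pluginController;` so the accessor `isBeingDestroyed()` stays the only way to observe the state.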
releases/WebKitGTK/webkit-2.20/Source/WebKit/WebProcess/Plugins/PluginView.cpp
r227214 r228613 320 320 m_webPage->removePluginView(this); 321 321 322 ASSERT(!m_ isBeingDestroyed);322 ASSERT(!m_plugin || !m_plugin->isBeingDestroyed()); 323 323 324 324 if (m_isWaitingUntilMediaCanStart) … … 341 341 342 342 if (m_plugin) { 343 m_isBeingDestroyed = true;344 343 m_plugin->destroyPlugin(); 345 m_isBeingDestroyed = false;346 344 347 345 m_pendingURLRequests.clear(); … … 374 372 m_isWaitingForSynchronousInitialization = false; 375 373 m_isWaitingUntilMediaCanStart = false; 376 m_isBeingDestroyed = false;377 374 m_manualStreamState = ManualStreamState::Initial; 378 375 m_transientPaintingSnapshot = nullptr; … … 1642 1639 void PluginView::protectPluginFromDestruction() 1643 1640 { 1644 if ( !m_isBeingDestroyed)1641 if (m_plugin && !m_plugin->isBeingDestroyed()) 1645 1642 ref(); 1646 1643 } … … 1648 1645 void PluginView::unprotectPluginFromDestruction() 1649 1646 { 1650 if ( m_isBeingDestroyed)1647 if (!m_plugin || m_plugin->isBeingDestroyed()) 1651 1648 return; 1652 1649 -
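Review bot: protectPluginFromDestruction() now only calls ref() when `m_plugin` is non-null, and unprotectPluginFromDestruction() returns early when `m_plugin` is null; the pair is balanced only if `m_plugin` does not change between a protect and its matching unprotect. A protect taken while the plugin exists, followed by an unprotect after `m_plugin` has been cleared, would leak a reference to the PluginView; a short comment stating that invariant, or an ASSERT on it, would help the next reader. In destroyPluginAndReset() the `m_isBeingDestroyed = true/false` bracket around `m_plugin->destroyPlugin()` is replaced by the flag inside Plugin, which is the intended consolidation.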
releases/WebKitGTK/webkit-2.20/Source/WebKit/WebProcess/Plugins/PluginView.h
r227214 r228613 71 71 WebCore::Frame* frame() const; 72 72 73 bool isBeingDestroyed() const { return m_isBeingDestroyed; }73 bool isBeingDestroyed() const { return !m_plugin || m_plugin->isBeingDestroyed(); } 74 74 75 75 void manualLoadDidReceiveResponse(const WebCore::ResourceResponse&); … … 249 249 bool m_isWaitingForSynchronousInitialization { false }; 250 250 bool m_isWaitingUntilMediaCanStart { false }; 251 bool m_isBeingDestroyed { false };252 251 bool m_pluginProcessHasCrashed { false }; 253 252
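Review bot: `isBeingDestroyed()` now returns true whenever `m_plugin` is null, so a PluginView that never had a plugin, or whose plugin was already released, is indistinguishable from one in the middle of teardown. Callers that use the accessor to mean "currently inside destroyPlugin()" should be checked, and a one-line comment on the declaration explaining why a missing plugin counts as destroyed would document the choice.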