Changeset 88867 in webkit

Timestamp:

Jun 14, 2011, 4:06:52 PM (14 years ago)

Author:

Lucas Forschler

Message:

Merge r88647.

Location:

branches/safari-534-branch/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• UIProcess/Plugins/PluginProcessProxy.cpp (modified) (1 diff)

branches/safari-534-branch/Source/WebKit2/ChangeLog

@@ +1 @@
+2011-06-14  Lucas Forschler  <lforschler@apple.com>
+
+    Merged 88647.
+
+    2011-06-13  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Don't access freed memory in the UI process when a plug-in process crashes
+        https://bugs.webkit.org/show_bug.cgi?id=62548
+
+        Call pluginProcessCrashedOrFailedToLaunch after sending messages to all processes about the plug-in crash,
+        otherwise we'll try to dereference m_pluginInfo.path after the PluginProcessProxy object has been deleted.
+
+        * UIProcess/Plugins/PluginProcessProxy.cpp:
+        (WebKit::PluginProcessProxy::didClose):
+
 2011-06-14  Lucas Forschler  <lforschler@apple.com>
 

branches/safari-534-branch/Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp

@@ -168 +168 @@
 #endif
 
-    pluginProcessCrashedOrFailedToLaunch();
-
     const Vector<WebContext*>& contexts = WebContext::allContexts();
     for (size_t i = 0; i < contexts.size(); ++i)
         contexts[i]->sendToAllProcesses(Messages::WebProcess::PluginProcessCrashed(m_pluginInfo.path));
+
+    // This will cause us to be deleted.
+    pluginProcessCrashedOrFailedToLaunch();
 }