Context Navigation

Changeset 152403 in webkit

Timestamp:

Jul 4, 2013 11:42:16 AM (11 years ago)

Author:

andersca@apple.com

Message:

Crash when createPluginInternal ends up destroying the plug-in
https://bugs.webkit.org/show_bug.cgi?id=118397
<rdar://problem/14155051>

Reviewed by Simon Fraser.

Keep the WebProcessConnection object alive while calling createPluginInternal and handle
the IPC connection going away.

(WebKit::WebProcessConnection::createPluginAsynchronously):

Location:

trunk/Source/WebKit2

Files:

-                      r152382
+                      r152403
+-07-04  Anders Carlsson  <andersca@apple.com>
+        Crash when createPluginInternal ends up destroying the plug-in
+        https://bugs.webkit.org/show_bug.cgi?id=118397
+        <rdar://problem/14155051>
+        Reviewed by Simon Fraser.
+        Keep the WebProcessConnection object alive while calling createPluginInternal and handle
+        the IPC connection going away.
+        * PluginProcess/WebProcessConnection.cpp:
+        (WebKit::WebProcessConnection::createPluginAsynchronously):
 -07-03  Gordon Sheridan  <gordon_sheridan@apple.com>

-                      r151480
+                      r152403
     // We can force it to do so by incrementing the "DispatchMessageMarkedDispatchWhenWaitingForSyncReply" count.
     m_connection->incrementDispatchMessageMarkedDispatchWhenWaitingForSyncReplyCount();
+    // The call to createPluginInternal can potentially cause the plug-in to be destroyed and
+    // thus free the WebProcessConnection object. Protect it.
+    RefPtr<WebProcessConnection> protect(this);
     createPluginInternal(creationParameters, result, wantsWheelEvents, remoteLayerClientID);
+    if (!m_connection) {
+        // createPluginInternal caused the connection to go away.
+        return;
+    }
     m_connection->decrementDispatchMessageMarkedDispatchWhenWaitingForSyncReplyCount();

Note: See TracChangeset for help on using the changeset viewer.