Changeset 171371 in webkit


Timestamp:
Jul 22, 2014 4:33:09 PM (10 years ago)
Author:
commit-queue@webkit.org
Message:

[Win] Crash after plugin is unloaded.
https://bugs.webkit.org/show_bug.cgi?id=119044

Patch by peavo@outlook.com <peavo@outlook.com> on 2014-07-22
Reviewed by Darin Adler.

We need to invalidate all runtime objects when a plugin view is destroyed, in case the plugin is unloaded,
and one of these runtime objects accesses the plugin function table upon destruction afterwards, which will cause a crash.
If we use the weak pointer to the runtime object when invalidating, it will be null if it's in the WeakImpl::Dead state.
This means the runtime object will not be invalidated, possibly causing a crash if the plugin is unloaded.
It should be safe to use the raw pointer to the runtime object when invalidating, since finalized runtime objects
will be removed from the set of runtime objects in the method RootObject::finalize().

  • bridge/runtime_root.cpp:

(JSC::Bindings::RootObject::invalidate): Make sure all runtime objects are invalidated by getting the raw runtime object pointer from the hash key.

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r171370 r171371  
     12014-07-22  peavo@outlook.com  <peavo@outlook.com>
     2
     3        [Win] Crash after plugin is unloaded.
     4        https://bugs.webkit.org/show_bug.cgi?id=119044
     5
     6        Reviewed by Darin Adler.
     7
     8        We need to invalidate all runtime objects when a plugin view is destroyed, in case the plugin is unloaded,
     9        and one of these runtime objects accesses the plugin function table upon destruction afterwards, which will cause a crash.
     10        If we use the weak pointer to the runtime object when invalidating, it will be null if it's in the WeakImpl::Dead state.
     11        This means the runtime object will not be invalidated, possibly causing a crash if the plugin is unloaded.
     12        It should be safe to use the raw pointer to the runtime object when invalidating, since finalized runtime objects
     13        will be removed from the set of runtime objects in the method RootObject::finalize().
     14
     15        * bridge/runtime_root.cpp:
     16        (JSC::Bindings::RootObject::invalidate): Make sure all runtime objects are invalidated by getting the raw runtime object pointer from the hash key.
     17
    1182014-07-22  Enrica Casucci  <enrica@apple.com>
    219
  • trunk/Source/WebCore/bridge/runtime_root.cpp

    r166071 r171371  
    107107
    108108    {
    109         HashMap<RuntimeObject*, JSC::Weak<RuntimeObject>>::iterator end = m_runtimeObjects.end();
    110         for (HashMap<RuntimeObject*, JSC::Weak<RuntimeObject>>::iterator it = m_runtimeObjects.begin(); it != end; ++it) {
    111             RuntimeObject* runtimeObject = it->value.get();
    112             if (!runtimeObject) // Skip zombies.
    113                 continue;
     109        // Get the objects from the keys; the values might be nulled.
     110        // Safe because finalized runtime objects are removed from m_runtimeObjects by RootObject::finalize.
     111        for (RuntimeObject* runtimeObject : m_runtimeObjects.keys())
    114112            runtimeObject->invalidate();
    115         }
    116113
    117114        m_runtimeObjects.clear();
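Review bot: the new range-for over m_runtimeObjects.keys() (new lines 109-112) calls runtimeObject->invalidate() while still iterating the map, so if invalidate() can run code that removes an entry from m_runtimeObjects (for instance by triggering garbage collection and therefore RootObject::finalize), the iterator is invalidated mid-loop. If that cannot happen, it is worth stating in the comment next to the existing "Safe because finalized runtime objects are removed from m_runtimeObjects by RootObject::finalize." sentence; otherwise copy the keys into a Vector<RuntimeObject*> first and iterate the copy. The comment "the values might be nulled" would also read more precisely as "the Weak values may already be cleared (WeakImpl::Dead) before finalize removes the key", which is the rationale the commit message gives.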