Changeset 228100 in webkit

Timestamp:

Feb 5, 2018 10:03:58 AM (6 years ago)

Author:

dbates@webkit.org

Message:

Disallow evaluating JavaScript from NPP_Destroy() in WebKit
​https://bugs.webkit.org/show_bug.cgi?id=181889
<rdar://problem/36674701>

Reviewed by Brent Fulgham.

Source/WebKit:

Make the behavior of WebKit match the behavior of WebKitLegacy on Mac.

• Shared/Plugins/NPObjectMessageReceiver.cpp:

(WebKit::NPObjectMessageReceiver::hasMethod):
(WebKit::NPObjectMessageReceiver::invoke):
(WebKit::NPObjectMessageReceiver::invokeDefault):
(WebKit::NPObjectMessageReceiver::hasProperty):
(WebKit::NPObjectMessageReceiver::getProperty):
(WebKit::NPObjectMessageReceiver::setProperty):
(WebKit::NPObjectMessageReceiver::removeProperty):
(WebKit::NPObjectMessageReceiver::enumerate):
(WebKit::NPObjectMessageReceiver::construct):
Bail out if the plugin is executing NPP_Destroy().

• WebProcess/Plugins/Plugin.cpp:

(WebKit::Plugin::destroyPlugin):

• WebProcess/Plugins/Plugin.h:

(WebKit::Plugin::isBeingDestroyed const):
Move bookkeeping of whether the plugin is being destroyed from PluginView
to here. This makes it straightforward for NPObjectMessageReceiver to query
this information.

• WebProcess/Plugins/PluginView.cpp:

(WebKit::PluginView::~PluginView):
(WebKit::PluginView::destroyPluginAndReset):
(WebKit::PluginView::recreateAndInitialize):
(WebKit::PluginView::protectPluginFromDestruction):
(WebKit::PluginView::unprotectPluginFromDestruction):
Move bookkeeping of whether the plugin is being destroyed from here
to Plugin.

• WebProcess/Plugins/PluginView.h:

(WebKit::PluginView::isBeingDestroyed const): Turn around and ask the plugin if it
is being destroyed, if we have one.

LayoutTests:

Consolidate all the plugin tests that evaluate JavaScript from NPP_Destroy()
and mark them as Wont Fix. In a subsequent change we will look to replace
these tests with tests that ensure that we do not evaluate JavaScript from
NPP_Destroy().

• platform/mac/TestExpectations:
• platform/wk2/TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/platform/mac/TestExpectations (modified) (2 diffs)
• LayoutTests/platform/wk2/TestExpectations (modified) (2 diffs)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/Shared/Plugins/NPObjectMessageReceiver.cpp (modified) (9 diffs)
• Source/WebKit/WebProcess/Plugins/Plugin.cpp (modified) (2 diffs)
• Source/WebKit/WebProcess/Plugins/Plugin.h (modified) (2 diffs)
• Source/WebKit/WebProcess/Plugins/PluginView.cpp (modified) (5 diffs)
• Source/WebKit/WebProcess/Plugins/PluginView.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-02-05  Daniel Bates  <dabates@apple.com>
+
+        Disallow evaluating JavaScript from NPP_Destroy() in WebKit
+        https://bugs.webkit.org/show_bug.cgi?id=181889
+        <rdar://problem/36674701>
+
+        Reviewed by Brent Fulgham.
+
+        Consolidate all the plugin tests that evaluate JavaScript from NPP_Destroy()
+        and mark them as Wont Fix. In a subsequent change we will look to replace
+        these tests with tests that ensure that we do not evaluate JavaScript from
+        NPP_Destroy().
+
+        * platform/mac/TestExpectations:
+        * platform/wk2/TestExpectations:
+
 2018-02-05  Antoine Quint  <graouts@apple.com>
 

trunk/LayoutTests/platform/mac/TestExpectations

@@ -190 +190 @@
 fast/images/animated-webp-expected.html
 
-# Times out because plugins aren't allowed to execute JS after NPP_Destroy has been called in WebKit1's OOP plugins implementation
-webkit.org/b/48929 plugins/evaluate-js-after-removing-plugin-element.html
 
 # DRT does not support toggling caret browsing on / off
@@ -436 +434 @@
 
 # --- Plugins ---
-# WebKit1 OOP plug-ins: Can't evaluate JavaScript from NPP_Destroy.
-plugins/document-open.html
-plugins/geturlnotify-during-document-teardown.html
-plugins/nested-plugin-objects.html
-plugins/netscape-destroy-plugin-script-objects.html
-plugins/open-and-close-window-with-plugin.html
+# Out-of-process plug-ins are disallowed from evaluating JavaScript from NPP_Destroy().
+plugins/attach-during-destroy.html [ WontFix ]
+plugins/destroy-reentry.html [ WontFix ]
+plugins/document-open.html [ WontFix ]
+webkit.org/b/48929 plugins/evaluate-js-after-removing-plugin-element.html [ WontFix ]
+plugins/geturlnotify-during-document-teardown.html [ WontFix ]
+plugins/js-from-destroy.html [ WontFix ]
+plugins/nested-plugin-objects.html [ WontFix ]
+plugins/netscape-destroy-plugin-script-objects.html [ WontFix ]
+plugins/open-and-close-window-with-plugin.html [ WontFix ]
 
 # WebKit1 OOP plug-ins: No support for getting the form value.

trunk/LayoutTests/platform/wk2/TestExpectations

@@ -126 +126 @@
 transitions/default-timing-function.html
 
-# WebKitTestRunner needs testRunner.setCallCloseOnWebViews
-# http://webkit.org/b/46714
-plugins/geturlnotify-during-document-teardown.html
-plugins/open-and-close-window-with-plugin.html
-
 # Sometimes fails
 # http://webkit.org/b/58990
@@ -513 +508 @@
 ########################################
 ### START OF (4) Features that are not supported in WebKit2 and likely never will be
+
+# Plug-ins are disallowed from evaluating JavaScript from NPP_Destroy().
+plugins/attach-during-destroy.html [ WontFix ]
+plugins/destroy-reentry.html [ WontFix ]
+plugins/document-open.html [ WontFix ]
+webkit.org/b/48929 plugins/evaluate-js-after-removing-plugin-element.html [ WontFix ]
+plugins/geturlnotify-during-document-teardown.html [ WontFix ]
+plugins/js-from-destroy.html [ WontFix ]
+plugins/nested-plugin-objects.html [ WontFix ]
+plugins/netscape-destroy-plugin-script-objects.html [ WontFix ]
+plugins/open-and-close-window-with-plugin.html [ WontFix ]
 
 # Internals.registerDefaultPortForProtocol() does not affect NetworkProcess. We should

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-02-05  Daniel Bates  <dabates@apple.com>
+
+        Disallow evaluating JavaScript from NPP_Destroy() in WebKit
+        https://bugs.webkit.org/show_bug.cgi?id=181889
+        <rdar://problem/36674701>
+
+        Reviewed by Brent Fulgham.
+
+        Make the behavior of WebKit match the behavior of WebKitLegacy on Mac.
+
+        * Shared/Plugins/NPObjectMessageReceiver.cpp:
+        (WebKit::NPObjectMessageReceiver::hasMethod):
+        (WebKit::NPObjectMessageReceiver::invoke):
+        (WebKit::NPObjectMessageReceiver::invokeDefault):
+        (WebKit::NPObjectMessageReceiver::hasProperty):
+        (WebKit::NPObjectMessageReceiver::getProperty):
+        (WebKit::NPObjectMessageReceiver::setProperty):
+        (WebKit::NPObjectMessageReceiver::removeProperty):
+        (WebKit::NPObjectMessageReceiver::enumerate):
+        (WebKit::NPObjectMessageReceiver::construct):
+        Bail out if the plugin is executing NPP_Destroy().
+
+        * WebProcess/Plugins/Plugin.cpp:
+        (WebKit::Plugin::destroyPlugin):
+        * WebProcess/Plugins/Plugin.h:
+        (WebKit::Plugin::isBeingDestroyed const):
+        Move bookkeeping of whether the plugin is being destroyed from PluginView
+        to here. This makes it straightforward for NPObjectMessageReceiver to query
+        this information.
+
+        * WebProcess/Plugins/PluginView.cpp:
+        (WebKit::PluginView::~PluginView):
+        (WebKit::PluginView::destroyPluginAndReset):
+        (WebKit::PluginView::recreateAndInitialize):
+        (WebKit::PluginView::protectPluginFromDestruction):
+        (WebKit::PluginView::unprotectPluginFromDestruction):
+        Move bookkeeping of whether the plugin is being destroyed from here
+        to Plugin.
+
+        * WebProcess/Plugins/PluginView.h:
+        (WebKit::PluginView::isBeingDestroyed const): Turn around and ask the plugin if it
+        is being destroyed, if we have one.
+
 2018-02-05  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebKit/Shared/Plugins/NPObjectMessageReceiver.cpp

@@ -61 +61 @@
 void NPObjectMessageReceiver::hasMethod(const NPIdentifierData& methodNameData, bool& returnValue)
 {
-    if (!m_npObject->_class->hasMethod) {
+    if (m_plugin->isBeingDestroyed() || !m_npObject->_class->hasMethod) {
         returnValue = false;
         return;
@@ -71 +71 @@
 void NPObjectMessageReceiver::invoke(const NPIdentifierData& methodNameData, const Vector<NPVariantData>& argumentsData, bool& returnValue, NPVariantData& resultData)
 {
-    if (!m_npObject->_class->invoke) {
+    if (m_plugin->isBeingDestroyed() || !m_npObject->_class->invoke) {
         returnValue = false;
         return;
@@ -101 +101 @@
 void NPObjectMessageReceiver::invokeDefault(const Vector<NPVariantData>& argumentsData, bool& returnValue, NPVariantData& resultData)
 {
-    if (!m_npObject->_class->invokeDefault) {
+    if (m_plugin->isBeingDestroyed() || !m_npObject->_class->invokeDefault) {
         returnValue = false;
         return;
@@ -131 +131 @@
 void NPObjectMessageReceiver::hasProperty(const NPIdentifierData& propertyNameData, bool& returnValue)
 {
-    if (!m_npObject->_class->hasProperty) {
+    if (m_plugin->isBeingDestroyed() || !m_npObject->_class->hasProperty) {
         returnValue = false;
         return;
@@ -141 +141 @@
 void NPObjectMessageReceiver::getProperty(const NPIdentifierData& propertyNameData, bool& returnValue, NPVariantData& resultData)
 {
-    if (!m_npObject->_class->getProperty) {
+    if (m_plugin->isBeingDestroyed() || !m_npObject->_class->getProperty) {
         returnValue = false;
         return;
@@ -163 +163 @@
 void NPObjectMessageReceiver::setProperty(const NPIdentifierData& propertyNameData, const NPVariantData& propertyValueData, bool& returnValue)
 {
-    if (!m_npObject->_class->setProperty) {
+    if (m_plugin->isBeingDestroyed() || !m_npObject->_class->setProperty) {
         returnValue = false;
         return;
@@ -179 +179 @@
 void NPObjectMessageReceiver::removeProperty(const NPIdentifierData& propertyNameData, bool& returnValue)
 {
-    if (!m_npObject->_class->removeProperty) {
+    if (m_plugin->isBeingDestroyed() || !m_npObject->_class->removeProperty) {
         returnValue = false;
         return;
@@ -189 +189 @@
 void NPObjectMessageReceiver::enumerate(bool& returnValue, Vector<NPIdentifierData>& identifiersData)
 {
-    if (!NP_CLASS_STRUCT_VERSION_HAS_ENUM(m_npObject->_class) || !m_npObject->_class->enumerate) {
+    if (m_plugin->isBeingDestroyed() || !NP_CLASS_STRUCT_VERSION_HAS_ENUM(m_npObject->_class) || !m_npObject->_class->enumerate) {
         returnValue = false;
         return;
@@ -209 +209 @@
 void NPObjectMessageReceiver::construct(const Vector<NPVariantData>& argumentsData, bool& returnValue, NPVariantData& resultData)
 {
-    if (!NP_CLASS_STRUCT_VERSION_HAS_CTOR(m_npObject->_class) || !m_npObject->_class->construct) {
+    if (m_plugin->isBeingDestroyed() || !NP_CLASS_STRUCT_VERSION_HAS_CTOR(m_npObject->_class) || !m_npObject->_class->construct) {
         returnValue = false;
         return;

trunk/Source/WebKit/WebProcess/Plugins/Plugin.cpp

@@ -29 +29 @@
 #include "WebCoreArgumentCoders.h"
 #include <WebCore/IntPoint.h>
+#include <wtf/SetForScope.h>
 
 using namespace WebCore;
@@ -99 +100 @@
 void Plugin::destroyPlugin()
 {
+    ASSERT(!m_isBeingDestroyed);
+    SetForScope<bool> scope { m_isBeingDestroyed, true };
+
     destroy();
 
-    m_pluginController = 0;
+    m_pluginController = nullptr;
 }
 

trunk/Source/WebKit/WebProcess/Plugins/Plugin.h

@@ -105 +105 @@
     void destroyPlugin();
 
+    bool isBeingDestroyed() const { return m_isBeingDestroyed; }
+
     // Returns the plug-in controller for this plug-in.
     PluginController* controller() { return m_pluginController; }
@@ -310 +312 @@
     PluginType m_type;
 
+    bool m_isBeingDestroyed { false };
+
 private:
     PluginController* m_pluginController;

trunk/Source/WebKit/WebProcess/Plugins/PluginView.cpp

@@ -320 +320 @@
         m_webPage->removePluginView(this);
 
-    ASSERT(!m_isBeingDestroyed);
+    ASSERT(!m_plugin || !m_plugin->isBeingDestroyed());
 
     if (m_isWaitingUntilMediaCanStart)
@@ -341 +341 @@
 
     if (m_plugin) {
-        m_isBeingDestroyed = true;
         m_plugin->destroyPlugin();
-        m_isBeingDestroyed = false;
 
         m_pendingURLRequests.clear();
@@ -374 +372 @@
     m_isWaitingForSynchronousInitialization = false;
     m_isWaitingUntilMediaCanStart = false;
-    m_isBeingDestroyed = false;
     m_manualStreamState = ManualStreamState::Initial;
     m_transientPaintingSnapshot = nullptr;
@@ -1642 +1639 @@
 void PluginView::protectPluginFromDestruction()
 {
-    if (!m_isBeingDestroyed)
+    if (m_plugin && !m_plugin->isBeingDestroyed())
         ref();
 }
@@ -1648 +1645 @@
 void PluginView::unprotectPluginFromDestruction()
 {
-    if (m_isBeingDestroyed)
+    if (!m_plugin || m_plugin->isBeingDestroyed())
         return;
 

trunk/Source/WebKit/WebProcess/Plugins/PluginView.h

@@ -71 +71 @@
     WebCore::Frame* frame() const;
 
-    bool isBeingDestroyed() const { return m_isBeingDestroyed; }
+    bool isBeingDestroyed() const { return !m_plugin || m_plugin->isBeingDestroyed(); }
 
     void manualLoadDidReceiveResponse(const WebCore::ResourceResponse&);
@@ -249 +249 @@
     bool m_isWaitingForSynchronousInitialization { false };
     bool m_isWaitingUntilMediaCanStart { false };
-    bool m_isBeingDestroyed { false };
     bool m_pluginProcessHasCrashed { false };