Changeset 64487 in webkit

Timestamp:

Aug 2, 2010 1:02:43 PM (14 years ago)

Author:

andersca@apple.com

Message:

Protect the plug-in from being destroyed while in plug-in code
​https://bugs.webkit.org/show_bug.cgi?id=43370

Reviewed by Sam Weinig.

Add a PluginProtector to NPRuntimeObjectMap and use it in JSNPObject.

• WebProcess/Plugins/JSNPObject.cpp:

(WebKit::JSNPObject::callMethod):
(WebKit::JSNPObject::callObject):
(WebKit::JSNPObject::callConstructor):
(WebKit::JSNPObject::put):
(WebKit::JSNPObject::getOwnPropertyNames):
(WebKit::JSNPObject::propertyGetter):
Add PluginProtector declarations.

• WebProcess/Plugins/NPRuntimeObjectMap.cpp:

(WebKit::NPRuntimeObjectMap::PluginProtector::PluginProtector):
Ref the plug-in view (unless it's being destroyed).

(WebKit::NPRuntimeObjectMap::PluginProtector::~PluginProtector):

• WebProcess/Plugins/NPRuntimeObjectMap.h:

• WebProcess/Plugins/PluginView.cpp:

(WebKit::PluginView::PluginView):
Initialize m_isBeingDestroyed.

(WebKit::PluginView::~PluginView):
Set m_isBeingDestroyed to true.

(WebKit::PluginView::scriptObject):
Don't crash if the plug-in failed to initialize.

(WebKit::PluginView::evaluate):
Remove comment.

• WebProcess/Plugins/PluginView.h:

(WebKit::PluginView::isBeingDestroyed):

Location:

trunk/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• WebProcess/Plugins/JSNPObject.cpp (modified) (11 diffs)
• WebProcess/Plugins/NPRuntimeObjectMap.cpp (modified) (1 diff)
• WebProcess/Plugins/NPRuntimeObjectMap.h (modified) (1 diff)
• WebProcess/Plugins/PluginView.cpp (modified) (5 diffs)
• WebProcess/Plugins/PluginView.h (modified) (2 diffs)

trunk/WebKit2/ChangeLog

@@ -58 +58 @@
         (WebKit::WebBackForwardList::forwardListAsImmutableArrayWithLimit):
         Use a simpler and correct expression to determine "last".
+
+2010-08-02  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Protect the plug-in from being destroyed while in plug-in code
+        https://bugs.webkit.org/show_bug.cgi?id=43370
+
+        Add a PluginProtector to NPRuntimeObjectMap and use it in JSNPObject.
+        
+        * WebProcess/Plugins/JSNPObject.cpp:
+        (WebKit::JSNPObject::callMethod):
+        (WebKit::JSNPObject::callObject):
+        (WebKit::JSNPObject::callConstructor):
+        (WebKit::JSNPObject::put):
+        (WebKit::JSNPObject::getOwnPropertyNames):
+        (WebKit::JSNPObject::propertyGetter):
+        Add PluginProtector declarations.
+
+        * WebProcess/Plugins/NPRuntimeObjectMap.cpp:
+        (WebKit::NPRuntimeObjectMap::PluginProtector::PluginProtector):
+        Ref the plug-in view (unless it's being destroyed).
+
+        (WebKit::NPRuntimeObjectMap::PluginProtector::~PluginProtector):
+        * WebProcess/Plugins/NPRuntimeObjectMap.h:
+
+        * WebProcess/Plugins/PluginView.cpp:
+        (WebKit::PluginView::PluginView):
+        Initialize m_isBeingDestroyed.
+
+        (WebKit::PluginView::~PluginView):
+        Set m_isBeingDestroyed to true.
+
+        (WebKit::PluginView::scriptObject):
+        Don't crash if the plug-in failed to initialize.
+
+        (WebKit::PluginView::evaluate):
+        Remove comment.
+
+        * WebProcess/Plugins/PluginView.h:
+        (WebKit::PluginView::isBeingDestroyed):
 
 2010-08-02  Anders Carlsson  <andersca@apple.com>

trunk/WebKit2/WebProcess/Plugins/JSNPObject.cpp

@@ -89 +89 @@
         m_objectMap->convertJSValueToNPVariant(exec, exec->argument(i), arguments[i]);
 
+    // Calling NPClass::invoke will call into plug-in code, and there's no telling what the plug-in can do.
+    // (including destroying the plug-in). Because of this, we make sure to keep the plug-in alive until 
+    // the call has finished.
+    NPRuntimeObjectMap::PluginProtector protector(m_objectMap);
+
     bool returnValue;
     NPVariant result;
@@ -96 +101 @@
         JSLock::DropAllLocks dropAllLocks(SilenceAssertionsOnly);
         returnValue = m_npObject->_class->invoke(m_npObject, methodName, arguments.data(), argumentCount, &result);
-
-        // FIXME: Handle invoke setting an exception.
-        // FIXME: Find out what happens if calling invoke causes the plug-in to go away.
+        NPRuntimeObjectMap::moveGlobalExceptionToExecState(exec);
     }
 
@@ -124 +127 @@
     for (size_t i = 0; i < argumentCount; ++i)
         m_objectMap->convertJSValueToNPVariant(exec, exec->argument(i), arguments[i]);
+
+    // Calling NPClass::invokeDefault will call into plug-in code, and there's no telling what the plug-in can do.
+    // (including destroying the plug-in). Because of this, we make sure to keep the plug-in alive until 
+    // the call has finished.
+    NPRuntimeObjectMap::PluginProtector protector(m_objectMap);
     
     bool returnValue;
@@ -132 +140 @@
         JSLock::DropAllLocks dropAllLocks(SilenceAssertionsOnly);
         returnValue = m_npObject->_class->invokeDefault(m_npObject, arguments.data(), argumentCount, &result);
-        
-        // FIXME: Handle invokeDefault setting an exception.
-        // FIXME: Find out what happens if calling invokeDefault causes the plug-in to go away.
+        NPRuntimeObjectMap::moveGlobalExceptionToExecState(exec);
     }
 
@@ -161 +167 @@
         m_objectMap->convertJSValueToNPVariant(exec, exec->argument(i), arguments[i]);
 
+    // Calling NPClass::construct will call into plug-in code, and there's no telling what the plug-in can do.
+    // (including destroying the plug-in). Because of this, we make sure to keep the plug-in alive until 
+    // the call has finished.
+    NPRuntimeObjectMap::PluginProtector protector(m_objectMap);
+    
     bool returnValue;
     NPVariant result;
@@ -169 +180 @@
         returnValue = m_npObject->_class->construct(m_npObject, arguments.data(), argumentCount, &result);
         NPRuntimeObjectMap::moveGlobalExceptionToExecState(exec);
-        
-        // FIXME: Find out what happens if calling construct causes the plug-in to go away.
     }
 
@@ -286 +295 @@
     NPVariant variant;
     m_objectMap->convertJSValueToNPVariant(exec, value, variant);
+
+    // Calling NPClass::setProperty will call into plug-in code, and there's no telling what the plug-in can do.
+    // (including destroying the plug-in). Because of this, we make sure to keep the plug-in alive until 
+    // the call has finished.
+    NPRuntimeObjectMap::PluginProtector protector(m_objectMap);
+
     {
         JSLock::DropAllLocks dropAllLocks(SilenceAssertionsOnly);
@@ -292 +307 @@
         NPRuntimeObjectMap::moveGlobalExceptionToExecState(exec);
 
-        // FIXME: Find out what happens if calling setProperty causes the plug-in to go away.
         // FIXME: Should we throw an exception if setProperty returns false?
     }
@@ -312 +326 @@
     uint32_t identifierCount = 0;
     
-    {
-        JSLock::DropAllLocks dropAllLocks(SilenceAssertionsOnly);
-
-        // FIXME: Find out what happens if calling enumerate causes the plug-in to go away.
+    // Calling NPClass::enumerate will call into plug-in code, and there's no telling what the plug-in can do.
+    // (including destroying the plug-in). Because of this, we make sure to keep the plug-in alive until 
+    // the call has finished.
+    NPRuntimeObjectMap::PluginProtector protector(m_objectMap);
+    
+    {
+        JSLock::DropAllLocks dropAllLocks(SilenceAssertionsOnly);
+
         // FIXME: Should we throw an exception if enumerate returns false?
         if (!m_npObject->_class->enumerate(m_npObject, &identifiers, &identifierCount))
@@ -355 +373 @@
     VOID_TO_NPVARIANT(result);
 
+    // Calling NPClass::getProperty will call into plug-in code, and there's no telling what the plug-in can do.
+    // (including destroying the plug-in). Because of this, we make sure to keep the plug-in alive until 
+    // the call has finished.
+    NPRuntimeObjectMap::PluginProtector protector(thisObj->m_objectMap);
+    
     bool returnValue;
     {
@@ -362 +385 @@
         
         NPRuntimeObjectMap::moveGlobalExceptionToExecState(exec);
-
-        // FIXME: Find out what happens if calling getProperty causes the plug-in to go away.
     }
 

trunk/WebKit2/WebProcess/Plugins/NPRuntimeObjectMap.cpp

@@ -47 +47 @@
 }
 
+NPRuntimeObjectMap::PluginProtector::PluginProtector(NPRuntimeObjectMap* npRuntimeObjectMap)
+{
+    // If we're already in the plug-in view destructor, we shouldn't try to keep it alive.
+    if (!npRuntimeObjectMap->m_pluginView->isBeingDestroyed())
+        m_pluginView = npRuntimeObjectMap->m_pluginView;
+}
+
+NPRuntimeObjectMap::PluginProtector::~PluginProtector()
+{
+}
+
 NPObject* NPRuntimeObjectMap::getOrCreateNPObject(JSObject* jsObject)
 {

trunk/WebKit2/WebProcess/Plugins/NPRuntimeObjectMap.h

@@ -54 +54 @@
     explicit NPRuntimeObjectMap(PluginView*);
 
+    class PluginProtector {
+    public:
+        explicit PluginProtector(NPRuntimeObjectMap* npRuntimeObjectMap);
+        ~PluginProtector();
+        
+    private:
+        RefPtr<PluginView> m_pluginView;
+    };
+
     // Returns an NPObject that wraps the given JSObject object. If there is already an NPObject that wraps this JSObject, it will
     // retain it and return it.

trunk/WebKit2/WebProcess/Plugins/PluginView.cpp

@@ -218 +218 @@
     , m_isInitialized(false)
     , m_isWaitingUntilMediaCanStart(false)
+    , m_isBeingDestroyed(false)
     , m_pendingURLRequestsTimer(RunLoop::main(), this, &PluginView::pendingURLRequestsTimerFired)
     , m_npRuntimeObjectMap(this)
@@ -225 +226 @@
 PluginView::~PluginView()
 {
+    ASSERT(!m_isBeingDestroyed);
+
     if (m_isWaitingUntilMediaCanStart)
         m_pluginElement->document()->removeMediaCanStartListener(this);
@@ -233 +236 @@
         it->first->setLoadListener(0);
 
-    if (m_plugin && m_isInitialized)
+    if (m_plugin && m_isInitialized) {
+        m_isBeingDestroyed = true;
         m_plugin->destroy();
+        m_isBeingDestroyed = false;
+    }
 
     // Invalidate the object map.
@@ -285 +291 @@
 JSObject* PluginView::scriptObject(JSGlobalObject* globalObject)
 {
+    // The plug-in can be null here if it failed to initialize.
+    if (!m_plugin)
+        return 0;
+    
     NPObject* scriptableNPObject = m_plugin->pluginScriptableNPObject();
     if (!scriptableNPObject)
@@ -645 +655 @@
     frame()->script()->setAllowPopupsFromPlugin(allowPopups);
 
-    // FIXME: What happens if calling evaluate will cause the plug-in view to go away.
     bool returnValue = m_npRuntimeObjectMap.evaluate(npObject, scriptString, result);
 

trunk/WebKit2/WebProcess/Plugins/PluginView.h

@@ -54 +54 @@
 
     WebCore::Frame* frame();
+
+    bool isBeingDestroyed() const { return m_isBeingDestroyed; }
 
 private:
@@ -117 +119 @@
     bool m_isInitialized;
     bool m_isWaitingUntilMediaCanStart;
+    bool m_isBeingDestroyed;
 
     // Pending URLRequests that the plug-in has made.