Changeset 71249 in webkit

Timestamp:

Nov 3, 2010 10:32:56 AM (13 years ago)

Author:

Adam Roben

Message:

Add a plugin test that evaluates JS after removing the plugin element from the document

This test replaces platform/win/plugins/plugin-delayed-destroy.html.
That test was made to prevent a crash very similar to this one, but
unfortunately tested only the mechanism that prevented the crash and
not whether the crash itself was prevented. Since WebKit2 uses a
different mechanism to prevent the crash, the test was failing even
though WebKit2 was not vulnerable to the crash. This new test crashes
if there is no mechanism in place to prevent it and passes in both
WebKit1 and WebKit2.

Fixes <​http://webkit.org/b/46711> <rdar://problem/8485903>
platform/win/plugins/plugin-delayed-destroy.html fails in WebKit2

Reviewed by Anders Carlsson.

WebKitTools:

• DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
• DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
• DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:
• GNUmakefile.am:

Added new file.

• DumpRenderTree/TestNetscapePlugIn/PluginObject.cpp:

(pluginDeallocate): Make sure we delete the PluginTest object. This
prevents a leak and also allows us to test the crash.

• DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:

(PluginTest::executeScript): Made this into a non-static member
function.

(PluginTest::waitUntilDone):
(PluginTest::notifyDone):
Updated for changes to executeScript.

• DumpRenderTree/TestNetscapePlugIn/PluginTest.h: Added executeScript.

• DumpRenderTree/TestNetscapePlugIn/Tests/EvaluateJSAfterRemovingPluginElement.cpp: Added.

(EvaluateJSAfterRemovingPluginElement::EvaluateJSAfterRemovingPluginElement):
Initialize ourselves and tell the test harness to wait.
(EvaluateJSAfterRemovingPluginElement::NPP_DestroyStream): Remove our
plugin element from the document, then execute some JavaScript. If
WebKit does not have appropriate mechanisms in place, we'll be
destroyed inside the first call to executeScript and crash on the
second call.

LayoutTests:

• platform/mac/Skipped: Added the new test, which fails in WebKit1 on SnowLeopard.

• platform/win-wk2/Skipped: Removed platform/win/plugins/plugin-delayed-destroy.html.

• platform/win/plugins/plugin-delayed-destroy-expected.txt: Removed.
• platform/win/plugins/plugin-delayed-destroy.html: Removed.

• plugins/evaluate-js-after-removing-plugin-element-expected.txt: Added.
• plugins/evaluate-js-after-removing-plugin-element.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/platform/mac/Skipped (modified) (1 diff)
• LayoutTests/platform/win-wk2/Skipped (modified) (1 diff)
• LayoutTests/platform/win/plugins/plugin-delayed-destroy-expected.txt (deleted)
• LayoutTests/platform/win/plugins/plugin-delayed-destroy.html (deleted)
• LayoutTests/plugins/evaluate-js-after-removing-plugin-element-expected.txt (added)
• LayoutTests/plugins/evaluate-js-after-removing-plugin-element.html (added)
• WebKitTools/ChangeLog (modified) (1 diff)
• WebKitTools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj (modified) (4 diffs)
• WebKitTools/DumpRenderTree/TestNetscapePlugIn/PluginObject.cpp (modified) (2 diffs)
• WebKitTools/DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp (modified) (3 diffs)
• WebKitTools/DumpRenderTree/TestNetscapePlugIn/PluginTest.h (modified) (1 diff)
• WebKitTools/DumpRenderTree/TestNetscapePlugIn/Tests/EvaluateJSAfterRemovingPluginElement.cpp (added)
• WebKitTools/DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj (modified) (1 diff)
• WebKitTools/DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro (modified) (1 diff)
• WebKitTools/GNUmakefile.am (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-11-03  Adam Roben  <aroben@apple.com>
+
+        Add a plugin test that evaluates JS after removing the plugin element
+        from the document
+
+        This test replaces platform/win/plugins/plugin-delayed-destroy.html.
+        That test was made to prevent a crash very similar to this one, but
+        unfortunately tested only the mechanism that prevented the crash and
+        not whether the crash itself was prevented. Since WebKit2 uses a
+        different mechanism to prevent the crash, the test was failing even
+        though WebKit2 was not vulnerable to the crash. This new test crashes
+        if there is no mechanism in place to prevent it and passes in both
+        WebKit1 and WebKit2.
+
+        Fixes <http://webkit.org/b/46711> <rdar://problem/8485903>
+        platform/win/plugins/plugin-delayed-destroy.html fails in WebKit2
+
+        Reviewed by Anders Carlsson.
+
+        * platform/mac/Skipped: Added the new test, which fails in WebKit1 on SnowLeopard.
+
+        * platform/win-wk2/Skipped: Removed platform/win/plugins/plugin-delayed-destroy.html.
+
+        * platform/win/plugins/plugin-delayed-destroy-expected.txt: Removed.
+        * platform/win/plugins/plugin-delayed-destroy.html: Removed.
+
+        * plugins/evaluate-js-after-removing-plugin-element-expected.txt: Added.
+        * plugins/evaluate-js-after-removing-plugin-element.html: Added.
+
 2010-11-03  Stephen White  <senorblanco@chromium.org>
 

trunk/LayoutTests/platform/mac/Skipped

@@ -273 +273 @@
 # https://bugs.webkit.org/show_bug.cgi?id=47901
 fast/canvas/canvas-getImageData-negative-source.html
+
+# Times out because plugins aren't allowed to execute JS after NPP_Destroy has been called in WebKit1's OOP plugins implementation http://webkit.org/b/48929
+plugins/evaluate-js-after-removing-plugin-element.html

trunk/LayoutTests/platform/win-wk2/Skipped

@@ -76 +76 @@
 plugins/embed-attributes-style.html
 
-# http://webkit.org/b/46711
-platform/win/plugins/plugin-delayed-destroy.html
-
 # http://webkit.org/b/46715
 plugins/npruntime/invoke-failure.html

trunk/WebKitTools/ChangeLog

@@ +1 @@
+2010-11-03  Adam Roben  <aroben@apple.com>
+
+        Add a plugin test that evaluates JS after removing the plugin element
+        from the document
+
+        This test replaces platform/win/plugins/plugin-delayed-destroy.html.
+        That test was made to prevent a crash very similar to this one, but
+        unfortunately tested only the mechanism that prevented the crash and
+        not whether the crash itself was prevented. Since WebKit2 uses a
+        different mechanism to prevent the crash, the test was failing even
+        though WebKit2 was not vulnerable to the crash. This new test crashes
+        if there is no mechanism in place to prevent it and passes in both
+        WebKit1 and WebKit2.
+
+        Fixes <http://webkit.org/b/46711> <rdar://problem/8485903>
+        platform/win/plugins/plugin-delayed-destroy.html fails in WebKit2
+
+        Reviewed by Anders Carlsson.
+
+        * DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
+        * DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
+        * DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:
+        * GNUmakefile.am:
+        Added new file.
+
+        * DumpRenderTree/TestNetscapePlugIn/PluginObject.cpp:
+        (pluginDeallocate): Make sure we delete the PluginTest object. This
+        prevents a leak and also allows us to test the crash.
+
+        * DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
+        (PluginTest::executeScript): Made this into a non-static member
+        function.
+
+        (PluginTest::waitUntilDone):
+        (PluginTest::notifyDone):
+        Updated for changes to executeScript.
+
+        * DumpRenderTree/TestNetscapePlugIn/PluginTest.h: Added executeScript.
+
+        * DumpRenderTree/TestNetscapePlugIn/Tests/EvaluateJSAfterRemovingPluginElement.cpp: Added.
+        (EvaluateJSAfterRemovingPluginElement::EvaluateJSAfterRemovingPluginElement):
+        Initialize ourselves and tell the test harness to wait.
+        (EvaluateJSAfterRemovingPluginElement::NPP_DestroyStream): Remove our
+        plugin element from the document, then execute some JavaScript. If
+        WebKit does not have appropriate mechanisms in place, we'll be
+        destroyed inside the first call to executeScript and crash on the
+        second call.
+
 2010-11-02  Stephen White  <senorblanco@chromium.org>
 

trunk/WebKitTools/DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj

@@ -133 +133 @@
                 BCF6C6500C98E9C000AC063E /* GCController.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BCF6C64F0C98E9C000AC063E /* GCController.cpp */; };
                 C06F9ABC1267A7060058E1F6 /* PassDifferentNPPStruct.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C06F9ABB1267A7060058E1F6 /* PassDifferentNPPStruct.cpp */; };
+                C0E720751281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C0E720741281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp */; };
                 C0EC3C9C12787F0500939164 /* NullNPPGetValuePointer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C0EC3C9B12787F0500939164 /* NullNPPGetValuePointer.cpp */; };
                 E1B7816511AF31B7007E1BC2 /* MockGeolocationProvider.mm in Sources */ = {isa = PBXBuildFile; fileRef = E1B7808711AF1669007E1BC2 /* MockGeolocationProvider.mm */; };
@@ -308 +309 @@
                 BCF6C64F0C98E9C000AC063E /* GCController.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = GCController.cpp; sourceTree = "<group>"; };
                 C06F9ABB1267A7060058E1F6 /* PassDifferentNPPStruct.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PassDifferentNPPStruct.cpp; sourceTree = "<group>"; };
+                C0E720741281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = EvaluateJSAfterRemovingPluginElement.cpp; sourceTree = "<group>"; };
                 C0EC3C9B12787F0500939164 /* NullNPPGetValuePointer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NullNPPGetValuePointer.cpp; sourceTree = "<group>"; };
                 E1B7808511AF1643007E1BC2 /* MockGeolocationProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = MockGeolocationProvider.h; path = mac/MockGeolocationProvider.h; sourceTree = "<group>"; };
@@ -463 +465 @@
                         children = (
                                 1A215A7511F26072008AD0F5 /* DocumentOpenInDestroyStream.cpp */,
+                                C0E720741281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp */,
                                 1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */,
                                 1AC77DCE120605B6005C19EF /* NPRuntimeRemoveProperty.cpp */,
@@ -752 +755 @@
                                 C06F9ABC1267A7060058E1F6 /* PassDifferentNPPStruct.cpp in Sources */,
                                 C0EC3C9C12787F0500939164 /* NullNPPGetValuePointer.cpp in Sources */,
+                                C0E720751281C828004EF533 /* EvaluateJSAfterRemovingPluginElement.cpp in Sources */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/WebKitTools/DumpRenderTree/TestNetscapePlugIn/PluginObject.cpp

@@ -28 +28 @@
 #include "PluginObject.h"
 
+#include "PluginTest.h"
 #include "TestObject.h"
 #include <assert.h>
@@ -991 +992 @@
 {
     PluginObject* plugin = reinterpret_cast<PluginObject*>(header);
+    delete plugin->pluginTest;
     if (plugin->testObject)
         browser->releaseobject(plugin->testObject);

trunk/WebKitTools/DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp

@@ -102 +102 @@
 }
 
-static void executeScript(NPP npp, const char* script)
+void PluginTest::executeScript(const char* script)
 {
     NPObject* windowScriptObject;
-    browser->getvalue(npp, NPNVWindowNPObject, &windowScriptObject);
+    browser->getvalue(m_npp, NPNVWindowNPObject, &windowScriptObject);
 
     NPString npScript;
@@ -112 +112 @@
 
     NPVariant browserResult;
-    browser->evaluate(npp, windowScriptObject, &npScript, &browserResult);
+    browser->evaluate(m_npp, windowScriptObject, &npScript, &browserResult);
     browser->releasevariantvalue(&browserResult);
 }
@@ -118 +118 @@
 void PluginTest::waitUntilDone()
 {
-    executeScript(m_npp, "layoutTestController.waitUntilDone()");
+    executeScript("layoutTestController.waitUntilDone()");
 }
 
 void PluginTest::notifyDone()
 {
-    executeScript(m_npp, "layoutTestController.notifyDone()");
+    executeScript("layoutTestController.notifyDone()");
 }
 

trunk/WebKitTools/DumpRenderTree/TestNetscapePlugIn/PluginTest.h

@@ -69 +69 @@
     bool NPN_RemoveProperty(NPObject*, NPIdentifier propertyName);
     
+    void executeScript(const char*);
+
     template<typename TestClassTy> class Register {
     public:

trunk/WebKitTools/DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj

@@ -376 +376 @@
                         </File>
                         <File
+                                RelativePath="..\Tests\EvaluateJSAfterRemovingPluginElement.cpp"
+                                >
+                        </File>
+                        <File
                                 RelativePath="..\Tests\NPRuntimeObjectFromDestroyedPlugin.cpp"
                                 >

trunk/WebKitTools/DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro

@@ -30 +30 @@
           TestObject.cpp \
           Tests/DocumentOpenInDestroyStream.cpp \
+          Tests/EvaluateJSAfterRemovingPluginElement.cpp \
           Tests/NPRuntimeObjectFromDestroyedPlugin.cpp \
           Tests/NPRuntimeRemoveProperty.cpp \

trunk/WebKitTools/GNUmakefile.am

@@ -168 +168 @@
         WebKitTools/DumpRenderTree/unix/TestNetscapePlugin/TestNetscapePlugin.cpp \
         WebKitTools/DumpRenderTree/TestNetscapePlugIn/Tests/DocumentOpenInDestroyStream.cpp \
+        WebKitTools/DumpRenderTree/TestNetscapePlugIn/Tests/EvaluateJSAfterRemovingPluginElement.cpp \
         WebKitTools/DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp \
         WebKitTools/DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeRemoveProperty.cpp \