Changeset 88647 in webkit

Timestamp:

Jun 13, 2011 10:24:10 AM (13 years ago)

Author:

andersca@apple.com

Message:

2011-06-13 Anders Carlsson <​andersca@apple.com>

Reviewed by Dan Bernstein.

Don't access freed memory in the UI process when a plug-in process crashes
​https://bugs.webkit.org/show_bug.cgi?id=62548

Call pluginProcessCrashedOrFailedToLaunch after sending messages to all processes about the plug-in crash,
otherwise we'll try to dereference m_pluginInfo.path after the PluginProcessProxy object has been deleted.

• UIProcess/Plugins/PluginProcessProxy.cpp: (WebKit::PluginProcessProxy::didClose):

Location:

trunk/Source/WebKit2

Files:

• ChangeLog (modified) (1 diff)
• UIProcess/Plugins/PluginProcessProxy.cpp (modified) (1 diff)

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2011-06-13  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        Don't access freed memory in the UI process when a plug-in process crashes
+        https://bugs.webkit.org/show_bug.cgi?id=62548
+
+        Call pluginProcessCrashedOrFailedToLaunch after sending messages to all processes about the plug-in crash,
+        otherwise we'll try to dereference m_pluginInfo.path after the PluginProcessProxy object has been deleted.
+
+        * UIProcess/Plugins/PluginProcessProxy.cpp:
+        (WebKit::PluginProcessProxy::didClose):
+
 2011-06-13  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebKit2/UIProcess/Plugins/PluginProcessProxy.cpp

@@ -168 +168 @@
 #endif
 
-    pluginProcessCrashedOrFailedToLaunch();
-
     const Vector<WebContext*>& contexts = WebContext::allContexts();
     for (size_t i = 0; i < contexts.size(); ++i)
         contexts[i]->sendToAllProcesses(Messages::WebProcess::PluginProcessCrashed(m_pluginInfo.path));
+
+    // This will cause us to be deleted.
+    pluginProcessCrashedOrFailedToLaunch();
 }