[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

ap at apple.com ap at apple.com
Thu Apr 8 02:19:47 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit f8bfffaf325cf258b9dbd8b5a5b3adc50a5497b4
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Mar 12 00:02:06 2010 +0000

            Reviewed by Geoff Garen.
    
            https://bugs.webkit.org/show_bug.cgi?id=35965
            <rdar://problem/7742771> Crash when passing an object returned from plug-in back to the plug-in
    
            Test: plugins/round-trip-npobject.html
    
            * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
            (WebKit::NetscapePluginInstanceProxy::retainLocalObject): Corrected the check - there is
            now a separate ProxyRuntimeObject class for proxy objects.
            (WebKit::NetscapePluginInstanceProxy::releaseLocalObject): Ditto.
    
            * Plugins/Hosted/ProxyInstance.mm:
            (WebKit::ProxyInstance::invoke): Check if m_instanceProxy is still non-zero. The plug-in
            could have crashed while we were waiting for response.
            (WebKit::ProxyInstance::setFieldValue): Ditto.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@55861 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index eae2790..5746f42 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-03-11  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Geoff Garen.
+
+        https://bugs.webkit.org/show_bug.cgi?id=35965
+        <rdar://problem/7742771> Crash when passing an object returned from plug-in back to the plug-in
+
+        * plugins/round-trip-npobject-expected.txt: Added.
+        * plugins/round-trip-npobject.html: Added.
+
 2010-03-11  Dmitry Titov  <dimich at chromium.org>
 
         Reviewed by Alexey Proskuryakov.
diff --git a/LayoutTests/plugins/round-trip-npobject-expected.txt b/LayoutTests/plugins/round-trip-npobject-expected.txt
new file mode 100644
index 0000000..b051f24
--- /dev/null
+++ b/LayoutTests/plugins/round-trip-npobject-expected.txt
@@ -0,0 +1,5 @@
+Test for bug 35965: Crash when passing an object returned from plug-in back to the plug-in.
+
+PASS if no crash.
+
+
diff --git a/LayoutTests/plugins/round-trip-npobject.html b/LayoutTests/plugins/round-trip-npobject.html
new file mode 100644
index 0000000..33a33ec
--- /dev/null
+++ b/LayoutTests/plugins/round-trip-npobject.html
@@ -0,0 +1,15 @@
+<body>
+<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=35965">bug 35965</a>:
+Crash when passing an object returned from plug-in back to the plug-in.</p>
+<p>PASS if no crash.</p>
+<embed id="plug-in" type="application/x-webkit-test-netscape" width=100 height=100></embed>
+<script>
+    if (window.layoutTestController)
+        layoutTestController.dumpAsText();
+
+    var plugIn = document.getElementById("plug-in");
+
+    plugIn.remember(plugIn.testObject);
+
+</script>
+</body>
diff --git a/WebKit/mac/ChangeLog b/WebKit/mac/ChangeLog
index 0688088..b96208b 100644
--- a/WebKit/mac/ChangeLog
+++ b/WebKit/mac/ChangeLog
@@ -1,3 +1,22 @@
+2010-03-11  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Geoff Garen.
+
+        https://bugs.webkit.org/show_bug.cgi?id=35965
+        <rdar://problem/7742771> Crash when passing an object returned from plug-in back to the plug-in
+
+        Test: plugins/round-trip-npobject.html
+
+        * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
+        (WebKit::NetscapePluginInstanceProxy::retainLocalObject): Corrected the check - there is
+        now a separate ProxyRuntimeObject class for proxy pbjects.
+        (WebKit::NetscapePluginInstanceProxy::releaseLocalObject): Ditto.
+
+        * Plugins/Hosted/ProxyInstance.mm:
+        (WebKit::ProxyInstance::invoke): Check if m_instanceProxy is still non-zero. The plug-in
+        could have crashed while we were waiting for response.
+        (WebKit::ProxyInstance::setFieldValue): Ditto.
+
 2010-03-10  Simon Fraser  <simon.fraser at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm b/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
index b00b287..f710efe 100644
--- a/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
+++ b/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
@@ -1352,26 +1352,18 @@ void NetscapePluginInstanceProxy::demarshalValues(ExecState* exec, data_t values
 
 void NetscapePluginInstanceProxy::retainLocalObject(JSC::JSValue value)
 {
-    if (!value.isObject())
+    if (!value.isObject() || value.inherits(&ProxyRuntimeObject::s_info))
         return;
 
-    JSObject* object = asObject(value);
-    if (object->classInfo() == &RuntimeObject::s_info)
-        return;
-
-    m_localObjects.retain(object);
+    m_localObjects.retain(asObject(value));
 }
 
 void NetscapePluginInstanceProxy::releaseLocalObject(JSC::JSValue value)
 {
-    if (!value.isObject())
-        return;
-
-    JSObject* object = asObject(value);
-    if (object->classInfo() == &RuntimeObject::s_info)
+    if (!value.isObject() || value.inherits(&ProxyRuntimeObject::s_info))
         return;
 
-    m_localObjects.release(object);
+    m_localObjects.release(asObject(value));
 }
 
 PassRefPtr<Instance> NetscapePluginInstanceProxy::createBindingsInstance(PassRefPtr<RootObject> rootObject)
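Review bot: retainLocalObject and releaseLocalObject must agree exactly on which values go into m_localObjects, and the corrected predicate is now duplicated verbatim in both; if the two ever drift again, a value retained under one test and released under the other leaves either a stale entry or a dangling pointer in the table, which is the class of bug this commit is fixing. Factor the test into one helper, e.g. `static bool isLocalObject(JSValue value) { return value.isObject() && !value.inherits(&ProxyRuntimeObject::s_info); }`, and have both functions early-return on `!isLocalObject(value)`. A one-line comment on why proxies are excluded would also help — presumably because a ProxyRuntimeObject already wraps a plug-in-side NPObject and must not be tracked as a browser-local object (my reading of the ChangeLog; confirm).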
diff --git a/WebKit/mac/Plugins/Hosted/ProxyInstance.mm b/WebKit/mac/Plugins/Hosted/ProxyInstance.mm
index f2df06f..eaf43ee 100644
--- a/WebKit/mac/Plugins/Hosted/ProxyInstance.mm
+++ b/WebKit/mac/Plugins/Hosted/ProxyInstance.mm
@@ -163,8 +163,10 @@ JSValue ProxyInstance::invoke(JSC::ExecState* exec, InvokeType type, uint64_t id
     auto_ptr<NetscapePluginInstanceProxy::BooleanAndDataReply> reply = waitForReply<NetscapePluginInstanceProxy::BooleanAndDataReply>(requestID);
     NetscapePluginInstanceProxy::moveGlobalExceptionToExecState(exec);
 
-    for (unsigned i = 0; i < args.size(); i++)
-        m_instanceProxy->releaseLocalObject(args.at(i));
+    if (m_instanceProxy) {
+        for (unsigned i = 0; i < args.size(); i++)
+            m_instanceProxy->releaseLocalObject(args.at(i));
+    }
 
     if (!reply.get() || !reply->m_returnValue)
         return jsUndefined();
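Review bot: The new null guard protects only the release loop, but invoke continues past this hunk and, as far as can be seen here, still has to demarshal the reply through m_instanceProxy; if the plug-in died while we waited, that later use is just as unsafe as the one guarded here. An early exit is cleaner than guarding piecemeal: `if (!m_instanceProxy) return jsUndefined();` placed before the loop, with the loop left unguarded. Whether waitForReply can hand back a non-null reply after the proxy has been cleared is not visible in this hunk — if it cannot, the existing `!reply.get()` check already covers it, but the early return still documents the invariant. The body of invoke continues beyond the end of the hunk.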
@@ -429,7 +431,8 @@ void ProxyInstance::setFieldValue(ExecState* exec, const Field* field, JSValue v
                                                 m_instanceProxy->pluginID(), requestID,
                                                 m_objectID, serverIdentifier, valueData, valueLength);
     mig_deallocate(reinterpret_cast<vm_address_t>(valueData), valueLength);
-    m_instanceProxy->releaseLocalObject(value);
+    if (m_instanceProxy)
+        m_instanceProxy->releaseLocalObject(value);
     if (kr != KERN_SUCCESS)
         return;
     
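Review bot: The guard implies the plug-in can disappear during the _WKPHNPObjectSetProperty call, yet setFieldValue continues after `if (kr != KERN_SUCCESS) return;` past the hunk, where any further use of m_instanceProxy would dereference null. Bailing out as soon as the proxy is gone is safer than a single guarded statement: `if (!m_instanceProxy) return;` followed by the unconditional `m_instanceProxy->releaseLocalObject(value);` and then the existing kr check. Note that when the proxy is gone the retained local object is never released here; that is presumably fine if m_localObjects dies with the proxy, but a comment saying so would stop someone from "fixing" it. The function's tail lies outside the hunk.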
diff --git a/WebKitTools/ChangeLog b/WebKitTools/ChangeLog
index 3ec9614..de92f5f 100644
--- a/WebKitTools/ChangeLog
+++ b/WebKitTools/ChangeLog
@@ -1,3 +1,20 @@
+2010-03-11  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Geoff Garen.
+
+        https://bugs.webkit.org/show_bug.cgi?id=35965
+        <rdar://problem/7742771> Crash when passing an object returned from plug-in back to the plug-in
+
+        Made rememberedObject a member of PluginObject. A plug-in must not use it's references
+        to browser NPObjects after being destroyed, but this wasn't the case with static variable.
+
+        * DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp:
+        (pluginInvoke):
+        (pluginInvalidate):
+        (pluginAllocate):
+        (pluginDeallocate):
+        * DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.h:
+
 2010-03-11  Simon Fraser  <simon.fraser at apple.com>
 
         Reviewed by Oliver Hunt.
diff --git a/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp b/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp
index 58d2f38..c46c8ed 100644
--- a/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp
+++ b/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp
@@ -790,8 +790,6 @@ static bool testSetStatus(PluginObject* obj, const NPVariant* args, uint32_t arg
     return true;
 }
 
-static NPObject* rememberedObject;
-
 static bool pluginInvoke(NPObject* header, NPIdentifier name, const NPVariant* args, uint32_t argCount, NPVariant* result)
 {
     PluginObject* plugin = reinterpret_cast<PluginObject*>(header);
@@ -853,21 +851,21 @@ static bool pluginInvoke(NPObject* header, NPIdentifier name, const NPVariant* a
         browser->setproperty(plugin->npp, NPVARIANT_TO_OBJECT(args[0]), stringVariantToIdentifier(args[1]), &args[2]);
         return true;
     } else if (name == pluginMethodIdentifiers[ID_REMEMBER]) {
-        if (rememberedObject)
-            browser->releaseobject(rememberedObject);
-        rememberedObject = NPVARIANT_TO_OBJECT(args[0]);
-        browser->retainobject(rememberedObject);
+        if (plugin->rememberedObject)
+            browser->releaseobject(plugin->rememberedObject);
+        plugin->rememberedObject = NPVARIANT_TO_OBJECT(args[0]);
+        browser->retainobject(plugin->rememberedObject);
         VOID_TO_NPVARIANT(*result);
         return true;
     } else if (name == pluginMethodIdentifiers[ID_GET_REMEMBERED_OBJECT]) {
-        assert(rememberedObject);
-        browser->retainobject(rememberedObject);
-        OBJECT_TO_NPVARIANT(rememberedObject, *result);
+        assert(plugin->rememberedObject);
+        browser->retainobject(plugin->rememberedObject);
+        OBJECT_TO_NPVARIANT(plugin->rememberedObject, *result);
         return true;
     } else if (name == pluginMethodIdentifiers[ID_GET_AND_FORGET_REMEMBERED_OBJECT]) {
-        assert(rememberedObject);
-        OBJECT_TO_NPVARIANT(rememberedObject, *result);
-        rememberedObject = 0;
+        assert(plugin->rememberedObject);
+        OBJECT_TO_NPVARIANT(plugin->rememberedObject, *result);
+        plugin->rememberedObject = 0;
         return true;
     } else if (name == pluginMethodIdentifiers[ID_REF_COUNT]) {
         uint32_t refCount = NPVARIANT_TO_OBJECT(args[0])->referenceCount;
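Review bot: In ID_GET_REMEMBERED_OBJECT and ID_GET_AND_FORGET_REMEMBERED_OBJECT the only protection against a null rememberedObject is an assert, which is compiled out in release builds; the call then stores a null pointer into the result, returns true, and the browser dereferences it. Replace the asserts with a real check that fails the call: `if (!plugin->rememberedObject) return false;`. Similarly ID_REMEMBER applies NPVARIANT_TO_OBJECT to args[0] without checking argCount or `NPVARIANT_IS_OBJECT(args[0])`, so a non-object argument from the test page becomes a garbage pointer passed to retainobject; a guard of the form `if (argCount < 1 || !NPVARIANT_IS_OBJECT(args[0])) return false;` before the release would close that. pluginInvoke begins and ends outside this hunk.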
@@ -889,6 +887,7 @@ static void pluginInvalidate(NPObject* header)
 {
     PluginObject* plugin = reinterpret_cast<PluginObject*>(header);
     plugin->testObject = 0;
+    plugin->rememberedObject = 0;
 }
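Review bot: Setting rememberedObject to 0 here drops a reference that was taken with browser->retainobject without a matching releaseobject, which looks deliberate — the ChangeLog says browser NPObjects must not be used after the instance is destroyed, and testObject is handled the same way — but nothing in the code says so, and pluginDeallocate's null check silently depends on it. A short comment would prevent a future "fix" that adds the release: `// The instance is being destroyed: browser-owned NPObjects must not be touched (not even released), so just drop our references; pluginDeallocate checks for null.`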
 
 static NPObject *pluginAllocate(NPP npp, NPClass *theClass)
@@ -902,6 +901,7 @@ static NPObject *pluginAllocate(NPP npp, NPClass *theClass)
 
     newInstance->npp = npp;
     newInstance->testObject = browser->createobject(npp, getTestClass());
+    newInstance->rememberedObject = 0;
     newInstance->eventLogging = FALSE;
     newInstance->onStreamLoad = 0;
     newInstance->onStreamDestroy = 0;
@@ -928,6 +928,8 @@ static void pluginDeallocate(NPObject* header)
     PluginObject* plugin = reinterpret_cast<PluginObject*>(header);
     if (plugin->testObject)
         browser->releaseobject(plugin->testObject);
+    if (plugin->rememberedObject)
+        browser->releaseobject(plugin->rememberedObject);
 
     free(plugin->firstUrl);
     free(plugin->firstHeaders);
diff --git a/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.h b/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.h
index 157a1d2..00be1e3 100644
--- a/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.h
+++ b/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.h
@@ -37,6 +37,7 @@ typedef struct {
     NPBool returnErrorFromNewStream;
     NPBool cachedPrivateBrowsingMode;
     NPObject* testObject;
+    NPObject* rememberedObject;
     NPStream* stream;
     NPBool testDocumentOpenInDestroyStream;
     NPBool testWindowOpen;
