Plug-in process crashes if plug-in is destroyed as a result of sending NPObjectMessag...
author: andersca@apple.com <andersca@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 30 Jul 2013 19:45:09 +0000 (19:45 +0000)
committer: andersca@apple.com <andersca@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 30 Jul 2013 19:45:09 +0000 (19:45 +0000)
commit: 180f320dfe5de8612ad3ee0e28672855c4877bb1
tree: 88c5e9ed21ba7bb71de1b53a5429c5777a69817d
parent: 2c8e628e71a08461389792b848319fc5ae9eaf18
Plug-in process crashes if plug-in is destroyed as a result of sending NPObjectMessageReceiver::Deallocate
https://bugs.webkit.org/show_bug.cgi?id=119270
<rdar://problem/13368226>

Reviewed by Darin Adler.

Normally we use the PluginDestructionProtector RAII object to prevent plug-ins from being destroyed while
they're executing code. However, in the case of the NPObjectMessageReceiver::Deallocate message, we can't do this
since we don't know the plug-in or connection.

Instead, add a counter to Connection that keeps track of whether sendSync is currently called and defer plug-in
destruction if it is. (This approach is actually more robust and we should investigate getting rid of the destruction protector).

* Platform/CoreIPC/Connection.cpp:
(CoreIPC::Connection::Connection):
(CoreIPC::Connection::sendSyncMessage):
* Platform/CoreIPC/Connection.h:
(CoreIPC::Connection::inSendSync):
* PluginProcess/PluginControllerProxy.cpp:
(WebKit::PluginControllerProxy::destroy):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153488 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebKit2/ChangeLog
Source/WebKit2/Platform/CoreIPC/Connection.cpp
Source/WebKit2/Platform/CoreIPC/Connection.h
Source/WebKit2/PluginProcess/PluginControllerProxy.cpp
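The ChangeLog describes the hazard and the fix in one paragraph: a synchronous send for NPObjectMessageReceiver::Deallocate is on the stack, a Destroy request for the same plug-in is dispatched re-entrantly while the sender waits for the reply, and the code that resumes after sendSync returns touches a plug-in that no longer exists. The example below is an added illustration, not WebKit's code: the class names Connection and PluginControllerProxy are borrowed from the ChangeLog, but their bodies, the member names (m_inSendSyncCount, m_destroyPending), the Plugin struct, the peer callback that stands in for the other process, and runScenario are all assumptions made for the demonstration. It replays the sequence once without the guard, where destruction happens underneath the send, and once with the inSendSync() check that defers destruction until the send has returned.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>

// Stand-in for CoreIPC::Connection (hypothetical, simplified). The only thing
// modelled is the mechanism the ChangeLog describes: a counter incremented
// around every synchronous send and exposed as inSendSync().
class Connection {
public:
    using Peer = std::function<void()>;

    // 'peer' plays the other process: it runs while we are blocked inside
    // sendSync, which is how a Destroy request gets dispatched re-entrantly.
    explicit Connection(Peer peer) : m_peer(std::move(peer)) { }

    void sendSync(const std::string& name) {
        ++m_inSendSyncCount;
        std::printf("sendSync(%s)\n", name.c_str());
        if (m_peer)
            m_peer();                 // messages handled while waiting for the reply
        --m_inSendSyncCount;
    }

    bool inSendSync() const { return m_inSendSyncCount > 0; }

private:
    unsigned m_inSendSyncCount = 0;   // a depth, so nested sync sends stay protected
    Peer m_peer;
};

struct Plugin { int refCount = 1; };  // the native plug-in instance being protected

// Stand-in for WebKit::PluginControllerProxy (hypothetical, simplified).
class PluginControllerProxy {
public:
    PluginControllerProxy(Connection& connection, bool deferWhileSending)
        : m_connection(connection)
        , m_deferWhileSending(deferWhileSending)
        , m_plugin(std::make_unique<Plugin>()) { }

    // Entered when the other side asks for this plug-in to be destroyed.
    void destroy() {
        if (m_deferWhileSending && m_connection.inSendSync()) {
            m_destroyPending = true;  // a sync send is on the stack above us: defer
            return;
        }
        destroyNow();
    }

    // The hazardous path: an NPObject is torn down with a synchronous message.
    // Returns whether the plug-in was still alive when the send returned.
    bool deallocateObject() {
        m_connection.sendSync("NPObjectMessageReceiver::Deallocate");
        bool aliveAfterSend = m_plugin != nullptr;  // false is the use-after-free the bug describes
        if (aliveAfterSend)
            m_plugin->refCount--;     // the code after the send still touches the plug-in
        if (m_destroyPending)
            destroyNow();             // the send is done, so honour the deferred destroy now
        return aliveAfterSend;
    }

    bool destroyed() const { return m_plugin == nullptr; }

private:
    void destroyNow() {
        m_destroyPending = false;
        m_plugin.reset();
    }

    Connection& m_connection;
    bool m_deferWhileSending;
    bool m_destroyPending = false;
    std::unique_ptr<Plugin> m_plugin;
};

// Outcome codes for runScenario.
enum Outcome { DestroyedUnderSend = 0, SurvivedThenDestroyed = 1, NeverDestroyed = 2 };

// Replays the sequence from the bug report: while the plug-in process is blocked
// in the Deallocate send, the other side requests Destroy for the same plug-in.
int runScenario(bool deferWhileSending) {
    PluginControllerProxy* proxy = nullptr;
    Connection connection([&proxy] { if (proxy) proxy->destroy(); });
    PluginControllerProxy controller(connection, deferWhileSending);
    proxy = &controller;

    bool alive = controller.deallocateObject();
    if (!controller.destroyed())
        return NeverDestroyed;        // the deferred destroy must not be lost
    return alive ? SurvivedThenDestroyed : DestroyedUnderSend;
}

int main() {
    std::printf("without guard: %d (0 = destroyed under the send)\n", runScenario(false));
    std::printf("with guard:    %d (1 = survived, destroyed afterwards)\n", runScenario(true));
    return 0;
}
```

The counter is a depth rather than a flag so that a synchronous send issued while handling a message inside another synchronous send keeps the plug-in protected until the outermost send has returned. The deferred flag has to be checked on the way out of the send, as deallocateObject does here; otherwise the Destroy request would simply be dropped, which is the NeverDestroyed outcome the scenario guards against.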