[chromium] Use after free in plugins/geturlnotify-during-document-teardown.html
author jochen@chromium.org <jochen@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Jan 2013 19:45:52 +0000 (19:45 +0000)
committer jochen@chromium.org <jochen@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Jan 2013 19:45:52 +0000 (19:45 +0000)
commit 89b3c80d4dd1122599aa944adf50f8490c1b8bef
tree adad9da1f5b8f0994727bab78bd345417d732e85
parent 346506fd8f1271769eb8e6363d4a0e959a60f28a
[chromium] Use after free in plugins/geturlnotify-during-document-teardown.html
https://bugs.webkit.org/show_bug.cgi?id=107556

Reviewed by Tony Chang.

WebViewHost initiates a navigation to about:blank in its destructor.
However, since WebTestProxy inherits from WebViewHost, at this point
the WebViewClient and WebFrameClient interfaces are already partially
destructed, resulting in the use after free.

This does not affect the chromium implementation since it doesn't
invoke WebKit API methods in its destructor.

* DumpRenderTree/chromium/TestShell.cpp:
(TestShell::~TestShell):
(TestShell::closeWindow):
* DumpRenderTree/chromium/WebViewHost.cpp:
(WebViewHost::WebViewHost):
(WebViewHost::~WebViewHost):
(WebViewHost::shutdown):
* DumpRenderTree/chromium/WebViewHost.h:
(WebViewHost):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@140561 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Tools/ChangeLog
Tools/DumpRenderTree/chromium/TestShell.cpp
Tools/DumpRenderTree/chromium/WebViewHost.cpp
Tools/DumpRenderTree/chromium/WebViewHost.h
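The destruction-order hazard the commit message describes, as an added C++ illustration. This is not WebKit or Chromium code: ViewClient, View, Host, Proxy and Recorder are hypothetical stand-ins for WebViewClient/WebFrameClient, WebView, WebViewHost, WebTestProxy and the state the proxy owns. The shutdown() step mirrors what the function list above suggests the fix does (an explicit WebViewHost::shutdown called from TestShell::closeWindow before deletion); the diff itself is not on this page, so that reading is an assumption.

```cpp
#include <memory>
#include <set>
#include <string>
#include <vector>

// Added illustration of the teardown hazard in the commit message; not WebKit
// or Chromium code. ViewClient, View, Host, Proxy and Recorder are hypothetical
// stand-ins for WebViewClient/WebFrameClient, WebView, WebViewHost,
// WebTestProxy and the test-side state the proxy owns.

// Registry of live Recorders: freed pointers are compared, never dereferenced.
static std::set<const void*>& liveRecorders() { static std::set<const void*> s; return s; }

struct Recorder {
    std::vector<std::string> urls;
    Recorder() { liveRecorders().insert(this); }
    ~Recorder() { liveRecorders().erase(this); }
};

// Embedder callback interface; returns false if the callback was not safe.
struct ViewClient {
    virtual ~ViewClient() = default;
    virtual bool didStartLoading(const std::string& url) = 0;
};

// Engine side: non-owning client pointer, called back on every navigation.
class View {
public:
    explicit View(ViewClient* client) : m_client(client) {}
    bool loadURL(const std::string& url) { return m_client->didStartLoading(url); }
private:
    ViewClient* m_client;
};

// Stand-in for WebViewHost: owns the View, implements the client interface and
// records load events into a Recorder supplied by the derived class.
class Host : public ViewClient {
public:
    Host() : m_view(std::make_unique<View>(this)) {}
    // Pre-fix pattern: navigate from the destructor. By now ~Proxy has already
    // run, so the Recorder is freed and no Proxy override can be dispatched.
    ~Host() override {
        if (m_navigateInDestructor && m_view && m_destructorOutcome)
            *m_destructorOutcome = m_view->loadURL("about:blank");
    }
    // Post-fix pattern: the owner calls this while the full object is alive
    // and only then deletes it, leaving the destructor nothing to navigate.
    bool shutdown() {
        bool ok = m_view->loadURL("about:blank");
        m_view.reset();
        return ok;
    }
    bool navigate(const std::string& url) { return m_view->loadURL(url); }
    bool didStartLoading(const std::string& url) override {
        if (!m_recorder || !liveRecorders().count(m_recorder))
            return false;            // the push_back would be a use-after-free
        m_recorder->urls.push_back(url);
        return true;
    }
protected:
    Recorder* m_recorder = nullptr;      // non-owning; the derived class owns it
    bool m_navigateInDestructor = false;
    bool* m_destructorOutcome = nullptr; // lets callers observe the destructor
private:
    std::unique_ptr<View> m_view;
};

// Stand-in for WebTestProxy: owns the Recorder, which dies before ~Host runs.
class Proxy : public Host {
public:
    Proxy(bool navigateInDestructor, bool* outcome)
        : m_owned(std::make_unique<Recorder>()) {
        m_recorder = m_owned.get();
        m_navigateInDestructor = navigateInDestructor;
        m_destructorOutcome = outcome;
    }
    std::vector<std::string> urls() const { return m_owned->urls; }
private:
    std::unique_ptr<Recorder> m_owned;
};

// Pre-fix teardown: false, because the about:blank callback from ~Host found
// its Recorder already freed.
bool teardownViaDestructor() {
    bool outcome = true;
    {
        Proxy p(/*navigateInDestructor=*/true, &outcome);
        p.navigate("http://example.test/");   // constructed sample URL
    }
    return outcome;
}

// Post-fix teardown: shutdown() before destruction; both loads are recorded.
std::vector<std::string> teardownViaShutdown() {
    bool outcome = true;
    Proxy p(false, &outcome);
    if (!p.navigate("http://example.test/") || !p.shutdown())
        return {};
    return p.urls();   // {"http://example.test/", "about:blank"}
}
```

The registry stands in for the memory allocator so the pre-fix path reports the dangling Recorder instead of writing through it; in the real DumpRenderTree build the same path would be an actual use-after-free, which is what AddressSanitizer or a crash on the named layout test would surface. The structural point is the same either way: any work that calls back through the client interfaces has to run while the most-derived object is still alive, which is why it belongs in an explicit shutdown step invoked by the owner rather than in the base-class destructor.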