https://bugs.webkit.org/show_bug.cgi?id=100569
<rdar://problem/11726426>
<rdar://problem/12352836>
Reviewed by Darin Adler.
Finally bite the bullet and remove the assertion from NetscapePlugin::fromNPP. The WebKit1 equivalent of this
function used to return the plug-in currently being initialized in NPP_New, but we've never done that in WebKit2
and it has never been necessary. The crashes fixed here are not from calls underneath NPP_New so fixing it wouldn't
do us any good anyway.
Also, make the PluginDestructionProtector handle a null plug-in gracefully.
* WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp:
(WebKit::PluginDestructionProtector::PluginDestructionProtector):
(PluginDestructionProtector):
* WebProcess/Plugins/Netscape/NetscapePlugin.cpp:
(WebKit::NetscapePlugin::fromNPP):
Tools: Crash when making NPRuntime calls with a null NPP pointer
https://bugs.webkit.org/show_bug.cgi?id=100569
Reviewed by Darin Adler.
Add new NPRuntimeCallsWithNullNPP plug-in test.
* DumpRenderTree/DumpRenderTree.gypi:
* DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
* DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
(PluginTest::NPN_ReleaseVariantValue):
(PluginTest::netscapeFuncs):
* DumpRenderTree/TestNetscapePlugIn/PluginTest.h:
(PluginTest):
* DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeCallsWithNullNPP.cpp: Added.
(NPRuntimeCallsWithNullNPP):
(NPRuntimeCallsWithNullNPP::NPRuntimeCallsWithNullNPP):
(NPRuntimeCallsWithNullNPP::NPP_New):
* DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
* DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:
* GNUmakefile.am:
LayoutTests: Crash when making NPRuntime calls with a null NPP pointer
https://bugs.webkit.org/show_bug.cgi?id=100569
Reviewed by Darin Adler.
Add new tests.
* plugins/npruntime/npruntime-calls-with-null-npp-expected.txt: Added.
* plugins/npruntime/npruntime-calls-with-null-npp.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@132713 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2012-10-26 Anders Carlsson <andersca@apple.com>
+
+ Crash when making NPRuntime calls with a null NPP pointer
+ https://bugs.webkit.org/show_bug.cgi?id=100569
+
+ Reviewed by Darin Adler.
+
+ Add new tests.
+
+ * plugins/npruntime/npruntime-calls-with-null-npp-expected.txt: Added.
+ * plugins/npruntime/npruntime-calls-with-null-npp.html: Added.
+
2012-10-26 Vincent Scheib <scheib@chromium.org>
Unreviewed, rolling out r132702.
--- /dev/null
+
+Test that calling various NPRuntime related NPN_ functions doesn't crash.
+
+SUCCESS!
--- /dev/null
+<script>
+function runTest() {
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+}
+</script>
+<body onLoad="runTest()">
+<embed id="plugin" type="application/x-webkit-test-netscape" test="npruntime-calls-with-null-npp"></embed>
+<p id="description">Test that calling various NPRuntime related NPN_ functions doesn't crash.</p>
+<div id="result">FAILURE</div>
+</body>
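Review bot: the page calls testRunner.waitUntilDone() but never calls testRunner.notifyDone() itself, so completion depends entirely on the plug-in's NPP_New reaching notifyDone(). If the test plug-in fails to instantiate (or NPP_New returns NPERR_GENERIC_ERROR on one of its early-exit paths), the harness waits until its timeout instead of failing fast with the "FAILURE" text already in the result div. A fallback such as a short setTimeout that calls testRunner.notifyDone() when window.testRunner exists would make the failure mode explicit.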
+2012-10-26 Anders Carlsson <andersca@apple.com>
+
+ Crash when making NPRuntime calls with a null NPP pointer
+ https://bugs.webkit.org/show_bug.cgi?id=100569
+ <rdar://problem/11726426>
+ <rdar://problem/12352836>
+
+ Reviewed by Darin Adler.
+
+ Finally bite the bullet and remove the assertion from NetscapePlugin::fromNPP. The WebKit1 equivalent of this
+ function used to return the plug-in currently being initialized in NPP_New, but we've never done that in WebKit2
+ and it has never been necessary. The crashes fixed here are not from calls underneath NPP_New so fixing it wouldn't
+ do us any good anyway.
+
+ Also, make the PluginDestructionProtector handle a null plug-in gracefully.
+
+ * WebProcess/Plugins/Netscape/NetscapeBrowserFuncs.cpp:
+ (WebKit::PluginDestructionProtector::PluginDestructionProtector):
+ (PluginDestructionProtector):
+ * WebProcess/Plugins/Netscape/NetscapePlugin.cpp:
+ (WebKit::NetscapePlugin::fromNPP):
+
2012-10-26 Stephanie Lewis <slewis@apple.com>
Add pids to WebMemorySampleFiles.
class PluginDestructionProtector {
public:
explicit PluginDestructionProtector(NetscapePlugin* plugin)
- : m_protector(static_cast<Plugin*>(plugin)->controller())
{
+ if (plugin)
+ m_protector = adoptPtr(new PluginController::PluginDestructionProtector(static_cast<Plugin*>(plugin)->controller()));
}
private:
- PluginController::PluginDestructionProtector m_protector;
+ OwnPtr<PluginController::PluginDestructionProtector> m_protector;
};
static bool startsWithBlankLine(const char* bytes, unsigned length)
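Review bot: the new null branch in the PluginDestructionProtector constructor silently skips protection when plugin is null; that is correct only because there is no plug-in instance to keep alive across the call, and a one-line comment saying so would stop the next reader from treating the empty m_protector as a bug. Note also that switching from an inline member to OwnPtr<PluginController::PluginDestructionProtector> adds a heap allocation on every non-null construction, which happens on each browser-function entry that builds a protector; if that shows up in profiles, a member that tolerates a null controller would avoid it.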
PassRefPtr<NetscapePlugin> NetscapePlugin::fromNPP(NPP npp)
{
- if (npp)
- return static_cast<NetscapePlugin*>(npp->ndata);
+ if (!npp)
+ return 0;
- // FIXME: Return the current NetscapePlugin here.
- ASSERT_NOT_REACHED();
- return 0;
+ return static_cast<NetscapePlugin*>(npp->ndata);
}
void NetscapePlugin::invalidate(const NPRect* invalidRect)
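Review bot: with ASSERT_NOT_REACHED() removed, fromNPP now returns 0 for a null npp instead of failing loudly, so every caller that dereferences the returned NetscapePlugin needs its own null check; the only caller this patch shows handling that is the PluginDestructionProtector in NetscapeBrowserFuncs.cpp. A short comment in fromNPP recording that a null NPP is a legitimate input here (plug-ins do call NPN_ functions with NPP 0, as the added NPRuntimeCallsWithNullNPP test exercises) would also keep the assertion from being reinstated later, since the deleted FIXME was the only explanation of the old behaviour.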
+2012-10-26 Anders Carlsson <andersca@apple.com>
+
+ Crash when making NPRuntime calls with a null NPP pointer
+ https://bugs.webkit.org/show_bug.cgi?id=100569
+
+ Reviewed by Darin Adler.
+
+ Add new NPRuntimeCallsWithNullNPP plug-in test.
+
+ * DumpRenderTree/DumpRenderTree.gypi:
+ * DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
+ * DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
+ (PluginTest::NPN_ReleaseVariantValue):
+ (PluginTest::netscapeFuncs):
+ * DumpRenderTree/TestNetscapePlugIn/PluginTest.h:
+ (PluginTest):
+ * DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeCallsWithNullNPP.cpp: Added.
+ (NPRuntimeCallsWithNullNPP):
+ (NPRuntimeCallsWithNullNPP::NPRuntimeCallsWithNullNPP):
+ (NPRuntimeCallsWithNullNPP::NPP_New):
+ * DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
+ * DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:
+ * GNUmakefile.am:
+
2012-10-26 Dominic Mazzoni <dmazzoni@google.com>
AX: Notification should be sent when accessibilityIsIgnored changes
'TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp',
'TestNetscapePlugIn/Tests/GetUserAgentWithNullNPPFromNPPNew.cpp',
'TestNetscapePlugIn/Tests/NPPNewFails.cpp',
+ 'TestNetscapePlugIn/Tests/NPRuntimeCallsWithNullNPP.cpp',
'TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp',
'TestNetscapePlugIn/Tests/NPRuntimeRemoveProperty.cpp',
'TestNetscapePlugIn/Tests/NullNPPGetValuePointer.cpp',
1AC77DCF120605B6005C19EF /* NPRuntimeRemoveProperty.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AC77DCE120605B6005C19EF /* NPRuntimeRemoveProperty.cpp */; };
1ACF898D132EF41C00E915D4 /* NPDeallocateCalledBeforeNPShutdown.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1ACF898B132EF41C00E915D4 /* NPDeallocateCalledBeforeNPShutdown.cpp */; };
1AD4CB2212A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AD4CB2012A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp */; };
+ 1AD8683F163B2FD000A28583 /* NPRuntimeCallsWithNullNPP.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AD8683D163B2FD000A28583 /* NPRuntimeCallsWithNullNPP.cpp */; };
1AD9D2FE12028409001A70D1 /* PluginScriptableNPObjectInvokeDefault.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AD9D2FD12028409001A70D1 /* PluginScriptableNPObjectInvokeDefault.cpp */; };
1AFF66BC137DEFD200791696 /* GetURLNotifyWithURLThatFailsToLoad.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 1AFF66BB137DEA8300791696 /* GetURLNotifyWithURLThatFailsToLoad.cpp */; };
23BCB8900EA57623003C6289 /* OpenGL.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 23BCB88F0EA57623003C6289 /* OpenGL.framework */; };
BC0E24E00E2D9451001B6BC2 /* AccessibilityUIElement.h in Headers */ = {isa = PBXBuildFile; fileRef = BC0E24DE0E2D9451001B6BC2 /* AccessibilityUIElement.h */; };
BC0E24E10E2D9451001B6BC2 /* AccessibilityUIElement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BC0E24DF0E2D9451001B6BC2 /* AccessibilityUIElement.cpp */; };
BC0E26150E2DA4C6001B6BC2 /* AccessibilityUIElementMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = BC0E26140E2DA4C6001B6BC2 /* AccessibilityUIElementMac.mm */; };
- BC0E24E00E2D9451001B6BC3 /* AccessibilityCommonMac.h in Headers */ = {isa = PBXBuildFile; fileRef = BC0E24DE0E2D9451001B6BC3 /* AccessibilityCommonMac.h */; };
BC0E26150E2DA4C6001B6BC3 /* AccessibilityCommonMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = BC0E26140E2DA4C6001B6BC3 /* AccessibilityCommonMac.mm */; };
BC47412A0D038A4C0072B006 /* JavaScriptThreading.h in Headers */ = {isa = PBXBuildFile; fileRef = BC4741290D038A4C0072B006 /* JavaScriptThreading.h */; };
BC4741410D038A570072B006 /* JavaScriptThreadingPthreads.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BC4741400D038A570072B006 /* JavaScriptThreadingPthreads.cpp */; };
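Review bot: this hunk removes the AccessibilityCommonMac.h build-file entry (BC0E24E00E2D9451001B6BC3), which is unrelated to the null-NPP fix and is not mentioned in the Tools ChangeLog entry, whose file list for project.pbxproj only accounts for adding NPRuntimeCallsWithNullNPP.cpp. Either document the accessibility project cleanup in the ChangeLog or split it into its own change.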
1AC77DCE120605B6005C19EF /* NPRuntimeRemoveProperty.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NPRuntimeRemoveProperty.cpp; sourceTree = "<group>"; };
1ACF898B132EF41C00E915D4 /* NPDeallocateCalledBeforeNPShutdown.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NPDeallocateCalledBeforeNPShutdown.cpp; sourceTree = "<group>"; };
1AD4CB2012A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GetUserAgentWithNullNPPFromNPPNew.cpp; sourceTree = "<group>"; };
+ 1AD8683D163B2FD000A28583 /* NPRuntimeCallsWithNullNPP.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NPRuntimeCallsWithNullNPP.cpp; sourceTree = "<group>"; };
1AD9D2FD12028409001A70D1 /* PluginScriptableNPObjectInvokeDefault.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PluginScriptableNPObjectInvokeDefault.cpp; sourceTree = "<group>"; };
1AFF66BB137DEA8300791696 /* GetURLNotifyWithURLThatFailsToLoad.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GetURLNotifyWithURLThatFailsToLoad.cpp; sourceTree = "<group>"; };
23BCB88F0EA57623003C6289 /* OpenGL.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = OpenGL.framework; path = /System/Library/Frameworks/OpenGL.framework; sourceTree = "<absolute>"; };
BC0131D80C9772010087317D /* TestRunner.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = TestRunner.cpp; sourceTree = "<group>"; };
BC0131D90C9772010087317D /* TestRunner.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = TestRunner.h; sourceTree = "<group>"; };
BC0E24DE0E2D9451001B6BC2 /* AccessibilityUIElement.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AccessibilityUIElement.h; sourceTree = "<group>"; };
- BC0E24DE0E2D9451001B6BC3 /* AccessibilityCommonMac.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = mac/AccessibilityCommonMac.h; sourceTree = "<group>"; };
BC0E24DF0E2D9451001B6BC2 /* AccessibilityUIElement.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = AccessibilityUIElement.cpp; sourceTree = "<group>"; };
BC0E26140E2DA4C6001B6BC2 /* AccessibilityUIElementMac.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = AccessibilityUIElementMac.mm; path = mac/AccessibilityUIElementMac.mm; sourceTree = "<group>"; };
BC0E26140E2DA4C6001B6BC3 /* AccessibilityCommonMac.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = AccessibilityCommonMac.mm; path = mac/AccessibilityCommonMac.mm; sourceTree = "<group>"; };
BC0E24DF0E2D9451001B6BC2 /* AccessibilityUIElement.cpp */,
BC0E24DE0E2D9451001B6BC2 /* AccessibilityUIElement.h */,
BC0E26140E2DA4C6001B6BC2 /* AccessibilityUIElementMac.mm */,
- BC0E26140E2DA4C6001B6BC3 /* AccessibilityCommonMac.h */,
+ BC0E26140E2DA4C6001B6BC3 /* AccessibilityCommonMac.mm */,
BC0E26140E2DA4C6001B6BC3 /* AccessibilityCommonMac.mm */,
BCA18B360C9B021900114369 /* AppleScriptController.h */,
BCA18B370C9B021900114369 /* AppleScriptController.m */,
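Review bot: the replacement line here changes only the comment, so the group now lists the same file reference BC0E26140E2DA4C6001B6BC3 /* AccessibilityCommonMac.mm */ twice in a row (the new line and the unchanged line immediately after it). Xcode tolerates a duplicated child reference but it is project-file noise; the stale AccessibilityCommonMac.h line should simply be deleted rather than rewritten, leaving a single AccessibilityCommonMac.mm entry.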
1ACF898B132EF41C00E915D4 /* NPDeallocateCalledBeforeNPShutdown.cpp */,
5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */,
C031182A134E4A2B00919757 /* NPPSetWindowCalledDuringDestruction.cpp */,
+ 1AD8683D163B2FD000A28583 /* NPRuntimeCallsWithNullNPP.cpp */,
1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */,
1AC77DCE120605B6005C19EF /* NPRuntimeRemoveProperty.cpp */,
C0EC3C9B12787F0500939164 /* NullNPPGetValuePointer.cpp */,
515C0CD015EE785700F5A613 /* LogNPPSetWindow.cpp in Sources */,
5113DE6715F6CBE5005EC8B3 /* NPPNewFails.cpp in Sources */,
51134C9916014FDC001AA513 /* InvokeDestroysPluginWithinNPP_New.cpp in Sources */,
+ 1AD8683F163B2FD000A28583 /* NPRuntimeCallsWithNullNPP.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
return browser->removeproperty(m_npp, npObject, propertyName);
}
+void PluginTest::NPN_ReleaseVariantValue(NPVariant* variant)
+{
+ browser->releasevariantvalue(variant);
+}
+
#ifdef XP_MACOSX
bool PluginTest::NPN_ConvertPoint(double sourceX, double sourceY, NPCoordinateSpace sourceSpace, double *destX, double *destY, NPCoordinateSpace destSpace)
{
va_end(args);
}
+NPNetscapeFuncs* PluginTest::netscapeFuncs()
+{
+ return browser;
+}
+
void PluginTest::waitUntilDone()
{
executeScript("testRunner.waitUntilDone()");
NPObject* NPN_RetainObject(NPObject*);
void NPN_ReleaseObject(NPObject*);
bool NPN_RemoveProperty(NPObject*, NPIdentifier propertyName);
+ void NPN_ReleaseVariantValue(NPVariant*);
#ifdef XP_MACOSX
bool NPN_ConvertPoint(double sourceX, double sourceY, NPCoordinateSpace sourceSpace, double *destX, double *destY, NPCoordinateSpace destSpace);
const std::string& identifier() const { return m_identifier; }
+ static NPNetscapeFuncs* netscapeFuncs();
+
void waitUntilDone();
void notifyDone();
--- /dev/null
+/*
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "PluginTest.h"
+
+class NPRuntimeCallsWithNullNPP : public PluginTest {
+public:
+ NPRuntimeCallsWithNullNPP(NPP npp, const std::string& identifier)
+ : PluginTest(npp, identifier)
+ {
+ }
+
+private:
+ virtual NPError NPP_New(NPMIMEType pluginType, uint16_t mode, int16_t argc, char* argn[], char* argv[], NPSavedData *saved)
+ {
+ NPObject* windowObject = 0;
+ if (NPN_GetValue(NPNVWindowNPObject, &windowObject) != NPERR_NO_ERROR || !windowObject)
+ return NPERR_GENERIC_ERROR;
+
+ NPIdentifier alertIdentifier = NPN_GetStringIdentifier("alert");
+ if (!PluginTest::netscapeFuncs()->hasmethod(0, windowObject, alertIdentifier)) {
+ NPN_ReleaseObject(windowObject);
+ return NPERR_GENERIC_ERROR;
+ }
+
+ NPIdentifier documentIdentifier = NPN_GetStringIdentifier("document");
+ NPVariant variant;
+ if (!PluginTest::netscapeFuncs()->getproperty(0, windowObject, documentIdentifier, &variant)) {
+ NPN_ReleaseObject(windowObject);
+ return NPERR_GENERIC_ERROR;
+ }
+ NPN_ReleaseVariantValue(&variant);
+
+ NPN_ReleaseObject(windowObject);
+
+ executeScript("document.getElementById('result').innerHTML = 'SUCCESS!'");
+ notifyDone();
+ return NPERR_NO_ERROR;
+ }
+};
+
+static PluginTest::Register<NPRuntimeCallsWithNullNPP> npRuntimeCallsWithNullNPP("npruntime-calls-with-null-npp");
+
+
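Review bot: the two calls that give this test its name, netscapeFuncs()->hasmethod(0, ...) and netscapeFuncs()->getproperty(0, ...), deliberately bypass the PluginTest wrappers so that NPP 0 is passed instead of m_npp, but nothing in the file says so; a comment on each call stating that the null NPP is the point of the test would keep someone from "fixing" them back to the wrappers. The test also only covers hasmethod and getproperty, while the fix in NetscapePlugin::fromNPP affects every NPRuntime browser function that goes through it; exercising at least one more entry point (for example invoke) with a null NPP would give the regression test broader coverage. Minor style point: the file ends with two blank lines after the Register line.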
>
</File>
<File
+ RelativePath="..\Tests\NPRuntimeCallsWithNullNPP.cpp"
+ >
+ </File>
+ <File
RelativePath="..\Tests\NPRuntimeObjectFromDestroyedPlugin.cpp"
>
</File>
Tests/NPDeallocateCalledBeforeNPShutdown.cpp \
Tests/NPPNewFails.cpp \
Tests/NPPSetWindowCalledDuringDestruction.cpp \
+ Tests/NPRuntimeCallsWithNullNPP.cpp \
Tests/NPRuntimeObjectFromDestroyedPlugin.cpp \
Tests/NPRuntimeRemoveProperty.cpp \
Tests/NullNPPGetValuePointer.cpp \
Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPDeallocateCalledBeforeNPShutdown.cpp \
Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPPNewFails.cpp \
Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPPSetWindowCalledDuringDestruction.cpp \
+ Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeCallsWithNullNPP.cpp \
Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp \
Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeRemoveProperty.cpp \
Tools/DumpRenderTree/TestNetscapePlugIn/Tests/NullNPPGetValuePointer.cpp \