[Win] Crash after plugin is unloaded.

https://bugs.webkit.org/show_bug.cgi?id=119044

Patch by peavo@outlook.com <peavo@outlook.com> on 2014-07-22
Reviewed by Darin Adler.

We need to invalidate all runtime objects when a plugin view is destroyed, in case the plugin is unloaded,
and one of these runtime objects accesses the plugin function table upon destruction afterwards, which will cause a crash.
If we use the weak pointer to the runtime object when invalidating, it will be null if it's in the WeakImpl::Dead state.
This means the runtime object will not be invalidated, possibly causing a crash if the plugin is unloaded.
It should be safe to use the raw pointer to the runtime object when invalidating, since finalized runtime objects
will be removed from the set of runtime objects in the method RootObject::finalize().

* bridge/runtime_root.cpp:
(JSC::Bindings::RootObject::invalidate): Make sure all runtime objects are invalidated by getting the raw runtime object pointer from the hash key.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@171371 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 0072c66..3aafc10 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2014-07-22  peavo@outlook.com  <peavo@outlook.com>
+
+        [Win] Crash after plugin is unloaded.
+        https://bugs.webkit.org/show_bug.cgi?id=119044
+
+        Reviewed by Darin Adler.
+
+        We need to invalidate all runtime objects when a plugin view is destroyed, in case the plugin is unloaded,
+        and one of these runtime objects accesses the plugin function table upon destruction afterwards, which will cause a crash.
+        If we use the weak pointer to the runtime object when invalidating, it will be null if it's in the WeakImpl::Dead state.
+        This means the runtime object will not be invalidated, possibly causing a crash if the plugin is unloaded.
+        It should be safe to use the raw pointer to the runtime object when invalidating, since finalized runtime objects
+        will be removed from the set of runtime objects in the method RootObject::finalize().
+
+        * bridge/runtime_root.cpp:
+        (JSC::Bindings::RootObject::invalidate): Make sure all runtime objects are invalidated by getting the raw runtime object pointer from the hash key.
+
 2014-07-22  Enrica Casucci  <enrica@apple.com>
 
         REGRESSION (WebKit2): Selection inside accelerated overflow:scroll doesn't track scrolling.

diff --git a/Source/WebCore/bridge/runtime_root.cpp b/Source/WebCore/bridge/runtime_root.cpp
index 9b5d8cf..f865c8a 100644 (file)
--- a/Source/WebCore/bridge/runtime_root.cpp
+++ b/Source/WebCore/bridge/runtime_root.cpp
@@ -106,13 +106,10 @@ void RootObject::invalidate()
         return;
 
     {
-        HashMap<RuntimeObject*, JSC::Weak<RuntimeObject>>::iterator end = m_runtimeObjects.end();
-        for (HashMap<RuntimeObject*, JSC::Weak<RuntimeObject>>::iterator it = m_runtimeObjects.begin(); it != end; ++it) {
-            RuntimeObject* runtimeObject = it->value.get();
-            if (!runtimeObject) // Skip zombies.
-                continue;
+        // Get the objects from the keys; the values might be nulled.
+        // Safe because finalized runtime objects are removed from m_runtimeObjects by RootObject::finalize.
+        for (RuntimeObject* runtimeObject : m_runtimeObjects.keys())
             runtimeObject->invalidate();
-        }
 
         m_runtimeObjects.clear();
     }