From: commit-queue@webkit.org Date: Tue, 22 Jul 2014 23:33:09 +0000 (+0000) Subject: [Win] Crash after plugin is unloaded. X-Git-Url: http://git.webkit.org/?p=WebKit-https.git;a=commitdiff_plain;h=b1915fd657ae9fe9d48e5e0151011d591f208224 [Win] Crash after plugin is unloaded. https://bugs.webkit.org/show_bug.cgi?id=119044 Patch by peavo@outlook.com on 2014-07-22 Reviewed by Darin Adler. We need to invalidate all runtime objects when a plugin view is destroyed, in case the plugin is unloaded, and one of these runtime objects accesses the plugin function table upon destruction afterwards, which will cause a crash. If we use the weak pointer to the runtime object when invalidating, it will be null if it's in the WeakImpl::Dead state. This means the runtime object will not be invalidated, possibly causing a crash if the plugin is unloaded. It should be safe to use the raw pointer to the runtime object when invalidating, since finalized runtime objects will be removed from the set of runtime objects in the method RootObject::finalize(). * bridge/runtime_root.cpp: (JSC::Bindings::RootObject::invalidate): Make sure all runtime objects are invalidated by getting the raw runtime object pointer from the hash key. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@171371 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog index 0072c66..3aafc10 100644 --- a/Source/WebCore/ChangeLog +++ b/Source/WebCore/ChangeLog 
@@ -1,3 +1,20 @@ +2014-07-22 peavo@outlook.com + + [Win] Crash after plugin is unloaded. + https://bugs.webkit.org/show_bug.cgi?id=119044 + + Reviewed by Darin Adler. + + We need to invalidate all runtime objects when a plugin view is destroyed, in case the plugin is unloaded, + and one of these runtime objects accesses the plugin function table upon destruction afterwards, which will cause a crash. + If we use the weak pointer to the runtime object when invalidating, it will be null if it's in the WeakImpl::Dead state. + This means the runtime object will not be invalidated, possibly causing a crash if the plugin is unloaded. + It should be safe to use the raw pointer to the runtime object when invalidating, since finalized runtime objects + will be removed from the set of runtime objects in the method RootObject::finalize(). + + * bridge/runtime_root.cpp: + (JSC::Bindings::RootObject::invalidate): Make sure all runtime objects are invalidated by getting the raw runtime object pointer from the hash key. + 2014-07-22 Enrica Casucci REGRESSION (WebKit2): Selection inside accelerated overflow:scroll doesn't track scrolling. diff --git a/Source/WebCore/bridge/runtime_root.cpp b/Source/WebCore/bridge/runtime_root.cpp index 9b5d8cf..f865c8a 100644 --- a/Source/WebCore/bridge/runtime_root.cpp +++ b/Source/WebCore/bridge/runtime_root.cpp @@ -106,13 +106,10 @@ void RootObject::invalidate() return; { - HashMap>::iterator end = m_runtimeObjects.end(); - for (HashMap>::iterator it = m_runtimeObjects.begin(); it != end; ++it) { - RuntimeObject* runtimeObject = it->value.get(); - if (!runtimeObject) // Skip zombies. - continue; + // Get the objects from the keys; the values might be nulled. + // Safe because finalized runtime objects are removed from m_runtimeObjects by RootObject::finalize. + for (RuntimeObject* runtimeObject : m_runtimeObjects.keys()) runtimeObject->invalidate(); - } m_runtimeObjects.clear(); }
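Review bot: the ChangeLog entry has no test line; WebKit ChangeLogs normally state either the test that covers the change or why none is added (for a crash that needs a plugin to be unloaded on Windows, a "No new tests" line with that reason would do). The description also hedges with "It should be safe to use the raw pointer"; state the invariant the fix actually depends on, namely that a RuntimeObject key is removed from m_runtimeObjects in RootObject::finalize() before its storage can be reused, so a later reader knows exactly what must keep holding for this to stay correct.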
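Review bot: the new loop calls `runtimeObject->invalidate()` through the raw key for every entry, including entries whose Weak value is already null; the commit message says the value is null in the WeakImpl::Dead state, which is after the collector has declared the object dead but before RootObject::finalize() has removed the key. The safety argument therefore rests on the cell still being intact for the whole Dead-to-Finalized window, and the added comment "Safe because finalized runtime objects are removed from m_runtimeObjects by RootObject::finalize." only covers the Finalized half; spell out the Dead-state guarantee in that comment, because a stale key here is a use-after-free rather than the skipped entry that the removed `if (!runtimeObject) // Skip zombies.` check used to give. Also, a range-for over `m_runtimeObjects.keys()` while calling into `RuntimeObject::invalidate()` assumes that call cannot re-enter this RootObject and erase from the map; a one-line comment saying so (or pointing at the early `return` at the top of the function if that is the guard) would make the iterator safety explicit.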