Plugin create can end up destroying its renderer.
authorzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Jul 2015 05:55:20 +0000 (05:55 +0000)
committerzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Jul 2015 05:55:20 +0000 (05:55 +0000)
commit821b837de695f8f832a952a7c5fb23f322a81a66
tree39b29a5c2f35f922fd601b31088d1fe234b95182
parenta3f4f058314fa657724f02f06481e60b1dabd7c6
Plugin create can end up destroying its renderer.
https://bugs.webkit.org/show_bug.cgi?id=146824
rdar://problem/18921429

Reviewed by Andreas Kling.

Plugins can run arbitrary code during initialization. If the plugin
happens to destroy the associated node, its renderer becomes invalid.
This patch checks whether the renderer survived the createPlugin() call.
(This WeakPtr pattern is also used in RenderWidget to avoid dangling pointers.)

Speculative fix. Not reproducible.

* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::loadPlugin):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186666 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/loader/SubframeLoader.cpp