Plugin create can end up destroying its renderer.
authorzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Jul 2015 05:55:20 +0000 (05:55 +0000)
committerzalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 Jul 2015 05:55:20 +0000 (05:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=146824
rdar://problem/18921429

Reviewed by Andreas Kling.

Plugins can run arbitrary code during initialization. If the plugin
happens to destroy the associated node, its renderer becomes invalid.
This patch checks whether the renderer survived the createPlugin() call.
(This WeakPtr pattern is also used in RenderWidget to avoid dangling pointers.)

Speculative fix. Not reproducible.

* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::loadPlugin):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186666 268f45cc-cd09-0410-ab3c-d52691b4dbfc


No differences found