Commit 65e67acb authored by beidson@apple.com

Frequent crashes in PluginView::scriptObject under runtimeObjectCustomGetOwnPropertySlot

<rdar://problem/12142226> and https://bugs.webkit.org/show_bug.cgi?id=95026

Source/WebKit2:

Patch partially by Andras Becsi <andras.becsi@nokia.com>

Reviewed by Andy Estes.

If a plug-in fails to initialize then the m_plugin pointer is cleared out.
When accessing the script object it is appropriate to unconditionally null check m_plugin.

* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::scriptObject): Null check m_plugin before trying to use it.

Tools:

Reviewed by Andy Estes.

Add a plug-in that always fails to initialize:
* DumpRenderTree/TestNetscapePlugIn/Tests/NPPNewFails.cpp: Added.
(NPPNewFails):
(NPPNewFails::NPPNewFails):
(NPPNewFails::NPP_New):

Add it to all the project files:
* DumpRenderTree/DumpRenderTree.gypi:
* DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
* DumpRenderTree/TestNetscapePlugIn/CMakeLists.txt:
* DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
* DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:

LayoutTests:

Reviewed by Andy Estes.

* plugins/npp-new-fails-expected.txt: Added.
* plugins/npp-new-fails.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127595 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 539854b0
2012-09-05 Brady Eidson <beidson@apple.com>
Frequent crashes in PluginView::scriptObject under runtimeObjectCustomGetOwnPropertySlot
<rdar://problem/12142226> and https://bugs.webkit.org/show_bug.cgi?id=95026
Reviewed by Andy Estes.
* plugins/npp-new-fails-expected.txt: Added.
* plugins/npp-new-fails.html: Added.
2012-09-05 Dominik Röttsches <dominik.rottsches@intel.com>
[EFL] Unreviewed gardening.
http://webkit.org/b/95026 - Tests that access to the plug-in script object after the plug-in fails to initialize doesn't crash
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS Did not crash trying to access the plug-in script object.
<head>
<script src="../fast/js/resources/js-test-pre.js"></script>
<script>
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
function runTest()
{
var foo = document.getElementById("TestElement").someMadeUpBar;
testPassed("Did not crash trying to access the plug-in script object.");
if (window.testRunner)
testRunner.notifyDone();
}
</script>
</head>
<body onload="runTest();">
<embed id="TestElement" type="application/x-webkit-test-netscape" test="npp-new-fails"></embed>
<p id="description"></p>
<div id="console"></div>
</body>
<script>
description("http://webkit.org/b/95026 - Tests that access to the plug-in script object after the plug-in fails to initialize doesn't crash");
</script>
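Review bot: the boilerplate line in npp-new-fails-expected.txt says the PASS messages are "followed by TEST COMPLETE", but npp-new-fails.html never includes js-test-post.js (the helper that normally emits that line) and the expectation file ends right after the single PASS line, so the description and the expectation disagree; either add the js-test-post.js include and regenerate the expectation, or drop the sentence. The unused `var foo = document.getElementById("TestElement").someMadeUpBar;` is fine as written, since the property access itself is what drives PluginView::scriptObject, but a short comment saying that the access is the point would help the next reader understand why the value is discarded.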
2012-09-05 Brady Eidson <beidson@apple.com>
Frequent crashes in PluginView::scriptObject under runtimeObjectCustomGetOwnPropertySlot
<rdar://problem/12142226> and https://bugs.webkit.org/show_bug.cgi?id=95026
Patch partially by Andras Becsi <andras.becsi@nokia.com>
Reviewed by Andy Estes.
If a plug-in fails to initialize then the m_plugin pointer is cleared out.
When accessing the script object it is appropriate to unconditionally null check m_plugin.
* WebProcess/Plugins/PluginView.cpp:
(WebKit::PluginView::scriptObject): Null check m_plugin before trying to use it.
2012-09-05 Christophe Dumez <christophe.dumez@intel.com>
[EFL][WK2] Provide implementation for WebFrameNetworkingContext
......
......@@ -550,6 +550,10 @@ JSObject* PluginView::scriptObject(JSGlobalObject* globalObject)
if (m_isWaitingForSynchronousInitialization)
return 0;
// The plug-in can be null here if it failed to initialize previously.
if (!m_plugin)
return 0;
// If the plug-in exists but is not initialized then we're still initializing asynchronously.
// We need to wait here until initialization has either succeeded or failed.
if (m_plugin->isBeingAsynchronouslyInitialized()) {
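Review bot: the new `if (!m_plugin) return 0;` is the actual crash fix: before this change the function went straight from the m_isWaitingForSynchronousInitialization check to `m_plugin->isBeingAsynchronouslyInitialized()`, and m_plugin is already null once NPP_New has failed. The comment "can be null here if it failed to initialize previously" would be clearer if it distinguished that case from the "still initializing asynchronously" case described two lines below, since both are reached from script through runtimeObjectCustomGetOwnPropertySlot and only one of them is a null pointer.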
......@@ -558,7 +562,7 @@ JSObject* PluginView::scriptObject(JSGlobalObject* globalObject)
m_isWaitingForSynchronousInitialization = false;
}
// The plug-in can be null here if it failed to initialize.
// The plug-in can be null here if it still failed to initialize.
if (!m_isInitialized || !m_plugin)
return 0;
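Review bot: the reworded comment `// The plug-in can be null here if it still failed to initialize.` reads as though initialization were retried; something like "The plug-in can be null here if initialization failed while we were waiting" describes what the `if (!m_isInitialized || !m_plugin)` check below actually guards. Note also that this combined check already handles a null m_plugin after the synchronous wait, so the early return added in the previous hunk is what protects the asynchronous branch, not this one.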
......
2012-09-05 Brady Eidson <beidson@apple.com>
Frequent crashes in PluginView::scriptObject under runtimeObjectCustomGetOwnPropertySlot
<rdar://problem/12142226> and https://bugs.webkit.org/show_bug.cgi?id=95026
Reviewed by Andy Estes.
Add a plug-in that always fails to initialize:
* DumpRenderTree/TestNetscapePlugIn/Tests/NPPNewFails.cpp: Added.
(NPPNewFails):
(NPPNewFails::NPPNewFails):
(NPPNewFails::NPP_New):
Add it to all the project files:
* DumpRenderTree/DumpRenderTree.gypi:
* DumpRenderTree/DumpRenderTree.xcodeproj/project.pbxproj:
* DumpRenderTree/TestNetscapePlugIn/CMakeLists.txt:
* DumpRenderTree/TestNetscapePlugIn/win/TestNetscapePlugin.vcproj:
* DumpRenderTree/qt/TestNetscapePlugin/TestNetscapePlugin.pro:
2012-09-05 Tor Arne Vestbø <tor.arne.vestbo@nokia.com>
[Qt] Fix makefile race condition between derived sources and target
......
......@@ -96,6 +96,7 @@
'TestNetscapePlugIn/Tests/GetURLWithJavaScriptURL.cpp',
'TestNetscapePlugIn/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp',
'TestNetscapePlugIn/Tests/GetUserAgentWithNullNPPFromNPPNew.cpp',
'TestNetscapePlugIn/Tests/NPPNewFails.cpp',
'TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp',
'TestNetscapePlugIn/Tests/NPRuntimeRemoveProperty.cpp',
'TestNetscapePlugIn/Tests/NullNPPGetValuePointer.cpp',
......
......@@ -70,6 +70,7 @@
4437730F125CBC4D00AAE02C /* WebArchiveDumpSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = 44A997820FCDE86400580F10 /* WebArchiveDumpSupport.h */; };
4AD6A11413C8124000EA9737 /* FormValue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4AD6A11313C8124000EA9737 /* FormValue.cpp */; };
5106803E15CC7B10001A8A23 /* SlowNPPNew.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5106803D15CC7B10001A8A23 /* SlowNPPNew.cpp */; };
5113DE6715F6CBE5005EC8B3 /* NPPNewFails.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */; };
515C0CD015EE785700F5A613 /* LogNPPSetWindow.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 515C0CCF15EE785700F5A613 /* LogNPPSetWindow.cpp */; };
515F429C15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 515F429B15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp */; };
5185F6B210714E07007AA393 /* HistoryDelegate.mm in Sources */ = {isa = PBXBuildFile; fileRef = 5185F69F10714A57007AA393 /* HistoryDelegate.mm */; };
......@@ -286,6 +287,7 @@
44A997830FCDE86400580F10 /* WebArchiveDumpSupport.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = WebArchiveDumpSupport.cpp; path = cf/WebArchiveDumpSupport.cpp; sourceTree = "<group>"; };
4AD6A11313C8124000EA9737 /* FormValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = FormValue.cpp; sourceTree = "<group>"; };
5106803D15CC7B10001A8A23 /* SlowNPPNew.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = SlowNPPNew.cpp; path = TestNetscapePlugIn/Tests/SlowNPPNew.cpp; sourceTree = SOURCE_ROOT; };
5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NPPNewFails.cpp; sourceTree = "<group>"; };
515C0CCF15EE785700F5A613 /* LogNPPSetWindow.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LogNPPSetWindow.cpp; sourceTree = "<group>"; };
515F429B15C07872007C8F90 /* PluginScriptableObjectOverridesAllProperties.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PluginScriptableObjectOverridesAllProperties.cpp; sourceTree = "<group>"; };
5185F69E10714A57007AA393 /* HistoryDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = HistoryDelegate.h; path = mac/HistoryDelegate.h; sourceTree = "<group>"; };
......@@ -559,6 +561,7 @@
1AD4CB2012A6D1350027A7AF /* GetUserAgentWithNullNPPFromNPPNew.cpp */,
515C0CCF15EE785700F5A613 /* LogNPPSetWindow.cpp */,
1ACF898B132EF41C00E915D4 /* NPDeallocateCalledBeforeNPShutdown.cpp */,
5113DE6615F6CBE5005EC8B3 /* NPPNewFails.cpp */,
C031182A134E4A2B00919757 /* NPPSetWindowCalledDuringDestruction.cpp */,
1A24BAA8120734EE00FBB059 /* NPRuntimeObjectFromDestroyedPlugin.cpp */,
1AC77DCE120605B6005C19EF /* NPRuntimeRemoveProperty.cpp */,
......@@ -921,6 +924,7 @@
5106803E15CC7B10001A8A23 /* SlowNPPNew.cpp in Sources */,
51CACBD815D96FD000EB53A2 /* EvaluateJSWithinNPP_New.cpp in Sources */,
515C0CD015EE785700F5A613 /* LogNPPSetWindow.cpp in Sources */,
5113DE6715F6CBE5005EC8B3 /* NPPNewFails.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
......
......@@ -14,6 +14,7 @@ SET(WebKitTestNetscapePlugin_SOURCES
${WEBKIT_TESTNETSCAPEPLUGIN_DIR}/Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp
${WEBKIT_TESTNETSCAPEPLUGIN_DIR}/Tests/GetUserAgentWithNullNPPFromNPPNew.cpp
${WEBKIT_TESTNETSCAPEPLUGIN_DIR}/Tests/NPDeallocateCalledBeforeNPShutdown.cpp
${WEBKIT_TESTNETSCAPEPLUGIN_DIR}/Tests/NPPNewFails.cpp
${WEBKIT_TESTNETSCAPEPLUGIN_DIR}/Tests/NPPSetWindowCalledDuringDestruction.cpp
${WEBKIT_TESTNETSCAPEPLUGIN_DIR}/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp
${WEBKIT_TESTNETSCAPEPLUGIN_DIR}/Tests/NPRuntimeRemoveProperty.cpp
......
/*
* Copyright (C) 2012 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "PluginTest.h"
#include <string.h>
using namespace std;
class NPPNewFails : public PluginTest {
public:
NPPNewFails(NPP npp, const string& identifier)
: PluginTest(npp, identifier)
{
}
private:
virtual NPError NPP_New(NPMIMEType pluginType, uint16_t mode, int16_t argc, char* argn[], char* argv[], NPSavedData *saved)
{
return NPERR_GENERIC_ERROR;
}
};
static PluginTest::Register<NPPNewFails> nppNewFails("npp-new-fails");
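Review bot: `#include <string.h>` is not used by anything in NPPNewFails.cpp; if it was meant to cover the `const string&` constructor parameter, that type lives in `<string>`, which PluginTest.h must already provide for the base-class constructor, so the include can go. `NPSavedData *saved` should be `NPSavedData* saved` to match the pointer style used on the same line (`char* argn[]`). Since NPP_New unconditionally returns NPERR_GENERIC_ERROR the unused parameters are expected, but a one-line comment stating that this plug-in exists only to exercise the failed-initialization path in PluginView::scriptObject would make the intent obvious to someone reading the Tests directory.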
......@@ -425,6 +425,10 @@
RelativePath="..\Tests\NPDeallocateCalledBeforeNPShutdown.cpp"
>
</File>
<File
RelativePath="..\Tests\NPPNewFails.cpp"
>
</File>
<File
RelativePath="..\Tests\NPPSetWindowCalledDuringDestruction.cpp"
>
......
......@@ -22,6 +22,7 @@ SOURCES += \
Tests/GetURLWithJavaScriptURLDestroyingPlugin.cpp \
Tests/GetUserAgentWithNullNPPFromNPPNew.cpp \
Tests/NPDeallocateCalledBeforeNPShutdown.cpp \
Tests/NPPNewFails.cpp \
Tests/NPPSetWindowCalledDuringDestruction.cpp \
Tests/NPRuntimeObjectFromDestroyedPlugin.cpp \
Tests/NPRuntimeRemoveProperty.cpp \
......