    Invalidate JS wrappers for NPObjects when they are finalized · 87e2ac32
    aroben@apple.com authored
    This will cause the underlying NPObject to be released at finalization time, rather than at
    destruction time (which is unpredictable and could occur after the plugin has been
    unloaded).
    
    Test: plugins/npobject-js-wrapper-destroyed-after-plugin-unload.html
    
    Fixes <http://webkit.org/b/61316> <rdar://problem/9489824> Crash in deallocateNPObject when
    reloading yahoo.com webarchive in WebKit2
    
    and
    
    <http://webkit.org/b/61317> <rdar://problem/9489829> Crash in _NPN_DeallocateObject when
    reloading yahoo.com webarchive in WebKit1
    
    Reviewed by Oliver Hunt.
    
    Source/WebCore:
    
    * bridge/runtime_object.cpp:
    (JSC::Bindings::RuntimeObject::~RuntimeObject): Assert that we've already been invalidated.
    
    * bridge/runtime_root.cpp:
    (JSC::Bindings::RootObject::invalidate):
    (JSC::Bindings::RootObject::addRuntimeObject):
    Updated for m_runtimeObjects type change.
    
    (JSC::Bindings::RootObject::finalize): Added. Invalidates the RuntimeObject and removes it
    from the map.
    
    * bridge/runtime_root.h: Now inherits from WeakHandleOwner.
    Changed m_runtimeObjects from a WeakGCMap to a HashMap of JSC::Weak objects so that we will
    be notified when the RuntimeObjects are finalized.
    
    Source/WebKit2:
    
    * WebProcess/Plugins/Netscape/JSNPObject.cpp:
    (WebKit::JSNPObject::~JSNPObject): Assert that we've already been invalidated, rather than
    trying to perform invalidation now (when the plugin might already be unloaded).
    
    * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
    (WebKit::NPRuntimeObjectMap::getOrCreateJSObject):
    (WebKit::NPRuntimeObjectMap::invalidate):
    Updated for m_jsNPObjects type change.
    
    (WebKit::NPRuntimeObjectMap::finalize): Added. Invalidates the JSNPObject and removes it
    from the map.
    
    * WebProcess/Plugins/Netscape/NPRuntimeObjectMap.h: Now inherits from WeakHandleOwner.
    Changed m_jsNPObjects from a WeakGCMap to a HashMap of JSC::Weak objects so that we will be
    notified when the JSNPObjects are finalized.
    
    LayoutTests:
    
    Test that we don't crash when a JS wrapper for an NPObject is destroyed after its plugin is unloaded
    
    * plugins/npobject-js-wrapper-destroyed-after-plugin-unload-expected.txt: Added.
    * plugins/npobject-js-wrapper-destroyed-after-plugin-unload.html: Added.
    (startTest): Gets a JS wrapper for an NPObject from the plugin, allocates a bunch of memory
    so the JS wrapper will be finalized, then destroys the plugin and waits for a little bit
    before calling finishTest.
    (finishTest): Force a GC so the JS wrapper will be destroyed. If we didn't crash, we passed!
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@87179 268f45cc-cd09-0410-ab3c-d52691b4dbfc
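As an added illustration, not code from this commit or from WebKit, here is a constructed C++ model of the lifetime pattern the message describes: the wrapper map plays the WeakHandleOwner role, its finalize() releases the plugin-owned object while the plugin is still loaded, and the wrapper destructor only asserts that invalidation already happened. PluginObject, Wrapper, WrapperMap and wrapperOutlivesPlugin are hypothetical stand-ins for the NPObject, JSNPObject/RuntimeObject and NPRuntimeObjectMap/RootObject types, not the JSC or WebKit APIs.

```cpp
#include <cassert>
#include <unordered_map>
// Constructed stand-in for a plugin-owned NPObject; releasing it after unload is the crash.
struct PluginObject {
    bool loaded = true;
    int releases = 0;
    void release() { assert(loaded && "NPObject released after plugin unload"); ++releases; }
};
// Stand-in for the JS wrapper (JSNPObject / RuntimeObject): after the fix the
// destructor only asserts, and the plugin object is released in invalidate().
struct Wrapper {
    explicit Wrapper(PluginObject* obj) : m_obj(obj) {}
    ~Wrapper() { assert(!m_obj && "wrapper destroyed before invalidation"); }
    void invalidate() { if (m_obj) { m_obj->release(); m_obj = nullptr; } }
    PluginObject* m_obj;
};
// Stand-in for NPRuntimeObjectMap / RootObject in its WeakHandleOwner role: it
// holds wrappers weakly and the collector reports each one it finalizes.
struct WrapperMap {
    std::unordered_map<PluginObject*, Wrapper*> m_wrappers;
    Wrapper* getOrCreate(PluginObject* obj) {
        Wrapper*& slot = m_wrappers[obj];
        if (!slot) slot = new Wrapper(obj);
        return slot;
    }
    // finalize() analogue: the wrapper became unreachable, so release the plugin
    // object now, while the plugin is still loaded, and drop the map entry.
    void finalize(PluginObject* key) {
        m_wrappers.at(key)->invalidate();
        m_wrappers.erase(key);
    }
    // Plugin teardown: invalidate every wrapper that is still reachable.
    void invalidate() {
        for (auto& e : m_wrappers) e.second->invalidate();
        m_wrappers.clear();
    }
};
// Mirrors the layout test: wrapper finalized (or still reachable), plugin unloaded,
// wrapper memory freed last. True when the plugin object was released exactly once.
bool wrapperOutlivesPlugin(bool finalizedBeforeUnload) {
    PluginObject obj;
    WrapperMap map;
    Wrapper* w = map.getOrCreate(&obj);
    if (finalizedBeforeUnload) map.finalize(&obj); // GC ran while plugin still loaded
    map.invalidate();                              // plugin destroyed
    obj.loaded = false;                            // plugin unloaded
    delete w;                                      // late destruction no longer touches the plugin
    return obj.releases == 1 && map.m_wrappers.empty();
}
```

Before the fix, the release would have lived in the destructor, so the `delete w` after `obj.loaded = false` would be the call into an unloaded plugin.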