author: Ben Murdoch <benm@google.com> 2010-03-16 11:28:32 +0000
committer: Ben Murdoch <benm@google.com> 2010-03-16 11:28:32 +0000
commit: 9e0d526d0170e26b1dc2d0da8347cca28b5f3507 (patch)
tree: 2e902f41ab914068bc2f81bc3c8fe601b400642c /WebCore/bindings/v8
parent: 1c7e1d1ea3bcd169a6323fe04dc9fdf8e78e035f (diff)
Fix V8 crashes with plugins. The extra call to _NPN_ReleaseObject inside forgetV8ObjectForNPObject is causing a double deletion.
In ScriptController::clearScriptObjects, we call Unregister (which without this change causes Release to get called in forgetV8ObjectForNPObject). If the ref count gets to 0, we free the object in Release. Then when Unregister returns, we call Release again in the ScriptController with the same just-free'd pointer. If we're unlucky, then the Deallocate and free gets called again. We're also trying to access members such as the reference count and deallocation function through a dead pointer.

Also, in the case where the Flash does not clear its window object, we call Deallocate directly inside ScriptController::clearScriptObjects. This causes Unregister to get called (as the object is still alive) which calls Release through forgetV8ObjectForNPObject, which results in a recursive call to Deallocate, which frees the memory. Then the stack unwinds and we happily try to free again from the first call to Deallocate.

Fix these issues by removing the extra call to NPN_ReleaseObject in forgetV8ObjectForNPObject.

Change-Id: I7f6d21cd4ff38e29bd1a178e4816d023560b6b16
Diffstat (limited to 'WebCore/bindings/v8')
-rw-r--r-- WebCore/bindings/v8/V8NPObject.cpp | 1 -
1 files changed, 0 insertions, 1 deletions
diff --git a/WebCore/bindings/v8/V8NPObject.cpp b/WebCore/bindings/v8/V8NPObject.cpp
index b873d5f..bace84d 100644
--- a/WebCore/bindings/v8/V8NPObject.cpp
+++ b/WebCore/bindings/v8/V8NPObject.cpp
@@ -396,6 +396,5 @@ void forgetV8ObjectForNPObject(NPObject* object)
v8::Persistent<v8::Object> handle(staticNPObjectMap.get(object));
V8DOMWrapper::setDOMWrapper(handle, WebCore::V8ClassIndex::NPOBJECT, 0);
staticNPObjectMap.forget(object);
- _NPN_ReleaseObject(object);
}
}
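Review bot: with the `_NPN_ReleaseObject(object);` call dropped, forgetV8ObjectForNPObject no longer touches the NPObject's reference count, so every caller must now balance the reference it holds itself; the commit message covers ScriptController::clearScriptObjects, but a one-line comment above the function (or on its declaration) stating that it does not release the object would keep the next caller from leaking or double-releasing. The remaining body still clears the DOM wrapper and forgets the map entry, so the function's only behavioural change is the lost release; worth confirming in review that no other call site relied on that implicit release, since the diffstat shows this file as the only one changed.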