author | Steve Block <steveblock@google.com> | 2010-07-08 12:51:48 +0100 |
committer | Steve Block <steveblock@google.com> | 2010-07-09 15:33:40 +0100 |
commit | ca9cb53ed1119a3fd98fafa0972ffeb56dee1c24 (patch) | |
tree | bb45155550ec013adc0ad10f4d7d354c6469b022 /WebKit/mac/Plugins | |
parent | d4b24d9a829ed7de70381c8b99fb75a07ab40466 (diff) | |
Merge WebKit at r62496: Initial merge by git
Change-Id: Ie3da0770eca22a70a632e3571f31cfabc80facb2
Diffstat (limited to 'WebKit/mac/Plugins')
-rw-r--r-- | WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.h | 14 | ||||
-rw-r--r-- | WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm | 9 |
2 files changed, 20 insertions, 3 deletions
diff --git a/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.h b/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.h
index 5900b02..9ca5b5a 100644
--- a/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.h
+++ b/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.h
@@ -342,7 +342,19 @@ private:
 unsigned m_pluginFunctionCallDepth;
 bool m_shouldStopSoon;
 uint32_t m_currentRequestID;
- bool m_inDestroy;
+
+ // All NPRuntime functions will return false when destroying a plug-in. This is necessary because there may be unhandled messages waiting,
+ // and spinning in processRequests() will unexpectedly execute them from inside destroy(). That's not a good time to execute arbitrary JavaScript,
+ // since both loading and rendering data structures may be in inconsistent state.
+ // This suppresses calls from all plug-ins, even those in different pages, since JS might affect the frame with plug-in that's being stopped.
+ //
+ // FIXME: Plug-ins can execute arbitrary JS from destroy() in same process case, and other browsers also support that.
+ // A better fix may be to make sure that unrelated messages are postponed until after destroy() returns.
+ // Another possible fix may be to send destroy message at a time when internal structures are consistent.
+ //
+ // FIXME: We lack similar message suppression in other cases - resize() is also triggered by layout, so executing arbitrary JS is also problematic.
+ static bool m_inDestroy;
+
 bool m_pluginIsWaitingForDraw;

 RefPtr<HostedNetscapePluginStream> m_manualStream;
diff --git a/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm b/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
index ca012ee..8354c06 100644
--- a/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
+++ b/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
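Review bot: `static bool m_inDestroy;` keeps the `m_` instance-member prefix on what is now a class-static flag; WebKit names statics `s_`, so `static bool s_inDestroy;` (with the matching definition and uses in the .mm) would make the process-wide scope visible at every use site instead of reading like per-instance state. The comment above it promises that all NPRuntime functions return false during destroy, yet within this commit only evaluate() visibly gains the check; if the other entry points already tested the old member that is fine, otherwise the comment overstates the guarantee and should name which functions are covered. The enclosing class declaration extends beyond the hunk.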
@@ -206,6 +206,8 @@ bool NetscapePluginInstanceProxy::LocalObjectMap::forget(uint32_t objectID)
 static uint32_t pluginIDCounter;
+bool NetscapePluginInstanceProxy::m_inDestroy;
+
 #ifndef NDEBUG
 static WTF::RefCountedLeakCounter netscapePluginInstanceProxyCounter("NetscapePluginInstanceProxy");
 #endif
@@ -222,7 +224,6 @@ NetscapePluginInstanceProxy::NetscapePluginInstanceProxy(NetscapePluginHostProxy
 , m_pluginFunctionCallDepth(0)
 , m_shouldStopSoon(false)
 , m_currentRequestID(0)
- , m_inDestroy(false)
 , m_pluginIsWaitingForDraw(false)
 {
 ASSERT(m_pluginView);
@@ -321,7 +322,8 @@ void NetscapePluginInstanceProxy::invalidate()
 void NetscapePluginInstanceProxy::destroy()
 {
 uint32_t requestID = nextRequestID();
-
+
+ ASSERT(!m_inDestroy);
 m_inDestroy = true;

 FrameLoadMap::iterator end = m_pendingFrameLoads.end();
@@ -848,6 +850,9 @@ bool NetscapePluginInstanceProxy::evaluate(uint32_t objectID, const String& scri
 resultData = 0;
 resultLength = 0;

+ if (m_inDestroy)
+ return false;
+
 if (!m_localObjects.contains(objectID)) {
 LOG_ERROR("NetscapePluginInstanceProxy::evaluate: local object %u doesn't exist.", objectID);
 return false; |
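Review bot: `ASSERT(!m_inDestroy);` in destroy() is compiled out in release builds, and because the flag is now shared by every proxy in the process, a second proxy's destroy() entered while the first is still spinning in processRequests() would, when it finishes and presumably clears the flag (the reset is outside the hunk), re-enable NPRuntime calls for the still-destroying outer instance, which is exactly the state the header comment says must not run script. A depth counter instead of a bool would hold the suppression until the outermost destroy() returns: `static unsigned s_destroyDepth;`, `++s_destroyDepth;` on entry with a matching decrement on every exit path, and `if (s_destroyDepth) return false;` in evaluate(); a small RAII guard would make the decrement hard to miss. The definition `bool NetscapePluginInstanceProxy::m_inDestroy;` relies on zero-initialization of static storage, so writing `= false` would state the intended initial value. The body of destroy() continues beyond the hunk.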