[This is a follow-up to bug 15405 regarding the general case] HTMLObjectElement::attach() calls RenderPartObject::updateWidget() which lets WebKit plugins execute arbitrary code, potentially re-entering WebKit. I think at some point the protection against creating widgets when updateWidget() is called by attach() applied to WebKit plug-ins, but later it was restricted to Netscape plug-ins.
<rdar://problem/5577978>
Fixed in <http://trac.webkit.org/projects/webkit/changeset/27982>.