Bug 31067

Summary: Chromium crashes when a plugin invokes the document.open function via NPAPI
Product: WebKit Reporter: Ananta Iyengar <ananta>
Component: WebCore JavaScriptAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, commit-queue, kenneth
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: All   
Attachments:
Description Flags
Initial patch with layout tests.
abarth: review-
Updated patch based on initial review comments
none
Updated patch which now passes layout test runs on mac and windows.
none
Updated patch with the document.open invocation from the plugin now done in npp_destroystream
none
Patch none

Ananta Iyengar
Reported 2009-11-03 09:50:33 PST
This is a chromium only issue. If a plugin invokes the document.open function on the document object via the NPN_Invoke function then the chrome renderer process crashes. The crash occurs in the V8 bindings code. The associated chromium bug is http://code.google.com/p/chromium/issues/detail?id=25703 I will submit a patch for this.
Attachments
Initial patch with layout tests. (15.71 KB, patch)
2009-11-03 16:28 PST, Ananta Iyengar 		abarth: review-
DetailsFormatted DiffDiff
Updated patch based on initial review comments (15.29 KB, patch)
2009-11-04 19:24 PST, Ananta Iyengar 		no flags
DetailsFormatted DiffDiff
Updated patch which now passes layout test runs on mac and windows. (16.28 KB, patch)
2009-11-05 12:28 PST, Ananta Iyengar 		no flags
DetailsFormatted DiffDiff
Updated patch with the document.open invocation from the plugin now done in npp_destroystream (15.53 KB, patch)
2009-11-06 12:39 PST, Ananta Iyengar 		no flags
DetailsFormatted DiffDiff
Patch (15.60 KB, patch)
2009-11-06 14:49 PST, Adam Barth 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Ananta Iyengar
Comment 1 2009-11-03 13:19:08 PST
This crash occurs if the plugin invokes the NPN_Invoke API to open a document via document.open without an associated javascript context. If the NPN_Invoke API is used to open a popup via window.open, it fails as well in Chromium.
Ananta Iyengar
Comment 2 2009-11-03 16:28:51 PST
Created attachment 42435 [details] Initial patch with layout tests.
Adam Barth
Comment 3 2009-11-03 21:52:35 PST
Comment on attachment 42435 [details] Initial patch with layout tests. This looks great. A couple minor issues: 123 if (frame) 124 htmlDocument->write(writeHelperGetString(args), frame->document()); We can call htmlDocument->write even when |frame| is null. We can just pass a null second argument. In your LayoutTest/ChangeLog, you have several copies of the change description.
Ananta Iyengar
Comment 4 2009-11-04 19:24:37 PST
Created attachment 42538 [details] Updated patch based on initial review comments
Ananta Iyengar
Comment 5 2009-11-05 12:28:06 PST
Created attachment 42586 [details] Updated patch which now passes layout test runs on mac and windows.
Ananta Iyengar
Comment 6 2009-11-06 12:39:16 PST
Created attachment 42669 [details] Updated patch with the document.open invocation from the plugin now done in npp_destroystream
Adam Barth
Comment 7 2009-11-06 14:40:53 PST
Comment on attachment 42669 [details] Updated patch with the document.open invocation from the plugin now done in npp_destroystream This looks great. One typo: 132 if (frame) 133 htmlDocument->writeln(writeHelperGetString(args), frame ? frame->document() : NULL); We don't want the "if (frame)" here. I can either fix this you on landing or we can use commit-queue if you upload a new patch.
Adam Barth
Comment 8 2009-11-06 14:49:32 PST
Created attachment 42672 [details] Patch
WebKit Commit Bot
Comment 9 2009-11-06 15:00:55 PST
Comment on attachment 42672 [details] Patch Clearing flags on attachment: 42672 Committed r50607: <http://trac.webkit.org/changeset/50607>
WebKit Commit Bot
Comment 10 2009-11-06 15:01:01 PST
All reviewed patches have been landed. Closing bug.
Kenneth Rohde Christiansen
Comment 11 2009-11-10 14:22:16 PST
Hi guys, Running plugins/window-open.html with Qt WebKit does not open any window. Can you give me any hints on where to look in the code base for fixing this? It basically calls invoke which uses a cross platform implementation. Our DRT also supports opening windows.
Note You need to log in before you can comment on or make changes to this bug.