Bug 36563

Summary:

A plug-in makes Safari crash on http://www.itscodingtime.com/

Product:

WebKit

Reporter:

Alexey Proskuryakov <ap>

Component:

Plug-ins

Assignee:

Alexey Proskuryakov <ap>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

webkit.review.bot

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Mac (Intel)

OS:

OS X 10.6

Attachments:

Description	Flags
proposed fix	andersca: review+

Alexey Proskuryakov

Reported 2010-03-24 15:43:06 PDT

Steps to reproduce: install Silverlight, go to http://www.itscodingtime.com/. Here is what happens: 1) WebKit calls NetscapePluginInstanceProxy::resize(), and starts waiting for reply. 2) Instead of a reply, it gets an WKPCGetProperty call from plug-in first. 3) The object the plug-in wants to get a property of is actually a plug-in object, so WebKit calls plugin host via ProxyInstance::fieldNamed(). 4) Silverlight crashes, taking plug-in host with it. 5) NetscapePluginHostProxy::pluginHostDied() destroys host proxy object, and clears all references to it. 6) WebKit returns to "event loop" in NetscapePluginInstanceProxy::processRequestsAndWaitForReply, waiting for a reply to resize(). 7) But m_pluginHostProxy is null already, so it crashes.

Attachments
proposed fix (12.64 KB, patch) 2010-03-24 17:23 PDT, Alexey Proskuryakov	andersca: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2010-03-24 17:23:59 PDT

Created attachment 51566 [details] proposed fix

WebKit Review Bot

Comment 2 2010-03-24 17:24:29 PDT

Attachment 51566 [details] did not pass style-queue: Failed to run "WebKitTools/Scripts/check-webkit-style" exit_code: 1 WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.h:46: More than one command on the same line [whitespace/newline] [4] WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.h:47: More than one command on the same line [whitespace/newline] [4] Total errors found: 2 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style.

Oliver Hunt

Comment 3 2010-03-24 17:30:34 PDT

Comment on attachment 51566 [details] proposed fix > +unsigned NetscapePluginHostProxy::s_processingRequests; It's good form to initialise this. In all honesty all the ++ and --'s make me wish we just had a struct to automatically increment and decrement this count.

Anders Carlsson

Comment 4 2010-03-24 17:50:29 PDT

Comment on attachment 51566 [details] proposed fix r=me

Alexey Proskuryakov

Comment 5 2010-03-24 17:53:51 PDT

Committed <http://trac.webkit.org/changeset/56474>. >> +unsigned NetscapePluginHostProxy::s_processingRequests; > It's good form to initialise this. I'm not sure about that - initializing with 0 just adds visual noise.

Alexey Proskuryakov

Comment 6 2010-03-25 09:54:10 PDT

<rdar://problem/7786332>

Note You need to log in before you can comment on or make changes to this bug.