HTMLPlugInImageElement::didAddUserAgentShadowRoot() calls into the JSC VM to get the "createOverlay" function. If an exception occurs in this call, it should handle that exception. Currently, it does, and leaves a dangling exception in the VM.
The exception was because we couldn't find a createOverlay property in the global object, and we tried to convert the returned undefined to an object. However, it turns out that createOverlay should never be undefined. So, the real bug is why the property is coming back as undefined.
http://trac.webkit.org/changeset/184329 fixed HTMLPlugInImageElement::didAddUserAgentShadowRoot() to use the document's frame instead of the page's main frame. However, Document::ensurePlugInsInjectedScript() is still evaluating the injected script on the main frame. As a result, HTMLPlugInImageElement::didAddUserAgentShadowRoot()'s attempt to get the createOverlay function from the document frame's global object will fail. Fixing Document::ensurePlugInsInjectedScript() to evaluate the injected script on the document's frame fixes the issue.
Created attachment 253626: the patch.
Comment on attachment 253626 (the patch): Provisional r=me
Comment on attachment 253626 (the patch): Bots are all green. Jon already r+'ed. Will land.
Thanks for the review. Landed in r184816: <http://trac.webkit.org/r184816>.
Comment on attachment 253626 (the patch). View in context: https://bugs.webkit.org/attachment.cgi?id=253626&action=review
> Source/WebCore/ChangeLog:18
> + No new tests.
Why not?