(In reply to comment #0) > Since this plugin is going away, these crashes are only important if they > turn out to be WebKit bugs and not GNOME Shell bugs. This plugin is still alive. :(

All the crashes are actually the same problem in the end, but the crash happens at different moments. It's not a bug in WebKit, even though we could protect WebKit from crashing due to buggy plugins in some cases like in bug #137425. The bug in in the plugin that is not retaining the np object when returning it from NPP_GetValue. WebKit assumes the the plugin does the right think and releases that given reference. At some point the object is released and deallocated and both the plugin and WebKit still have references to the object thinking that it's still alive. That's why the crash is sometimes in the plugin when it tries to use the np object, or in WebKit for the very same reason. I don't know why it doesn't happen in other browsers, looking at firefox code they also release the object right after creating the internal wrapper in NPP_GetValue, I guess they keep another reference somewhere else. In WebKit, the mac port has a quirk PluginQuirks::ReturnsNonRetainedScriptableNPObject for this. In our case I'll just fix the plugin.