Bug 31084 - Crash when a plugin removes itself from the DOM during paint
Summary: Crash when a plugin removes itself from the DOM during paint
Status: UNCONFIRMED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Plug-ins
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2009-11-03 14:02 PST by James Robinson
Modified: 2010-06-10 19:30 PDT

See Also:


Attachments
LayoutTest that exhibits the behavior (9.10 KB, patch)
2009-11-03 14:04 PST, James Robinson

Description James Robinson 2009-11-03 14:02:11 PST
If a plugin removes itself from the DOM during the paint (via, say, an NPN_Evaluate()), the rendering code dereferences a NULL pointer and crashes. We're seeing this in the wild in the Chromium port surprisingly often.
Comment 1 James Robinson 2009-11-03 14:04:40 PST
Created attachment 42416
LayoutTest that exhibits the behavior

Attached is a layout test (and modifications to the TestNetscapePlugin) with a plugin that removes itself (by calling NPN_Evaluate() on a script that sets the plugin's parent's innerHTML to '') during paint.  This causes a crash in RenderWidget.cpp.  The problem is that setting innerHTML causes the previous child Node objects to be destroyed, which causes the associated renderers to be destroyed.  The rendering code does not check for this case and dies.
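The reentrancy the report describes, as an added example that is neither WebKit's code nor the reporter's attachment: a toy C++ model in which a plugin's paint callback removes its own node, so the renderer being painted is torn down mid-paint. The unsafe shape from the report is shown beside a hardened version that holds a protecting reference across the call that can run script and re-validates the renderer afterwards. Every name here (`RenderWidget`, `Widget`, `ContainerNode`, `paintUnsafe`, `paintSafe`, `runScenario`) is this example's own, loosely echoing the classes the report mentions; the `g_liveRenderers` registry is an assumed stand-in for what a sanitizer would report, so the unsafe path can announce the outcome instead of touching freed memory.

```cpp
#include <cassert>
#include <functional>
#include <iostream>
#include <memory>
#include <set>
#include <string>

// Toy model (constructed for this example, not WebKit code) of the hazard in
// the report: a plugin's paint callback runs script that removes the plugin's
// own node, which destroys the renderer that is in the middle of being painted.

struct RenderWidget;

// Registry of live renderers, used only to make the unsafe outcome observable
// without actually reading freed memory (a stand-in for a sanitizer report).
static std::set<const RenderWidget*> g_liveRenderers;

struct Widget {
    // Stands in for the plugin's paint handler; it may call back into the
    // engine (as NPN_Evaluate does) and run arbitrary script.
    std::function<void()> onPaint;
    void paint() {
        // Copy first: the callback may destroy this Widget, and the copy keeps
        // the closure alive for the duration of the call.
        std::function<void()> cb = onPaint;
        if (cb) cb();
    }
};

struct RenderWidget {
    std::shared_ptr<Widget> widget;
    int painted = 0;
    RenderWidget() { g_liveRenderers.insert(this); }
    ~RenderWidget() { g_liveRenderers.erase(this); }
};

struct ContainerNode {
    std::shared_ptr<RenderWidget> childRenderer;
    // Models "parent.innerHTML = ''": the child node goes away and its
    // renderer is destroyed with it.
    void removeChildren() { childRenderer.reset(); }
};

// Unsafe shape, mirroring the report: borrow raw pointers, call into the
// plugin, then keep using the renderer. If the plugin re-entered and removed
// itself, `renderer` now points at freed memory. The liveness check exists
// only so the example can report the outcome instead of crashing.
std::string paintUnsafe(ContainerNode& container) {
    RenderWidget* renderer = container.childRenderer.get();
    if (!renderer) return "nothing to paint";
    Widget* w = renderer->widget.get();
    w->paint();  // may run script and destroy `renderer`
    if (!g_liveRenderers.count(renderer))
        return "crash: renderer destroyed during paint";
    renderer->painted++;
    return "painted";
}

// Hardened shape: hold a strong reference across the call that can run
// script, so the object cannot be freed underneath us, and afterwards re-check
// that the renderer is still attached before doing any more work with it.
std::string paintSafe(ContainerNode& container) {
    std::shared_ptr<RenderWidget> protector = container.childRenderer;
    if (!protector) return "nothing to paint";
    std::shared_ptr<Widget> w = protector->widget;
    w->paint();  // may run script; `protector` keeps the renderer alive
    if (container.childRenderer != protector)
        return "skipped: renderer detached during paint";
    protector->painted++;
    return "painted";
}

// Plugin that, like the attached layout test, removes itself while painting.
void attachSelfRemovingPlugin(ContainerNode& container) {
    auto renderer = std::make_shared<RenderWidget>();
    renderer->widget = std::make_shared<Widget>();
    renderer->widget->onPaint = [&container] { container.removeChildren(); };
    container.childRenderer = renderer;
}

// Well-behaved plugin that paints without touching the DOM.
void attachBenignPlugin(ContainerNode& container) {
    auto renderer = std::make_shared<RenderWidget>();
    renderer->widget = std::make_shared<Widget>();
    container.childRenderer = renderer;
}

// Runs one paint over a freshly built container and reports the outcome.
std::string runScenario(bool selfRemoving, bool hardened) {
    ContainerNode container;
    if (selfRemoving) attachSelfRemovingPlugin(container);
    else attachBenignPlugin(container);
    return hardened ? paintSafe(container) : paintUnsafe(container);
}

// True when every renderer created so far has been destroyed exactly once.
bool noRenderersLeaked() { return g_liveRenderers.empty(); }

int main() {
    std::cout << "unsafe, self-removing: " << runScenario(true, false) << "\n";
    std::cout << "safe,   self-removing: " << runScenario(true, true) << "\n";
    std::cout << "safe,   benign:        " << runScenario(false, true) << "\n";
    return 0;
}
```

The protector-plus-recheck pattern is the general fix for any engine call that can run script from inside layout or painting: the reference keeps the object's memory valid for the rest of the function, and the post-call check stops the function from continuing work on a renderer that the script has already detached.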